Reducing Spam - RBL checking
Stopping spam outright is a pipe dream, but you can tighten up your system so that a little less gets in.
This is a technical FAQ, mainly to remind support how to do it. Please contact support if you want this enabled, as we don't expect you to make this level of change to your system.
Spammers send from 'known' servers. When they move to a new server it is detected fairly quickly and added to a 'Real-time Block List' (RBL, also called a DNS-based blocklist or DNSBL), which is updated as new spam sources are found.
You can tell your machines to consult these lists when a connection comes in: the sending server's IP address is looked up in the list (its octets are reversed and queried as a DNS name under the list's zone), and if it is listed the mail is rejected.
After enabling RBL checking, the logs for a two-week period show:
Exim statistics from 2008-03-26 22:58:28 to 2008-04-09 12:05:39

Top 15 mail rejection reasons by message count:

| Messages | Mail rejection reason |
|---:|---|
| 2233 | Listed at xbl.spamhaus.org |
| 1808 | Listed at bl.spamcop.net |
| 1321 | Listed at escalations.dnsbl.sorbs.net |
| 588 | Rejected HELO/EHLO: syntactically invalid argument |
| 154 | Refused connection (host_reject_connection) |
| 144 | Rejected RCPT: Black Listed tkrh.co.uk |
| 90 | Listed at list.dsbl.org |
| 69 | Rejected EHLO: Your server announces itself |
| 54 | Message SHOULD have Date: but does not |
| 17 | Rejected RCPT: Black Listed Doamin |
| 9 | Rejected RCPT: Sender verify failed |
| 7 | Rejected RCPT: Fake Yahoo |
| 7 | SMTP protocol synchronization error |
| 6 | Listed at web.dnsbl.sorbs.net |
To enable it, modify /usr/local/etc/exim.configure. In the main configuration section near the top, where the other acl_smtp_* options are set, insert:

```
acl_smtp_helo = check_helo
```

This is the same ACL that already does the HELO check; it is extended so that the block-list lookup runs at the same point, when the client sends HELO/EHLO. The new 'check_helo' ACL is now:
```
check_helo:
  # Reject a HELO/EHLO name with no dot in it: RFC 2821 requires a FQDN
  # (or a bracketed address literal). \N...\N keeps string expansion
  # from touching the backslashes inside the regular expression.
  deny message   = Your server announcement ($sender_helo_name) \
                   is a single word rather than a FQDN. This is \
                   in breach of RFC2821
       condition = ${if match {$sender_helo_name} \
                               {\N\.\N} {no}{yes}}

  # Reject a bare dotted-quad IP address as the HELO name; an address
  # literal must be written in square brackets, e.g. [192.0.2.1].
  deny message   = Your server announces itself \
                   ($sender_helo_name) with a plain \
                   IP address which is in breach of RFC2821.
       condition = ${if match {$sender_helo_name} \
                               {\N^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$\N} \
                               {yes}{no}}

  # Check the sending host's IP address against DNS block lists and
  # reject the connection if it is listed in any of them. $dnslist_text
  # carries the TXT record the list returns (usually a URL explaining why).
  deny message  = Message rejected because $sender_fullhost \
                  is blacklisted at $dnslist_domain see $dnslist_text
       dnslists = bl.spamcop.net : \
                  zen.spamhaus.org : \
                  blackholes.mail-abuse.org : \
                  cbl.abuseat.org

  accept

# Left out of the dnslists above: a little too restrictive
#   dnsbl.sorbs.net : \
#   spam.dnsbl.sorbs.net : \
#   escalations.dnsbl.sorbs.net
```
Note: if you pick up this list from the web it will include escalations.dnsbl.sorbs.net, which at the time of writing was prone to false positives. We suggest you leave that one OUT of the list.

Two further points worth knowing before switching this on. zen.spamhaus.org already combines the Spamhaus SBL, XBL and PBL zones, and the XBL incorporates CBL data, so the separate cbl.abuseat.org entry adds little; and Spamhaus's public mirrors refuse queries sent through large public resolvers, so the mail server should use its own resolver or the lookups will silently stop working. Also, because acl_smtp_helo runs before any authentication, the check applies to your own users submitting mail too; zen includes the PBL (dynamic and end-user address space), so users connecting from such addresses would be rejected at HELO unless you exempt their hosts or move the dnslists check to a later ACL.
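The following Python script emulates what the check_helo ACL above decides for a given HELO name and client address, and shows the DNSBL lookup mechanism described at the top of the page (reverse the octets, query under the zone, read the 127.x answer). It is an added example, not Exim's code or anything from this FAQ: the HELO names, client addresses and the FAKE_DNS answer table are constructed, while DNSLISTS is the page's own list and the Spamhaus return-code meanings are the published ones for zen.spamhaus.org. Passing `system_resolver` instead of `fake_resolver` does live lookups.

```python
"""Emulate the check_helo ACL: HELO sanity checks plus DNS block-list lookups.

Added example, not Exim's own code. The sample HELO names, client addresses
and the FAKE_DNS answer table are constructed; DNSLISTS is the page's list.
"""
import ipaddress
import re
import socket

# Zones from the ACL's dnslists setting, queried in the same order.
DNSLISTS = ["bl.spamcop.net", "zen.spamhaus.org",
            "blackholes.mail-abuse.org", "cbl.abuseat.org"]

# Spamhaus answers that mean "the query failed", not "the host is listed".
# A real zen listing answers with an address in 127.0.0.2 .. 127.0.0.11.
SPAMHAUS_ERRORS = {
    "127.255.255.252": "typing error in zone name",
    "127.255.255.254": "query via public/open resolver refused",
    "127.255.255.255": "query volume limit exceeded",
}

# The two tests the ACL makes on $sender_helo_name.
HAS_DOT = re.compile(r"\.")
BARE_IP = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$")


def dnsbl_name(ip, zone):
    """Query name for a DNSBL: client IP octets reversed, under the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def system_resolver(name):
    """All A records for name, or [] if it does not resolve (live use only)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def dnsbl_lookup(ip, zone, resolve=system_resolver):
    """Return ("listed", codes), ("error", reason) or ("clean", [])."""
    ip = str(ipaddress.IPv4Address(ip))          # refuse non-IPv4 input early
    answers = resolve(dnsbl_name(ip, zone))
    for code in answers:
        if code in SPAMHAUS_ERRORS:              # failed lookup, not a listing
            return ("error", SPAMHAUS_ERRORS[code])
    listed = [a for a in answers if a.startswith("127.")]
    return ("listed", listed) if listed else ("clean", [])


def check_helo(helo_name, client_ip, resolve=system_resolver):
    """Mirror the ACL: ("deny", reason) at the first failing test, else ("accept", "")."""
    if not HAS_DOT.search(helo_name):
        return ("deny", "announcement (%s) is a single word rather than a FQDN" % helo_name)
    if BARE_IP.match(helo_name):
        return ("deny", "announcement (%s) is a plain IP address" % helo_name)
    for zone in DNSLISTS:
        status, detail = dnsbl_lookup(client_ip, zone, resolve)
        if status == "listed":
            return ("deny", "%s is blacklisted at %s (%s)" % (client_ip, zone, ",".join(detail)))
        # "error" is not evidence of spam: a real server would log it and carry on.
    return ("accept", "")


# Constructed DNS answers standing in for the real zones (not real data).
FAKE_DNS = {
    "7.113.0.203.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],   # XBL + PBL hit
    "9.2.0.192.zen.spamhaus.org": ["127.255.255.254"],             # resolver refused
}


def fake_resolver(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    samples = [("mail.example.net", "203.0.113.7"),   # clean name, listed IP
               ("localhost", "198.51.100.5"),         # single-word HELO
               ("198.51.100.5", "198.51.100.5"),      # bare IP as HELO
               ("[198.51.100.5]", "198.51.100.5"),    # RFC address literal: fine
               ("mx.example.org", "192.0.2.9")]       # lookup error: accepted
    for helo, ip in samples:
        print("%-16s %-13s -> %s" % (helo, ip, check_helo(helo, ip, fake_resolver)))
```

The one design point worth copying into the real configuration is how a failed lookup is treated: the 127.255.255.x answers from Spamhaus are errors, and treating them as listings would reject every connection once a resolver is refused or a quota is exceeded. Exim itself does not reject on them unless the dnslists entry is written to match them, but it is worth checking the log for "is blacklisted at zen.spamhaus.org" entries whose $dnslist_value is 127.255.255.x.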