There may be more elegant solutions but I've added ".website" and ".date" to my local_sender_blacklist recently. I find using that with spfquery works quite well.

Regards,
Dermot

On Tue, 28 Aug 2018 at 11:59, Cyborg via Exim-users <[email protected]> wrote:

> On 25.08.2018 at 21:27, scout--- via Exim-users wrote:
> > Hi, newbie questions please..
> >
> > I can't figure out how to drop certain hostname connects. I get
> > thousands of these types of connects per day:
> >
> > 2018-08-25 14:16:39.473 [25870] H=69.130.32.95.dsl-dynamic.vsi.ru
> > (sex.com) [95.32.130.69]:7481 I=[1.2.3.4]:25 sender verify fail for
> > <[email protected]>: No Such User Here"
> > 2018-08-25 14:16:39.473 [25870] H=69.130.32.95.dsl-dynamic.vsi.ru
> > (sex.com) [95.32.130.69]:7481 I=[1.2.3.4]:25
> > F=<[email protected]> rejected RCPT
> > <[email protected]>: Sender verify failed
> >
> > Hostname IPs are always hacked international user computers so
> > there's no sense trying to throw the IPs in a firewall. The only
> > constant is that every single
>
> Take the real IP, put it in a firewall rule, note the time, remove the
> block after 24h. Works well.
> The actual spammer can't send mails anymore, the original server owner
> can send mails again later, when he has removed his hack.
>
> > connection is for the same non-existing account:
> > [email protected], and they all have 'sex.com' or
> > my-domain-name in the hostname H=. Yes, they currently all fail with
> > just two lines of code in the logs, but the volume of connections is
> > increasing daily.
> >
> > I'm looking for something along the lines of:
> >
> > If hostname equals 'sex.com' or hostname equals 'my-domain-name.net'
> > drop connection (don't process or write to the logs)
> >
>
> Nothing is more easily spoofed and changed than that. So, your rule would
> only be temporarily effective. SPAMASSASSIN rules should cover it
> and they get updated from time to time. I suggest using spamassassin on
> your server.
>
> You can also use SPAMHAUS or NIXSPAM DNS-BLs, both are very effective
> against spammers. The false positives are next to zero.
>
> best regards,
> Marius
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
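
The temporary-block approach suggested in the thread, as an added example that is not part of the original messages: it reads reject lines in the log format quoted above, keys on the connecting IP rather than the HELO name, and gives each offender a 24-hour expiry. The threshold of two rejects, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the log format quoted in the thread
# (documentation-range IPs and example.* names, not real traffic).
SAMPLE_LOG = """\
2018-08-25 14:16:39.473 [25870] H=host1.example.net (helo.example) [203.0.113.7]:7481 I=[192.0.2.1]:25 sender verify fail for <nobody@example.org>: No Such User Here
2018-08-25 14:16:39.473 [25870] H=host1.example.net (helo.example) [203.0.113.7]:7481 I=[192.0.2.1]:25 F=<nobody@example.org> rejected RCPT <user@example.org>: Sender verify failed
2018-08-25 14:20:01.002 [25874] H=host1.example.net (helo.example) [203.0.113.7]:7502 I=[192.0.2.1]:25 F=<nobody@example.org> rejected RCPT <user@example.org>: Sender verify failed
2018-08-25 14:21:00.100 [25871] H=([198.51.100.9]) [203.0.113.50]:4410 I=[192.0.2.1]:25 F=<nobody@example.org> rejected RCPT <user@example.org>: Sender verify failed
2018-08-25 14:22:00.100 [25872] H=([198.51.100.9]) [203.0.113.50]:4411 I=[192.0.2.1]:25 F=<nobody@example.org> rejected RCPT <user@example.org>: Sender verify failed
2018-08-25 15:00:00.000 [25880] H=mail.example.com [192.0.2.77]:2500 I=[192.0.2.1]:25 F=<typo@example.org> rejected RCPT <user@example.org>: Sender verify failed
"""

# H= is "rdns-name (helo) [ip]:port"; the rdns name and the helo are optional.
# The helo is chosen by the client and may itself be a bracketed literal,
# so skip the parenthesised helo and capture only the socket address.
REJECT = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)(?:\.\d+)? "
    r".*?\bH=(?:[^\s(\[]\S* )?(?:\(\S*\) )?\[(?P<ip>[0-9A-Fa-f.:]+)\](?::\d+)? "
    r".*rejected RCPT .*Sender verify failed"
)


def blocks_from_log(text, threshold=2, ttl=timedelta(hours=24)):
    """Return {ip: expiry} for peers with at least `threshold` rejects."""
    hits, last_seen = {}, {}
    for line in text.splitlines():
        m = REJECT.match(line)
        if not m:
            continue  # e.g. the paired "sender verify fail for" line
        ip = m["ip"]
        hits[ip] = hits.get(ip, 0) + 1
        last_seen[ip] = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    # Expiry counts from the most recent reject, so a peer that stops
    # sending junk drops off the list 24 hours later.
    return {ip: last_seen[ip] + ttl for ip, n in hits.items() if n >= threshold}


def active_blocks(blocks, now):
    """IPs whose block has not expired at `now`."""
    return sorted(ip for ip, expiry in blocks.items() if now < expiry)


if __name__ == "__main__":
    for ip, expiry in sorted(blocks_from_log(SAMPLE_LOG).items()):
        print(f"{ip} blocked until {expiry:%Y-%m-%d %H:%M:%S}")
```

The output is a list for whatever firewall tooling is in use; the single reject from 192.0.2.77 stays below the threshold, and the address claimed in the HELO literal is never treated as the peer.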
