I managed to figure it out. It was the \N. When I was looking at the debug logs, I noticed that for another blacklist that used simple wildcard domain blocks, each line of the log said
no (end of list) at the end of each line like so: 03:13:13 50032 address match test: subject=livewire-insurance-start-saving-me=domain....@foltertankit.com pattern=*a3a99l3y.com 03:13:13 50032 foltertankit.com in "*a3a99l3y.com"? no (end of list) 03:13:13 50032 address match test: subject=livewire-insurance-start-saving-me=domain....@foltertankit.com pattern=*afd7971a.com 03:13:13 50032 foltertankit.com in "*afd7971a.com"? no (end of list) 03:13:13 50032 address match test: subject=livewire-insurance-start-saving-me=domain....@foltertankit.com pattern=*laxdva.com 03:13:13 50032 foltertankit.com in "*laxdva.com"? no (end of list) But with my problematic blacklist file full of regular expressions (one regular expression per line), there was only one "no (end of list)" at the very end of the last line. Thus, the \N protection against string expansion was somehow causing exim to treat the entire file as a giant pattern, even though the log deceptively made it look like each line was being matched one line at a time like so: 03:13:13 50032 address match test: subject=livewire-insurance-start-saving-me=domain....@foltertankit.com pattern=\N^affiliate.renewal.*@.*\N 03:13:13 50032 address match test: subject=livewire-insurance-start-saving-me=domain....@foltertankit.com pattern=\N^toprated.wines.*@.*\N 03:13:13 50032 address match test: subject=livewire-insurance-start-saving-me=domain....@foltertankit.com pattern=\N^renewal.by.andersen.*@.*\N 03:13:13 50032 address match test: subject=livewire-insurance-start-saving-me=domain....@foltertankit.com pattern=\N^empire.today.*@.*\N 03:13:13 50032 livewire-insurance-start-saving-me= [email protected] in "/etc/exim4/sender-blacklist-envelope-from"? no (end of list) When I removed all the \N instances from the entire blacklist, every regular expression started working, each line that didn't match had a "no (end of list)" at the end of it, and I am now successfully blocking this network of sophisticated spammers. I hope this helps someone else. -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
