Lena edited this page May 23, 2018 · 10 revisions

Blacklist for email addresses in Reply-To and message bodies

The purpose of the EBL blacklist is described on http://msbl.org/ebl-purpose.html . I tested EBL since October 2016, in June 2017 it was declared in public beta. How to use EBL in Exim config (requires Exim version 4.87 or higher):

MLDOMAINS = /usr/local/etc/exim/mailing_list_domains
acl_smtp_data = acl_check_data
acl_smtp_mime = acl_check_mime
acl_not_smtp = acl_check_notsmtp
acl_not_smtp_mime = acl_check_notsmtpmime
begin acl
rt:
  deny  condition = ${if forany{${addresses:$rheader_Reply-To:}}\
                               {eq{${acl{ea}{$item}}}{caught}}}
        log_message = Reply-To: $header_Reply-To: in EBL: $dnslist_text \
                From: $header_From:, envelope-from $sender_address, \
                recipients=$recipients, Subject: $header_Subject:
        message = spam detected
                  # 419 (Nigerian) scams often sent by humans, do not tell them
                  # that the spam was detected with EBL http://msbl.org

  accept

mimeea:
  deny  condition = ${if match{$mime_content_type}{text}}
        mime_regex = \N(?s)([\w.+=-]+@\w[\w-]*\.[\w.-]+\w)\
                       (.+?([\w.+=-]+@\w[\w-]*\.[\w.-]+\w))?\
                       (.+?([\w.+=-]+@\w[\w-]*\.[\w.-]+\w))?\
                       (.+?([\w.+=-]+@\w[\w-]*\.[\w.-]+\w))?\
                       (.+?([\w.+=-]+@\w[\w-]*\.[\w.-]+\w))?
        condition = ${if forany{$regex1 :$regex3 :$regex5 :$regex7 :$regex9}\
                               {eq{${acl{ea}{$item}}}{caught}}}
        log_message = email address in body $acl_m_ea in EBL: $dnslist_text \
                From: $header_From:, envelope-from $sender_address, \
                recipients=$recipients, Subject: $header_Subject:
        message = spam detected

  accept

ea:
  accept condition = ${if eqi{$acl_arg1}{$sender_address}}

  accept condition = ${lookup{$sender_address_domain}nwildlsearch\
                             {MLDOMAINS}{1}{0}}

  accept condition = ${if eq{}\
		{${lookup dnsdb{defer_never,mxh=${domain:$acl_arg1}}}}}
        condition = ${if eq{}\
		{${lookup dnsdb{defer_never,a=${domain:$acl_arg1}}}}}

  warn  set acl_m_ea = ${sg{${lc:$acl_arg1}}{\\+.*@}{@}}
        condition = ${if match{$acl_m_ea}{@g(oogle)?mail.com}}
        set acl_m_ea = ${sg{${local_part:$acl_m_ea}}{\\.}{}}@${domain:$acl_m_ea}

  accept condition = ${lookup{${domain:$acl_m_ea}}nwildlsearch\
                             {MLDOMAINS}{0}{1}}
        dnslists = ebl.msbl.org/${sha1:$acl_m_ea}
        message = caught

  accept

acl_check_notsmtp:
  require acl = rt

  accept

acl_check_notsmtpmime:
  require acl = mimeea

  accept

acl_check_mime:

... (possible other checks before the first "accept")

  accept condition = ${if def:header_List-ID:}

  require acl = mimeea

... (the first "accept" if any)

  accept

acl_check_data:

... (other checks before the first "accept")

  require acl = rt

... (the first "accept")

This code checks only dropboxes - email addresses (in Reply-To: and body) which differ from the email address in "From:". You can check also email addresses in "From:" (for that change addresses:$rheader_Reply-To: to addresses:$rheader_From:,$rheader_Reply-To: and delete the first accept line after ea:), but that'll increase rate of requests to EBL.

The file specified in the MLDOMAINS macro - domains of legitimate mailing lists, add to it others known for you:

groups.io
*.groups.io
^yahoogroups\.
returns.groups.yahoo.com
googlegroups.com
^listserv\.
^lists\.
freebsd.org
exim.org
mailground.net
opennet.ru
subscribe.ru
njabl.org
spammers.dontlike.us
mailop.org
mutt.org

Lena

Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.