Stopping Spam in the ACL

These antispam tips are for Exim 4.x. If you don't know how to modify the helo, rcpt, and data ACLs, then these suggestions won't do you much good.

HELO ACL

You can block a lot of spammers right after they say HELO. They have a tendency to lie but, fortunately, it's often easy to catch them in their lie.

The first thing a remote system is supposed to do when it connects is to say "HELO domain.com". It is legal to use an ip address with the HELO, but losing acceptance. A spammer might try to HELO with your own ip address. There is absolutely no legitimate reason for someone else to use your ip address here. Plug your own ip address in here where it says ##.##.##.##. Repeat this for each IP address you handle.

deny message = HELO/EHLO with my ip address. You are not me.
- log_message = HELO/EHLO my.ip
- condition = ${if eq {$sender_helo_name}{##.##.##.##} {yes}{no}}

Basically the same thing as the previous filter, but using your domain name instead of your ip address. You should repeat this filter for each domain you control.

deny message = HELO/EHLO with my domain name. You are not me.
- log_message = HELO/EHLO my.domain
- condition = ${if match {$sender_helo_name}{your-domain.com} {yes}{no}}

Giving a domain name of 'none' isn't valid, so tell them to bugger off. This filter can be left out since the "period" filter below will catch it.

deny message = Fine, then the mail I accept is also none
- log_message = HELO/EHLO none
- condition = ${if match {$sender_helo_name}{none} {yes}{no}}

A remote system saying they are localhost? Sure they are. This filter can also be omitted if you use the "period" filter below.

deny message = You are hardly local, fool
- log_message = HELO/EHLO localhost
- condition = ${if match {$sender_helo_name}{localhost} {yes}{no}}

A proper domain will contain at least one period. A good percentage of spam worms HELO with random characters without a period.

deny message = Invalid HELO. You must be spam or a virus, or your system administrator is an idiot.
- condition = ${if match{$sender_helo_name}{\\.}{no}{yes}}

RCPT ACL

Spammers like to forge some big names when they send you email. We can't easily check all of them, not until Sender Permitted From (SPF) is widely used. At least we can check for some of the most commonly abused domains, Yahoo, Hotmail, MSN, and AOL. These four filters will reject email with forged From: addresses containing the "big four" domains.

deny message = Faked Yahoo, so you must be spam.
- log_message = Fake Yahoo
- senders = *@yahoo.com
- condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}
deny message = Faked hotmail, so you must be spam.
- log_message = Fake hotmail
- senders = *@hotmail.com
- condition = ${if match {$sender_host_name}{\Nhotmail.com$\N}{no}{yes}}
deny message = Faked MSN, so you must be spam.
- log_message = Fake MSN
- senders = *@msn.com
- condition = ${if match {$sender_host_name}{\N(hotmail|msn).com$\N}{no}{yes}}
deny message = Faked AOL, so you must be spam.
- log_message = Fake AOL
- senders = *@aol.com
- condition = ${if match {$sender_host_name}{\Nmx.aol.com$\N}{no}{yes}}

Of course, using a few good blacklists is a good idea. I put my blacklist checks immediately after the big four filters.

DATA ACL

A valid email should have a message id. Spamming software (and viruses) often don't. So refuse them. Note, this filter has been known to break the rare email sent from a highly customized Qmail server. Personally, I dont' care.

deny condition = ${if !def:h_Message-ID: {1}}
- message = Message SHOULD have Message-ID: but does not

deny condition = ${if !def:h_Date: {1}}
- message = Message SHOULD have Date: but does not

Required to do any mime handling, plus, a broken mime attachment might be an attempt to infect or break into your system.

deny message = Serious MIME defect detected ($demime_reason)
- log_message = Broken MIME ($mime_reason)
- demime = *
- condition = ${if >{$demime_errorlevel}{2}{1}{0}}

Refuse dangerous attachments. This gets a large number of viruses. It also catches a lot of spam with hidden surprises.

deny message = $found_extension files are not accepted here
- log_message = Dangerous extension ($found_extension)
- demime = com:vbs:bat:pif:scr:exe

For Windows clients, Microsoft has included a lovely little surprise. It is possible to attach a file with a CLSID in the name which causes Windows to hide the file extension. This is entirely independent of the "Hide file extensions for known file types" folder option. This is extremely dangerous, so lets just refuse the bastards.

deny message = Hiding of file extensions is not allowed!
- log_message = Dangerous extension (CLSID hidden)
- regex = ^(?i)Content-Disposition::(.*?)filename=\\s*"+((\{[a-hA-H0-9-]{25,}\})|((.*?)\\s{10,}(.*?)))"+\$

Mailto: Obscuring

This isn't an Exim trick, but is highly useful. Spammers have bots that scoure web pages for email addresses to add to their databases. Hiding your email address will reduce your spam, but often at the expense of convenience to real people. Here's a little bit of javascript that will obscure your mailto links from bots, but still work perfectly for humans clicking on the links so long as they have javascript enabled. Unfortunately, if javascript is disabled nothing is displayed.

The first argument is the clickable link text. The second argument is the name portion of the email address. The third argument is the domain. The fourth argument is an optional subject. Pass an empty string if you don't wish a default subject.

Businesses in the greater San Francisco Bay Area requiring assistance to implement antispam filters, virus prevention, or general mail server configuration can contact me via .