Weblog entry #45 for lee

Blocking mail in exim4 based on the sender NS
Posted by lee on Fri 29 Jul 2011 at 12:52

There's a prolific spammer who registers a fresh domain every day and sends out DKIM-signed mail from changing IP addresses. Keeping a blacklist of sending domains and IP addresses is fairly useless, since each entry is only added after the fact.

However, the one constant is that the nameservers they use for the domains always have the same domain names, and since that domain is registered to the spammer it's unlikely to be used for anything legitimate.

Therefore it's trivial to block on a DNS lookup of the sender domain's nameservers in Exim's acl_check_rcpt:

# acl_check_rcpt: reject senders whose domain is delegated to the spammer's nameservers
deny    message       = Domain is blacklisted here
        # dnsdb with ">:" returns the NS names colon-separated; "match" applies a regex
        condition     = ${if match{ \
                          ${lookup dnsdb{>: ns=$sender_address_domain}}}{ns1.example.com} {yes}}
        # only evaluated once the condition is true; recorded for the reject log line
        set acl_m_sender_nameservers = ${lookup dnsdb{>: ns=$sender_address_domain}}
        log_message   = nameservers for $sender_address_domain: $acl_m_sender_nameservers
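To see what this condition is really deciding on, here is a small Python model of it that I have added to the entry; it is not code from the post or from Exim. It takes the colon-separated string that `${lookup dnsdb{>: ns=...}}` returns, normalises the names, and denies when any nameserver sits under the blocked domain. The lookup results and the blocked domain `example.com` are constructed placeholders (the real spammer NS is not named in the post). Alongside the label-aligned check it keeps the post's regex match, so the two can be compared on the same inputs.

```python
"""Model of the Exim acl_check_rcpt decision above (constructed example, not Exim code)."""
import re

# Constructed stand-ins for what `${lookup dnsdb{>: ns=$sender_address_domain}}`
# returns: the NS names joined with ':' because of the '>:' separator prefix.
SAMPLE_NS_LOOKUPS = {
    "fresh-spam-domain.example": "ns1.example.com:ns2.example.com",
    "legit-shop.example": "ns1.dnsprovider.example:ns2.dnsprovider.example",
    "trailing-dot.example": "NS1.Example.COM.",  # mixed case and a trailing dot
    "lookalike.example": "ns1xexample.com",      # not under example.com at all
    "no-ns.example": "",                         # lookup failed or returned no data
}

# Placeholder for the spammer's nameserver domain (assumption, as in the post).
BLOCKED_NS_DOMAIN = "example.com"


def parse_dnsdb_ns(result):
    """Split a ':'-separated dnsdb result into lower-cased names without a trailing dot."""
    return [ns.lower().rstrip(".") for ns in result.split(":") if ns]


def ns_in_blocked_domain(ns, blocked_domain):
    """True when ns is blocked_domain itself or a name below it, aligned on a label boundary."""
    return ns == blocked_domain or ns.endswith("." + blocked_domain)


def acl_decision(sender_domain, lookups=SAMPLE_NS_LOOKUPS, blocked=BLOCKED_NS_DOMAIN):
    """Mirror the ACL: deny only if a nameserver of the sender domain is under the
    blocked domain. An empty lookup (DNS trouble) can never match, so the rule
    fails open and the message is accepted rather than deferred."""
    nameservers = parse_dnsdb_ns(lookups.get(sender_domain, ""))
    if any(ns_in_blocked_domain(ns, blocked) for ns in nameservers):
        return ("deny", nameservers)
    return ("accept", nameservers)


def naive_regex_match(sender_domain, lookups=SAMPLE_NS_LOOKUPS, pattern="ns1.example.com"):
    """The post's `match{...}{ns1.example.com}` as a regex search: with the dots
    unescaped each '.' matches any character, and the search is case-sensitive."""
    return re.search(pattern, lookups.get(sender_domain, "")) is not None


if __name__ == "__main__":
    for domain in SAMPLE_NS_LOOKUPS:
        verdict, names = acl_decision(domain)
        print(f"{domain:26} {verdict:6} nameservers={names} "
              f"regex_match={naive_regex_match(domain)}")
```

Run as a script it prints one line per sample domain; the two columns differ for `lookalike.example` (the loose regex matches it, the label-aligned check does not) and for `trailing-dot.example` (the regex misses the upper-cased, dot-terminated form that normalisation handles).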


Comments on this Entry

Posted by Grimnar (212.251.xx.xx) on Sun 14 Aug 2011 at 16:18
Why do you keep the ns secret then?
