comparison xml/dnsbl.in @ 127:2b1a4701e856

sendmail no longer guarantees <> wrapper on envelopes
author carl
date Sat, 08 Apr 2006 10:06:09 -0700
parents ea6f9c812faa
children f4746d8a12a3
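--- a/xml/dnsbl.in
+++ b/xml/dnsbl.in
@@ -157,11 +157,11 @@
 This milter can also verify the envelope from/recipient pairs with the
 primary MX server. This allows the backup mail servers to properly
 reject mail sent to invalid addresses. Otherwise, the backup mail
 servers will accept that mail, and then generate a bounce message when
 the message is forwarded to the primary server (and rejected there with
-no such user).
+no such user). These rejections are the primary cause of such backscatter.
 </para>
 <para>
 This milter will also decode (uuencode, base64, mime, html entity, url
 encodings) and scan for HTTP and HTTPS URLs and bare hostnames in the
 body of the mail. If any of those host names have A or NS records on
@@ -445,10 +445,15 @@
 
 <refsect1 id='todo.1'>
 <title>TODO</title>
 <para>
 The following ideas are under consideration.
+</para>
+<para>
+Add mail volume limits based on smtp auth accounts, to prevent
+customers from sending too much mail. This should catch customers
+that get infected with malware that knows about smtp auth.
 </para>
 <para>
 Add a per-context option to reject mail if the number of digits in
 the reverse dns client name exceeds some threshold.
 </para>
@@ -561,17 +566,18 @@
 </refsect1>
 
 <refsect1 id='sample.5'>
 <title>Sample</title>
 <literallayout class="monospaced"><![CDATA[
-context sample {
+context main-default {
+// outbound dnsbl filtering to catch our own customers that end up on the sbl
 dnsbl local blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s";
 dnsbl sbl sbl-xbl.spamhaus.org "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
-dnsbl xbl xbl.spamhaus.org "Mail from %s rejected - xbl; see http://www.spamhaus.org/query/bl?ip=%s";
 dnsbl dul dul.dnsbl.sorbs.net "Mail from %s rejected - dul; see http://www.sorbs.net/lookup.shtml?%s";
 dnsbl_list local sbl dul;
 
+// outbound content filtering to prevent our own customers from sending spam
 content on {
 filter sbl-xbl.spamhaus.org "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
 uribl multi.surbl.org "Mail containing %s rejected - surbl; see http://www.rulesemporium.com/cgi-bin/uribl.cgi?bl0=1&domain0=%s";
 #uribl black.uribl.com "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s";
 ignore { include "hosts-ignore.conf"; };
@@ -582,10 +588,38 @@
 html_limit off;
 host_limit on 20 "Mail containing excessive host names rejected";
 host_limit soft 20;
 };
 
+// backscatter prevention - don't send bounces for mail that we accepted but could not forward
+// we only send bounces to our own customers
+env_from unknown {
+"<>" black;
+};
+};
+
+context sample {
+dnsbl local blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s";
+dnsbl sbl sbl-xbl.spamhaus.org "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
+dnsbl xbl xbl.spamhaus.org "Mail from %s rejected - xbl; see http://www.spamhaus.org/query/bl?ip=%s";
+dnsbl dul dul.dnsbl.sorbs.net "Mail from %s rejected - dul; see http://www.sorbs.net/lookup.shtml?%s";
+dnsbl_list local sbl dul;
+
+content on {
+filter sbl-xbl.spamhaus.org "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
+uribl multi.surbl.org "Mail containing %s rejected - surbl; see http://www.rulesemporium.com/cgi-bin/uribl.cgi?bl0=1&domain0=%s";
+#uribl black.uribl.com "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s";
+ignore { include "hosts-ignore.conf"; };
+tld { include "tld.conf"; };
+cctld { include "cctld.conf"; };
+html_tags { include "html-tags.conf"; };
+html_limit on 20 "Mail containing excessive bad html tags rejected";
+html_limit off;
+host_limit on 20 "Mail containing excessive host names rejected";
+host_limit soft 20;
+};
+
 env_to {
 # child contexts are not allowed to specify recipient addresses outside these domains
 # leave this outer global context env_to empty to allow arbitrary recipients in child contexts
 mydomain.com;
 customer1.com;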
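Review bot: The new `env_from unknown { "<>" black; };` block in `context main-default` refuses every null-sender message, and the sample does not show which recipients that context is selected for. The two comment lines above it explain the backscatter motive, but a reader who applies the same block to a context that handles mail addressed to their own users would also refuse legitimate delivery status notifications, which use the null reverse-path. I would add a line such as `// use only in the context that handles mail leaving for non-customer recipients; contexts for our own users must still accept "<>"` ahead of the block. Given the commit title, it is also worth confirming that the `"<>"` key still matches when sendmail hands over the envelope sender without angle brackets; the matching code is not visible on this page.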