Over the past while I have noticed a few common things about the spam, phishing and malware emails. Most of them are sent from zombied home computers, which often have the IP address embedded in the hostname for the site.
With Exim, I have created a couple of rules that drastically reduce the number of emails that are received. One rule set is for the connection phase; this reduces the amount of traffic right at the onset so that the mail server doesn't have to process any of the traffic related to these connections. The second, though not RFC compliant, drops after the HELO stage, again to reduce the amount of processing as much as possible. Since my mail server isn't supposed to be receiving email from any DSL or cable connections, I personally feel this is an advantage.
ACLs for ACL_SMTP_CONNECT
acl_check_connect:
# Drops, at connect time, any caller whose reverse-DNS name embeds the four
# octets of its own IPv4 address in one of four layouts: dash-separated
# forward or reversed, dot-separated forward or reversed. Referencing
# $sender_host_name here presumably forces the reverse lookup to happen at
# connect time — confirm against the host_lookup setting in use.
# NOTE(review): "hosts =" is empty on every statement below. An empty host
# list matches no host, so as written none of these drops ever fire; the
# intended list (typically one excluding trusted relay hosts) looks to have
# been lost from the page — confirm and restore before use.
# NOTE(review): each pattern is a regex assembled by expansion. The octets
# are not anchored, and in the dot-separated layouts the "." is an unescaped
# regex metacharacter, so matching is looser than the comments state: the
# pattern for 1.2.3.4 also matches "1x2y3z4", and "1-2-3-4" is found inside
# "11-2-3-45". IPv4 only: ${extract{n}{.}...} on an IPv6 address yields empty
# fields. A false positive here silently loses mail from a legitimate sender
# with an IP-derived name, so measure with "warn" plus logging before "drop".
# 1.2.3.4 is listed as .1-2-3-4.domainname
drop message = This site has the IP Address in Hostname, which is common to Broadband Connections
hosts =
condition = ${if match{$sender_host_name}\
{\
${extract{1}{.}{$sender_host_address}}-\
${extract{2}{.}{$sender_host_address}}-\
${extract{3}{.}{$sender_host_address}}-\
${extract{4}{.}{$sender_host_address}}}}
# 1.2.3.4 is listed as .4-3-2-1.domainname
drop message = This site has the IP Address in Hostname, which is common to Broadband Connections
hosts =
condition = ${if match{$sender_host_name}\
{\
${extract{4}{.}{$sender_host_address}}-\
${extract{3}{.}{$sender_host_address}}-\
${extract{2}{.}{$sender_host_address}}-\
${extract{1}{.}{$sender_host_address}}}}
# 1.2.3.4 is listed as .1.2.3.4.domainname (trailing ".*" allows any suffix)
drop message = This site has the IP Address in Hostname, which is common to Broadband Connections
hosts =
condition = ${if match{$sender_host_name}\
{\
${extract{1}{.}{$sender_host_address}}.\
${extract{2}{.}{$sender_host_address}}.\
${extract{3}{.}{$sender_host_address}}.\
${extract{4}{.}{$sender_host_address}}.*}}
# 1.2.3.4 is listed as .4.3.2.1.domainname (trailing ".*" allows any suffix)
drop message = This site has the IP Address in Hostname, which is common to Broadband Connections
hosts =
condition = ${if match{$sender_host_name}\
{\
${extract{4}{.}{$sender_host_address}}.\
${extract{3}{.}{$sender_host_address}}.\
${extract{2}{.}{$sender_host_address}}.\
${extract{1}{.}{$sender_host_address}}.*}}
ACLs for ACL_SMTP_HELO
acl_check_helo:
# Drops on the HELO/EHLO greeting name alone, before any MAIL/RCPT work is
# done. Rejecting at this stage is not RFC compliant (see the text above),
# and a misconfigured but legitimate sender is dropped silently, so log the
# outcome and consider "warn" first.
# \N...\N delimits a literal regex so the expansion leaves it untouched.
# Drops if the HELO name ends with .lan
drop condition = ${if match{$sender_helo_name}{\N\S+\.lan$\N} {1}}
message = Invalid Greeting from $sender_helo_name
# Drops if the HELO name ends with .home
drop condition = ${if match{$sender_helo_name}{\N\S+\.home$\N} {1}}
message = Invalid Greeting from $sender_helo_name
# Drops if the HELO name does not contain a domain name, i.e. no "." with
# non-blank text on both sides (an address literal such as [1.2.3.4] passes)
drop condition = ${if !match{$sender_helo_name}{\N\S+\.\S+$\N} {1}}
message = Missing Domain Name in $sender_helo_name
# The following contains the matches for the IP Address similar to above:
# the HELO name is tested for the caller's own IPv4 octets in four layouts.
# NOTE(review): "hosts =" is empty on each of the four statements below. An
# empty host list matches no host, so as written none of these drops ever
# fire; the intended list looks to have been lost from the page — confirm.
# NOTE(review): the assembled pattern is unanchored and, in the dot-separated
# layouts, "." is an unescaped regex metacharacter, so the match is looser
# than the layout comments suggest. IPv4 only: ${extract{n}{.}...} on an
# IPv6 address yields empty fields.
drop message = This site has the IP Address in HELO, which is common to Broadband Connections
hosts =
condition = ${if match{$sender_helo_name}\
{\
${extract{1}{.}{$sender_host_address}}-\
${extract{2}{.}{$sender_host_address}}-\
${extract{3}{.}{$sender_host_address}}-\
${extract{4}{.}{$sender_host_address}}}}
drop message = This site has the IP Address in HELO, which is common to Broadband Connections
hosts =
condition = ${if match{$sender_helo_name}\
{\
${extract{4}{.}{$sender_host_address}}-\
${extract{3}{.}{$sender_host_address}}-\
${extract{2}{.}{$sender_host_address}}-\
${extract{1}{.}{$sender_host_address}}}}
# NOTE(review): this statement and the next end the pattern with "...*",
# unlike the ".*" used in the connect-time rules. "...*" requires at least
# two further characters after the last octet rather than any suffix, so
# the two ACLs do not match the same set of names — likely a typo for ".*";
# confirm which is intended.
drop message = This site has the IP Address in HELO, which is common to Broadband Connections
hosts =
condition = ${if match{$sender_helo_name}\
{\
${extract{1}{.}{$sender_host_address}}.\
${extract{2}{.}{$sender_host_address}}.\
${extract{3}{.}{$sender_host_address}}.\
${extract{4}{.}{$sender_host_address}}...*}}
drop message = This site has the IP Address in HELO, which is common to Broadband Connections
hosts =
condition = ${if match{$sender_helo_name}\
{\
${extract{4}{.}{$sender_host_address}}.\
${extract{3}{.}{$sender_host_address}}.\
${extract{2}{.}{$sender_host_address}}.\
${extract{1}{.}{$sender_host_address}}...*}}