Wandering Thoughts archives


How we make Exim discard bounces of spam

Making Exim discard things in general is simple: you create an Exim router using the redirect driver that blackholes messages, and guard it with a suitable set of conditions. I decided to be safe, so we only discard locally generated bounces of spam that are going to an outside domain.

(You can detect locally generated bounces with the condition 'and {{!eq{$interface_port}{25}} {!def:return_path}}'. The easy way to discard messages is to use 'data = :blackhole:' in the router; we actually use an Exim filter, because it lets us do somewhat better logging and makes for an easier way to check the 'is a bounce of spam' condition.)

The tricky bit is detecting that this bounce is a bounce of spam, and doing so reliably. Exim routers and filters only have convenient access to headers, and when you're dealing with a bounce this means the headers of the bounce itself, not the headers of the message that bounced. You can dig into the body a bit, but that's unstructured text with all of the problems that that implies.

However, Exim lets you customize the generated bounce message via the bounce_message_file main configuration setting; in particular, you can add headers to it, and when the bounce message is generated you do have access to the original message's headers. Our spam filter tags the Subject: header, so we have a custom bounce message that copies the original message's Subject: into the bounce as X-Original-Subject:. Our bounce-discarding router then recognizes bounces of spam by looking for this header and then checking to see if it starts with the magic tags.

(We don't have to worry about users accidentally putting this header in their messages and having them get discarded, because we only trigger for locally-generated messages with the null envelope sender. Technically a user that tried hard enough could generate such a message, but then they could just send it to /dev/null directly.)

sysadmin/EximSpamBounceDiscarding written at 23:10:20; Add Comment

Page tools: See As Normal.
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.