Tom Allison wrote:
> John Rudd wrote:
>>
>> Matt wrote:
>>>> ExiScan has been part of exim for quite a while now. We reject spam
>>>> at SMTP with exim and SA when it scores above 15. We have not, as of
>>>> yet, had a FP near that high. The spams are logged in such a way it
>>>> makes it easy to create a report including the SA report, the from,
>>>> to, subject, etc and review the hits from the previous day just in
>>>> case there is a FP but it hasn't happened yet.
>>>
>>> Could you share your modifications to exim.conf you did to accomplish
>>> this? I am running Directadmin webgui which uses exim for a MTA.
>>
>> Matt,
>>
>> I can't find the reply that you quoted. Can you tell me where that
>> came from?
>
> I was under the impression that you really don't want to do this.
>
> If you bounce the spam then all you do is deliver the payload that was
> sent to you to some sap's address that is claiming to be the Sender of
> the email. It's a bad practice and one that is likely to bring the ire
> of many mail admins.
>

We're not talking about bouncing, we're talking about rejecting.

bouncing == accept the message, decide you don't like it, and then try
to send it back to the (probably forged) sender. Bad practice, as it
leads to backscatter and could cause you to be participating in a
joe-job attack.

rejecting == looking at the message as it is being submitted, and then
deciding based on some criteria (RBL, anti-virus scanner, anti-spam
scanner) to not give a successful SMTP code.

The differences are:

1) if it's a direct submission (from a virus-bot, spam-bot, or spam
house), then the message just disappears when you reject it.

2) if it's being relayed through an intermediate server, then THEY are
the ones who took responsibility for the disposition of that message,
and not you. It's up to them to "do the right thing" with the message.
As a result, THEY will get black listed if they do the wrong thing
with it, and not you.

The ONLY responsible things to do are either: deliver the message
(marked and/or disinfected are ok, but either way the message is still
delivered), quarantine the message, or reject it. Every other action is
an RFC violation or backscatter.
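As an added illustration of the reject-at-SMTP approach described in this thread (not the configuration of any poster, and not anything shipped by Directadmin): an Exim DATA-time ACL that scores the message with SpamAssassin and returns a 5xx when the score reaches 15, the threshold quoted above, while writing enough to the main log for next-day false-positive review. The spamd address, the ACL name and the log line layout are assumptions.

```exim
# ---- main configuration section (assumed: spamd listening on localhost) ----
spamd_address = 127.0.0.1 783
acl_smtp_data = acl_check_data

begin acl

acl_check_data:
  # Hand the message to spamd. The ":true" suffix makes the "spam"
  # condition always succeed, so $spam_score, $spam_score_int, $spam_bar
  # and $spam_report are populated regardless of SpamAssassin's own
  # required_score; the decision is made below, in the ACL.
  warn  spam       = nobody:true
        add_header = X-Spam-Score: $spam_score ($spam_bar)
        add_header = X-Spam-Report: $spam_report

  # Reject while the SMTP session is still open. $spam_score_int is the
  # score multiplied by ten, so 150 means 15.0. The sending host receives
  # the 5xx itself; this server never accepts the message and therefore
  # never has to generate a bounce to a (possibly forged) sender.
  # log_message records the fields the quoted poster reviews the next day.
  deny  condition   = ${if >={$spam_score_int}{150}}
        log_message = rejected as spam: score=$spam_score \
                      from=<$sender_address> to=<$recipients> \
                      subject="$h_subject:"
        message     = This message scored $spam_score spam points and was rejected.

  # Anything below the threshold is delivered with the headers added above.
  accept
```

The log lines can be extracted from the main log with a grep for "rejected as spam" to build the daily review report the thread mentions.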