I’ve been more than usually annoyed by a particular set of spammers who keep pushing press releases of their Windows blogging software – annoyed because it slips though SpamAssassin and has no clear sender for each new run (if I’m fast I can block it for a set, but it seems to come back every 90 days or so) but it’s 100% identifiable by the Receieved: header lines – no, I’m not going to mention the domains as they don’t deserve any more Google hits.

There’s a really neat new {exim} ACL command called forany which can be used to help out here, but be aware that these tests run on all Received: lines, and so if normal spam detection is like firing a shotgun wearing a blindfold whilst having directions shouted at you by an assistant, using this is pretty much like pointing the gun directly down and firing repeatedly: I’m sure there would be collateral damage from this at some stage, but I’m not an ISP or a company so I’m prepared to tolerate that. For now.

Anyway, put this in your main content ACL:

  deny message = This message has come via machines used to spam me in the past, and will not be delivered.
       condition = ${if def:h_Received:}
       condition = ${if forany{${readfile{/etc/exim/received_deny.list}{:}}}{match{$h_Received:}{$item}}}

And populate a plain text file (in the above example, /etc/exim/received_deny.list) with a one string per line that you’d like to ban, ie:

somedomain.tld
someotherdomain.tld

So in the above case anything that mentions either of those domains in any Received: line will cause a match and the email to be rejected with the custom error show above, so somedomain.tld, mail.somedomain.tld and blah.someotherdomain.tld will all give a positive match.

As this is a text match, putting IP addresses in there is perfectly possible too, and because the lookup is to an external file there is no need to HUP exim when adding to the file: they’ll be seen the next time the ACL is run.

Enjoy !