My exim is used to receive and send email for mailing list software.
In order to check incoming emails for spam, I have added this block to the acl_check_data section of my exim.conf:
    # Bypass SpamAssassin checks if the message is too large (4 million).
    warn condition = ${if >={$message_size}{ 4000000 } {1}}
         add_header = X-Spam-Note: SpamAssassin run bypassed due to message size
         add_header = Subject: [L] $h_Subject:

    # Run SpamAssassin, but allow for it to fail or time out. Add a warning message
    # and accept the mail if that happens. Add an X-Spam-Flag: header if the SA
    # score exceeds the SA system threshold.
    warn spam = nobody/defer_ok
         add_header = X-Spam-Flag: YES

    warn condition = ${if !def:spam_score_int {1}}
         add_header = X-Spam-Note: SpamAssassin invocation failed

    # Unconditionally add score and report headers
    warn add_header = X-Spam-Score: $primary_hostname: $spam_score ($spam_bar)\n\
                      X-Spam-Report: $spam_report

    # And reject if the SpamAssassin score is greater than reject score.
    deny condition = ${if >{ $spam_score_int }{ 59 } {1}}
         message = Your message scored $spam_score SpamAssassin points. Report follows:\n\
                   $spam_report

    # Trigger greylisting (if enabled) if the SpamAssassin score is greater than greylist score.
    warn condition = ${if >{ $spam_score_int }{ 20 } {1}}
         set acl_m_greylistreasons = Message has $spam_score SpamAssassin points\n$acl_m_greylistreasons

    # Tag the subject if the SpamAssassin score is greater than the warn score
    warn condition = ${if >{ $spam_score_int }{ 49 } {1}}
         add_header = Subject: *SPAM* $h_Subject:
The problem I just noticed with this configuration is that it scans not only incoming emails, but outgoing ones as well. Since there is mailing list software behind exim, that means a single email can be scanned hundreds of times when it's sent to subscribers.
I'm trying to modify this configuration so that only incoming emails are scanned, but I've not managed to make anything work. What I tried:
- testing eq{$received_protocol}{SMTP} (doesn't work)
- testing for the content of the return_path header to check for the mailing list domain. Testing for other headers leaves the risk of spammers adding verified headers to bypass the scan, while spoofing this one would have SPF fail anyway. However, I've not managed to make the conditional work:

    accept condition = ${if and {{def:header_return_path:} {match{$header_return_path:}{\N^.*@list\.example\.com$\N}}}}

Am I on the right path? If so, what's wrong with my conditional?
As testing the Return-Path header somehow didn't work, I used the X-Spam-Score header with the right domain instead.
This is not a perfect solution because spammers can add this header to bypass scanning, but that would require a lot of effort that spammers won't take anyway.
So basically, what my solution does is check whether the email has already been scanned on the current machine.
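
An added example, not part of the original answer: one way the "already scanned on this machine" check could be written in acl_check_data, first as the header-only test the answer describes and then tied to where the message came from so a remote sender cannot forge it. It assumes the list software re-injects mail locally (sendmail interface or SMTP to 127.0.0.1); the host list is an assumption, and the header format is the one written by the X-Spam-Score statement in the question.

```exim
# Added example for acl_check_data. Place these statements before the
# "warn spam = nobody/defer_ok" statement so they are evaluated first.
# Assumption: the mailing list software hands messages back to Exim on the
# same machine; adjust the host list if it runs elsewhere.

# Header-only variant, as described in the answer (left commented out).
# The question's config writes "X-Spam-Score: $primary_hostname: <score> ...",
# so the test looks for "<this host>:" in that header. ${rxquote:} escapes the
# dots in the host name for the regular expression. Any remote sender who
# knows the host name can add this header and skip the scan.
#
# accept condition = ${if match{$h_X-Spam-Score:}{${rxquote:$primary_hostname}:} {1}}

# Hardened variant: conditions within one ACL statement are ANDed, so the
# header is honoured only when the message did not arrive from a remote host.
# The empty first item in "hosts" matches messages not received over TCP/IP
# (local submission); 127.0.0.1 covers SMTP re-injection over loopback.
accept hosts     = : 127.0.0.1
       condition = ${if match{$h_X-Spam-Score:}{${rxquote:$primary_hostname}:} {1}}

# Mail from any other host falls through to the SpamAssassin statements
# and is scanned, whatever X-Spam-* headers it claims to carry.
```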