I want to force users sending mail to my server to use BCC (we're getting a lot of internal spam created by mailings to 30+ mailing lists which then reply to all).

I thought spamassassin could be a good place to start since it is already used for spam filtering. However, I'm not sure how to do this (or if spamassassin is really the right place to do it). My idea was to just make a bccfilter.cf which checks the number of To+Cc recipients and mark the mail as spam if it is larger than a number (e.g. 10). What is the best way to do this?

The only thing I came up with is something like this:

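```
# Fires when the To header contains nine or more commas
header  LOCAL_FORCE_BCC_TO      To =~ /(.*?,){9,}/
# Same test applied to the Cc header
header  LOCAL_FORCE_BCC_CC      Cc =~ /(.*?,){9,}/
# Combine both header tests and score the result
meta    LOCAL_FORCE_BCC         (LOCAL_FORCE_BCC_TO || LOCAL_FORCE_BCC_CC)
score   LOCAL_FORCE_BCC         15.0
```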

It basically counts the number of commas in the To and Cc headers, and if either one is larger than 9 (=10 recipients) it marks the message as spam. However, I don't really like the approach and have the feeling it can be done better. Also, I'd like to count the total number of recipients (To+Cc) instead of separately.

Does anyone know how to do that? Also I'd like to return a custom error message but that doesn't really matter much.

JdeBP
dtech
  • Marking the mails as spam seems like the exact wrong approach. What would be far better would be a mail queue for mail messages with > 10 recipients. Hold the mail in a queue, reply to the user with an email that gives a URL to a web-based administrative interface, and clearly list each and every recipient. Make them click another silly "confirm" button there. No click, no mail. It'd also save the CEO from embarrassing emails to all staff. – sarnold Jul 03 '11 at 09:15
  • @sarnold the problem is not that the mails are *accidentally* To/CC'ed, they are To/CC'ed *on purpose* to generate more mail and thus advertising for the internal event – dtech Jul 03 '11 at 09:16
  • you mean they _intentionally_ hit Reply To All when replying? I've seen hundreds of cases of people _accidentally_ hitting it (the stupid default for too many email clients), but .. wow. – sarnold Jul 03 '11 at 09:24
  • @sarnold Yes well that's why we want to stop it. We're a fraternity+sorority with >1000 members of which ~50 enjoy the massive spamming and the other ~600 subscribers members hate it – dtech Jul 03 '11 at 09:26
  • My condolences! Postfix's `smtpd_recipient_limit` might do the trick: "The maximal number of recipients that the Postfix SMTP server accepts per message delivery request." See `postconf(5)`. – sarnold Jul 03 '11 at 09:38
  • @sarnold Nice, but we use exim4. It has a similar option but it only rejects the message for the surplus recipients, and not the whole message like I want to. – dtech Jul 03 '11 at 10:38
  • @sarnold and that Postfix restriction would also prevent the usage of that many BCCs. – mailq Jul 03 '11 at 17:24
  • @mailq: ah! Thanks for the information. It makes sense when I think about it a bit. – sarnold Jul 03 '11 at 20:57
  • What mailing-list software are you using? – Mark Jul 05 '11 at 15:19
  • This is trying to solve behavioural problems with a technical solution and that rarely ends as well as is hoped; if the abusers are determined to find a way to abuse your list then they will find a way around this filter. I'd suggest a better approach is to kick the abusers off the list. – Rob Moir Jul 06 '11 at 06:50
  • @Mark ecartis @Robert that is not really an option, as they are not ON every list (we have a lot and the spam comes from people who Cc to all). Banning them from sending mail altogether was barred by "management" – dtech Jul 06 '11 at 07:40

1 Answer

I think this is a great time to look into exim ACLs. You can use them to do your cc: to bcc rewriting.

http://tldp.org/HOWTO/Spam-Filtering-for-MX/exim-smtpdelays.html

n8whnp
  • Interesting, I'll look into it. Of course a problem is that if users get no message they might be surprised and consider it a bug and come complaining to us. – dtech Jul 06 '11 at 07:40
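
The question's rule counts commas in To and Cc separately. As an added example (not code from the question or the answer), this Python sketch parses both headers into addresses, counts the combined distinct recipients, and compares the result with the comma regex on two constructed messages. The function names, the limit of 10 read as "more than 10", the case-folding of addresses and the example.org addresses are assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

MAX_VISIBLE = 10  # assumed limit, from the "e.g. 10" in the question
COMMA_RULE = re.compile(r"(.*?,){9,}")  # the regex used by both header rules

def visible_recipients(raw_message):
    """Unique addresses named in To and Cc together (Bcc never appears here)."""
    msg = message_from_string(raw_message)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    unique = []
    for _name, addr in getaddresses(fields):
        addr = addr.strip().lower()  # assumption: compare addresses case-insensitively
        if addr and addr not in unique:
            unique.append(addr)
    return unique

def over_limit(raw_message, limit=MAX_VISIBLE):
    """True when To+Cc together name more than `limit` distinct addresses."""
    return len(visible_recipients(raw_message)) > limit

def comma_rule_fires(raw_message):
    """Emulate the two header rules: nine or more commas in To, or in Cc."""
    msg = message_from_string(raw_message)
    return any(COMMA_RULE.search(value)
               for header in ("To", "Cc")
               for value in msg.get_all(header, []))

def sample(to, cc=""):
    """Build a constructed test message; all addresses are made up."""
    lines = ["From: sender@example.org", "To: " + to]
    if cc:
        lines.append("Cc: " + cc)
    return "\n".join(lines + ["Subject: constructed sample", "", "body"])

# Constructed: 6 addresses in To and 6 in Cc, so neither header has 9 commas.
SPLIT = sample(", ".join(f"a{i}@example.org" for i in range(6)),
               ", ".join(f"b{i}@example.org" for i in range(6)))
# Constructed: 5 recipients whose quoted display names each contain a comma.
NAMES = sample(", ".join(f'"Member{i}, Some" <m{i}@example.org>' for i in range(5)))

if __name__ == "__main__":
    for label, raw in (("split To/Cc", SPLIT), ("commas in names", NAMES)):
        print(label, len(visible_recipients(raw)), over_limit(raw), comma_rule_fires(raw))
```
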