[Exim] Rejecting messages to <>: where do they go?

Author: Greg Ward
Date:  
To: exim-users
Subject: [Exim] Rejecting messages to <>: where do they go?
I'm curious about what's happening to some of the rejection messages
sent by my system filter. Brief rundown: exim 3.12 on a Debian 2.2
system, with a system filter that catches and rejects a variety of
Windows worms and viruses (based on Nigel's filter, of course). I use
the "mail" command instead of "fail" because it's more flexible, and I
log a couple lines to rejectlog for every viral message caught and
rejected. I also save each rejected message to /var/spool/mail/reject.

Now, some SirCam-infected machines are pretending to send MAILER-DAEMON
messages. Here's an example -- looks like the virus was sent to
webmaster@???, which expands to akuchlin@??? (among
others) -- that's how the message is getting into our mail system.

  Return-path: <>
  Envelope-to: message filter
  Delivery-date: Wed, 22 Aug 2001 06:26:37 -0400              
  Received: from mail.python.org ([63.102.49.29])          
          by kronos.mems-exchange.org with esmtp (Exim 3.12 #1)
          id 15ZVDY-0007IP-00                  
          for akuchlin@???; Wed, 22 Aug 2001 06:26:36 -0400
  Received: from [212.33.76.3] (helo=amb.ac.bialystok.pl ident=root)
          by mail.python.org with esmtp (Exim 3.21 #1)             
          id 15ZVD4-00072v-00
          for webmaster@???; Wed, 22 Aug 2001 06:26:06 -0400
  Received: from Farmakognozja2.amb.ac.bialystok.pl ([212.33.76.166])
          by amb.ac.bialystok.pl (8.11.3/8.11.3) with SMTP id f7MAUDU10219
          for <webmaster@???>; Wed, 22 Aug 2001 12:30:13 +0200
  Message-Id: <200108221030.f7MAUDU10219@???>           
  To: webmaster@???
  Subject: Projekt pracy 2001
  date: Wed, 22 Aug 2001 12:20:24 +0200
  MIME-Version: 1.0
  X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
  X-Mailer: Microsoft Outlook Express 5.50.4133.2400  
  Content-Type: multipart/mixed; boundary="----3768E118_Outlook_Express_message_boundary"
  Content-Disposition: Multipart message
  From: Remote Mail Delivery System <>
  X-Envelope-To: akuchlin@???


OK, so the worm is doing a fair job of imitating a bounce message,
presumably to sneak past filters that do "if error_message then finish
endif" or the moral equivalent. For better or worse, our system filter
has no such clause, so the message is caught by my SirCam trap. Here's
what said trap does with messages it catches:

  # keep a copy of the caught message for later inspection
  save /var/spool/mail/reject
  # record what was caught, who it was addressed to and where it came from
  logwrite "$tod_log $message_id rejected (SirCam signature)"
  logwrite "$tod_log subject: $header_subject"
  logwrite "$tod_log recipients: $recipients"
  logwrite "$tod_log returned to: $return_path"
  logwrite "------------------------------------------------------------------------------"
  # send a notice (with the original message attached) back to the envelope sender
  mail to $return_path
       subject "Mail returned: virus detected" 
       file /etc/exim/sircam-reject.txt 
       return message
  # mark the message as delivered so no further routing happens
  seen finish


And here is what was logged (in rejectlog) for the rejection of the
message whose headers I have shown above:

2001-08-22 06:26:37 15ZVDY-0007IP-00 rejected (executable attachment)
2001-08-22 06:26:37 subject: Projekt pracy 2001
2001-08-22 06:26:37 recipients: akuchlin@???
2001-08-22 06:26:37 returned to:

So I'm confused: what happens to the reject message -- bit-bucket? Does
Exim just ignore messages to "<>"? There are no frozen messages in my
queue.

Just curious -- the important thing is that the worm is filtered out,
not that the rejection message is successfully delivered.

        Greg
-- 
Greg Ward - software developer                gward@???
MEMS Exchange                            http://www.mems-exchange.org
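The situation above, as an added example that is not part of the original post or of Greg's filter: a small Python model of the decision the system filter has to make (quarantine, log, notify the envelope sender) with an explicit check for the empty return path. A message whose envelope sender is <> is by definition a delivery notification, and RFC 5321 (section 4.5.5) says nothing may be sent back in reply to it, so a notice "to $return_path" has nowhere to go regardless of how a particular MTA handles it. The example also flags the worm's forgery the way the headers in the post give it away: an empty return path combined with mail-client headers (X-Mailer, X-MIMEOLE) that a real MTA bounce never carries. All sample messages, addresses, host names and message IDs below are constructed for this example; the detection reason is passed in, since the actual SirCam signature used by the filter is not shown on the page.

```python
"""Added example (not from the original post): model of a filter's
quarantine / log / notify decision with an explicit null-sender check.
Every message, address and host name here is constructed for the example."""

import email
from email.message import Message

# Constructed sample modelled on the worm message in the post: empty envelope
# sender and a "mailer daemon" From: line, but the fingerprints of an ordinary
# Outlook Express submission are still present.
FORGED_BOUNCE = """\
Return-path: <>
Received: from [192.0.2.166] (helo=relay.example.org ident=root)
\tby mx.example.net with esmtp (Exim 3.12 #1)
\tid 1AAAAA-000001-00
\tfor victim@example.net; Wed, 22 Aug 2001 06:26:36 -0400
Message-Id: <200108221030.worm@relay.example.org>
To: webmaster@example.net
Subject: Projekt pracy 2001
MIME-Version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
Content-Type: multipart/mixed; boundary="----example_boundary"
From: Remote Mail Delivery System <>

------example_boundary
Content-Type: text/plain

(body omitted)
------example_boundary--
"""

# Constructed sample: the same kind of message sent with a real envelope sender.
NORMAL_INFECTED = """\
Return-path: <sender@example.org>
Received: from [192.0.2.166] (helo=relay.example.org)
\tby mx.example.net with esmtp (Exim 3.12 #1) id 1AAAAA-000002-00
\tfor victim@example.net; Wed, 22 Aug 2001 06:30:00 -0400
From: Some User <sender@example.org>
To: victim@example.net
Subject: Projekt pracy 2001
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
Content-Type: multipart/mixed; boundary="----example_boundary"

------example_boundary
Content-Type: text/plain

(body omitted)
------example_boundary--
"""

# Constructed sample: a genuine MTA-generated bounce (no client headers).
GENUINE_BOUNCE = """\
Return-path: <>
From: Mail Delivery System <Mailer-Daemon@mx.example.net>
To: victim@example.net
Subject: Mail delivery failed: returning message to sender
Content-Type: multipart/report; report-type=delivery-status; boundary="----dsn"

------dsn
Content-Type: text/plain

This message was created automatically by mail delivery software.
------dsn--
"""


def parse_message(raw: str) -> Message:
    """Parse a raw RFC 822 message; compat32 policy keeps header values as plain strings."""
    return email.message_from_string(raw)


def envelope_sender(msg: Message):
    """Envelope sender as the receiving MTA recorded it in Return-path:.
    Returns None for the null sender (<>), which marks the message as a notification."""
    rp = (msg.get("Return-path") or "").strip()
    addr = rp.strip("<>").strip()
    return addr or None


def mua_fingerprints(msg: Message):
    """Headers a mail client adds on submission; an MTA-generated bounce has none of them."""
    return [h for h in ("X-Mailer", "X-MIMEOLE") if h in msg]


def looks_like_forged_bounce(msg: Message) -> bool:
    """Null envelope sender plus client headers: a bounce no MTA would have generated."""
    return envelope_sender(msg) is None and bool(mua_fingerprints(msg))


def plan_rejection(msg: Message, reason: str) -> dict:
    """Actions the filter should take. notify_to is None whenever the return path
    is empty: there is no sender to return the message to, and replying to a
    null-sender message is exactly what RFC 5321 forbids (it is how mail loops start)."""
    sender = envelope_sender(msg)
    return {
        "quarantine": True,  # always keep a copy, as the filter's "save" does
        "log": [
            f"rejected ({reason})",
            f"subject: {msg.get('Subject', '')}",
            f"returned to: {sender or ''}",
        ],
        "notify_to": sender,
        "forged_bounce": looks_like_forged_bounce(msg),
    }


if __name__ == "__main__":
    for name, raw in (("forged", FORGED_BOUNCE), ("normal", NORMAL_INFECTED), ("genuine", GENUINE_BOUNCE)):
        print(name, plan_rejection(parse_message(raw), "SirCam signature"))
```

Run stand-alone it prints the plan for each sample; the worm's forged bounce is quarantined and logged but produces no notice, the message with a real envelope sender gets one, and the genuine bounce is not flagged as forged.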