I'm curious about what's happening to some of the rejection messages
sent by my system filter. Brief rundown: exim 3.12 on a Debian 2.2
system, with a system filter that catches and rejects a variety of
Windows worms and viruses (based on Nigel's filter, of course). I use
the "mail" command instead of "fail" because it's more flexible, and I
log a couple lines to rejectlog for every viral message caught and
rejected. I also save each rejected message to /var/spool/mail/reject.
Now, some SirCam-infected machines are pretending to send MAILER-DAEMON
messages. Here's an example -- looks like the virus was sent to
webmaster@???, which expands to akuchlin@??? (among
others) -- that's how the message is getting into our mail system.
    Return-path: <>
    Envelope-to: message filter
    Delivery-date: Wed, 22 Aug 2001 06:26:37 -0400
    Received: from mail.python.org ([63.102.49.29])
        by kronos.mems-exchange.org with esmtp (Exim 3.12 #1)
        id 15ZVDY-0007IP-00
        for akuchlin@???; Wed, 22 Aug 2001 06:26:36 -0400
    Received: from [212.33.76.3] (helo=amb.ac.bialystok.pl ident=root)
        by mail.python.org with esmtp (Exim 3.21 #1)
        id 15ZVD4-00072v-00
        for webmaster@???; Wed, 22 Aug 2001 06:26:06 -0400
    Received: from Farmakognozja2.amb.ac.bialystok.pl ([212.33.76.166])
        by amb.ac.bialystok.pl (8.11.3/8.11.3) with SMTP id f7MAUDU10219
        for <webmaster@???>; Wed, 22 Aug 2001 12:30:13 +0200
    Message-Id: <200108221030.f7MAUDU10219@???>
    To: webmaster@???
    Subject: Projekt pracy 2001
    date: Wed, 22 Aug 2001 12:20:24 +0200
    MIME-Version: 1.0
    X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
    X-Mailer: Microsoft Outlook Express 5.50.4133.2400
    Content-Type: multipart/mixed; boundary="----3768E118_Outlook_Express_message_boundary"
    Content-Disposition: Multipart message
    From: Remote Mail Delivery System <>
    X-Envelope-To: akuchlin@???
OK, so the worm is doing a fair job of imitating a bounce message,
presumably to sneak past filters that do "if error_message then finish
endif" or the moral equivalent. For better or worse, our system filter
has no such clause, so the message is caught by my SirCam trap. Here's
what said trap does with messages it catches:
    # keep a copy of every message the trap catches
    save /var/spool/mail/reject
    # one log entry per rejected message, plus the headers that matter
    logwrite "$tod_log $message_id rejected (SirCam signature)"
    logwrite "$tod_log subject: $header_subject"
    logwrite "$tod_log recipients: $recipients"
    logwrite "$tod_log returned to: $return_path"
    logwrite "------------------------------------------------------------------------------"
    # send the canned rejection text back to the envelope sender,
    # with the original message attached
    mail to $return_path
         subject "Mail returned: virus detected"
         file /etc/exim/sircam-reject.txt
         return message
    # mark the message as delivered and stop filtering here
    seen finish
And here is what was logged (in rejectlog) for the rejection of the
message whose headers I have shown above:
2001-08-22 06:26:37 15ZVDY-0007IP-00 rejected (executable attachment)
2001-08-22 06:26:37 subject: Projekt pracy 2001
2001-08-22 06:26:37 recipients: akuchlin@???
2001-08-22 06:26:37 returned to:
So I'm confused: what happens to the reject message -- bit-bucket? Does
Exim just ignore messages to "<>"? There are no frozen messages in my
queue.
Just curious -- the important thing is that the worm is filtered out,
not that the rejection message is successfully delivered.
Greg
--
Greg Ward - software developer gward@???
MEMS Exchange http://www.mems-exchange.org
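The decision the trap above has to make, worked through as an added example (my own Python, not Greg's filter and not a description of how Exim's mail command behaves): parse the captured headers, take the envelope sender from Return-path the way $return_path would, and treat the null sender <> as "nobody to notify", which is the case the log line "returned to:" with nothing after it shows. The forged-bounce indicators (mail-client headers on a message with an empty sender, a From: that claims a delivery system next to an X-Mailer:) are assumptions for this example, not a published signature, and the sample headers are constructed from the ones shown in the post, with the obscured addresses left as they appear there.

```python
"""Decide what to do with a worm message dressed up as a bounce.

Added example: re-implements the trap's choices (save, log, maybe
notify) in plain Python so the null-sender case can be inspected
offline.  Heuristics and sample data are constructed for this example.
"""
import email
import re

# Constructed sample: headers of the captured SirCam message, as shown above.
SAMPLE = """\
Return-path: <>
Envelope-to: message filter
Delivery-date: Wed, 22 Aug 2001 06:26:37 -0400
Received: from mail.python.org ([63.102.49.29])
    by kronos.mems-exchange.org with esmtp (Exim 3.12 #1)
    id 15ZVDY-0007IP-00
    for akuchlin@???; Wed, 22 Aug 2001 06:26:36 -0400
Message-Id: <200108221030.f7MAUDU10219@???>
To: webmaster@???
Subject: Projekt pracy 2001
MIME-Version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
Content-Type: multipart/mixed; boundary="----3768E118_Outlook_Express_message_boundary"
From: Remote Mail Delivery System <>
X-Envelope-To: akuchlin@???

(body omitted; only the headers matter here)
"""


def parse(raw):
    """Parse a raw RFC 822 message into an email.message.Message."""
    return email.message_from_string(raw)


def envelope_sender(msg):
    """Envelope sender from Return-path; "" stands for the null sender <>.

    This is the value a system filter sees as $return_path."""
    value = (msg.get("Return-path") or "").strip()
    if value in ("", "<>"):
        return ""
    return value.strip("<>")


def exim_id(msg):
    """Queue id from the topmost Received: header (the local MTA's hop)."""
    match = re.search(r"\bid (\S+)", msg.get("Received") or "")
    return match.group(1) if match else ""


def forged_bounce_indicators(msg):
    """Signs that a message posing as a bounce came from a mail client.

    Assumed heuristics for this example, not a published signature."""
    found = []
    sender = envelope_sender(msg)
    if sender == "" and (msg.get("X-Mailer") or msg.get("X-MIMEOLE")):
        found.append("null sender but X-Mailer/X-MIMEOLE present")
    if sender == "" and msg.get_content_type() != "multipart/report":
        found.append("null sender but Content-Type is " + msg.get_content_type())
    if (msg.get("From") or "").rstrip().endswith("<>") and msg.get("X-Mailer"):
        found.append("From: claims a delivery system yet carries X-Mailer")
    return found


def reply_target(msg):
    """Where a rejection notice may go: the envelope sender, or None.

    A notice addressed to <> has nowhere to go, and answering a bounce
    (real or forged) only creates mail loops, so the notice is dropped."""
    return envelope_sender(msg) or None


def decide(msg, reason, tod="2001-08-22 06:26:37"):
    """Mirror the trap: log lines, save path and an optional notice.

    $recipients is approximated by X-Envelope-To; tod defaults to the
    constructed timestamp of the log excerpt above."""
    sender = envelope_sender(msg)
    log = [
        "%s %s rejected (%s)" % (tod, exim_id(msg), reason),
        "%s subject: %s" % (tod, msg.get("Subject", "")),
        "%s recipients: %s" % (tod, msg.get("X-Envelope-To", "")),
        "%s returned to: %s" % (tod, sender),
    ]
    return {
        "save": "/var/spool/mail/reject",
        "log": log,
        "notify": reply_target(msg),
        "indicators": forged_bounce_indicators(msg),
    }


if __name__ == "__main__":
    result = decide(parse(SAMPLE), "SirCam signature")
    for line in result["log"]:
        print(line)
    print("notify:", result["notify"])
    for hint in result["indicators"]:
        print("forged-bounce indicator:", hint)
```

Run against the sample, the "returned to:" log line ends empty and reply_target() returns None, so the rejection text is never addressed to <>; the indicator list is what a filter could test before bothering to generate a notice at all.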