Hello,
I am being swamped with "unknown local-part" bounces by someone using my
host name in a collection of spams as the From:. The username they use
does not match a local user name.
I have been reading through Phillip's book, the FAQ and the list archives
for a solution to manually handling the frozen bounces where "The sender
is <>" and the From: is a spoofed unknown local-part. I think this is the
combination that is the problem.
The docs lead me to add "sender_verify" and "headers_sender_verify" and
this is catching only some of the still incoming message bounces due to
other problems with the sender addresses.
I use 'Mailscanner' to check for virii and so have a 2 queue system but
each has the same config apart from the mail queue locations and one doing
"-bd" and the other "-C /etc/exim_outgoing.conf -q10m"
Any ideas on how to not allow these
I have my config info and some examples to share, even the headers for the
mail that is forging my mailserver host name and a local account.:
1. My config: exim -bP
no_accept_8bitmime
accept_timeout = 0s
admin_groups =
no_always_bcc
auth_hosts =
auto_thaw = 35m
bi_command =
check_log_inodes = 0
check_log_space = 0
check_spool_inodes = 0
check_spool_space = 0
no_collapse_source_routes
daemon_smtp_port =
debug_level = -1
delay_warning = 1d
delay_warning_condition = ${if
match{$h_precedence:}{(?i)bulk|list|junk}{no}{yes}}
deliver_load_max = 4.0
deliver_queue_load_max =
delivery_date_remove
dns_again_means_nonexist =
dns_check_names
dns_check_names_pattern =
(?i)^(?>(?(1)\.|())[^\W_](?>[a-z0-9-]*[^\W_])?)+$
dns_retrans = 0s
dns_retry = 0
envelope_to_remove
errmsg_file =
errmsg_text =
errors_address = postmaster
errors_copy =
errors_reply_to =
exim_group = mail
exim_path = /usr/sbin/exim
exim_user = mail
extract_addresses_remove_arguments
finduser_retries = 0
no_forbid_domain_literals
freeze_tell_mailmaster
gecos_name = $1
gecos_pattern = ^([^,:]*)
headers_check_syntax
headers_checks_fail
headers_sender_verify
no_headers_sender_verify_errmsg
helo_accept_junk_hosts =
no_helo_strict_syntax
helo_verify =
hold_domains =
host_accept_relay =
localhost:127.0.0.1/32:142.104.0.0/16:net-lsearch;/var/state/access:!0.0.0.0/0
host_auth_accept_relay =
host_lookup = !net-lsearch;/var/state/access:0.0.0.0/0
host_reject =
host_reject_recipients =
hosts_treat_as_local =
no_ignore_errmsg_errors
ignore_errmsg_errors_after = 0s
ignore_fromline_hosts =
no_ignore_fromline_local
keep_malformed = 4d
kill_ip_options
ldap_default_servers =
local_domains =
localhost:finearts.uvic.ca:*.finearts.uvic.ca:cfuv.uvic.ca:khan.uvic.ca:nero.uvic.ca:maltwood.uvic.ca:kafka.uvic.ca:butterfly.uvic.ca:club.uvic.ca:phoenixtheatres.ca:telebody.ws:cura.ca:[142.104.26.1]
local_domains_include_host
local_domains_include_host_literals
local_interfaces = 142.104.26.1
localhost_number =
locally_caseless
no_log_all_parents
no_log_arguments
log_file_path = /var/log/exim/%slog
log_ip_options
log_level = 5
log_queue_run_level = 0
no_log_received_recipients
no_log_received_sender
no_log_refused_recipients
no_log_rewrites
no_log_smtp_confirmation
no_log_smtp_connections
no_log_smtp_syntax_errors
no_log_subject
lookup_open_max = 25
max_username_length = 0
message_body_visible = 500
message_filter =
message_filter_directory2_transport =
message_filter_directory_transport =
message_filter_file_transport =
message_filter_group =
message_filter_pipe_transport =
message_filter_reply_transport =
message_filter_user =
message_id_header_text =
message_size_limit = 0
no_message_size_limit_count_recipients
never_users = root
nobody_group =
nobody_user =
percent_hack_domains =
pid_file_path = /var/run/exim/exim%s.pid
no_preserve_message_logs
primary_hostname = finearts.uvic.ca
no_print_topbitchars
prod_requires_admin
prohibition_message =
qualify_domain = finearts.uvic.ca
qualify_recipient = finearts.uvic.ca
queue_list_requires_admin
queue_only
queue_only_file =
queue_only_load = 3.0
queue_remote_domains =
no_queue_run_in_order
queue_run_max = 5
queue_smtp_domains =
rbl_domains =
Spews.relays.OsiruSoft.com/reject:relays.ordb.org/reject:blackholes.mail-abuse.org/reject:dialups.mail-abuse.org/reject:relays.mail-abuse.org/reject:inputs.orbz.org/reject
rbl_hosts = !142.104.0.0/16:!net-lsearch;/var/state/access:0.0.0.0/0
rbl_log_headers
rbl_log_rcpt_count
rbl_reject_recipients
rbl_warn_header
received_header_text = Received: ${if def:sender_rcvhost {from
${sender_rcvhost}\n\t}{${if def:sender_ident {from ${sender_ident} }}${if
def:sender_helo_name {(helo=${sender_helo_name})\n\t}}}}by
${primary_hostname} ${if def:received_protocol {with
${received_protocol}}} (Exim)\n\tid ${message_id}${if def:received_for
{\n\tfor <$received_for>}}
received_headers_max = 30
no_receiver_try_verify
receiver_unqualified_hosts =
no_receiver_verify
receiver_verify_addresses =
receiver_verify_hosts = *
receiver_verify_senders =
recipients_max = 0
no_recipients_max_reject
recipients_reject_except = postmaster@???
recipients_reject_except_senders =
refuse_ip_options
relay_domains = *.finearts.uvic.ca
no_relay_domains_include_local_mx
no_relay_match_host_or_sender
remote_max_parallel = 1
remote_sort =
retry_data_expire = 1w
retry_interval_max = 1d
return_path_remove
return_size_limit = 100K
rfc1413_hosts = *
rfc1413_query_timeout = 30s
security = setuid+seteuid
sender_address_relay =
sender_reject =
sender_reject_recipients =
no_sender_try_verify
sender_unqualified_hosts = 142.104.0.0:net-lsearch;/var/state/access
sender_verify
no_sender_verify_batch
no_sender_verify_fixup
sender_verify_hosts = *
sender_verify_max_retry_rate = 12
sender_verify_reject
smtp_accept_keepalive
smtp_accept_max = 20
smtp_accept_max_per_host = 0
smtp_accept_queue = 0
smtp_accept_queue_per_connection = 100
smtp_accept_reserve = 0
smtp_banner = ${primary_hostname} ESMTP Exim ${version_number}
#${compile_number} ${tod_full}
smtp_check_spool_space
smtp_connect_backlog = 5
smtp_etrn_command =
smtp_etrn_hosts =
smtp_etrn_serialize
smtp_expn_hosts =
smtp_load_reserve =
smtp_receive_timeout = 5m
smtp_reserve_hosts =
smtp_verify
no_split_spool_directory
spool_directory = /var/spool/exim_incoming
no_strip_excess_angle_brackets
no_strip_trailing_dot
trusted_groups =
trusted_users = mail:www-data
unknown_login =
unknown_username =
uucp_from_pattern =
^From\s+(\S+)\s+(?:[a-zA-Z]{3},?\s+)?(?:[a-zA-Z]{3}\s+\d?\d|\d?\d\s+[a-zA-Z]{3}\s+\d\d(?:\d\d)?)\s+\d\d?:\d\d?
uucp_from_sender = $1
warnmsg_file =
2. An example mail with forged and unknown-local part.
cat mainlog | grep 16ZPml-0000c9-00:
2002-02-08 21:10:52 16ZPml-0000c9-00 <= <> H=(simplerliving.com)
[216.122.250.126] P=esmtp S=8223
id=200202090510.g195Akk26237@???
2002-02-08 21:10:55 16ZPml-0000c9-00 ** J.Goodman@???:
unknown local-part "j.goodman" in domain "finearts.uvic.ca"
2002-02-08 21:10:55 16ZPmp-0000cs-00 <= <> R=16ZPml-0000c9-00 U=mail
P=local S=554
2002-02-08 21:10:55 16ZPml-0000c9-00 Frozen (delivery error message)
2002-02-08 21:12:36 16ZPml-0000c9-00 Message is frozen
--------------------------------
exim -C /etc/exim_outgoing.conf -Mvl 16ZPml-0000c9-00
2002-02-08 21:10:55 J.Goodman@???: directing failed: unknown
local-part "j.goodman" in domain "finearts.uvic.ca"
*** Frozen (delivery error message)
--------------------------------
exim -C /etc/exim_outgoing.conf -Mvh 16ZPml-0000c9-00
16ZPml-0000c9-00-H
root 0 0
<>
1013231451 0
-host_address 216.122.250.126
-helo_name simplerliving.com
-interface_address 142.104.26.1
-received_protocol esmtp
-body_linecount 193
-frozen 1013231455
-host_lookup_failed
XX
1
J.Goodman@???
185P Received: from [216.122.250.126] (helo=simplerliving.com)
by finearts.uvic.ca with esmtp (Exim)
id 16ZPml-0000c9-00
for <J.Goodman@???>; Fri, 08 Feb 2002 21:10:52 -0800
161P Received: from localhost (localhost)
by simplerliving.com (8.11.0/8.11.0) id g195Akk26237;
Fri, 8 Feb 2002 21:10:46 -0800 (PST)
(envelope-from MAILER-DAEMON)
043 Date: Fri, 8 Feb 2002 21:10:46 -0800 (PST)
064F From: Mail Delivery Subsystem <MAILER-DAEMON@???>
058I Message-Id: <200202090510.g195Akk26237@???>
033T To: <J.Goodman@???>
018 MIME-Version: 1.0
115 Content-Type: multipart/report; report-type=delivery-status;
boundary="g195Akk26237.1013231446/simplerliving.com"
051 Subject: Returned mail: see transcript for details
041 Auto-Submitted: auto-generated (failure)
060 X-VirusScanned-by-Sophos-via-MailScanner: Found to be clean
--------------------------------
This is the headers of the email someone is sending out. Arrrrrr. There
are now 5 distinct IP sources for these mails from all over the world
either hacked machines or ....
Return-Path: <J.Goodman@???>
Received: from mail.ecepdi.stn.sh.cn ([61.129.49.156])
by simplerliving.com (8.11.0/8.11.0) with ESMTP id g195Agk26233
for <booksales@???>; Fri, 8 Feb 2002 21:10:43 -0800
(PST)
(envelope-from J.Goodman@???)
Date: Fri, 8 Feb 2002 21:10:43 -0800 (PST)
Received: from khan.finearts.uvic.ca (61.129.53.123 [61.129.53.123]) by
mail.ecepdi.stn.sh.cn with SMTP (Microsoft Exchange Internet Mail Service
Version 5.5.1960.3)
id 1SJJ1R9G; Sat, 9 Feb 2002 11:13:21 +0800
From: "J.Goodman@???" <J.Goodman@???>
To: "6856@???" <6856@???>
Message-ID: <1013245860.0541612568@???>
Subject: Why Fly If You Don't Have To?
MIME-Version: 1.0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<HTML><HEAD><TITLE>Take Control Of Your Conference Calls</TITLE>
Dave,
--
David Broome Programmer-Analyst.FineArts.UVic.CA /BSc /CNA /MCP
250.721-6307 dbroome@??? FIA 221
