Re: [Exim] Spoofed hostname and local-part bounces.

Author: Dave C.
Date:
To: David Broome
CC: exim-users, dbroome
Subject: Re: [Exim] Spoofed hostname and local-part bounces.
On Fri, 8 Feb 2002, David Broome wrote:

> Hello,
>
> I am being swamped with "unknown local-part" bounces by someone using my
> host name in a collection of spams as the From:. The username they use
> does not match a local user name.
>
> I have been reading through Phillip's book, the FAQ and the list archives
> for a solution to manually handling the frozen bounces where "The sender
> is <>" and the From: is a spoofed unknown local-part. I think this is the
> combination that is the problem.
>
> The docs lead me to add "sender_verify" and "headers_sender_verify" and
> this is catching only some of the still incoming message bounces due to
> other problems with the sender addresses.


You want "receiver_verify" to prevent your host from accepting the
bounce messages addressed to invalid local users.


>
> I use 'Mailscanner' to check for virii and so have a 2 queue system but
> each has the same config apart from the mail queue locations and one doing
> "-bd" and the other "-C /etc/exim_outgoing.conf -q10m"
>
> Any ideas on how to not allow these
>
> I have my config info and some examples to share, even the headers for the
> mail that is forging my mailserver host name and a local account.:
>
> 1. My config: exim -bP
>
> no_accept_8bitmime
> accept_timeout = 0s
> admin_groups =
> no_always_bcc
> auth_hosts =
> auto_thaw = 35m
> bi_command =
> check_log_inodes = 0
> check_log_space = 0
> check_spool_inodes = 0
> check_spool_space = 0
> no_collapse_source_routes
> daemon_smtp_port =
> debug_level = -1
> delay_warning = 1d
> delay_warning_condition = ${if match{$h_precedence:}{(?i)bulk|list|junk}{no}{yes}}
> deliver_load_max = 4.0
> deliver_queue_load_max =
> delivery_date_remove
> dns_again_means_nonexist =
> dns_check_names
> dns_check_names_pattern = (?i)^(?>(?(1)\.|())[^\W_](?>[a-z0-9-]*[^\W_])?)+$
> dns_retrans = 0s
> dns_retry = 0
> envelope_to_remove
> errmsg_file =
> errmsg_text =
> errors_address = postmaster
> errors_copy =
> errors_reply_to =
> exim_group = mail
> exim_path = /usr/sbin/exim
> exim_user = mail
> extract_addresses_remove_arguments
> finduser_retries = 0
> no_forbid_domain_literals
> freeze_tell_mailmaster
> gecos_name = $1
> gecos_pattern = ^([^,:]*)
> headers_check_syntax
> headers_checks_fail
> headers_sender_verify
> no_headers_sender_verify_errmsg
> helo_accept_junk_hosts =
> no_helo_strict_syntax
> helo_verify =
> hold_domains =
> host_accept_relay = localhost:127.0.0.1/32:142.104.0.0/16:net-lsearch;/var/state/access:!0.0.0.0/0
> host_auth_accept_relay =
> host_lookup = !net-lsearch;/var/state/access:0.0.0.0/0
> host_reject =
> host_reject_recipients =
> hosts_treat_as_local =
> no_ignore_errmsg_errors
> ignore_errmsg_errors_after = 0s
> ignore_fromline_hosts =
> no_ignore_fromline_local
> keep_malformed = 4d
> kill_ip_options
> ldap_default_servers =
> local_domains = localhost:finearts.uvic.ca:*.finearts.uvic.ca:cfuv.uvic.ca:khan.uvic.ca:nero.uvic.ca:maltwood.uvic.ca:kafka.uvic.ca:butterfly.uvic.ca:club.uvic.ca:phoenixtheatres.ca:telebody.ws:cura.ca:[142.104.26.1]
> local_domains_include_host
> local_domains_include_host_literals
> local_interfaces = 142.104.26.1
> localhost_number =
> locally_caseless
> no_log_all_parents
> no_log_arguments
> log_file_path = /var/log/exim/%slog
> log_ip_options
> log_level = 5
> log_queue_run_level = 0
> no_log_received_recipients
> no_log_received_sender
> no_log_refused_recipients
> no_log_rewrites
> no_log_smtp_confirmation
> no_log_smtp_connections
> no_log_smtp_syntax_errors
> no_log_subject
> lookup_open_max = 25
> max_username_length = 0
> message_body_visible = 500
> message_filter =
> message_filter_directory2_transport =
> message_filter_directory_transport =
> message_filter_file_transport =
> message_filter_group =
> message_filter_pipe_transport =
> message_filter_reply_transport =
> message_filter_user =
> message_id_header_text =
> message_size_limit = 0
> no_message_size_limit_count_recipients
> never_users = root
> nobody_group =
> nobody_user =
> percent_hack_domains =
> pid_file_path = /var/run/exim/exim%s.pid
> no_preserve_message_logs
> primary_hostname = finearts.uvic.ca
> no_print_topbitchars
> prod_requires_admin
> prohibition_message =
> qualify_domain = finearts.uvic.ca
> qualify_recipient = finearts.uvic.ca
> queue_list_requires_admin
> queue_only
> queue_only_file =
> queue_only_load = 3.0
> queue_remote_domains =
> no_queue_run_in_order
> queue_run_max = 5
> queue_smtp_domains =
> rbl_domains = Spews.relays.OsiruSoft.com/reject:relays.ordb.org/reject:blackholes.mail-abuse.org/reject:dialups.mail-abuse.org/reject:relays.mail-abuse.org/reject:inputs.orbz.org/reject
> rbl_hosts = !142.104.0.0/16:!net-lsearch;/var/state/access:0.0.0.0/0
> rbl_log_headers
> rbl_log_rcpt_count
> rbl_reject_recipients
> rbl_warn_header
> received_header_text = Received: ${if def:sender_rcvhost {from
> ${sender_rcvhost}\n\t}{${if def:sender_ident {from ${sender_ident} }}${if
> def:sender_helo_name {(helo=${sender_helo_name})\n\t}}}}by
> ${primary_hostname} ${if def:received_protocol {with
> ${received_protocol}}} (Exim)\n\tid ${message_id}${if def:received_for
> {\n\tfor <$received_for>}}
> received_headers_max = 30
> no_receiver_try_verify
> receiver_unqualified_hosts =
> no_receiver_verify
> receiver_verify_addresses =
> receiver_verify_hosts = *
> receiver_verify_senders =
> recipients_max = 0
> no_recipients_max_reject
> recipients_reject_except = postmaster@???
> recipients_reject_except_senders =
> refuse_ip_options
> relay_domains = *.finearts.uvic.ca
> no_relay_domains_include_local_mx
> no_relay_match_host_or_sender
> remote_max_parallel = 1
> remote_sort =
> retry_data_expire = 1w
> retry_interval_max = 1d
> return_path_remove
> return_size_limit = 100K
> rfc1413_hosts = *
> rfc1413_query_timeout = 30s
> security = setuid+seteuid
> sender_address_relay =
> sender_reject =
> sender_reject_recipients =
> no_sender_try_verify
> sender_unqualified_hosts = 142.104.0.0:net-lsearch;/var/state/access
> sender_verify
> no_sender_verify_batch
> no_sender_verify_fixup
> sender_verify_hosts = *
> sender_verify_max_retry_rate = 12
> sender_verify_reject
> smtp_accept_keepalive
> smtp_accept_max = 20
> smtp_accept_max_per_host = 0
> smtp_accept_queue = 0
> smtp_accept_queue_per_connection = 100
> smtp_accept_reserve = 0
> smtp_banner = ${primary_hostname} ESMTP Exim ${version_number} #${compile_number} ${tod_full}
> smtp_check_spool_space
> smtp_connect_backlog = 5
> smtp_etrn_command =
> smtp_etrn_hosts =
> smtp_etrn_serialize
> smtp_expn_hosts =
> smtp_load_reserve =
> smtp_receive_timeout = 5m
> smtp_reserve_hosts =
> smtp_verify
> no_split_spool_directory
> spool_directory = /var/spool/exim_incoming
> no_strip_excess_angle_brackets
> no_strip_trailing_dot
> trusted_groups =
> trusted_users = mail:www-data
> unknown_login =
> unknown_username =
> uucp_from_pattern = ^From\s+(\S+)\s+(?:[a-zA-Z]{3},?\s+)?(?:[a-zA-Z]{3}\s+\d?\d|\d?\d\s+[a-zA-Z]{3}\s+\d\d(?:\d\d)?)\s+\d\d?:\d\d?
> uucp_from_sender = $1
> warnmsg_file =
>
>
> 2. An example mail with forged and unknown-local part.
>
> cat mainlog | grep 16ZPml-0000c9-00:
>
> 2002-02-08 21:10:52 16ZPml-0000c9-00 <= <> H=(simplerliving.com)
> [216.122.250.126] P=esmtp S=8223
> id=200202090510.g195Akk26237@???
> 2002-02-08 21:10:55 16ZPml-0000c9-00 ** J.Goodman@???:
> unknown local-part "j.goodman" in domain "finearts.uvic.ca"
> 2002-02-08 21:10:55 16ZPmp-0000cs-00 <= <> R=16ZPml-0000c9-00 U=mail
> P=local S=554
> 2002-02-08 21:10:55 16ZPml-0000c9-00 Frozen (delivery error message)
> 2002-02-08 21:12:36 16ZPml-0000c9-00 Message is frozen
> --------------------------------
>
> exim -C /etc/exim_outgoing.conf -Mvl 16ZPml-0000c9-00
>
> 2002-02-08 21:10:55 J.Goodman@???: directing failed: unknown
> local-part "j.goodman" in domain "finearts.uvic.ca"
> *** Frozen (delivery error message)
> --------------------------------
>
> exim -C /etc/exim_outgoing.conf -Mvh 16ZPml-0000c9-00
>
> 16ZPml-0000c9-00-H
> root 0 0
> <>
> 1013231451 0
> -host_address 216.122.250.126
> -helo_name simplerliving.com
> -interface_address 142.104.26.1
> -received_protocol esmtp
> -body_linecount 193
> -frozen 1013231455
> -host_lookup_failed
> XX
> 1
> J.Goodman@???
>
> 185P Received: from [216.122.250.126] (helo=simplerliving.com)
>         by finearts.uvic.ca with esmtp (Exim)
>         id 16ZPml-0000c9-00
>         for <J.Goodman@???>; Fri, 08 Feb 2002 21:10:52 -0800
> 161P Received: from localhost (localhost)
>         by simplerliving.com (8.11.0/8.11.0) id g195Akk26237;
>         Fri, 8 Feb 2002 21:10:46 -0800 (PST)
>         (envelope-from MAILER-DAEMON)
> 043  Date: Fri, 8 Feb 2002 21:10:46 -0800 (PST)
> 064F From: Mail Delivery Subsystem <MAILER-DAEMON@???>
> 058I Message-Id: <200202090510.g195Akk26237@???>
> 033T To: <J.Goodman@???>
> 018  MIME-Version: 1.0
> 115  Content-Type: multipart/report; report-type=delivery-status;
>         boundary="g195Akk26237.1013231446/simplerliving.com"
> 051  Subject: Returned mail: see transcript for details
> 041  Auto-Submitted: auto-generated (failure)
> 060  X-VirusScanned-by-Sophos-via-MailScanner: Found to be clean
> --------------------------------
>
> These are the headers of the email someone is sending out. Arrrrrr. There
> are now 5 distinct IP sources for these mails from all over the world,
> either hacked machines or ....
>
> Return-Path: <J.Goodman@???>
> Received: from mail.ecepdi.stn.sh.cn ([61.129.49.156])
>         by simplerliving.com (8.11.0/8.11.0) with ESMTP id g195Agk26233
>         for <booksales@???>; Fri, 8 Feb 2002 21:10:43 -0800 (PST)
>         (envelope-from J.Goodman@???)
> Date: Fri, 8 Feb 2002 21:10:43 -0800 (PST)
> Received: from khan.finearts.uvic.ca (61.129.53.123 [61.129.53.123]) by
> mail.ecepdi.stn.sh.cn with SMTP (Microsoft Exchange Internet Mail Service
> Version 5.5.1960.3)
>         id 1SJJ1R9G; Sat, 9 Feb 2002 11:13:21 +0800
> From: "J.Goodman@???" <J.Goodman@???>
> To: "6856@???" <6856@???>
> Message-ID: <1013245860.0541612568@???>
> Subject: Why Fly If You Don't Have To?
> MIME-Version: 1.0
> Content-Type: text/html;
>         charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
> <HTML><HEAD><TITLE>Take Control Of Your Conference Calls</TITLE>
>
> Dave,
> --
> David Broome   Programmer-Analyst.FineArts.UVic.CA  /BSc /CNA /MCP
> 250.721-6307   dbroome@???                FIA 221
>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##

--
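The pattern Dave points at can be picked out of the mainlog excerpt quoted above: a message from the null sender (`<= <>`) accepted over SMTP, then failed with `unknown local-part`, then frozen because the failure report for a bounce cannot itself be bounced. The script below is an added example, not Exim code and not anything posted to the list. It parses mainlog lines of that shape, lists which connecting hosts delivered such bounces (the post mentions five distinct sources), and reads an `exim -bP` dump to confirm whether `receiver_verify` is actually on. The quoted dump shows `no_receiver_verify` next to `receiver_verify_hosts = *`, so the host list is set but verification is switched off. The sample log lines and option lines are constructed from the excerpts in the post; addresses the archive masked as `@???` are completed with the domain the failure line itself names (finearts.uvic.ca), and the second, ordinary delivery is invented to show a non-match.

```python
"""Triage for the backscatter pattern in this thread (added example; not
Exim code and not anything posted to the list).

Two checks a postmaster would want while deciding on receiver_verify:
  1. pick the frozen null-sender bounces for unknown local-parts out of
     the mainlog and report which connecting hosts delivered them;
  2. read 'exim -bP' output to confirm whether recipient verification
     is really on.
"""
import re
from collections import Counter, defaultdict

# Exim message ids have the shape 16ZPml-0000c9-00 (6-6-2 characters).
MSGID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>" + MSGID + r") (?P<rest>.*)$")
# 'H=name (helo) [ip]'; the name is absent and only the HELO is shown, in
# parentheses, when reverse lookup failed (the -host_lookup_failed flag in
# the -Mvh dump quoted in the post).
HOST_RE = re.compile(
    r"H=(?:(?P<name>[^\s(\[]+) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]")

# Constructed sample: the post's mainlog excerpt (masked addresses completed)
# plus one ordinary, unrelated delivery that must not be flagged.
SAMPLE_MAINLOG = """\
2002-02-08 21:10:52 16ZPml-0000c9-00 <= <> H=(simplerliving.com) [216.122.250.126] P=esmtp S=8223
2002-02-08 21:10:55 16ZPml-0000c9-00 ** J.Goodman@finearts.uvic.ca: unknown local-part "j.goodman" in domain "finearts.uvic.ca"
2002-02-08 21:10:55 16ZPmp-0000cs-00 <= <> R=16ZPml-0000c9-00 U=mail P=local S=554
2002-02-08 21:10:55 16ZPml-0000c9-00 Frozen (delivery error message)
2002-02-08 21:12:36 16ZPml-0000c9-00 Message is frozen
2002-02-08 21:20:01 16ZQ0a-0000d1-00 <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtp S=1200
2002-02-08 21:20:02 16ZQ0a-0000d1-00 => bob <bob@finearts.uvic.ca> D=localuser T=local_delivery
2002-02-08 21:20:02 16ZQ0a-0000d1-00 Completed
"""

# Constructed sample: the relevant lines of the post's 'exim -bP' dump.
SAMPLE_EXIM_BP = """\
no_receiver_try_verify
no_receiver_verify
receiver_verify_hosts = *
sender_verify
sender_verify_hosts = *
"""


def _new_record():
    return {"sender": None, "host": None, "helo": None, "ip": None,
            "local_origin": False, "failures": [], "frozen": False}


def parse_mainlog(text):
    """Group mainlog lines by message id into a small per-message record."""
    msgs = defaultdict(_new_record)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec, rest = msgs[m.group("id")], m.group("rest")
        if rest.startswith("<= "):                      # message arrived
            rec["sender"] = rest.split()[1]             # '<>' is the null sender
            rec["local_origin"] = " P=local" in rest    # generated on this host
            h = HOST_RE.search(rest)
            if h:
                rec["host"], rec["helo"], rec["ip"] = h.group("name", "helo", "ip")
        elif rest.startswith("** "):                    # permanent failure
            addr, _, reason = rest[3:].partition(": ")
            rec["failures"].append((addr, reason))
        elif rest.startswith("Frozen"):
            rec["frozen"] = True
    return dict(msgs)


def find_backscatter(text):
    """Messages matching the thread's pattern: null envelope sender, received
    over SMTP from another host, failed because the recipient local-part does
    not exist. With receiver_verify on these are refused at RCPT time instead."""
    hits = []
    for mid, rec in parse_mainlog(text).items():
        if rec["sender"] != "<>" or rec["local_origin"]:
            continue
        bad = [a for a, reason in rec["failures"] if "unknown local-part" in reason]
        if bad:
            hits.append({"id": mid, "ip": rec["ip"], "helo": rec["helo"],
                         "recipients": bad, "frozen": rec["frozen"]})
    return hits


def source_counts(hits):
    """How many of the flagged bounces each connecting IP delivered."""
    return dict(Counter(h["ip"] for h in hits))


def receiver_verify_enabled(bp_text):
    """In 'exim -bP' output a boolean prints as its bare name when on and
    with a 'no_' prefix when off; returns None if the option is absent."""
    names = {line.strip() for line in bp_text.splitlines()}
    if "receiver_verify" in names:
        return True
    if "no_receiver_verify" in names:
        return False
    return None


if __name__ == "__main__":
    hits = find_backscatter(SAMPLE_MAINLOG)
    for h in hits:
        print(f'{h["id"]}: from {h["ip"]} (helo={h["helo"]}) '
              f'for {", ".join(h["recipients"])}{" [frozen]" if h["frozen"] else ""}')
    print("sources:", source_counts(hits))
    print("receiver_verify on:", receiver_verify_enabled(SAMPLE_EXIM_BP))
```

Run against a real mainlog by passing its contents to `find_backscatter`. The point of the second check is the one Dave makes: with `receiver_verify` on, Exim 3 looks the recipient up during the SMTP dialogue and rejects the RCPT for a non-existent local user, so nothing is accepted and nothing can freeze (Exim 4 does the same with `verify = recipient` in the RCPT ACL). The `sender_verify` options in the dump cannot catch these messages, because a bounce carries the empty envelope sender `<>`, which there is nothing to verify.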