Re: [Exim] mysterious TO: headers

Author: Dave C.
Date:  
To: Jim Savoy
CC: exim-users
Subject: Re: [Exim] mysterious TO: headers
On Fri, 24 May 2002, Jim Savoy wrote:

>
> Hello all - I am running exim 4.04 with Redhat 7.2. There is a
> certain type of spam getting through that is baffling me. In the
> exim logs it looks like this:
>
> 2002-05-24 13:42:06 17BKwp-0007yZ-00 <= Drugs@???
> H=(211.34.117.62) [211.34.117.62]:2987 I=[142.66.3.44]:25
> P=smtp S=7927 T="Please verify your identity for this drug offers"
> from <Drugs@???> for savoy@???
>
>
> 211.34.117.62 is the sending site, 142.66.3.44 is our mail
> gateway, a machine called mensa.uleth.ca, and savoy@???
> is where this message winds up (hg.uleth.ca being one of the
> domains mensa relays mail to).
>
> But when I login to my hg.uleth.ca account and view all the
> headers, there is no mention of this message being destined
> to savoy@???. The only relevant headers are:
>
> To: recipients@???
>
> or sometimes, something like:
>
> To: dvincent@???



Welcome to the difference between the SMTP envelope and the message's
headers. The headers DO NOT have anything to do with where a message
gets delivered - only the envelope does.

BTW, this is not anything new. Most spam these days has junk or forged
To and From headers.

Actually, one of my more effective spam filters specifically counts on
it. I check the To and Cc lines for all the addresses that are supposed
to come to me, including exceptions for certain lists and whatnot, and
if none of them are there, it gets thrown into a junk folder that I look
at once in a while to see if anything legit went there - nothing ever
has (well, some messages to a list that I forgot to add to my exceptions
once, but that was my fault, and it wasn't all that terribly important a
list anyway, which probably explains why I forgot to include it)

>
> and that's it!
>
> I want to write a filter to turf this stuff, but I am not sure how to
> do it. I don't think the sending site is actually putting
> "mensa.uleth.ca" in the headers. I think they are somehow
> putting nothing but "recipients" or "dvincent" in the To: headers,
> and the "qualify_domain" is getting tacked on (since there is no
> domain part). But even that isn't exactly clear to me. I would actually
> like to prevent exim from adding mensa.uleth.ca to anything, since
> that machine has no local users and does nothing but relay mail to
> valid domains. But I am not sure how to do this. If I leave
> "qualify_domain" blank (in the exim configure file) it uses the
> "primary_domain" setting instead, and this is also set to mensa.uleth.ca.
> Is there a way to tell exim that the mail should be rejected if
> it contains only a local part and no domain?
>
>
> If anyone has any ideas on what is happening and how I can
> block it, I would appreciate it. I do not want to use smtp_callbacks
> (which would block this mail immediately, since Drugs@???
> does not exist) but would rather figure out a way to accept the
> mail and then freeze it or bit-bucket it. Thanks in advance!
>
> - jim -
>
>
>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
>
>



--
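The header check Dave describes, as an added example that is not from the original post and not Exim's own filter code: it parses To:/Cc: the way a mail reader would, treats a known list address or List-Id as an exception, and files everything else as junk. The envelope recipient (what Exim logs as "for ...") is passed in separately, because it is not in the headers at all. All addresses, list names and sample messages below are constructed for the example.

```python
"""Classify mail by whether *my* addresses appear in To:/Cc: (added example).

Delivery was decided by the SMTP envelope (RCPT TO), which Exim logs as
'for <addr>'.  The To:/Cc: headers are free text written by the sender and
can say anything, which is exactly what forged spam exploits.  The filter
below does what the reply describes: accept if one of my addresses is named
in To:/Cc: or the mail comes from a list I know, otherwise junk it.
"""
from email import message_from_string
from email.utils import getaddresses

# Assumed for illustration (not from the original post): addresses that
# legitimately deliver to me, and lists whose mail never names me directly.
MY_ADDRESSES = {"me@example.org", "postmaster@example.org"}
LIST_ADDRESSES = {"list@lists.example"}


def header_recipients(msg):
    """Lower-cased set of addresses named in To:/Cc:, handling display names,
    comma-separated lists and repeated header fields via getaddresses()."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def classify(raw, envelope_rcpt, my_addresses=MY_ADDRESSES,
             lists=LIST_ADDRESSES):
    """Return a dict with 'verdict' ('inbox' or 'junk'), the reason, the
    recipients found in the headers, and whether the envelope recipient
    was mentioned in the headers at all (for forged spam it usually is not)."""
    msg = message_from_string(raw)
    named = header_recipients(msg)
    mine = {a.lower() for a in my_addresses}
    known_lists = {a.lower() for a in lists}
    # List-Id is usually "<local.domain>", so compare against local.domain form.
    list_id = (msg.get("List-Id") or "").lower()
    from_known_list = bool(named & known_lists) or any(
        l.replace("@", ".") in list_id for l in known_lists)

    if named & mine:
        verdict, reason = "inbox", "one of my addresses is in To:/Cc:"
    elif from_known_list:
        verdict, reason = "inbox", "known mailing list"
    else:
        verdict, reason = "junk", "none of my addresses or lists in To:/Cc:"
    return {
        "verdict": verdict,
        "reason": reason,
        "header_recipients": sorted(named),
        "envelope_in_headers": envelope_rcpt.lower() in named,
    }


# Constructed sample messages (not real mail, not from the original post).
SPAM = "\r\n".join([
    "From: Sender <spammer@example.com>",
    "To: recipients@gateway.example",   # forged: says nothing about me
    "Subject: Please verify your identity",
    "", "body", ""])
LEGIT = "\r\n".join([
    "From: A Friend <friend@example.net>",
    'To: "Me Myself" <Me@Example.org>',  # display name + mixed case
    "Subject: hello",
    "", "body", ""])
CC_ONLY = "\r\n".join([
    "From: A Friend <friend@example.net>",
    "To: other@example.net",
    "Cc: me@example.org",
    "Subject: fyi",
    "", "body", ""])
LIST_MAIL = "\r\n".join([
    "From: Someone <someone@example.net>",
    "To: list@lists.example",
    "List-Id: <list.lists.example>",
    "Subject: [list] question",
    "", "body", ""])

if __name__ == "__main__":
    # The envelope recipient is what Exim logged; it never appears in the spam.
    for name, raw in [("spam", SPAM), ("legit", LEGIT),
                      ("cc_only", CC_ONLY), ("list", LIST_MAIL)]:
        print(name, classify(raw, "me@example.org"))
```

Running it shows the spam filed as junk with envelope_in_headers False, while a direct mail, a Cc-only mail and list traffic all stay in the inbox; as Dave notes, the junk folder still wants an occasional look for lists you forgot to add to the exceptions.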