[Exim] Forged addresses from virus detectors

Author: Greg Ward
Date:  
To: exim-users
Subject: [Exim] Forged addresses from virus detectors
Forged envelope senders from viruses are bad enough, but now I'm seeing
mail (apparently) from "friendly" virus detectors with forged senders
(and "From" headers too).

E.g. it appears that at 30 May 2002 22:47 +0200, software on
webmail.fmcf.fr detected a virus that it thought had something to do
with either or both of python-dev@??? and postmaster@???.
So, naturally, it sent a "friendly notification" to those two addresses,
with forged envelope sender and "From" header of postmaster@???:

------------------------------------------------------------------------
>From postmaster@??? Thu May 30 16:48:12 2002

Return-path: <postmaster@???>
Received: from smtp1.fmcf.fr ([160.92.109.45] helo=webmail.fmcf.fr)
        by mail.python.org with esmtp (Exim 4.02)
        id 17DWq5-0003GJ-00; Thu, 30 May 2002 16:48:05 -0400
Received: by webmail.fmcf.fr (5.5.029) id 3CEE5C170000964D; Thu, 30 May 2002
22:47:59 +0200
Message-ID: <3CEE5C170000964D@???> (added by
postmaster@???)
Date: Thu, 30 May 2002 22:47:58 +0100
From: postmaster <postmaster@???>
To: python-dev@???, postmaster@???
Subject: Returned mail--"on Tue 4 Jul 2000 17"
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable


*** A virus was detected by the security administrator; this message was
discarded ***
------------------------------------------------------------------------

Boy, this kind of thing ticks me off. Not only does the stupid thing
tell the ~300 people on python-dev about a virus that they had nothing
to do with and don't care about, it *lies* about itself, presumably to
sneak past filters!

So now I'm thinking there has to be a way to disallow this with Exim 4
ACLs. I can think of no reason in the universe why any agent on any
host other than mail.python.org (ok, maybe www.python.org) should be
allowed to originate a message claiming
MAIL FROM:<postmaster@???>. I can't do anything about the other X
bazillion Internet hosts in the world, but at least I can defend
mail.python.org from this kind of forgery. Ditto for other
non-human addresses: webmaster@???, *-admin@??? (for
Mailman lists), etc.

[...a few moments pass...]

OK, that was easy to add to the check_recipient ACL:

  deny    hosts   = !127.0.0.1
          senders = postmaster@???:\
                    webmaster@???
          message = forged sender address


I'll probably factor the list of "local-only senders" out to a separate
file, but I'm happy with the proof of principle.

Two questions for the crowd:

* can anyone think of any reason why this might be a bad idea?

* short of local_scan(), is it possible to extend this to the message
  headers?  I.e. never mind the envelope sender, if the message
  contains "From: postmaster@???" I'd like to bounce it as
  well.


Thanks --

        Greg
--
Greg Ward - software developer                gward@???
MEMS Exchange                            http://www.mems-exchange.org
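The following is an added Exim 4 configuration example, not part of Greg's post and not taken from the python.org configuration. It shows both things the post discusses: the "local-only senders" list factored out into a file (used by the RCPT-time ACL exactly as Greg's inline version is), and an answer to the second question, a DATA-time ACL that rejects a message whose From: header claims one of those addresses without going through local_scan(). The domain example.org, the host list name local_hosts, the ACL names, and the file path /etc/exim/local-only-senders are placeholders chosen for the example; the real addresses are elided on the page.

```exim
# Added example (not from the original post). Main configuration section.
# Hosts that are allowed to originate mail from the local-only addresses.
# 127.0.0.1 mirrors the post; add the other trusted MTAs' addresses here.
hostlist local_hosts = 127.0.0.1

acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message

begin acl

check_recipient:
  # Envelope-sender check. The file holds one address pattern per line,
  # e.g. (placeholder domain):
  #   postmaster@example.org
  #   webmaster@example.org
  #   ^.*-admin@example\.org$      (regexp item for the Mailman -admin addresses)
  # Rejecting here happens during the SMTP dialogue, so no bounce is
  # generated to the (forged) envelope sender.
  deny    hosts   = !+local_hosts
          senders = /etc/exim/local-only-senders
          message = forged sender address: local-only address from a remote host

  accept

check_message:
  # Header check, run once the whole message has arrived. $h_from: expands to
  # the From: header; the regexp is matched case-insensitively. Extend the
  # alternation to cover every address in the senders file above.
  deny    hosts     = !+local_hosts
          condition = ${if match{$h_from:}{(?i)(postmaster|webmaster)@example\.org}}
          message   = forged From: header: local-only address from a remote host

  accept
```

Two caveats worth checking before deploying something like this. First, both deny statements key only on the connecting host, so mail that legitimate users submit to this server from elsewhere with SMTP AUTH would also be refused; if that is a supported path, an `accept authenticated = *` statement placed before each deny exempts it. Second, a DATA-time rejection still costs the bandwidth of receiving the body, whereas the RCPT-time check refuses before the body is sent, so the envelope check remains the cheaper first line of defence and the header check only catches what slips past it.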