Re: [Exim] Forged addresses from virus detectors

Author: Greg Ward
Date:
To: exim-users
Subject: Re: [Exim] Forged addresses from virus detectors
On 01 June 2002, dman said:
> The only identifying feature of this mail is the (rather worthless)
> body :
>
> | *** A virus was detected by the security administrator; this message was
> | discarded ***


Yes, it's somewhat less than helpful.

> Was this really split on 2 lines in the original? If so that makes it
> a bit more complicated ... hmm, not much since exim compresses
> newlines into whitespace, a regex could easily handle that (but it
> would get ugly fast if you allow for variations in the line breaks).


No, I munged it. Oops.

> In the "data" acl :
>
> deny    condition = ${if contains {$message_body} {"*** A virus was detected by the security administrator; this message was discarded ***"} {1}{0}}
>         message   = "I hate stupid virus alerts.  I don't have a virus, don't alert me!"


But that only protects against this one particular stupid virus
detector. This is not the first one I've seen that, when sending a
virus warning to X@???, forges a sender of
postmaster@???. That's just so utterly completely wrong that I
want to ban it completely. My original ACL:

  deny    hosts   = !127.0.0.1
          senders = postmaster@???:\
                    postmaster@???:\
                    webmaster@???:\
                    webmaster@???
          message = forged sender address


seems to work just fine, although I do plan to elaborate it somewhat.

        Greg
--
Greg Ward - software developer                gward@???
MEMS Exchange                            http://www.mems-exchange.org
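
An added example, not part of the post above and not Exim's own code: a log review that lists which already-accepted messages the "forged sender address" ACL would have refused, useful before switching such a rule on. It assumes Exim main log arrival (`<=`) lines; the domains `example.org` and `example.net` stand in for the elided local domains, the function names are hypothetical, and the sample log lines are constructed.

```python
import re

# Assumption: placeholder local domains; the real ones are elided in the post.
LOCAL_DOMAINS = {"example.org", "example.net"}
ROLE_LOCAL_PARTS = {"postmaster", "webmaster"}
TRUSTED_HOSTS = {"127.0.0.1"}  # mirrors "hosts = !127.0.0.1" in the ACL

# Arrival line in the Exim main log: "<date> <time> <msgid> <= <sender> ..."
ARRIVAL = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+)(?P<rest>.*)$")
HOST_IP = re.compile(r" H=[^\[]*\[(?P<ip>[^\]]+)\]")  # remote host IP, if any


def would_deny(sender, ip):
    """Approximate the ACL: local role sender arriving from a non-local host."""
    if ip is None or ip in TRUSTED_HOSTS:  # local submission or loopback
        return False
    local, _, domain = sender.rpartition("@")  # "<>" (bounce) has no local part
    return local.lower() in ROLE_LOCAL_PARTS and domain.lower() in LOCAL_DOMAINS


def forged_arrivals(log_lines):
    """Return (message id, sender, remote ip) for arrivals the ACL would deny."""
    hits = []
    for line in log_lines:
        m = ARRIVAL.match(line)
        if not m:  # deliveries ("=>"), completions and other lines are skipped
            continue
        host = HOST_IP.search(m.group("rest"))
        ip = host.group("ip") if host else None
        if would_deny(m.group("sender"), ip):
            hits.append((m.group("id"), m.group("sender"), ip))
    return hits


# Constructed sample log lines (not taken from the post).
SAMPLE_LOG = [
    "2002-06-01 10:00:01 17E5aB-0001Xy-00 <= postmaster@example.org H=av.remote.example [192.0.2.10] P=esmtp S=1420",
    "2002-06-01 10:00:02 17E5aB-0001Xy-00 => gward <gward@example.org> D=localuser T=local_delivery",
    "2002-06-01 10:01:10 17E5bC-0002Zz-00 <= postmaster@example.org H=localhost [127.0.0.1] P=smtp S=800",
    "2002-06-01 10:02:30 17E5cD-0003Qr-00 <= webmaster@example.net H=(mailgw) [198.51.100.7] P=smtp S=2210",
    "2002-06-01 10:03:00 17E5dE-0004Aa-00 <= webmaster@example.net U=www P=local S=640",
    "2002-06-01 10:04:15 17E5eF-0005Bb-00 <= someone@remote.example H=mx.remote.example [192.0.2.44] P=esmtp S=3100",
    "2002-06-01 10:05:20 17E5fG-0006Cc-00 <= <> H=mx.remote.example [192.0.2.44] P=esmtp S=1900",
]

if __name__ == "__main__":
    for hit in forged_arrivals(SAMPLE_LOG):
        print(*hit)
```

Any hit that turns out to be a legitimate internal relay belongs in the trusted host set before the deny rule is enabled.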