Re: [Exim] Forged addresses from virus detectors

Author: dman
Date:  
To: exim-users
Subject: Re: [Exim] Forged addresses from virus detectors
--
On Mon, Jun 03, 2002 at 09:34:51AM -0400, Greg Ward wrote:
| On 01 June 2002, dman said:
| > The only identifying feature of this mail is the (rather worthless)
| > body:
| >
| > | *** A virus was detected by the security administrator; this message was
| > | discarded ***
|
| Yes, it's somewhat less than helpful.
|
| > Was this really split on 2 lines in the original? If so that makes it
| > a bit more complicated ... hmm, not much since exim compresses
| > newlines into whitespace, a regex could easily handle that (but it
| > would get ugly fast if you allow for variations in the line breaks).
|
| No, I munged it. Oops.

Good. That simplifies it :-).

| > In the "data" acl:
| >
| > deny    condition = ${if contains {$message_body} {"*** A virus was detected by the security administrator; this message was discarded ***"} {1}{0}}
| >         message   = "I hate stupid virus alerts.  I don't have a virus, don't alert me!"
|
| But that only protects against this one particular stupid virus
| detector.

Yeah, regardless of what host it is forging :-).

| This is not the first one I've seen that, when sending a
| virus warning to X@???, forges a sender of
| postmaster@???.

Are they really different scanners or the same junkware on different
hosts?

| That's just so utterly completely wrong that I want to ban it
| completely.

Good plan :-).

| My original ACL:
|
|   deny    hosts   = !127.0.0.1
|           senders = postmaster@???:\
|                     postmaster@???:\
|                     webmaster@???:\
|                     webmaster@???
|           message = forged sender address
|
| seems to work just fine, although I do plan to elaborate it somewhat.

Oh, you're the postmaster for python.org? That keeps the number of
"bogus" domains from growing rapidly. I still think the content check
is good to have since it can (possibly) drop extra junk too.

-D

--

Come to me, all you who are weary and burdened, and I will give you
rest.  Take my yoke upon you and learn from me, for I am gentle and
humble in heart, and you will find rest for your souls.  For my yoke
is easy and my burden is light.
        Matthew 11:28-30

GnuPG key : http://dman.ddts.net/~dman/public_key.gpg

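For reference, the two checks discussed in this thread (refusing mail that claims a local postmaster/webmaster sender from a foreign host, and dropping the boilerplate "virus was detected" notice in the DATA ACL) combined in one Exim 4 configuration. This is an added example, not code from the thread or from the python.org setup: the domains, the 192.0.2.0/24 network, the option values and the ACL names are placeholders. It differs from the posted ACLs in three ways: the sender check exempts SMTP AUTH clients and the named relay hosts rather than only 127.0.0.1, so a roaming user who legitimately submits as postmaster is not refused; the body check uses the regular-expression `match` condition, with `\s+` where the notice may have been re-wrapped (Exim folds newlines in `$message_body` to spaces, so a different line break shows up as a run of whitespace); and `message_body_visible` is raised, because `$message_body` only holds that many leading bytes of the body (1024 by default) and a notice further down would otherwise be invisible to the ACL.

```exim
# Added example, not code from this thread. Domains, networks and ACL
# names are placeholders.

# --- main section ---------------------------------------------------
domainlist local_domains   = example.org : mail.example.org
hostlist   relay_from_hosts = 127.0.0.1 : 192.0.2.0/24

# $message_body is the first message_body_visible bytes of the body,
# newlines folded to spaces; the default (1024) may miss the notice.
message_body_visible = 4096

acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data

# --- ACLs -----------------------------------------------------------
begin acl

acl_check_rcpt:
  # Nobody outside our own hosts may claim to be our postmaster or
  # webmaster, unless they have authenticated (roaming SMTP AUTH users).
  deny    hosts          = !+relay_from_hosts
          !authenticated = *
          senders        = postmaster@example.org : \
                           postmaster@mail.example.org : \
                           webmaster@example.org : \
                           webmaster@mail.example.org
          message        = forged sender address

  # Normal relay control: our domains from anywhere, anything from our
  # own hosts, nothing else.
  accept  domains = +local_domains
  accept  hosts   = +relay_from_hosts
  deny    message = relay not permitted

acl_check_data:
  # The boilerplate virus notice. "match" is a regex test, so the
  # asterisks are escaped; \N...\N keeps the expander from interpreting
  # the backslashes, and \s+ tolerates re-wrapped copies of the text.
  deny    condition = ${if match{$message_body}\
                        {\N\*\*\*\s+A virus was detected by the security administrator;\s+this message was discarded\s+\*\*\*\N}\
                        {yes}{no}}
          message   = virus-alert bounce refused

  accept
```

The backslash-newline continuations inside the `${if ...}` expansion are plain Exim configuration line continuations (leading whitespace on the continuation line is dropped), so the condition reads back as one string. The body check still only catches this one scanner's wording, as Greg points out above; the sender check is the one that is independent of which product forged the address.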