Re: [Exim] Forged addresses from virus detectors

Author: Greg Ward
Date:  
To: exim-users
Subject: Re: [Exim] Forged addresses from virus detectors
On 04 June 2002, dman said:
> | This is not the first one I've seen that, when sending a
> | virus warning to X@???, forges a sender of
> | postmaster@???.
>
> Are they really different scanners or the same junkware on different
> hosts?


Not clear. The forged notifications were completely different-looking,
so I would assume different scanners. Either that or we have one piece
of stupidware that's highly configurable, whose clueless admins take the
time and trouble to craft notification messages. I'm inclined to
believe in multiple pieces of stupidware.

Oh, it gets better: naturally, I complained to the postmaster at each
site that has sent me a forged virus notification. You'll never believe
this, but those postmaster addresses bounce. No *wonder* they had to
forge somebody else's! ;-) Welcome to rfc-ignorant.org, my friends...

[me]
> My original ACL:
>
>   deny    hosts   = !127.0.0.1
>           senders = postmaster@???:\
>                     postmaster@???:\
>                     webmaster@???:\
>                     webmaster@???
>           message = forged sender address
>
> seems to work just fine, although I do plan to elaborate it somewhat.


...I have since changed this to

   deny    hosts   = !127.0.0.1
           senders = python.org
           senders = !user1@??? : \
                     ...
                     !userN@???
           message = forged sender address


where the userX addresses are addresses actually used by people out on
the 'net. There are only about half a dozen such addresses, compared to
~1000 valid @python.org addresses for incoming mail. So evil/stupid
people can still forge userX@??? to any MTA, including
mail.python.org. And they can still forge, say, postmaster@???
-- *except* to mail.python.org itself. It's a small step, but I *think*
it's a step forward.

> Oh, you're the postmaster for python.org? That keeps the number of
> "bogus" domains from growing rapidly. I still think the content check
> is good to have since it can (possibly) drop extra junk too.


Yes, content checks might help too. Haven't gone there yet. I think
I'll try to figure out how to embed a Python interpreter in Exim via
local_scan() first. You can get surprisingly far with Exim's config
language, but it's still just a config language.

        Greg
--
Greg Ward - software developer                gward@???
MEMS Exchange                            http://www.mems-exchange.org
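As an added illustration (not Greg's configuration and not Exim code), here is a small Python model of what the second deny statement above accepts and rejects; it makes the "forgeable anywhere except to mail.python.org itself" point concrete. The peer IPs and the user1..user3 addresses are constructed placeholders, since the post redacts the real ones.

```python
"""Model of the Exim ACL 'deny' statement from the post (added example).

Exim semantics approximated here (this is a model, not Exim itself):
  * every condition in one deny statement must match for the deny to fire;
  * 'hosts = !127.0.0.1' matches any peer other than the loopback address;
  * in a 'senders' address list a bare pattern with no '@' is matched against
    the domain part only, '!' negates an item, and a list made only of
    negated items matches when none of its items match;
  * matching is done caselessly.
"""

LOCAL_DOMAIN = "python.org"
LOOPBACK = "127.0.0.1"
# Addresses at the domain that real people use from outside hosts.
# Constructed stand-ins for the post's redacted user1@??? ... userN@???.
EXTERNAL_USERS = {"user1@python.org", "user2@python.org", "user3@python.org"}


def sender_domain(addr: str) -> str:
    """Domain part of an envelope sender; '' for the empty bounce sender <>."""
    return addr.rpartition("@")[2].lower()


def hosts_match(peer_ip: str) -> bool:
    # hosts = !127.0.0.1
    return peer_ip != LOOPBACK


def senders_domain_match(sender: str) -> bool:
    # senders = python.org  (bare domain pattern: compares the domain only)
    return sender_domain(sender) == LOCAL_DOMAIN


def senders_not_external_user(sender: str) -> bool:
    # senders = !user1@... : ... : !userN@...
    # An all-negative list matches exactly when no item matches.
    return sender.lower() not in {u.lower() for u in EXTERNAL_USERS}


def acl_denies(peer_ip: str, sender: str) -> bool:
    """True when the deny fires, i.e. Exim would answer 'forged sender address'."""
    return (hosts_match(peer_ip)
            and senders_domain_match(sender)
            and senders_not_external_user(sender))


if __name__ == "__main__":
    for ip, snd in [("203.0.113.5", "postmaster@python.org"),
                    ("127.0.0.1", "postmaster@python.org"),
                    ("203.0.113.5", "user1@python.org"),
                    ("203.0.113.5", "someone@example.com")]:
        print(f"{ip:12} {snd:26} -> {'DENY' if acl_denies(ip, snd) else 'accept'}")
```

Note that the empty bounce sender (`<>`) has no domain and so is never caught by this rule, which is the behaviour one wants for legitimate bounces.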