[Exim] Blocking bogus bounces caused by viruses

Author: Sheldon Hearn
Date:  
To: exim-users
Subject: [Exim] Blocking bogus bounces caused by viruses
Hi folks,

It looks like a common tactic of modern email viruses is to use
MAILER-DAEMON at the domain of the intended recipient as the sender
address.

When the exiscan content scanner finds a virus in these messages, it
sends a bounce message to the sender, which ends up coming to postmaster
at a local domain, which I have to read.

In my environment, it is never legitimate for hosts outside of the
server's network to send mail from MAILER-DAEMON at one of the local
domains.

So I'm thinking of adding this to my acl_smtp_rcpt ACL:

 # Deny messages from the outside world with MAILER-DAEMON at a local
 # domain as the sender address, to weed out messages from virus SMTP
 # engines (which have a tendency to use such sender addresses) before
 # they reach the content scanner and result in bounce messages that the
 # postmaster has to read.
 #
 deny    message       = invalid use of sender <$sender_address>
         sender_domains= +local_domains
         hosts         = !127.0.0.1/32 : !10.0.0.0/24 : *
         condition     = ${if eq \
                           {${lc:$sender_address_local_part}} \
                           {mailer-daemon} \
                           {yes}{no} \
                         }


Comments?

Ciao,
Sheldon.
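Added illustration, not part of Sheldon's post and not Exim's own ACL evaluation: the Python below models the three conditions of the ACL above as one decision function, so the rule can be checked against cases such as the null sender <>, a mixed-case MAILER-DAEMON and a host inside 10.0.0.0/24. The local-domain set and the sample hosts and addresses are constructed stand-ins.

```python
"""Model of the acl_smtp_rcpt deny statement: deny only when all three conditions hold."""
import ipaddress

# Stand-in for the +local_domains list (constructed sample values).
LOCAL_DOMAINS = {"example.com", "example.net"}

# The negated items of  hosts = !127.0.0.1/32 : !10.0.0.0/24 : *
# A host in one of these networks never matches; the trailing "*" matches every other host.
EXEMPT_NETWORKS = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("10.0.0.0/24")]


def split_sender(sender_address):
    """Return (local_part, domain) for an envelope sender; ('', '') for the null sender <>."""
    if sender_address in ("", "<>"):
        return "", ""
    local_part, _, domain = sender_address.rpartition("@")
    return local_part, domain.lower()       # domain matching in Exim is case-insensitive


def host_matches(sending_host):
    """Equivalent of the hosts condition: true unless the host is in an exempt network."""
    addr = ipaddress.ip_address(sending_host)
    return not any(addr in net for net in EXEMPT_NETWORKS)


def acl_rcpt_denies(sender_address, sending_host):
    """True when the deny statement fires for this envelope sender and sending host."""
    local_part, domain = split_sender(sender_address)
    if domain not in LOCAL_DOMAINS:         # sender_domains = +local_domains
        return False
    if not host_matches(sending_host):      # hosts = !127.0.0.1/32 : !10.0.0.0/24 : *
        return False
    # condition = ${if eq {${lc:$sender_address_local_part}}{mailer-daemon}{yes}{no}}
    return local_part.lower() == "mailer-daemon"


if __name__ == "__main__":
    for sender, host in [("MAILER-DAEMON@example.com", "192.0.2.10"),
                         ("MAILER-DAEMON@example.com", "10.0.0.5"),
                         ("<>", "192.0.2.10")]:
        print(sender, host, "deny" if acl_rcpt_denies(sender, host) else "accept")
```

A genuine bounce arriving with the null sender <> is untouched by the rule, which is what makes it safe to place ahead of the content scanner.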