Auteur: James P. Roberts Date: À: Jerry M. Howell II, exim-users Sujet: Re: [Exim] a log entry and strange e-mail
<snip>
I'm trying to help my wife administrate a webserver that came with
exim 3.36.
Today I checked my e-mail and got this strange e-mail. I am not
extreamly familiar
with exim and might just be jumping to conclusions so if someone can
explain what
this all meens and mabe point me to the area in the manual, or if
someone has the
exim book by oreily I'd greatly apreciate it
------- e-mail source ----------------
Return-path: <jmhowell@???>
Envelope-to: jmhowell@???
Delivery-date: Tue, 10 Dec 2002 08:29:01 -0700
Received: from host217-39-71-148.in-addr.btopenworld.com
([217.39.71.148] helo=jmhowell.com)
by gamma.hostbyk.com with smtp (Exim 3.36 #1)
id 18LmJV-0004Yf-00
for jmhowell@???; Tue, 10 Dec 2002 08:28:49 -0700
FROM: Liang <jmhowell@???>
DATE: Tue, 10 Dec 2002 15:32:10+0000
X-Mailer: EBT Reporter v 2.x
TO: jmhowell@???
subject: Netbirds
<snip>
Content-Type: audio/x-wav;
Name = "README.EXE"
Content-Transfer-Encoding: base64
<snip>
Jerry:
Right there is a big clue. This email contained an executable
attachment (README.EXE). It is very likely a virus, and you should
avoid executing it, especially on any Windows machine. Thank you for
not including the entire thing!
More clues are the spoofed return address, and fake "helo," both of
which try to pretend the message came from yourself. As you can see, it
came from outside your system. (If it's not a virus, then it's
certainly spam.)
One method of dealing with this is the "system filter." There is a very
useful, although currently unmaintained, sample filter out there
someplace, which blocks emails with executable attachments. I use it.
So far, I've only had two questions from legitimate correspondents,
wanting to know why their email was rejected, when they simply didn't
realize they were sending an executable attachment, which the filter
dutifully blocked. (It's amazing how many people can quote you a
precise error message, verbatim, and still utterly fail to absorb its
meaning.) On the other hand, the filter has blocked quite a few
virus-laden pieces of junk.
Another good method is the RBL (Realtime Blocking List). I haven't
checked, but I'd bet the source of this junk will be found on such
lists. I highly recommend the RBL concept, as it provides a pretty
quick way (a simple DNS lookup on the source) to reject a lot of junk,
without ever having to look at the contents. It also means your
internet connection bandwidth isn't wasted downloading all this junk
onto your server.