[Exim] Blocking fake virus generated "bounces" not caught by…

Página Inicial
Delete this message
Reply to this message
Autor: Patrick Starrenburg
Data:  
Para: exim-users
Assunto: [Exim] Blocking fake virus generated "bounces" not caught by Exiscan
Dear All

We have a situation with one of the latest viruses where they are sending
fake "bounces" to our system. We are using Exim 4.20 + Exiscan (ACL mode) to
block emails with the usual dangerous attachments but with the "bounces", i.e.
from = <>, Exisan is not scanning and therefore *not* blocking the emails.

This is from the exim main log (sensitive stuff replaced with XXXX)...
---
2003-05-16 17:04:45 19GglD-00072c-9i <= <> H=omr-d03.mx.aol.com
[205.188.159.1] P=esmtp S=223993
id=200305161504.LAD11517@???
2003-05-16 17:04:45 19GglD-00072c-9i => XXXX@??? R=benq_domains
T=remote_smtp H=XXXX[XXXX]
2003-05-16 17:04:45 19GglD-00072c-9i Completed
---

and these are the headers from the actual e-mail.
---
Received: from omr-d03.mx.aol.com ([205.188.159.1])
by mx01.benq-eu.com with esmtp (Exim 4.20)
id 19GglD-00072c-9i
for XXXX@???; Fri, 16 May 2003 17:04:39 +0200
Received: from rly-xe02.mx.aol.com (rly-xe02.mail.aol.com [172.20.105.194])
by omr-d03.mx.aol.com (v90_r2.6) with ESMTP id RELAYIN1-0516110416; Fri, 16
May 2003 11:04:16 -0500
Received: from localhost (localhost)
by rly-xe02.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0)
with internal id LAD11517;
Fri, 16 May 2003 11:04:16 -0400 (EDT)
Date: Fri, 16 May 2003 11:04:16 -0400 (EDT)
From: Mail Delivery Subsystem <MAILER-DAEMON@???>
Message-Id: <200305161504.LAD11517@???>
To: <XXXX@???>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="LAD11517.1053097456/rly-xe02.mx.aol.com"
Subject: Returned mail: User unknown
Auto-Submitted: auto-generated (failure)
---

Question:

What would be the best/is there way to block these emails, either using Exiscan
or Exim or combination of both. Obviously Exiscan (whether agreed with or not)
is not scanning "bounces" (personally I would prefer to have the choice)
perhaps solution may be to rewrite the empty bounce <> from to something else?

Any lateral thoughts/ideas?

Patrick