>Any lateral thoughts/ideas?
Would it be possible and RFC compliant to reject the bounce if the message
ID did not match the pattern that your system generates for a message with
5xx saying "originating message ID not local". Hopefully wiser heads will be
able to expound or nix the concept. If it is legal, the ACL should be a
default or an easily configured option.
Best Regards,
Bob
Robert J. Strickler
Sr. Consultant
Net56
1266 W. Northwest Hwy.
Suite 740
Palatine, IL 60067
-----Original Message-----
From: Patrick Starrenburg
[
mailto:patrick-sender-8d20fc@starrenburgs.homeip.net]
Sent: Friday, May 16, 2003 2:08 PM
To: exim-users@???
Subject: [Exim] Blocking fake virus generated "bounces" not caught by
Exiscan
Dear All
We have a situation with one of the latest viruses where they are sending
fake "bounces" to our system. We are using Exim 4.20 + Exiscan (ACL mode) to
block emails with the usual dangerous attachments but with the "bounces",
i.e. from = <>, Exisan is not scanning and therefore *not* blocking the
emails.
This is from the exim main log (sensitive stuff replaced with XXXX)...
---
2003-05-16 17:04:45 19GglD-00072c-9i <= <> H=omr-d03.mx.aol.com
[205.188.159.1] P=esmtp S=223993
id=200305161504.LAD11517@???
2003-05-16 17:04:45 19GglD-00072c-9i => XXXX@??? R=benq_domains
T=remote_smtp H=XXXX[XXXX] 2003-05-16 17:04:45 19GglD-00072c-9i Completed
---
and these are the headers from the actual e-mail.
---
Received: from omr-d03.mx.aol.com ([205.188.159.1])
by mx01.benq-eu.com with esmtp (Exim 4.20)
id 19GglD-00072c-9i
for XXXX@???; Fri, 16 May 2003 17:04:39 +0200
Received: from rly-xe02.mx.aol.com (rly-xe02.mail.aol.com [172.20.105.194])
by omr-d03.mx.aol.com (v90_r2.6) with ESMTP id RELAYIN1-0516110416; Fri, 16
May 2003 11:04:16 -0500
Received: from localhost (localhost)
by rly-xe02.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0)
with internal id LAD11517;
Fri, 16 May 2003 11:04:16 -0400 (EDT)
Date: Fri, 16 May 2003 11:04:16 -0400 (EDT)
From: Mail Delivery Subsystem <MAILER-DAEMON@???>
Message-Id: <200305161504.LAD11517@???>
To: <XXXX@???>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="LAD11517.1053097456/rly-xe02.mx.aol.com"
Subject: Returned mail: User unknown
Auto-Submitted: auto-generated (failure)
---
Question:
What would be the best/is there way to block these emails, either using
Exiscan or Exim or combination of both. Obviously Exiscan (whether agreed
with or not) is not scanning "bounces" (personally I would prefer to have
the choice) perhaps solution may be to rewrite the empty bounce <> from to
something else?
Any lateral thoughts/ideas?
Patrick
--
## List details at
http://www.exim.org/mailman/listinfo/exim-users Exim
details at
http://www.exim.org/ ##