Author: Patrick Starrenburg
Date:
To: exim-users
Subject: [Exim] Re: Blocking fake virus generated "bounces" not caught by Exiscan
Giuliano Gavazzi wrote:
> The bounces are not fake (if you exclude the possibility of IP
> spoofing), rather the messages that caused them had a fake sender
> (your address), or you have a virus...
> I would investigate.
Hi, as I mentioned to Tom in reply to his message - yes you are correct,
the bounces are not fake as they appear to be coming from valid AOL IP
address/servers. But their origin is suspect - and given that our user
is getting 30+ a day with different (obvious virus) attachments then we
have to consider that they are getting into AOL somehow and being pushed
to our server. His machine has been virus checked plus he is behind a
corporate firewall which blocks port 25 from him. So I don't think they
are bounces from him sending out viruses to AOL accounts.
However even if that was the case, we get back to my initial question -
how can we block these messages?
The exim log shows..
---
2003-05-16 17:04:45 19GglD-00072c-9i <= <> H=omr-d03.mx.aol.com
[205.188.159.1] P=esmtp S=223993
id=200305161504.LAD11517@???
---
Headers are...
---
Received: from omr-d03.mx.aol.com ([205.188.159.1])
    by mx01.benq-eu.com with esmtp (Exim 4.20)id 19GglD-00072c-9i
    for XXXX@???; Fri, 16 May 2003 17:04:39 +0200
Received: from rly-xe02.mx.aol.com (rly-xe02.mail.aol.com
    [172.20.105.194]) by omr-d03.mx.aol.com (v90_r2.6) with ESMTP id
    RELAYIN1-0516110416; Fri, 16 May 2003 11:04:16 -0500
Received: from localhost (localhost)
    by rly-xe02.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0)
    with internal id LAD11517;
    Fri, 16 May 2003 11:04:16 -0400 (EDT)
Date: Fri, 16 May 2003 11:04:16 -0400 (EDT)
From: Mail Delivery Subsystem <MAILER-DAEMON@???>
Message-Id: <200305161504.LAD11517@???>
To: <XXXX@???>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="LAD11517.1053097456/rly-xe02.mx.aol.com"
Subject: Returned mail: User unknown
Auto-Submitted: auto-generated (failure)
---
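
The log entry quoted in the post is a null-sender (`<= <>`) arrival of 223993 bytes. As an added example (not part of the original post), this Python sketch counts such arrivals per day and relay IP from an Exim main log and lists the unusually large ones; the 50,000-byte threshold and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Exim main-log arrival line: "<date> <time> <msgid> <= <sender> ... S=<size>"
PREFIX = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (\S+) <= (\S+)")
HOST = re.compile(r"\bH=(\S+)(?: \([^)]*\))? \[([^\]]+)\]")
SIZE = re.compile(r"\bS=(\d+)\b")

def parse_arrival(line):
    """Return a dict for an arrival ("<=") line, or None for any other line."""
    m = PREFIX.match(line)
    if not m:
        return None
    host, size = HOST.search(line), SIZE.search(line)
    return {
        "date": m.group(1), "msgid": m.group(2), "sender": m.group(3),
        "host": host.group(1) if host else None,  # absent for local submissions
        "ip": host.group(2) if host else None,
        "size": int(size.group(1)) if size else 0,
    }

def bounce_summary(lines, big=50_000):
    """Count null-sender ("<>") arrivals per (date, relay IP); list large ones.

    `big` is an assumed threshold: a plain DSN is small, one that carries
    an attachment back is not.
    """
    per_day, large = Counter(), []
    for rec in filter(None, map(parse_arrival, lines)):
        if rec["sender"] != "<>":
            continue
        per_day[(rec["date"], rec["ip"])] += 1
        if rec["size"] >= big:
            large.append(rec["msgid"])
    return per_day, large

# First line is the entry from the post, joined onto one line; the rest are constructed.
SAMPLE_LOG = """\
2003-05-16 17:04:45 19GglD-00072c-9i <= <> H=omr-d03.mx.aol.com [205.188.159.1] P=esmtp S=223993 id=200305161504.LAD11517@???
2003-05-16 17:09:02 19GgpA-00073x-2a <= <> H=omr-d03.mx.aol.com [205.188.159.1] P=esmtp S=3120 id=constructed-1@example.invalid
2003-05-16 17:10:11 19GgqB-00074b-7c <= alice@example.net H=mail.example.net [192.0.2.10] P=esmtp S=1844 id=constructed-2@example.invalid
2003-05-16 17:10:12 19GgqB-00074b-7c => XXXX <XXXX@example.invalid> R=local T=local_delivery
""".splitlines()

if __name__ == "__main__":
    counts, large = bounce_summary(SAMPLE_LOG)
    for (day, ip), n in sorted(counts.items()):
        print(day, ip, n)
    print("large bounces:", large)
```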