Re: [Exim] .forward files and spam counterfeits

Author: Pat Lashley
Date:  
To: Alan J. Flavell, Exim users list
Subject: Re: [Exim] .forward files and spam counterfeits
--On Thursday, November 27, 2003 17:13:03 +0000 "Alan J. Flavell" <a.flavell@???> wrote:

> ...
>
> The forwarding MTA's non-delivery report *does* contain the wording of
> our original rejection notice, so - if we could detect this situation
> in the original mail - then we could consider including some magic
> incantation in our SMTP response, and recognise that incantation when
> the non-delivery report came back. But I'm at a loss to know how to
> recognise the situation in the mail headers, since the envelope-sender
> is set to their victim@??? address, whereas the
> recipient address is their address locally at our server, and we don't
> in general know the correspondence between the one and the other.


My first thought would be to ensure that there's something unique to
your site in the 5xx rejection response; then set up an ACL for null-
sender messages, with a condition that does a match on $message_body
looking for your rejection notice. (I'm assuming you use exiscan-ACL
to recognize the spam.)


In my setups, I'd also attempt to attack the problem at first delivery.
I'm using Cyrus 2.2 and encouraging all users to use IMAP rather than
POP so that they can easily access sub-mailboxes. Cyrus supports detail
notation for direct delivery to a sub-mailbox. (E.g., me+lists.exim@...
would be delivered into the INBOX.lists.exim for user 'me'.) In a
situation like this, you could suggest that your users set up sub-
mailboxes for delivery of forwarded messages. You could then set up
your ACLs so that spam to a single address with a detail portion is
dropped instead of denied. (You'll probably need to set an ACL variable
in the rcpt ACL to remember the presence of the detail.)


If it were my own mailbox being forwarded, and the forwarding mechanism
allowed it, I'd add an 'X-Drop-If-Spam: yes' header at forwarding time
and check it in the local ACL. But that's probably a total non-starter
in your situation...



-Pat
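
An added illustration, not part of the original message and not Exim configuration: the first suggestion above (a site-unique marker in the 5xx text, then a body match on null-sender mail) modelled in Python. It goes one step beyond a fixed phrase by assuming the marker is an HMAC-tagged token so that outsiders cannot fabricate it; `SITE_KEY`, the `[rej ...]` format, the function names and the `example` hosts are all constructed for this sketch.

```python
import email
import hashlib
import hmac
import re
from email import policy

SITE_KEY = b"constructed-demo-key"  # assumption: secret held only by our MTA
TOKEN_RE = re.compile(r"\[rej ([0-9a-f]{8})\.([0-9a-f]{16})\]")

def _mac(nonce):
    return hmac.new(SITE_KEY, nonce.encode(), hashlib.sha256).hexdigest()[:16]

def rejection_text(nonce):
    """Site-unique 5xx text; nonce is 8 hex chars picked per rejection."""
    return f"550 Rejected as spam by mx.example.org [rej {nonce}.{_mac(nonce)}]"

def quotes_our_rejection(raw, envelope_sender):
    """True if a null-sender message quotes a rejection notice we issued."""
    if envelope_sender:                 # only bounces (MAIL FROM:<>) qualify
        return False
    msg = email.message_from_bytes(raw, policy=policy.default)
    chunks = []
    for part in msg.walk():
        if part.is_multipart():         # containers, incl. delivery-status
            continue
        # delivery-status blocks are header-only, so scan headers as well
        chunks += [f"{k}: {v}" for k, v in part.items()]
        body = part.get_payload(decode=True) or b""
        chunks.append(body.decode("utf-8", "replace"))
    text = " ".join(" ".join(chunks).split())   # undo the relay's line wrapping
    return any(hmac.compare_digest(_mac(n), m) for n, m in TOKEN_RE.findall(text))

def constructed_bounce(notice):
    """Constructed sample DSN of the kind a forwarding MTA sends back."""
    wrapped = notice.replace(" [rej", "\n    [rej")   # simulate re-wrapping
    return (
        "From: MAILER-DAEMON@forwarder.example\n"
        "Subject: Undelivered mail\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain\n\n"
        "Delivery to user@mx.example.org failed. The remote server said:\n"
        f"{wrapped}\n"
        "--b1\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; forwarder.example\n\n"
        "Final-Recipient: rfc822; user@mx.example.org\nAction: failed\n"
        "--b1--\n"
    ).encode()
```

A bounce that passes this check is one the site can treat as the echo of its own spam rejection; a null-sender message without a valid token is handled as an ordinary bounce.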