On Wed, Feb 18, 2004 at 11:24:55AM +0100, R.B. (Rick) wrote:
> Hi Guys,
>
> i'm using exim 4.30 with exiscan patch with spamassassin 2.63.
> I use to forward spam email to a special accounts with acls:
>
> warn message = X-Redirect-To: spam@???
> spam = nobody
>
Just an aside .... if this is implemented the way I think it is, any
spammers reading this list will be able to relay spam through your system
by simply addressing the email to whomever@??? and adding their
own X-Redirect header to have it relayed to the desired destination.
I was looking into the same recipe in my exim config and came up with a
few thoughts.
1) Use a wierd X- header instead of something obvious. Not perfect by any
stretch but it might avoid an X-header dictionary attack to find the
interesting one.
2) Only allow localpart to be set via that header. So, my normal header
addition would just be, say, "spambox" and the router would add "@domain".
Anyone injecting this header would only be able to redirect to a different
local user, not a remote one.
3) Add a DATA acl to check for the presence of this X- header on inbound
email.
Dave
--
- Dave Baker : dave@??? : http://dsb3.com/ -
GnuPG: 1024D/D7BCA55D / 09CD D148 57DE 711E 6708 B772 0DD4 51D5 D7BC A55D
