Re: [Exim] odd error after upgrade

Author: Tor Slettnes
Date:  
To: Leonardo Boselli
CC: Exim Users
Subject: Re: [Exim] odd error after upgrade
On Mar 31, 2004, at 13:47, Leonardo Boselli wrote:
> On 31 Mar 2004 at 22:25, Tim Jackson posted:
>> Hi Leonardo, on Wed, 31 Mar 2004 21:40:54 +0200 you wrote:
>>> Such messages are messages caught by system filter and sent back due
>>> to presence of .exe or .scr attachments.
>>
>> I'm guessing this originates from Nigel's system_filter. If you are
>> indeed using that, please be careful to make sure that you're not
>> "sending back" e-mails to the supposed (fake) senders. (There's a good
>> chance you are, at least some of the time; why they're ending up on
>> your root account in this case I'm not sure, perhaps due to the
>> configuration options/routers/filters/whatever you have set)
>
> This filter is on and never gave a false positive, so I have no reason
> not to use it!


The problem is not false positives. The problem is that _you_ become a
spammer when using this filter, because you are sending bogus virus
warnings to innocent third parties (whose e-mail address was forged in
the original virus-containing message).

This has nothing to do with your upgrade to Exim 4 -- you seemingly
were spamming before the upgrade as well.


>> With Exim 4.x, you have the excellent and widely-used option of
>> Exiscan to do additional policy-based rejection. You would be well
>> advised to compile Exim with the Exiscan patch included, and you can
>> then do rejection based on attachment type (and *much* more) reliably
>> and without generating spurious bounce messages.
>
> let me be accomplished with exim4 before ...
> but why are the messages bounced? Here is a new excerpt from the log,
> for better indagation.
>
> 2004-03-31 23:36:32 1B8gS6-0008Rw-Me cancelled by system filter:
> \n===== WARNING! WARNING! WARNING! - POSSIBLE VIRUS! - ALERT!
> =====\n\nWe do not accept email with executable attachments! You
> attempted to send the executable file:\n\n[Content-Type:
> application/octet-stream; name="mails.exe" ]\n\nIf you didn't intend to
> send this executable file, you may have a VIRUS! If so - please run
> anti-virus software on your system immediately to prevent damage to
> your system and prevent you from infecting other computers. If you
> need to send executables - please put them inside a ZIP file.\n


This is a perfect example of the stupidity in bouncing such messages.
With 99.9% certainty, you are "bouncing" this message back to someone
who did not send anything to you, and whose machine probably is not
infected.

(I don't know how often I get such messages, claiming that "my machine"
-- which incidentally all run either Mac OS X, Solaris, or Linux -- are
infected by SoBig etc.)

This is why you _need_ Exim 4 above any other MTA, and furthermore why
you _need_ ExiScan-ACL for filtering incoming mail.



> 2004-03-31 23:36:32 1B8gS6-0008Rw-Me User 0 set for address_reply
> transport is on the never_users list


Look in your 'address_reply' transport (on a Debian system, this would
be in /etc/exim4/conf.d/transport/30_exim4-config_address_reply),
and/or the "userforward" (or similarly named) router
(/etc/exim4/conf.d/router/600_exim4-config_userforward), to ensure that
you don't set anything like 'user = root'.

-tor
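
Added example, not part of the original message: a small Python audit of an Exim main log that lists every message the system filter cancelled and whether an autoreply to the envelope sender went out or was stopped by `never_users`. The sample log is constructed: its first two entries are modelled on the lines quoted above (filter text shortened), while the other entries, the addresses, and the exact shape of the delivered-autoreply line are assumptions.

```python
import re

# Timestamp, Exim message id, rest of the log entry.
LINE = re.compile(r"^(\S+ \S+) (\w{6}-\w{6,11}-\w{2,4}) (.*)$")
ATTACH = re.compile(r'name="([^"]+)"')

# Constructed sample log (see lead-in); addresses are placeholders.
SAMPLE_LOG = r'''
2004-03-31 23:36:32 1B8gS6-0008Rw-Me cancelled by system filter: \n===== WARNING! =====\n[Content-Type: application/octet-stream; name="mails.exe" ]\n
2004-03-31 23:36:32 1B8gS6-0008Rw-Me User 0 set for address_reply transport is on the never_users list
2004-03-31 23:40:10 1B8gVc-0008Sx-2k cancelled by system filter: \n===== WARNING! =====\n[Content-Type: application/octet-stream; name="photo.scr" ]\n
2004-03-31 23:40:10 1B8gVc-0008Sx-2k => >victim@example.org <system-filter> T=address_reply
2004-03-31 23:41:02 1B8gWS-0008TA-9f <= alice@example.com H=mail.example.com [192.0.2.10] P=esmtp S=2048
2004-03-31 23:41:03 1B8gWS-0008TA-9f Completed
'''


def backscatter_report(log_text):
    """Return one record per message the system filter cancelled.

    reply is "sent" (an autoreply left via address_reply), "blocked"
    (never_users stopped the transport) or "none" (no reply activity).
    """
    msgs = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        _, msgid, rest = m.groups()
        if rest.startswith("cancelled by system filter"):
            att = ATTACH.search(rest)
            msgs[msgid] = {
                "id": msgid,
                "attachment": att.group(1) if att else None,
                "reply": "none",
            }
        elif msgid in msgs and "address_reply" in rest:
            # Any address_reply activity after a cancel means the filter tried
            # to answer the (probably forged) envelope sender.
            blocked = "never_users" in rest
            msgs[msgid]["reply"] = "blocked" if blocked else "sent"
    return list(msgs.values())


if __name__ == "__main__":
    for rec in backscatter_report(SAMPLE_LOG):
        print(rec["id"], rec["attachment"], rec["reply"])
```

A "blocked" record only means the transport failed to run; the filter is still trying to generate the reply, so the fix is in the filter or an SMTP-time rejection, not in the transport's user setting alone.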