[exim] Spammers abusing Delivered-To to send spam by bounces

Pàgina inicial
Delete this message
Reply to this message
Autor: Paul Dekkers
Data:  
A: Exim-Users (E-mail)
Assumpte: [exim] Spammers abusing Delivered-To to send spam by bounces
Hi,

Analysing my logs (and a few bounces in frozen messages) I noticed that
spammers are trying to send spam using bounces caused by the
Delivered-To -header on one of my MTAs. In short:
MAIL From:<destination@victim>
RCPT To:<existinguser@mydomain>
DATA
Delivered-To: existinguser@mydomain

This happends not that often, let's say 10-15 messages a day, for now.

My exim setup forwards the mail to a downstream MTA (which is postfix).
Postfix creates a bounce message as soon as the Delivered-To-header
matches the user that the message should be delivered to, just to
prevent looping. I think it has a point there, Postfix adds the
Delivered-To header itself as soon as the mail gets forwarded to an
external process (like a mailing-list) or another user by aliases or
.forward in order to make this work.

The best way to block this abuse (at SMTP time) on my exim box seems to
me rejecting the message if one of the RCPT's is in the Delivered-To:
header. That would be a loop, or a spammer trying to use the loop, right?
I'm afraid though that in the acl_smtp_data-acl's there is no variable
or list that contains all recipients, so I couldn't check on that.
(Maybe I can make such a list in the acl_smtp_rcpt?) So the next thing I
could think of is to check if the mail comes from outside and has
"mydomain" in the Delivered-To. Something like:

  drop    message       = Forwarding loop detected
          hosts         = !+relay_from_hosts
          condition     = ${if match{$h_Delivered-To:}{@mydomain\$}}


Would this be a safe thing to do?

I can also just strip of the Delivered-To:-header in the transport, of
course (and maybe add a header that SA can use to make it likely spam),
but I think I'd rather block it earlier because this should not happen...

Regards,
Paul