Re: [exim] Seeking advice how to deal with spam faked to app…

Author: Exim User
Date:  
To: Exim User's Mailing List
Subject: Re: [exim] Seeking advice how to deal with spam faked to appear as coming from my domain
Looks like I'm not the only one weirded out by this?
To get things clear, this is the process as it appears to me:

Somebody sends spam with a faked sender of my domain.
This spam bounces back to my mailserver (Exim 4.5.1).

Example here:
----------------------------------
> Delivery-date: Mon, 14 Nov 2005 04:26:51 +0100
> Received: from [195.161.113.101] (helo=inc.ru)
>     by stamp.lbd.de with smtp (Exim 4.51)
>     id IPXDKM-000KV5-KU
>     for debian@???; Mon, 14 Nov 2005 04:26:51 +0100
> Subject: Undeliverable mail:
> =?windows-1251?B?x+js7ejlIOrg7ejq8+v7IOIg7eXs5fbq6PUgwOv87+D1?=
> From: MAILER-DAEMON@???
> To: <debian@???>
> Date: Mon, 14 Nov 2005 06:26:28 +0300
> Message-ID: <receipt-42829316@???>
> MIME-Version: 1.0
> Content-Type: multipart/report; report-type="delivery-status";
> boundary="_===42829316====inc.ru===_"
> X-Spam-Score: 0.1 (/)
> X-Spam-Report: 0.1/5.0 - SA 3.0.3
>     ---- Start SpamAssassin results
>     *  0.1 NO_REAL_NAME From: does not include a real name
>     ---- End of SpamAssassin results
> X-Virus-Scanned: Scanned with Clam AntiVirus

>
>
> --_===42829316====inc.ru===_
> Content-Type: text/plain; charset="utf-8"
>
> Failed to deliver to '<anthon@???>'
> LOCAL module(account mail@???) reports:
> account disabled
>
>
> --_===42829316====inc.ru===_
> Content-Type: message/delivery-status
>
> Reporting-MTA: dns; inc.ru
>
> Original-Recipient: rfc822;<anthon@???>
> Final-Recipient: LOCAL;<>
> Action: failed
> Status: 5.0.0
>
> --_===42829316====inc.ru===_
> Content-Type: text/rfc822-headers
>
> Received: from [221.2.194.86] (HELO gamemakers.de)
>   by inc.ru (CommuniGate Pro SMTP 4.1.8)
>   with SMTP id 42829309 for anthon@???; Mon, 14 Nov 2005 06:26:26
> +0300
> Received: from lbd.de (stamp.lbd.de [192.166.195.91])
>     by gamemakers.de (Postfix) with ESMTP id CFB65E2BF5
>     for <anthon@???>; Sun, 13 Nov 2005 22:29:43 -0500
> From: Àëüïû <debian@???>
> To: Anthon <anthon@???>
> Subject: =?windows-1251?B?x+js7ejlIOrg7ejq8+v7IOIg7eXs5fbq6PUgwOv87+D1?=
> Date: Sun, 13 Nov 2005 22:29:43 -0500
> Message-ID: <110101c5e8cb$35d701f3$c3e98fd7@???>
> MIME-Version: 1.0
> Content-Type: text/html;
>     charset=windows-1251
> Content-Transfer-Encoding: quoted-printable
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook, Build 10.0.2616
> Importance: Normal
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081
> X-AntiVirus: checked by AntiVir MailGate (version: 2.0.1.10; AVE: 6.20.0.1;
> VDF: 6.20.0.46; host: gamemakers.de)

>
> --_===42829316====inc.ru===_--


------------------------------------------
End example

Then my mailserver tries to deliver this bounce to the faked address, which
is non-existent. Somewhere here it loses the sender or whatever and can't
deliver it, so it gets frozen.

Example:
------------------------------
> Message IPXDKM-000KV5-KU has been frozen (delivery error message).
> The sender is <>.
>
> The following address(es) have yet to be delivered:
> debian@??? <debian@???>: User unknown

------------------------------
End example

My acl_check_rcpt contains " require verify = sender", or do you think about
something else?

Thanks
Sebastian


Am 14.11.2005 11:48 Uhr schrieb "Jeremy Harris" unter <jgh@???>:

> Exim User wrote:
>> Just the same here and a lot of them.
>> My special problem: The faked addresses are non-existent, and I get the
>> following frozen messages from my own mailer-daemon for every single bounce:
>>
>>
>>> Message IPU3LU-00078D-LK has been frozen (delivery error message).
>>> The sender is <>.
>>
>>
>>> The following address(es) have yet to be delivered:
>>
>>> ittay@??? <ittay@???>: User unknown
>> where "ittay@???" was the fake address used by the spammer.
>>
>> My ACL already uses
>> require verify = header_syntax
>> !verify = header_sender
>>
>> so how can this happen?
>
> This is a bounce created by you?
> a) why did you accept the original mail, and then bounce it?
> b) did you do sender-verify callout on the original mail?
>
> - Jeremy
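Jeremy's two questions point at the same fix: refuse the mail while the remote SMTP client is still connected, so that no bounce is ever generated by your own server, and refuse incoming bounces for local users who do not exist, so that nothing with an empty envelope sender gets queued and frozen. The following Exim configuration fragment is an added example, not configuration from Sebastian's server or from the Exim project. The domain lbd.de is taken from the quoted headers; the domain list name, the 30 second callout timeout and the 2d/7d queue timers are assumptions.

```conf
# Added example (not from the original post): reject forged-sender mail and
# undeliverable bounces at SMTP time instead of accepting and bouncing them.
# Assumptions: local domain lbd.de, list name local_domains, timers below.

# ---- main section ----
acl_smtp_rcpt = acl_check_rcpt

# A bounce (sender <>) that cannot be delivered has nobody to be returned to.
# Discard it after two days instead of leaving it frozen on the queue forever.
ignore_bounce_errors_after = 2d
# Anything that still ends up frozen is removed after a week.
timeout_frozen_after = 7d

domainlist local_domains = lbd.de

begin acl

acl_check_rcpt:
  # Always allow mail submitted locally or by authenticated users.
  accept  hosts         = :
  accept  authenticated = *

  # A genuine bounce has an empty sender and exactly one recipient.
  # "senders = :" matches the empty envelope sender.
  deny    senders   = :
          condition = ${if >{$recipients_count}{1}}
          message   = bounce messages must have a single recipient

  # Refuse mail for local addresses that do not exist. This is the check that
  # would have turned the "Undeliverable mail" for debian@ into a 550 at RCPT
  # time; nothing is queued, so nothing can later be frozen.
  deny    domains   = +local_domains
          !verify   = recipient
          message   = unknown user

  # Refuse mail whose envelope sender does not verify. The callout asks the
  # sender's MX whether it would accept a bounce for that address, which is
  # what "verify = sender" alone does not do (it only checks that the domain
  # routes). defer_ok: if the remote MX is down, do not block legitimate mail.
  deny    !verify   = sender/callout=30s,defer_ok
          message   = sender verify failed

  # Accept for our own domains; everything else is a relay attempt.
  accept  domains   = +local_domains
  deny    message   = relay not permitted
```

Two caveats a practitioner should keep in mind. First, `require verify = sender` as in the original ACL only confirms that the sender domain is routable, so a forged `debian@lbd.de` passes it; only the recipient check (for incoming bounces) and the callout (for the original spam) look at whether the mailbox exists. Second, callouts against forged senders generate SMTP traffic to innocent third-party MXs; keep the timeout short and use `defer_ok`, and expect some sites to greylist or block callouts. Messages already frozen on the queue can be listed with `exim -bp` and removed with `exim -Mrm <id>`.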