On Mon, 2005-11-14 at 12:20 +0100, Exim User wrote:
> Looks like I'm not the only one weirded out by this?
> To get things clear, this is the process as it explores to me:
>
> Somebody sends spam with a faked sender of my domain.
> This spam bounces back to my mailserver (Exim 4.5.1).
Ideally this stuff would have been rejected at SMTP time and not
generated a bounce message, but that's outside of your control - however
you are making this far worse by not doing SMTP time verification of
incoming recipient addresses, as this means that people doing call-back
style verification of senders are not rejecting the forged crap as your
system prevents them doing further verification.
> Example here:
...snipped...
> Then my mailserver tries to deliver this bounce to the faked address, which
> is non-existent.
Major problem one for you is that your system accepts that mail. You
should reject it early (i.e. at SMTP time); then you would not have to
generate a bounce.
> Somewhere here it loses the sender or whatsoever and can't
> deliver it, so it gets frozen.
A bounce is sent to the envelope sender address.
A bounce is sent *with* its own envelope sender address set to <>
A bounce message cannot be generated for an undeliverable bounce
message, so exim is freezing the incoming bounce message.
> Example:
....snipped....
> My acl_check_rcpt contains " require verify = sender", or do you think about
> something else?
You need:-
* Recipient verification within your rcpt ACL
* local address routing that does not include any catch-all
routers
You might also benefit from sender address verification, possibly
including callback verification - however that does not address your
specific problem, which is that you are accepting mail for non-existent
local users from non-local senders (you might wish to accept invalid
addresses from local senders, and then generate a bounce, since many
MUAs react badly to being given SMTP errors, but folks should recognise
a bounce).
Nigel.
--
[ Nigel Metheringham Nigel.Metheringham@??? ]
[ - Comments in this message are my own and not ITO opinion/policy - ]
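The configuration shape the reply recommends (recipient verification in the RCPT ACL, a local router with no catch-all, local hosts optionally exempted from the check), as an added Exim 4 fragment that is not from the thread or from Exim's own files; the domain and host list contents, the `local_delivery` transport name and the placement of the list names are assumptions modelled on the stock configure file.

```exim
# Constructed example fragment; example.com and 192.168.0.0/24 are placeholders.
domainlist local_domains     = example.com
hostlist   relay_from_hosts  = 127.0.0.1 : 192.168.0.0/24

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # The sender check the poster already has. Adding "/callout" would also
  # refuse forged senders whose mailbox cannot take a bounce.
  require verify = sender

  # Optional, as the reply suggests: local MUAs may address a non-existent
  # user and get a bounce later rather than an SMTP error now.
  accept  hosts = +relay_from_hosts

  # Mail from elsewhere for a local domain is accepted only if the address
  # routes to a real mailbox. A condition failing after "endpass" turns the
  # accept into a 550 at RCPT time, so no bounce is ever queued or frozen.
  accept  domains = +local_domains
          endpass
          message = unknown user
          verify  = recipient

  # Anything else is not a local address and we do not relay.
  deny    message = relay not permitted

begin routers

# Deliver only to real system accounts. With no catch-all router after it,
# an address that is not a local account fails routing, and therefore fails
# the recipient verification above instead of being accepted and bounced.
localuser:
  driver = accept
  check_local_user
  transport = local_delivery
```

The transports section is omitted; `local_delivery` stands for whatever local transport the site already defines.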