Re: [exim] Seeking advice how to deal with spam faked to app…

Author: Fred Viles
Date:  
To: exim-users
Subject: Re: [exim] Seeking advice how to deal with spam faked to appear as coming from my domain
On 16 Nov 2005 at 20:55, exim user wrote about
    "Re: [exim] Seeking advice how to de":


| The policy of this mailserver is, that first it sends the unknown recipients
| mail to the postmaster. This is to catch potentially important mail, denied
| perhaps because of typos.


Ah. Well then, you must live with the consequences of that
decision.

| After that, it sends a copy of the error message to the postmaster for
| further investigation of what caused the trouble.


I don't think so.

| These are the last two routers:
|
| unknown_user:
| driver = redirect
| data = postmaster@???
| unseen
|
| errorcopy_postmaster:
| driver = redirect
| data = :fail: User unknown
| allow_fail


I don't think this last router does what you describe. It would
normally cause all messages that get this far to be failed, which
would normally cause ACL verification to fail. I guess the preceding
unseen router's acceptance prevents ACL verification from failing.

Since the message gets accepted, this router causes *delivery* to
fail, which results in the DSN (bounce) messages that you see frozen.
It is also presumably causing your server to generate and
successfully deliver collateral spam to innocent third parties whose
valid addresses are forged as the senders of spam and malware
delivered to your system.

(tests it...)

Yup. And since you return the full incoming message in the DSN, you
are running an abusable open relay. This will probably get you
blacklisted in due course.

| As Nigel Metheringham wrote:
| >A bounce is sent to the envelope sender address.
| >A bounce is sent *with* its own envelope sender address set to <>
| >A bounce message cannot be generated for an undeliverable bounce
| >message, so exim is freezing the incoming bounce message.
|
| So what do I have to add to these routers to keep them away from routing to
| an empty <> ???


Add
    !senders = :
to your last two routers. This should eliminate the specific case you
are asking about, but it will not result in a sane configuration.
You will still generate collateral spam.


You should also delete the last router. I can't emphasize that
enough. You should *not* be generating bounces for messages you did,
after all, accept and deliver (to postmaster).

- Fred
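The router pair discussed in this thread, with both of Fred's changes applied (skip the router for bounces, and drop the `:fail:` router), as an added example that is not part of the original post or of Exim's own documentation. The empty-sender condition is written in the per-item negated list form `senders = ! :` that router options accept; `postmaster@example.com` is a placeholder for the poster's obfuscated address.

```exim
# Before (as posted): every message for an unknown local part is copied to
# postmaster and then also failed, so Exim generates a bounce for mail it
# has already accepted. When the envelope sender is forged, that bounce is
# collateral spam, and when the sender is <> it cannot be bounced and freezes.
#
# unknown_user:
#   driver = redirect
#   data = postmaster@example.com
#   unseen
#
# errorcopy_postmaster:
#   driver = redirect
#   data = :fail: User unknown
#   allow_fail

# After: one router, no delivery-time failure.
unknown_user:
  driver = redirect
  # A list item of ":" matches the empty sender; "!" negates it, so this
  # router is skipped for bounce messages (envelope sender <>). Those then
  # fall through to whatever follows, and are never re-bounced.
  senders = ! :
  data = postmaster@example.com
  # "unseen" is kept only if a later router accepts the address; otherwise
  # drop it so the postmaster copy is the actual (and only) delivery.
  unseen

# errorcopy_postmaster is removed: do not fail a message after accepting it.
```

To confirm the router no longer fires for bounces, run Exim's routing test with an empty sender, `exim -bt -f '<>' unknownuser@example.com`, and compare with the same command using a normal sender address; the first should show the router being skipped.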