Hi,
As part of my anti-phishing filtering I'm using a system filter to
identify scams. When the filter identifies a message as bad it looks for
key features which are known to be used only by scammers (mails from
the Security "Detartment" [sic], for example).
If the message matches this list then I use the "deliver" command to send
the mail on to a handful of people who collect phishing scam mails for
blacklists and the like. In most cases this works well but on occasion the
e-mail cannot be delivered to one of the addresses specified in the
"deliver" command.
When this happens the message hangs out in the queue (waiting for a retry
timer to expire?). But it seems as though the recipient of the message is
still set to the original recipient, rather than the new recipients
specified by the deliver command, because if a queue run starts, the message
is delivered to its original recipient:
2006-12-12 18:17:51 1GuGsh-00073O-Fy <= nobody@???
H=moneypenny.commanderbond.net [216.32.81.138] P=esmtp S=2407
id=E1GuGsd-0003m3-D3@???
2006-12-12 18:17:51 1GuGsh-00073O-Fy U> T=xxx@yyy
PHISH URLBL:
http://72.22.69.137 Subj: Your Lloyds TSB Online Internet
Banking Access Blocked
2006-12-12 18:17:51 1GuGsh-00073O-Fy I> BAD PHISH: F=Lloyds TSB Bank
<helpdesk.lloydstsb@???> SIP=216.32.81.138
SH=moneypenny.commanderbond.net
R=Forged sender (Lloyds TSB Bank <helpdesk.lloydstsb@???>)
2006-12-12 18:17:51 1GuGsh-00073O-Fy original recipients ignored
(system filter)
2006-12-12 18:17:51 1GuGsh-00073O-Fy => /tmp/spool/unprocessed_scams/
<system-filter> T=system_filter_save_directory
2006-12-12 18:17:52 1GuGsh-00073O-Fy => pirt@??? <system-filter>
R=dnslookup T=remote_smtp H=mail.castlecops.com [66.227.46.235]
2006-12-12 18:17:52 1GuGsh-00073O-Fy => reports@???
<system-filter> R=dnslookup T=remote_smtp H=banksafeonline.org.uk
[83.138.191.36]
2006-12-12 18:17:52 1GuGsh-00073O-Fy => reportphishing@???
<system-filter> R=dnslookup T=remote_smtp H=ikmta.ironkey.com
[69.90.211.76]
2006-12-12 18:18:22 1GuGsh-00073O-Fy => admin@???
<system-filter> R=dnslookup T=remote_smtp H=smtp.ilisys.com.au
[203.202.10.84]
2006-12-12 18:21:01 1GuGsh-00073O-Fy mail3.netcraft.com [194.72.238.12]
Connection timed out
2006-12-12 18:24:11 1GuGsh-00073O-Fy mail2.netcraft.com [212.95.252.15]
Connection timed out
2006-12-12 18:24:11 1GuGsh-00073O-Fy == scam@??? <system-filter>
R=dnslookup T=remote_smtp defer (110): Connection timed out
2006-12-12 18:32:11 Start queue run: pid=30352
2006-12-12 18:32:11 1GuGsh-00073O-Fy => xxx@yyy
R=dnslookup T=remote_smtp H=mail.hagenhosting.com [63.97.115.202]
2006-12-12 18:32:11 1GuGsh-00073O-Fy Completed
As you can see from the log entry the message times out talking to
netcraft's mail servers (which seems to happen not infrequently). When this
happens the message seems to be held in the queue (waiting for a retry
timer?) but if a queue run occurs before that time then the message is
sent to the original recipient rather than the new recipients, even though
the message was processed by the system filter which stated that the
original recipients would be ignored.
It seems that this is a bug because if you look at the message sent to the
new recipients the messages are fine and indicate no connection to the
original recipient. Similarly if the messages to all of the new recipients
are sent correctly then the message has reached all of its recipients and
so Exim deletes it. It is only when the message is resent but that delivery
fails and the message is requeued for a second attempt that this becomes a
problem - which makes it seem as though this occurs because Exim doesn't
rewrite the recipient information for the message back to disk, so when a
queue run is started (as happens every 30 min for me) the message, which
wasn't deleted because the delivery had errors, is still seen as waiting to
be delivered to the original recipient, so that's where it is sent.
Normally this wouldn't be a problem because either the original recipient
is still going to receive the message because we're only taking a copy of
it, or because the message is successfully sent to all of the new
recipients and because it is then marked as seen/finish it gets removed.
In this situation, however, the recipient's list has changed and doesn't
include the original recipient any more. The fact that the message is still
delivered to the original recipient's address suggests that that was the only
address in the on-disk -H file for this message.
How can I change this behaviour so that the rerouted scams don't make it to
my customers? I'd be fine with failing messages from
abuse@??? which couldn't be delivered right away if this is
the only option.
Thank you,
Colin.
I'm using this entry in the system filter:
[conditionals to see if the message uses a known scam header]
then
# Save first as we're altering the headers
save /tmp/spool/unprocessed_scams/
logwrite "$tod_log $message_id I> BAD PHISH: F=$h_from: SIP=$sender_host_address SH=$sender_host_name R=Forged sender ($h_from:)"
if $message_body matches
"\\Nhref=\"(h(?:\\s+ttp|t\\s+tp|tt\\s+p|\\s+t\\s+tp|\\s+tt\\s+p|t\\s+t\\s+p):.{100})\\N"
then
logwrite "$tod_log $message_id XU> PHISH URL: $0"
endif
headers add "NSubject: [SCAM REPORT] ${escape:$h_subject:}"
headers add "X-Original-From: ${escape:$h_from:}"
headers add "X-Original-To: ${escape:$h_to:}"
headers remove "Subject"
headers remove "From"
headers remove "To"
headers remove "Sender"
headers remove "Return-path"
headers add "Subject: $h_nsubject:\n\
Return-path: abuse@???\n\
Sender: abuse@???\n\
From: abuse@???"
headers remove "NSubject"
headers add "To: <scam@???>, <admin@???>, <reportphishing@???>, <pirt@???>, <reports@???>"
[ conditionals to match the scammed company's address with a known
abuse contact, e.g.
elif $h_X-Original-From: contains "paypal" then
headers add "To: <spoof@???>"
deliver spoof@??? errors_to abuse@???
elif...
]
deliver scam@??? errors_to abuse@???
deliver reportphishing@??? errors_to abuse@???
deliver admin@??? errors_to abuse@???
deliver pirt@??? errors_to abuse@???
deliver reports@??? errors_to abuse@???
seen finish
endif
Exim version 4.63 #1 built 31-Oct-2006 12:58:49
Copyright (c) University of Cambridge 2006
Berkeley DB: Sleepycat Software: Berkeley DB 4.4.20: (January 10, 2006)
Support for: iconv() move_frozen_messages Content_Scanning Experimental_SPF
Experimental_SRS
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb
Authenticators:
Routers: accept dnslookup redirect
Transports: appendfile/maildir autoreply pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /usr/exim/configure
--
"Developers are like artists; they produce their best work if they
have the freedom to do so" - Werner Vogels, CTO Amazon.com
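Added example, not part of Colin's post or of Exim itself: a small Python script that scans an Exim mainlog for the symptom described above, a message for which Exim logged "original recipients ignored (system filter)" and which was nevertheless later delivered ("=>") to an address that does not carry the "<system-filter>" marker. The log lines it runs over are constructed here to mirror the format in the post, with placeholder addresses and hosts; the message ids and the `find_filter_leaks` / `parse_exim_log` names are assumptions of this example. Running it against a real mainlog (one line per entry, as Exim writes it) reports which messages fell through to their original recipients after a deferred filter delivery, so the affected customers can be identified rather than discovered by complaint.

```python
import re
from collections import defaultdict

# Constructed sample of Exim mainlog lines, modelled on the format in the post.
# Addresses, hosts and the second and third message ids are placeholders.
SAMPLE_LOG = """\
2006-12-12 18:17:51 1GuGsh-00073O-Fy <= nobody@example.net H=mx.example.net [192.0.2.10] P=esmtp S=2407
2006-12-12 18:17:51 1GuGsh-00073O-Fy original recipients ignored (system filter)
2006-12-12 18:17:51 1GuGsh-00073O-Fy => /tmp/spool/unprocessed_scams/ <system-filter> T=system_filter_save_directory
2006-12-12 18:17:52 1GuGsh-00073O-Fy => reports@example.org <system-filter> R=dnslookup T=remote_smtp H=mx.example.org [192.0.2.20]
2006-12-12 18:24:11 1GuGsh-00073O-Fy == scam@example.com <system-filter> R=dnslookup T=remote_smtp defer (110): Connection timed out
2006-12-12 18:32:11 Start queue run: pid=30352
2006-12-12 18:32:11 1GuGsh-00073O-Fy => customer@example.com R=dnslookup T=remote_smtp H=mx.example.com [192.0.2.30]
2006-12-12 18:32:11 1GuGsh-00073O-Fy Completed
2006-12-12 18:40:00 1GuGt0-00073P-Aa <= nobody@example.net H=mx.example.net [192.0.2.10] P=esmtp S=1800
2006-12-12 18:40:00 1GuGt0-00073P-Aa original recipients ignored (system filter)
2006-12-12 18:40:01 1GuGt0-00073P-Aa => reports@example.org <system-filter> R=dnslookup T=remote_smtp H=mx.example.org [192.0.2.20]
2006-12-12 18:40:01 1GuGt0-00073P-Aa Completed
2006-12-12 18:45:00 1GuGt5-00073Q-Bb <= alice@example.net H=mx.example.net [192.0.2.10] P=esmtp S=900
2006-12-12 18:45:01 1GuGt5-00073Q-Bb => customer@example.com R=dnslookup T=remote_smtp H=mx.example.com [192.0.2.30]
2006-12-12 18:45:01 1GuGt5-00073Q-Bb Completed
"""

# Exim message ids have the shape XXXXXX-YYYYYY-ZZ (6, 6 and 2 base-62 characters).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) "
    r"(?P<rest>.*)$"
)
# Delivery flags: => completed, -> additional address, == deferred, ** failed.
DELIVERY_RE = re.compile(r"^(?P<flag>=>|->|==|\*\*) (?P<addr>\S+)(?P<tail>.*)$")


def parse_exim_log(text):
    """Yield (timestamp, message_id, rest) for every line that carries a message id.

    Lines without an id (queue-run start/end markers, daemon messages) are skipped.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("id"), m.group("rest")


def find_filter_leaks(text):
    """Return {message_id: [(timestamp, address), ...]} for messages that leaked.

    A leak is a completed delivery ("=>") to an address without the
    "<system-filter>" marker, logged after Exim reported that the system filter
    had discarded the original recipients for that message.
    """
    ignored = set()
    leaks = defaultdict(list)
    for ts, mid, rest in parse_exim_log(text):
        if rest == "original recipients ignored (system filter)":
            ignored.add(mid)
            continue
        d = DELIVERY_RE.match(rest)
        if not d or d.group("flag") != "=>":
            continue  # not a completed delivery line
        if "<system-filter>" in d.group("tail"):
            continue  # a delivery the filter itself asked for
        if mid in ignored:
            leaks[mid].append((ts, d.group("addr")))
    return dict(leaks)


if __name__ == "__main__":
    for mid, hits in find_filter_leaks(SAMPLE_LOG).items():
        for ts, addr in hits:
            print(f"{mid}: delivered to original recipient {addr} at {ts}")
```

On the constructed sample only the first message is reported: its filter delivery to scam@ deferred, and the subsequent queue run delivered it to customer@. The second message, whose filter deliveries all completed, and the third, which the filter never touched, are not flagged.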