Re: [exim] How to stop spoofed "From" address

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] How to stop spoofed "From" address
Dean Brooks wrote:
> On Mon, Oct 15, 2007 at 07:58:59PM -0500, eximlearning@???
> wrote:
>> Thanks again Dean. I will definitely test it before keeping it live. Just
>> curious... is there a way to silently save the email somewhere before
>> rejecting it, so that I can watch the results of the rejection over the
>> next few weeks to make sure that it is only junk getting rejected?


Yes - the full headers and body are 'on box' as at the data phase - that's what
gets handed off to ClamAV, SpamAssassin or whatever for message-body scanning.

Keeping a copy means replicating, intercepting, or tapping into that process,
INSERTING into a DB, or some such custom work.

Not worth it, and no need.

Suggest using Exim's 'fakereject' instead.


>> After all, this access control is happening after the DATA section, so all the
>> info is there, right?
>


*After* the data section is too late if you wish to avoid backscatter bounces.

Far-end may very well have motored off already...

> I'm not aware of any way to do that in the ACLs. The message isn't
> officially accepted while the ACLs are running, so there's nothing to save at
> that point.
>


True - but a copy is 'in hand' WEF the DATA phase. 'fakereject' is the tool.

> It's possible to do this via routers, but the complexity increases obviously.
>
>
> Perhaps you should just use the "warn" tag instead of "deny", and simply log
> the deliver so you can check them later?
>
> warn
>   ! authenticated = *
>   condition = ${if match_domain{${domain:${address:$h_from:}}}{+localdomains}}
>   log_message = REMOTE SENDER USED LOCAL DOMAIN USE IN FROM: HEADER
>
> -- Dean Brooks dean@???
>


That works also.

For testing or problem solving, we keep a structure in place but
enabled/disabled with a MACRO.

It consists of configurable ACLs and an extra 'unseen' router that drops copies
of the selected traffic into an 'analyze' dirtree for later manual inspection.

One can then readily tune the ACLs to focus on a specific issue, switch them
on/off as needed, and find what is to be looked at in a predictable location.


HTH,

Bill
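As an added example (not from Bill's post, Dean's post, or the Exim project's own configuration), here is one way to lay out the macro-gated "analyze" structure Bill describes, combined with the 'fakereject' control he recommends for the live phase. The macro name ANALYZE_SPOOF, the use of acl_m0 as the tag variable, the list names local_domains and relay_from_hosts, the /var/spool/exim/analyze path and the exim user/group are all assumptions for illustration; adjust them to your own configuration.

```exim
# Added example: macro-gated spoof-analysis setup (not from the original post).
# One macro switches the whole mechanism on or off.  Comment it out to disable.
ANALYZE_SPOOF = yes

# ---- In the ACL section (begin acl), referenced by acl_smtp_data ----
# Runs after DATA, so the header From: is available for inspection.
acl_check_data:

  .ifdef ANALYZE_SPOOF
  # Tag (do not reject) mail from unauthenticated, non-relay clients whose
  # header From: claims one of our own domains.  The message is accepted,
  # logged, and marked in acl_m0 so a router can grab a copy below.
  # (list names +local_domains / +relay_from_hosts are assumptions)
  warn
    ! authenticated = *
    ! hosts         = +relay_from_hosts
    condition       = ${if match_domain{${domain:${address:$h_from:}}}{+local_domains}}
    set acl_m0      = 1
    log_message     = REMOTE SENDER USED LOCAL DOMAIN IN FROM: HEADER (copy kept for analysis)

  # Live phase alternative: keep the tag, but also answer the client with a
  # 550 while still accepting the message locally.  Because the rejection
  # happens inside the SMTP session, no bounce is generated (no backscatter).
  # Uncomment once the warn-only run shows only junk being caught.
  # warn
  #   condition = ${if eq{$acl_m0}{1}}
  #   control   = fakereject/Message rejected: header From: claims a local domain
  .endif

  accept

# ---- In the routers section (begin routers), placed FIRST ----
# 'unseen' delivers a copy via the analyze transport and then lets routing
# continue with the normal routers, so legitimate mail still gets delivered.
# acl_m0 is preserved with the message, so it is visible here at routing time.
.ifdef ANALYZE_SPOOF
analyze_copy:
  driver    = accept
  condition = ${if eq{$acl_m0}{1}}
  no_verify
  unseen
  transport = analyze_file
.endif

# ---- In the transports section (begin transports) ----
# Drops each copy as a maildir file under a per-day directory, giving the
# "predictable location" for later manual inspection.  (path and user assumed)
analyze_file:
  driver           = appendfile
  directory        = /var/spool/exim/analyze/${substr_0_10:$tod_log}
  maildir_format
  create_directory
  user             = exim
  group            = exim
  mode             = 0600
```

Two caveats worth knowing before relying on this: the unseen router runs once per recipient address, so a multi-recipient message leaves one copy per recipient in the analyze directory (the Message-ID or the Exim message id in the headers lets you de-duplicate); and control = fakereject is only valid in the DATA (and MIME) ACLs, which is where the From: header check has to live anyway.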