Re: [exim] How to stop spoofed "From" address

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] How to stop spoofed "From" address
Terry Calie wrote:
>
>>>> After all, this access control is happening after the DATA section, so all
>>>> the info is there, right?
>>
>> *After* the data section is too late if you wish to avoid backscatter
>> bounces.
>>
>
> Not sure I understand this response. Why is it too late? The DATA
> hasn't received a response yet, correct? So my server could still issue
> a 5xx based on my data ACL's and not create a bounce, right?
>


So long as you are still *IN* 'DATA' and have not done an 'accept' yet, yes.


'fakereject' is technically a violation of the standard, and should be used
sparingly, and with due care and attention to what it does, ELSE not at all.


Ex: The acl and error message we issue if/as/when we use it:
(watch out for MUA linewrap, as the 'CONTROL' is all on one line in
production):


# DATA_SCAN_14A: Accept with 'fakereject' IF most-paranoid OF recipients
# would reject but least-paranoid of the recipients would accept.
#
accept
    condition   = ${if >{${eval:$acl_m18}}{${eval:$acl_m5}}{1}{0}}
    control     = fakereject/HAS BEEN DELIVERED, but marked as Spam \
                  so MIGHT NOT BE READ!
    logwrite    = DS14A Fake Rejected


Even so, not all senders will have bothered to read the 'message' when they get
the rejection.

FWIW, in this example, acl_m18 and acl_m5 are carrying the MIN and MAX
per-recipient cumulative 'demerit' score threshold integers.

Determining those for any given group of recipients is a slightly more complex
bit of acl math that is not needed for singleton arrivals.

CAVEAT: Using the same policy for all members of a given domain is far simpler,
as traffic can be expected to be grouped per-domain on arrival, hence all have
the same threshold integer - if that is the policy....

>
>
>> True - but a copy is 'in hand' WEF the DATA phase. 'fakereject' is the
>> tool.
> Searching the web, it seems this is not default in Exim but is part of an
> "exiscan" patch. Ohhhhh.... I've never applied a patch before :(
>


That sounds like stale info. Very stale!

'Exiscan' has been integral to Exim for a very long time now. No patching needed.

HTH,

Bill
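
The following is an added example, not part of the original message and not the poster's configuration. It models in Python (rather than in Exim ACL syntax) the single end-of-DATA decision for a message whose recipients have different demerit thresholds, and it goes beyond the one ACL shown by also covering the plain accept and real reject cases. Assumptions: a recipient objects when the score reaches its threshold, and the names `Verdict`, `threshold_range`, `would_reject` and `data_verdict` are hypothetical.

```python
from dataclasses import dataclass

# Response text taken from the ACL in the message above.
FAKE_TEXT = "HAS BEEN DELIVERED, but marked as Spam so MIGHT NOT BE READ!"


@dataclass(frozen=True)
class Verdict:
    action: str      # "accept", "reject" or "fakereject"
    smtp_code: int   # what the sending host sees in reply to end-of-DATA
    delivered: bool  # whether the server keeps and delivers the message
    text: str = ""


def threshold_range(thresholds):
    """MIN and MAX per-recipient demerit thresholds for one message."""
    values = list(thresholds.values())
    if not values:
        raise ValueError("no accepted recipients")
    return min(values), max(values)


def would_reject(score, thresholds):
    """Recipients whose own policy would have refused this score (assumed >=)."""
    return sorted(r for r, t in thresholds.items() if score >= t)


def data_verdict(score, thresholds):
    """One SMTP reply has to cover every recipient of the message."""
    lo, hi = threshold_range(thresholds)
    if score < lo:
        # Even the most paranoid recipient is content.
        return Verdict("accept", 250, True)
    if score >= hi:
        # Even the least paranoid recipient objects: real 5xx while still in
        # DATA, so nothing was accepted and there is nothing to bounce later.
        return Verdict("reject", 550, False)
    # Recipients disagree: deliver, but tell the sender it was refused.
    return Verdict("fakereject", 550, True, FAKE_TEXT)


if __name__ == "__main__":
    # Constructed sample recipients and thresholds.
    rcpts = {"strict@example.test": 40, "relaxed@example.test": 80}
    for score in (30, 60, 90):
        print(score, data_verdict(score, rcpts), would_reject(score, rcpts))
```

With a single recipient, or one threshold shared by a whole domain, MIN equals MAX and the fakereject branch is never reached.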