Re: [exim] How to stop spoofed "From" address

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] How to stop spoofed "From" address
John W. Baxter wrote:
> On 10/17/07 9:00 PM, "W B Hacker" <wbh@???> wrote:
>
>> accept
>> condition = ${if >{${eval:$acl_m18}}{${eval:$acl_m5}}{1}{0}}
>> control = fakereject/HAS BEEN DELIVERED, but marked as Spam \
>> so MIGHT NOT BE READ!
>>
>> logwrite = DS14A Fake Rejected
>>
>> Even so, not all senders will have bothered to read the 'message' when they get
>> the rejection.
>
> And some wouldn't have a chance to, if they use one of the Exchange/Outlook
> combinations which helpfully replace the message with a generic unknown user
> message (not quoted since I forget the exact wording).


ACK .. though, as with most such things, 'hard core' spammers are handled way
further up the acl tree.

In use here at Chaos Court, this one triggers only when:

- message and sending host seem to be generally OK, ELSE they've not made it to
acl_smtp_data anyway.

- there are AT LEAST two recipients in the same local domain AND they have
'different enough' preferences that one or more would accept, one or more NOT.

That combination is rare enough that about the only thing that generates a 'hit'
is a well-known correspondent who has composed in html AND 'cc'ed' another local
user.

Almost not worth maintaining the code, as I have set the MUAs to apply a style
sheet to html anyway. White text, white background. Soothing content...

>
> But that's nearly moot, since Terry's legit correspondents would have no
> reason to spoof his From: information.
>


Absent an overly 'clever' MLM, generally so for most folk.

> And the overall idea is pretty safe for Terry, since he knows he hasn't, for
> example, set up GMail to spoof his From: and with CCs to him. (That's
> another valid use case for the From: coming in seemingly "spoofed".)
>


I'm no fan of forging 'From:' to match the recipient in any case.

But clearly a test message or reminder note or quick-n-dirty way to store an
attached file that one sends 'From:' to oneself 'To:' oneself should be allowed,
so 'authenticated' is a more important tool IMNSHO.

> On the other hand, I haven't gotten any spam to any of my accounts for quite
> a while that has that account (or any of my accounts) as a From: I guess my
> addresses are known to a different subset of spammers.
>
> --John
>


Spamming *anyone* in this 'user community' is a sure way to cause yet more new
and clever tools to be created, tested, and published that block them 'Real Soon
Now'.

We could wish they were that stupid....

;-)

Bill
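
Added example, not part of the original thread or either poster's configuration: one way to express the "authenticated matters more than From:" point as an Exim ACL statement. It assumes the named lists local_domains and relay_from_hosts from the stock default configuration and is meant for the ACL named by acl_smtp_data.

```exim
# Added illustration; list names are assumed from the default Exim config.
# Place inside the ACL that acl_smtp_data points to, before the final accept.

  # A message whose From: claims one of our local domains is refused unless
  # the SMTP session authenticated or the client is a host we relay for.
  # An authenticated user mailing a note or attachment to themselves
  # therefore still gets through.
  #
  # ${address:...} yields an empty string when the header does not parse as
  # a single address (for example several From: addresses), so the
  # condition is false and this statement does not reject such mail;
  # it is left to later checks.
  deny
    message        = From: claims a local address; authenticate to send as a local user
    log_message    = unauthenticated local From: <${address:$h_from:}>
    condition      = ${if match_domain{${domain:${address:$h_from:}}}{+local_domains}}
    !authenticated = *
    !hosts         = +relay_from_hosts
```

Mailing-list software or forwarding services that resend a local user's post with the original From: intact will hit this statement, so hosts of that kind need an exception ahead of it.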