Re: [exim] Backscatter - NDR Spam

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Grant Peel
Datum:  
To: exim-users
CC: exim-users
Betreff: Re: [exim] Backscatter - NDR Spam
----- Original Message -----
From: "Phil Pennock" <exim-users@???>
To: "Grant Peel" <gpeel@???>
Cc: <exim-users@???>
Sent: Friday, February 29, 2008 5:57 AM
Subject: Re: [exim] Backscatter - NDR Spam


> On 2008-02-28 at 08:40 -0500, Grant Peel wrote:
>> My system uses exim. I have the stock check_rcpt_acl, along with several
>> routers and transports that support virtual pop and virtual aliases.
>>
>> Each domain on my server has its own IP address.
>>
>> I was wondering if there is an addition to the check_rcpt_acl that can be
>> added to elimate the NDR spaming tecnique.
>>
>> Also, how does one elimiate bounces in Exim, and just reject the mail
>> altogether?
>
> Exim should be doing this by default. It sounds as though you have a
> Router which happily verifies all email addresses in the domain, but
> which then fails to route some of those addresses.
>
> Can you post the Routers section of your config file?
>
> -Phil, about to go to bed, so anyone who spots the problem with the
>       config: just jump in

>
>
>


Thanks for the time up front everyone!

If I understand the backscatter spam definition correctly:

A spammer sends spam to my server, using a forged from address (witch is the
actual target of the spammer), using arbitrary To: someone@???
(where the 'someone' does not exist), creating the bounce. The bounce is
sent to (the target) because he used the targets email address (forged) in
the From: field.

So what I am looking to do is:

1. Turn off bounce messages, and just reject the email up front,

or,

2. Create a router or ACL that checks that the bounce would only happen IF
is will be comming back to a local domain.

Here is my configure file (to the end of 'Routers':

######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################
primary_hostname = defiant.thenetnow.com
domainlist local_domains = /etc/virtual/domains
domainlist relay_to_domains =
hostlist   relay_from_hosts = /etc/virtual/domains
hostlist blacklisted_domains = /etc/virtual/blacklist
acl_smtp_rcpt = acl_check_rcpt
trusted_users = mailnull:root:www:webmail
exim_user = mailnull
exim_group = mail
never_users =
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 0s
ignore_bounce_errors_after = 0s
timeout_frozen_after = 1d
return_path_remove
untrusted_set_sender = *
helo_allow_chars = _
daemon_smtp_ports = 25 : 109
bounce_message_file = /usr/local/etc/exim/bounce_message_file
warn_message_file = /usr/local/etc/exim/warn_message_file
return_size_limit = 10000
delay_warning = 72h
######################################################################
#                       ACL CONFIGURATION                            #
#         Specifies access control lists for incoming SMTP mail      #
######################################################################
begin acl
acl_check_rcpt:
  accept  hosts = :
  deny    local_parts   = ^.*[@%!/|] : ^\\.
  accept  local_parts   = postmaster
          domains       = +local_domains
  require verify        = sender
  deny    message       = rejected because $sender_host_address was \
                          found in our blacklist
          log_message   = domain found in $blacklisted_domains
          hosts         = +blacklisted_domains
  accept  domains       = +local_domains
          endpass
          message       = unknown user
          verify        = recipient
  accept  domains       = +relay_to_domains
          endpass
          message       = unrouteable address
          verify        = recipient
  accept  hosts         = +relay_from_hosts
  accept  authenticated = *


######################################################################
#                      ROUTERS CONFIGURATION                         #
#               Specifies how addresses are handled                  #
######################################################################
#     THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT!       #
# An address is passed to each router in turn until it is accepted.  #
######################################################################
begin routers


dnslookup_(a domain name here removed):
driver = dnslookup
domains = ! +local_domains
condition = ${if eq {$sender_address_domain}{a domain name here
removed}{Yes}{No}}
transport = remote_a domain name here removed
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

dnslookup_owm:
driver = dnslookup
domains = ! +local_domains
condition = ${if eq {$sender_host_address}{127.0.0.1}{yes}{no}}
transport = remote_smtp_owm
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

spamcheck_router:
driver = accept
no_verify
condition = "${if and { {!def:h_X-Spam-Flag:} {!eq
{$received_protocol}{spam-scanned}}} {1}{0}}"
transport = spamcheck

virtual_alias:
driver = redirect
allow_defer
allow_fail
data = ${lookup {$local_part} lsearch {/home/$domain/mail/aliases}}
domains = /etc/virtual/domains
require_files = /home/$domain/mail/aliases
qualify_preserve_domain
retry_use_local_part
check_ancestor
# one_time
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply

autoreply_router:
driver = accept
require_files = /home/$domain/mail/auto-replies/$local_part
transport = autoreply_transport
unseen

virtual_localuser:
driver = accept
require_files = /etc/virtual/$domain/passwd
domains = /etc/virtual/domains
condition = ${lookup {$local_part} lsearch
{/etc/virtual/$domain/passwd}{$value}}
transport = virtual_localdelivery

virtual_catchall:
driver = redirect
allow_defer
allow_fail
data = ${lookup {catchall} lsearch {/home/$domain/mail/aliases}}
domains = /etc/virtual/domains
require_files = /home/$domain/mail/aliases
qualify_preserve_domain
retry_use_local_part
check_ancestor
one_time
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply

localuser:
driver = accept
check_local_user
condition = ${lookup {$sender_helo_name} lsearch
{/etc/virtual/domains}{YES}{NO}}
transport = local_deliver