[exim] Fw: Backscatter - NDR Spam

Author: Grant Peel
Date:  
To: exim-users
Subject: [exim] Fw: Backscatter - NDR Spam
>> On 2008-02-28 at 08:40 -0500, Grant Peel wrote:
>>> My system uses exim. I have the stock check_rcpt_acl, along with several
>>> routers and transports that support virtual pop and virtual aliases.
>>>
>>> Each domain on my server has its own IP address.
>>>
>>> I was wondering if there is an addition to the check_rcpt_acl that can be
>>> added to eliminate the NDR spamming technique.
>>>
>>> Also, how does one eliminate bounces in Exim, and just reject the mail
>>> altogether?
>>
>> Exim should be doing this by default. It sounds as though you have a
>> Router which happily verifies all email addresses in the domain, but
>> which then fails to route some of those addresses.
>>
>> Can you post the Routers section of your config file?
>>
>> -Phil, about to go to bed, so anyone who spots the problem with the
>>       config: just jump in
>
> Thanks for the time up front everyone!
>
> My server has been said to have been used for backscatter spam, i.e. I am
> sending spam unwittingly.
>
> If I understand the backscatter spam definition correctly:
>
> A spammer sends spam to my server, using a forged from address (which is the
> actual target of the spammer), using arbitrary To: someone@???
> (where the 'someone' does not exist), creating the bounce. The bounce is
> sent to (the target) because he used the targets email address (forged) in
> the From: field.
>
> So what I am looking to do is:
>
> 1. Turn off bounce messages, and just reject the email up front,
>
> or,
>
> 2. Create a router or ACL that checks that the bounce would only happen IF
> it will be coming back to a local domain.
>
> Here is my configuration file (to the end of 'Routers'):
>
> ######################################################################
> #                    MAIN CONFIGURATION SETTINGS                     #
> ######################################################################
> primary_hostname = defiant.thenetnow.com
> domainlist local_domains = /etc/virtual/domains
> domainlist relay_to_domains =
> hostlist   relay_from_hosts = /etc/virtual/domains
> hostlist blacklisted_domains = /etc/virtual/blacklist
> acl_smtp_rcpt = acl_check_rcpt
> trusted_users = mailnull:root:www:webmail
> exim_user = mailnull
> exim_group = mail
> never_users =
> host_lookup = *
> rfc1413_hosts = *
> rfc1413_query_timeout = 0s
> ignore_bounce_errors_after = 0s
> timeout_frozen_after = 1d
> return_path_remove
> untrusted_set_sender = *
> helo_allow_chars = _
> daemon_smtp_ports = 25 : 109
> bounce_message_file = /usr/local/etc/exim/bounce_message_file
> warn_message_file = /usr/local/etc/exim/warn_message_file
> return_size_limit = 10000
> delay_warning = 72h
> ######################################################################
> #                       ACL CONFIGURATION                            #
> #         Specifies access control lists for incoming SMTP mail      #
> ######################################################################
> begin acl
> acl_check_rcpt:
>  accept  hosts = :
>  deny    local_parts   = ^.*[@%!/|] : ^\\.
>  accept  local_parts   = postmaster
>          domains       = +local_domains
>  require verify        = sender
>  deny    message       = rejected because $sender_host_address was \
>                          found in our blacklist
>          log_message   = domain found in $blacklisted_domains
>          hosts         = +blacklisted_domains
>  accept  domains       = +local_domains
>          endpass
>          message       = unknown user
>          verify        = recipient
>  accept  domains       = +relay_to_domains
>          endpass
>          message       = unrouteable address
>          verify        = recipient
>  accept  hosts         = +relay_from_hosts
>  accept  authenticated = *
>
> ######################################################################
> #                      ROUTERS CONFIGURATION                         #
> #               Specifies how addresses are handled                  #
> ######################################################################
> #     THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT!       #
> # An address is passed to each router in turn until it is accepted.  #
> ######################################################################
> begin routers
>
> dnslookup_(a domain name here removed):
> driver = dnslookup
> domains = ! +local_domains
> condition = ${if eq {$sender_address_domain}{a domain name here removed}{Yes}{No}}
> transport = remote_a domain name here removed
> ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
> no_more
>
> dnslookup_owm:
> driver = dnslookup
> domains = ! +local_domains
> condition = ${if eq {$sender_host_address}{127.0.0.1}{yes}{no}}
> transport = remote_smtp_owm
> ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
> no_more
>
> dnslookup:
> driver = dnslookup
> domains = ! +local_domains
> transport = remote_smtp
> ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
> no_more
>
> spamcheck_router:
> driver = accept
> no_verify
> condition = "${if and { {!def:h_X-Spam-Flag:} {!eq {$received_protocol}{spam-scanned}}} {1}{0}}"
> transport = spamcheck
>
> virtual_alias:
> driver = redirect
> allow_defer
> allow_fail
> data = ${lookup {$local_part} lsearch {/home/$domain/mail/aliases}}
> domains = /etc/virtual/domains
> require_files = /home/$domain/mail/aliases
> qualify_preserve_domain
> retry_use_local_part
> check_ancestor
> # one_time
> file_transport = address_file
> pipe_transport = address_pipe
> reply_transport = address_reply
>
> autoreply_router:
> driver = accept
> require_files = /home/$domain/mail/auto-replies/$local_part
> transport = autoreply_transport
> unseen
>
> virtual_localuser:
> driver = accept
> require_files = /etc/virtual/$domain/passwd
> domains = /etc/virtual/domains
> condition = ${lookup {$local_part} lsearch {/etc/virtual/$domain/passwd}{$value}}
> transport = virtual_localdelivery
>
> virtual_catchall:
> driver = redirect
> allow_defer
> allow_fail
> data = ${lookup {catchall} lsearch {/home/$domain/mail/aliases}}
> domains = /etc/virtual/domains
> require_files = /home/$domain/mail/aliases
> qualify_preserve_domain
> retry_use_local_part
> check_ancestor
> one_time
> file_transport = address_file
> pipe_transport = address_pipe
> reply_transport = address_reply
>
> localuser:
> driver = accept
> check_local_user
> condition = ${lookup {$sender_helo_name} lsearch {/etc/virtual/domains}{YES}{NO}}
> transport = local_deliver
>
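The two options Grant lists come down to one mechanism in Exim: reject an undeliverable recipient while the SMTP RCPT command is still open, so the message is never accepted and there is nothing to bounce to the forged envelope sender. The fragment below is an added, constructed example, not the configuration quoted in the message above and not Exim's shipped default. It shows the ACL side and the router side written so that they agree, which is the point Phil raises: a router should accept an address at verification time only if it will also deliver it. The domainlist +local_domains, the hostlist +relay_from_hosts, the /etc/virtual and /home/$domain/mail paths and the transport names are assumptions carried over from the layout of the posted config.

```exim
# Added example (constructed; not the poster's config and not Exim's default).
# Assumed: domainlist local_domains, hostlist relay_from_hosts, the
# /etc/virtual/... and /home/$domain/mail/... paths, and the transport names.

begin acl

acl_check_rcpt:
  accept  hosts = :

  # Local domain: run the routers in verify mode at RCPT time. If no router
  # accepts the address the client gets a 550 now, and no message (and so no
  # bounce to a possibly forged envelope sender) is ever generated.
  accept  domains = +local_domains
          endpass
          message = unknown user
          verify  = recipient

  accept  hosts         = +relay_from_hosts
  accept  authenticated = *

  # Neither a local recipient nor an authorised relay: reject here as well.
  deny    message = relay not permitted

begin routers

# Alias expansion. An empty lookup result makes the router decline, so an
# unknown local part falls through rather than being accepted. An alias of
# ":fail: text" (permitted by allow_fail) makes verification fail with that
# text instead of accepting the message and bouncing it later.
virtual_alias:
  driver        = redirect
  domains       = +local_domains
  require_files = /home/$domain/mail/aliases
  data          = ${lookup {$local_part} lsearch {/home/$domain/mail/aliases}}
  allow_fail
  check_ancestor

# Mailbox delivery. The same condition is evaluated at verification and at
# delivery, so an address that passes the RCPT check is one that will be
# delivered; nothing is left to fail afterwards and turn into a bounce.
virtual_localuser:
  driver    = accept
  domains   = +local_domains
  condition = ${lookup {$local_part} lsearch {/etc/virtual/$domain/passwd}{yes}{no}}
  transport = virtual_localdelivery

# Catch-all. This is the kind of router Phil describes: left unguarded it
# would accept any local part. Gating it on an explicit "catchall" entry in
# the alias file means it only verifies addresses for domains that can really
# absorb them; elsewhere the lookup is empty, the router declines, and the
# RCPT ACL rejects with "unknown user".
virtual_catchall:
  driver        = redirect
  domains       = +local_domains
  require_files = /home/$domain/mail/aliases
  data          = ${lookup {catchall} lsearch {/home/$domain/mail/aliases}}
  check_ancestor
```

Two checks go with this. `exim -bt user@example.test` (constructed address) shows which router would accept an address for delivery, and `exim -bv user@example.test` shows the verification result; backscatter of the kind described in the thread appears whenever -bv says "verified" for an address that -bt cannot route, or that routes to a transport which later fails. Note also that `require verify = sender`, as in the posted ACL, does not help here: the forged sender is usually a perfectly valid address, which is exactly why it receives the bounce.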