[exim] Denying spam with forged from

Etusivu
Poista viesti
Vastaa
Lähettäjä: Patryk
Päiväys:  
Vastaanottaja: Exim-users
Aihe: [exim] Denying spam with forged from
Hello,

I've been running exim 4.96 + spamassassin very successfully over the
last year, however recently a big amount of spam is received - because
it forges the from field to my own hostname, which is of course in the
whitelist of spamd (it has to be, a lot of traffic looks like spam but
isn't).

In this case I reviewed a sample header of a spam message, they look
like this:

Return-path: <przemysl@???>
Envelope-to: przemyslaw.zak@???
Delivery-date: Thu, 27 Nov 2008 15:58:06 +0100
Received: from [212.62.52.156] (helo=BMARINKOVIC)
    by ostc-pl.com with smtp (Exim 4.69)
    (envelope-from <przemysl@???>)
    id 1L5iJh-00020E-NU
    for przemyslaw.zak@???; Thu, 27 Nov 2008 15:58:06 +0100
X-Originating-IP: [61.706.92.425]
X-Originating-Email: [przemyslaw.zak@???]
X-Sender: przemyslaw.zak@???
To: <przemyslaw.zak@???>
Subject: RE:ci.Doctor Katy
From: <przemyslaw.zak@???>
MIME-Version: 1.0
Importance: High
Content-Type: text/html


with the local_part being a valid username on my server, and ostc-pl.com
being my hostname, this message was unfortunately delivered. So to block
it I've added an acl check that would compare return-path field and the
from field. If they are different, it most probably is spam.

begin acl
acl_check_rcpt:
# first accept local mail traffic
  accept  hosts = :
# drop forged spam
  deny    condition     = ${if !match{$header_from:}{$header_return-path:}}
              message      = return path is not equal to from field, so
I suspect spam, sir
(...)


Despite this, such mail is still being delivered. Could anyone please
explain why is it letting it through? Thanks in advance!

--
Regards,

Patryk Rządziński