Re: [exim] block emails with more than one 'Received: from' …

Author: Mike Cardwell
Date:  
To: exim-users
Subject: Re: [exim] block emails with more than one 'Received: from' header
On 26/01/2010 07:20, Charlie wrote:

> I am currently providing an email service to a hotel.
> All SMTP traffic from the hotel is redirected to my Exim server, which
> authenticates it based on the hotel's IP address.
> This all works great, except recently we have found that spammers have found
> a way to access a computer within the hotel's network, and have thus been
> able to use my server to send emails.
> The only means by which I think I can restrict traffic so that it *truly*
> comes from within the hotel's IP address, is to make it so that the emails
> must have *only one* 'Received: from' header.
>
> To further illustrate what I'm talking about, here is a sample header of a
> spam email sent through the hotel network (I've changed IP addresses/server
> names):
>
> Received: from [83.22.55.77] (helo=freha.pl)
> by myeximserver.com with smtp (Exim 4.69)
> (envelope-from<portuneeeqo@???>)
> id 1NZTrC-000846-N1; Mon, 25 Jan 2010 18:40:15 +0000
> Received: from unknown (156.209.88.22)
> by mts.locks.grgtween.net with QMQP; Sat, 23 Jan 2010 20:33:05 -1100
> Received: from mts.locks.grgtween.net ([Sat, 23 Jan 2010 20:21:36 -1100])
> by smtp-server1.cfdenselr.com with ESMTP; Sat, 23 Jan 2010 20:21:36 -1100
> Received: from m1.gns.snv.thisdomainl.com ([14.45.232.93]) by
> relay37.vosimerkam.net with NNFMP; Sat, 23 Jan 2010 20:04:57 -1100
>
> If the email was truly from just within the hotel's network, it would only
> have the header below (i.e. only one 'Received: from' header)
>
> Received: from [83.22.55.77] (helo=freha.pl)
> by myeximserver.com with smtp (Exim 4.69)
> (envelope-from<portuneeeqo@???>)
> id 1NZTrC-000846-N1; Mon, 25 Jan 2010 18:40:15 +0000
>
> Any way to do this?


I think you should be able to put this in your acl_smtp_data acl:

deny condition = ${if !eq{$h_Received:}{}}
     message   = Received headers not allowed


MUAs shouldn't be adding their own received headers before submitting
messages to your server.

-- 
Mike Cardwell    : UK based IT Consultant, Perl developer, Linux admin
Cardwell IT Ltd. : UK Company - http://cardwellit.com/       #06920226
Technical Blog   : Tech Blog  - https://secure.grepular.com/
Spamalyser       : Spam Tool  - http://spamalyser.com/
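
A way to dry-run the rule from the reply against saved messages before enabling it, as an added example that is not part of the original post or of Exim. It assumes each input is the message DATA as the client submitted it, before the receiving server prepends its own Received: line; the sample messages, addresses and function names are constructed for illustration.

```python
from email.parser import HeaderParser

# Constructed samples: message DATA exactly as a client would submit it,
# i.e. before the receiving server prepends its own Received: line (assumption).
DIRECT = (
    "From: guest@example.com\n"
    "To: friend@example.org\n"
    "Subject: hello\n"
    "\n"
    "Received: from this line is body text, not a header\n"
)
RELAYED = (
    "received: from unknown (192.0.2.10)\n"
    "\tby relay-a.example.net with QMQP; Sat, 23 Jan 2010 20:33:05 -1100\n"
    "Received: from relay-a.example.net\n"
    "    by relay-b.example.net with ESMTP; Sat, 23 Jan 2010 20:21:36 -1100\n"
    "X-Received: not a trace header\n"
    "From: sender@example.com\n"
    "Subject: offer\n"
    "\n"
    "body\n"
)


def received_in_data(raw):
    """Return the unfolded Received: values found in the header block only."""
    headers = HeaderParser().parsestr(raw, headersonly=True)
    # get_all() matches the field name case-insensitively; split/join unfolds
    # continuation lines into a single line per hop.
    return [" ".join(v.split()) for v in headers.get_all("Received", [])]


def decide(raw):
    """Mirror the rule in the reply: deny when any Received: header is present."""
    hops = received_in_data(raw)
    if hops:
        return "deny", "Received headers not allowed", hops
    return "accept", "", hops


if __name__ == "__main__":
    for name, raw in (("direct", DIRECT), ("relayed", RELAYED)):
        verdict, message, hops = decide(raw)
        print(f"{name}: {verdict} {message}".rstrip())
        for hop in hops:
            print(f"    {hop}")
```

Running it over a sample of legitimate submissions first shows whether any real client would be rejected by the rule.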