Re: [exim] block emails with more than one 'Received: from' …

Author: Ian Eiloart
Date:  
To: Charlie, exim-users
Subject: Re: [exim] block emails with more than one 'Received: from' header


--On 26 January 2010 18:20:26 +1100 Charlie <mi6@???> wrote:

> Hello,
> I am currently providing an email service to a hotel.
> All SMTP traffic from the hotel is redirected to my Exim server, which
> authenticates it based on the hotel's IP address.


That's a very bad idea. It's completely contrary to best practice for
Message Submission.

What you should do is this:

Block outbound port 25 at your firewall - except for your mail server.
Require your staff to connect to your message submission service on port
587 with authentication. Don't permit anyone to connect to this port
without authenticating.
Check that outbound port 587 is open, so that your guests can reach the
message submission servers of their domains. Port 587 should always require
authentication. Modern email clients will default to port 587. Also leave
465 open for some cranky Microsoft clients.
Provide documentation for your guests, in case they need to reconfigure
their email clients to use port 587. Or, advise them to use web mail.

If you still have people who need to send email on port 25, you may wish
to intercept and relay the traffic, but you should be aware that you may
not be able to deliver the email since it WILL look like you are spoofing
the sender address. In any event, you should use Exim's rate limiting to
limit the number of outbound emails from any local computer. A limit of 100
recipients per day might be suitable.

> This all works great, except recently we have found that spammers have
> found a way to access a computer within the hotel's network, and have
> thus been able to use my server to send emails.


You need to remove that computer from service, and thoroughly disinfect it.
Also, review your firewall settings to better protect your network. If
third parties are using machines on your network to relay email, they could
be doing anything with them.

> The only means by which I think I can restrict traffic so that it *truly*
> comes from within the hotel's IP address, is to make it so that the
> emails must have *only one* 'Received: from' header.


No, you must require them to authenticate. Clearly you can only do this for
your staff.

> To further illustrate what I'm talking about, here is a sample header of
> a spam email sent through the hotel network (I've changed IP
> addresses/server names):
>
> Received: from [83.22.55.77] (helo=freha.pl)
> by myeximserver.com with smtp (Exim 4.69)
> (envelope-from <portuneeeqo@???>)
> id 1NZTrC-000846-N1; Mon, 25 Jan 2010 18:40:15 +0000
> Received: from unknown (156.209.88.22)
> by mts.locks.grgtween.net with QMQP; Sat, 23 Jan 2010 20:33:05 -1100
> Received: from mts.locks.grgtween.net ([Sat, 23 Jan 2010 20:21:36 -1100])
> by smtp-server1.cfdenselr.com with ESMTP; Sat, 23 Jan 2010 20:21:36 -1100
> Received: from m1.gns.snv.thisdomainl.com ([14.45.232.93]) by
> relay37.vosimerkam.net with NNFMP; Sat, 23 Jan 2010 20:04:57 -1100
>
> If the email was truly from just within the hotel's network, it would
> only have the header below (i.e. only one 'Received: from' header)
>
> Received: from [83.22.55.77] (helo=freha.pl)
> by myeximserver.com with smtp (Exim 4.69)
> (envelope-from <portuneeeqo@???>)
> id 1NZTrC-000846-N1; Mon, 25 Jan 2010 18:40:15 +0000
>
> Any way to do this?




--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
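Added example (not from Ian's reply or the original thread): an Exim ACL fragment that implements the advice above, requiring AUTH on the submission ports and capping each authenticated sender at 100 recipients per day; the port list, the `local_domains` list and the reject messages are assumptions for illustration.

```exim
# Added example, not from the original thread. Assumes the standard
# "domainlist local_domains" and an authenticator are already configured.

# Listen on the submission ports as well as 25; 465 is TLS-on-connect.
daemon_smtp_ports    = 25 : 587 : 465
tls_on_connect_ports = 465

# Only advertise AUTH once the session is encrypted, so credentials
# are never sent in the clear.
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # 587/465 are message submission: nobody relays there without AUTH.
  deny    message        = Authentication required on the submission port
          condition      = ${if or{{eq{$interface_port}{587}}{eq{$interface_port}{465}}}}
          !authenticated = *

  # Per-user outbound cap: 100 recipients per day, keyed on the
  # authenticated login rather than on the client IP address.
  deny    message        = Sending limit exceeded: $sender_rate recipients in $sender_rate_period (limit $sender_rate_limit)
          authenticated  = *
          ratelimit      = 100 / 1d / strict / per_rcpt / $authenticated_id

  # Authenticated clients may relay to any domain.
  accept  authenticated  = *

  # Unauthenticated sessions may only deliver to our own domains.
  accept  domains        = +local_domains

  deny    message        = Relay not permitted
```

With `strict` mode, the counter keeps climbing while a client is being refused, so a compromised account stays blocked until a full period has passed rather than trickling mail out at the limit.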