Re: [exim] Spam not being spam checked

Author: Peter Bowyer
Date:  
To: exim users
Subject: Re: [exim] Spam not being spam checked
On 2 June 2010 12:58, <a.smith@???> wrote:
> Quoting a.smith@???:
>
>> Ok,
>>
>>   think I've got it
>>
>> with protocol spam-scanned and my dumb mail config accepts the mails
>> without spam checking them. What I can do is change the spam-scanned
>> string to some other value
>
> I changed the value of spam-scanned to spam-scannedukgsa and within a
> few minutes a spam mail arrived with "P=spam-scannedukgsa" (this is in
> the logs). I wonder how they do that, it must be an exploit of some
> time.
> Anyway, if there's no easy way to sort this then it may require a total
> reconfiguration of spam handling in the config as suggested :(


Before you reconfigure it, it would be as well to understand how it works.

From the details you've provided, it seems you have a config that
scans incoming spam (perhaps with mailscanner, which is commonly
configured this way) via an Exim local delivery, and re-injects the
message into Exim for final delivery with a protocol of
'spam-scanned'. The 'P=' line in your log shows the re-injections.
'They' didn't do anything (it's not something that comes in the SMTP
transaction or payload, so 'they' couldn't). 'You' set that protocol
on the re-injection so that your router condition could pick it up,
detect the message has already been scanned, and not scan it again.

If a mail that says 'P=spam-scanned' is spam by your definition, then
it's the configuration of the spam scanner that's wrong, not Exim. All
Exim knows is that the scanner said it has been scanned - it's not
involved in the scanning.

So I suggest you look at how your scanner is configured before hacking
around with the Exim config - your original router looked sane; what
it said in plain language is to send every message for scanning except
those that have already been scanned, and those that arrived via
authenticated SMTP (so I presume you want to trust your authenticated
users not to send spam).

Hope this helps.

Peter


--
Peter Bowyer
Email: peter@???
Follow me on Twitter: twitter.com/peeebeee
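
The following is an added example, not part of the message above or of any Exim or scanner code. It checks Exim main-log arrival lines to confirm that every message logged with the marker protocol was a local re-injection (U= present, no H= remote host). The log lines are constructed samples, and it assumes the re-injecting process does not set sender host data.

```python
import re

# Arrival lines in Exim's main log: "<date> <time> <message-id> <= <sender> <fields...>"
ARRIVAL = re.compile(r"^\S+ \S+ (?P<id>\S+) <= \S+(?P<fields>.*)$")
# Upper-case log fields such as H= (remote host), U= (local user), P= (protocol).
FIELD = re.compile(r"(?:^|\s)([A-Z]+)=(\S+)")


def audit_marker(log_lines, marker="spam-scanned"):
    """Return (reinjected_ids, remote_ids) for arrivals logged with P=<marker>.

    reinjected_ids: local submissions (no H=), i.e. the scanner handing the
                    message back to Exim.
    remote_ids:     arrivals that carry the marker and also name a remote
                    host; these need investigating.
    """
    reinjected, remote = [], []
    for line in log_lines:
        m = ARRIVAL.match(line)
        if not m:
            continue  # deliveries (=>), completions and other lines
        fields = {}
        for key, value in FIELD.findall(m.group("fields")):
            # Keep the first occurrence only: a logged subject (T="...") comes
            # late in the line and must not be able to override P= or H=.
            fields.setdefault(key, value)
        if fields.get("P") != marker:
            continue
        (remote if "H" in fields else reinjected).append(m.group("id"))
    return reinjected, remote


# Constructed sample log. The last line is a constructed case that exercises
# the "remote" branch; it is not taken from the thread.
SAMPLE_LOG = """\
2010-06-02 12:58:01 1OJmAA-0001Ab-CD <= sender@example.org H=mx.example.net [192.0.2.10] P=esmtp S=2048
2010-06-02 12:58:03 1OJmAB-0001Ac-EF <= sender@example.org U=mail P=spam-scanned S=2301
2010-06-02 12:58:03 1OJmAB-0001Ac-EF => user <user@example.com> R=localuser T=local_delivery
2010-06-02 12:59:10 1OJmAC-0001Ad-GH <= other@example.org H=mx.example.net [192.0.2.10] P=spam-scanned S=900 T="P=esmtp"
""".splitlines()

if __name__ == "__main__":
    ok, suspect = audit_marker(SAMPLE_LOG)
    print("local re-injections:", ok)
    print("marker seen on remote arrivals:", suspect)
```

If the second list stays empty on a real log, every marked message came back from the scanner, and the place to look is the scanner's own configuration.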