Re: [exim] Blocking e-mail checking headers

Author: Lena
Date:  
To: exim-users
Subject: Re: [exim] Blocking e-mail checking headers
> From: "Ronaldo Luiz de Carvalho" <ronaldol@???>

> I want to do an Exim filter where the headers need to be the same if they are
> set.
>
> The headers are: from, sender, reply and disposition-notification-to (maybe
> use others)
>
> I'm receiving hundreds/minute connections using some of my email accounts
> and the replies are going to someone else.
>
>
> The headers from one of these e-mails are:
>
> 1RHFJd-0008Ev-AK-H
> mailnull 47 12
> <atest@???>
> 1319204357 0
> -helo_name 100927a
> -host_address 123.11.70.14.3455
> -host_auth courier_login
> -interface_address 201.36.96.221.25
> -received_protocol esmtpa
> -body_linecount 7
> -max_received_linelength 72
> -auth_id atest@???
> -host_lookup_failed
> XX
> 1
> aaa@???
>
> 225P Received: from [123.11.70.14] (helo=100927a)
>                 by ns1.cybernet.com.br with esmtpa (Exim 4.69)
>                 (envelope-from <atest@???>)
>                 id 1RHFJd-0008Ev-AK
>                 for aaa@???; Fri, 21 Oct 2011 11:39:17 -0200
> 051  disposition-notification-to: tarzen180@???
> 017  returnreceipt: 1
> 018  mime-version: 1.0
> 049F from: atest <atest@???>
> 051S sender: atest <atest@???>
> 040T to: aaa <aaa@???>
> 033  date: 21 Oct 2011 21:40:02 +0800
> 038  subject: =?utf-8?B?YnVvbmdpb3Jubyk=?=
> 039  content-type: text/html; charset=utf-8
> 034  content-transfer-encoding: base64

>
> How could I do that? I want to block these kinds of e-mail but I don't know
> what to do.


First, change the password of the compromised user:
> -auth_id atest@???


Then add the following two fragments to your Exim config. This code
catches such spammers automatically. The code is based on the fact that
spam is sent to huge lists of email addresses, and very many of the addresses
in such lists are nonexistent. The code watches not the rate of sending all
messages, but only the rate of attempts to send to nonexistent addresses.
If the rate of attempts to send to nonexistent addresses exceeds the limit,
the authenticated user is automatically blocked, and an alert is
emailed to you. When you get an alert, examine the content of the frozen messages
in the queue using `exipick`. In the unlikely case that it's not spam, delete the
line with the user ID from the $spool_directory/blocked_authenticated_users
file (or you can delete the file if it contains only one line)
and unfreeze the messages, also using `exipick`.
If it's spam, then change the user's password or otherwise block the user,
then fine the user according to the contract, using the frozen evidence.

1. At the beginning of the Exim config:

# Block a user after LIM attempts to nonexistent recipients within PERIOD
LIM = 100
PERIOD = 1h
# Where the alert about a blocked user is sent
WARNTO = ronaldol@???
# Command used to submit the alert; -f root sets the envelope sender
EXIMBINARY = /usr/local/sbin/exim -f root
SHELL = /bin/sh
# Main option (not a macro): no From:/Sender: check on locally submitted messages
local_from_check = false

2. In acl_check_rcpt, instead of the usual "accept authenticated = *":

  # 1) Users already on the block list: freeze everything they submit.
  #    "set" runs before the conditions, so $acl_m_user is also available
  #    to the two statements below.
  accept authenticated = *
        set acl_m_user = $authenticated_id
        condition = ${if exists{$spool_directory/blocked_authenticated_users}}
        condition = ${lookup{$acl_m_user}lsearch\
                    {$spool_directory/blocked_authenticated_users}{1}{0}}
        control = freeze/no_tell
        add_header = X-Authenticated-As: $acl_m_user


  # 2) Recipient fails verification (callout, 10s) and this user's rate of
  #    such attempts exceeds LIM per PERIOD: append the user to the block
  #    list, email the alert to WARNTO, freeze the message.
  accept authenticated = *
        !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
        ratelimit = LIM / PERIOD / per_rcpt / user-$acl_m_user
        continue = ${run{SHELL -c "echo $acl_m_user \
           >>$spool_directory/blocked_authenticated_users; \
           \N{\N echo Subject: user $acl_m_user blocked; echo; echo because \
           has sent mail to LIM invalid recipients during PERIOD.; \
           \N}\N | EXIMBINARY WARNTO"}}
        control = freeze/no_tell
        add_header = X-Authenticated-As: $acl_m_user


  # 3) Everyone else: ordinary authenticated submission
  accept authenticated = *
        control = submission/domain=
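As an added illustration (not code from the post or from Exim), here is a Python model of what ACL statements 1 and 2 measure: a per-user smoothed rate of RCPTs to nonexistent addresses, updated the way the Exim spec describes the ratelimit condition (a = exp(-i/p), one count per RCPT; treated as an assumption here), plus the blocked-user list. The user name, the constructed RCPT stream and the in-memory set standing in for the block file are all mine.

```python
import math

LIM, PERIOD = 100, 3600  # the post's macros: 100 attempts per 1h (in seconds)

class InvalidRecipientLimiter:
    """Model of ACL statements 1 and 2 above: a per-user smoothed rate of
    RCPTs to *nonexistent* addresses plus the blocked_authenticated_users list."""
    def __init__(self, limit=LIM, period=PERIOD):
        self.limit, self.period = limit, period
        self.state = {}       # user -> (time of last update, smoothed rate)
        self.blocked = set()  # stands in for $spool_directory/blocked_authenticated_users

    def update_rate(self, user, now):
        """Exponentially weighted moving average as the Exim spec describes the
        ratelimit condition (assumed here): a = exp(-i/p), count = 1 per RCPT."""
        if user not in self.state:
            self.state[user] = (now, 1.0)  # new client: the rate starts at the count
            return 1.0
        last, old = self.state[user]
        i = max(now - last, 1e-9)          # seconds since the previous attempt
        a = math.exp(-i / self.period)
        new = a * old + (1 - a) * self.period / i
        self.state[user] = (now, new)
        return new

    def rcpt(self, user, recipient_exists, now):
        """Outcome of one RCPT command: 'accept' or 'freeze'."""
        if user in self.blocked:
            return "freeze"                # statement 1: already on the list
        if recipient_exists:
            return "accept"                # verify passed, ratelimit never evaluated
        if self.update_rate(user, now) >= self.limit:
            self.blocked.add(user)         # statement 2: ${run{...}} appends the user
            return "freeze"
        return "accept"                    # statement 3: ordinary submission

def simulate(n_valid, n_invalid, gap=1.0, user="atest@example.invalid"):
    """Constructed stream: n_valid RCPTs to existing mailboxes, then n_invalid
    RCPTs to unknown ones, one every `gap` seconds. Returns (outcomes of the
    valid RCPTs, 1-based index of the first frozen invalid RCPT or None, limiter)."""
    rl, t, valid, first = InvalidRecipientLimiter(), 0.0, [], None
    for _ in range(n_valid):
        valid.append(rl.rcpt(user, True, t))
        t += gap
    for k in range(1, n_invalid + 1):
        if rl.rcpt(user, False, t) == "freeze" and first is None:
            first = k
        t += gap
    return valid, first, rl
```

Sending to hundreds of existing mailboxes never moves the counter, one bad recipient per second trips it at roughly the LIMth attempt, and a sender pacing bad recipients five minutes apart stays under 100/h.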