[exim] using system_filter to divert known spams (does not w…

Author: Christoph (Stucki) von Stuckrad
Date:  
To: exim-users
Subject: [exim] using system_filter to divert known spams (does not work?)
Hi!

I'm the admin of a small exim4 installation which is used to relay
mail between a few hosts inside the department and up to the
university central smarthost.

Recently I began to receive 'register form spams' from our
own webservers and due to the needed software I cannot
simply take the site down or edit the webpages.

So because I already have a working system-filter to 'munge'
some internal headers, I tried to simply shunt the 'known spams'
away to a dummy address by the following test(s)...
(slightly 'abstracted' by replacing real addresses and hosts):
###################################################################### snip
# some later checks may 'freeze' mail, which may be thawed, so
if not manually_thawed then                 ## allow resending by hand if frozen
  # check webserver mails ...
  if $return_path contains "www-data@" then  # normal Debian webserver
    #- killing '... register webform' 2013-01-18
    if $h_Subject: contains "Your Registration" and
       $message_body contains "registering with ..." and
       $message_body contains "...link..." then
      logwrite "$tod_log $message_exim_id diverted ... form spam"
      # send to my Junk folder
      seen deliver "USER+Junk@DOMAIN" errors_to postmaster@DOMAIN
      # assume this is 'done' - so forget the rest ...
      seen finish
    endif
    # ... more webserver checks
  endif
endif
###################################################################### snip


BUT the result is:
1) logwrite reacts to the correct mails (the 'if's are correct):
------------------------------------------------------------------------------
2013-01-25 07:01:14 1TycLK-0008R8-EE diverted ... form spam
------------------------------------------------------------------------------
2) I see the mail in the logs:
------------------------------------------------------------------------------
2013-01-25 07:00:56 1TycLK-0008R8-EE <= www-data@DOMAIN H=HOST.DOMAIN [CORRECT_IP] P=esmtps X=TLS1.0:RSA_AES_256_CBC_SHA1:32 S=1545 id=465d6dd46240c3a0e4cca2a3345de4fe@DOMAIN from <www-data@DOMAIN> for DESTINATION@DOMAIN
2013-01-25 07:01:14 1TycLK-0008R8-EE original recipients ignored (system filter)
2013-01-25 07:01:14 1TycLK-0008R8-EE => USER+junk (USER+Junk@DOMAIN) <system-filter> F=<www-data@DOMAIN> R=debug_archive_router T=debug_archive_transport S=2076 QT=24s
2013-01-25 07:01:16 1TycLK-0008R8-EE => DESTINATION@DOMAIN F=<www-data@DOMAIN> R=smarthost T=remote_smtp S=2006 H=mail.fu-berlin.de [130.133.4.67] C="250 OK id=1TycLk-003bVP-Re" QT=26s
2013-01-25 07:01:16 1TycLK-0008R8-EE Completed QT=26s
------------------------------------------------------------------------------
3) 'My copy' seems to be generated
4) *** but the spam victim gets the mail too!

I assumed 'seen finish' would suppress the original delivery?

Is there a correct way to realize a diversion of mail as:
a) check by some 'if's
b) send a copy to a special address
c) forget the rest of the deliveries

Thanks, Stucki


-- 
Christoph von Stuckrad      * * |nickname |Mail <stucki@???> \
Freie Universitaet Berlin   |/_*|'stucki' |Tel(Mo.,Mi.):+49 30 838-75 459|
Mathematik & Informatik EDV |\ *|if online|  (Di,Do,Fr):+49 30 77 39 6600|
Takustr. 9 / 14195 Berlin   * * |on IRCnet|Fax(home):   +49 30 77 39 6601/
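As an added example (not part of Stucki's post and not Exim code), here is a small Python script that parses Exim main-log lines of the kind quoted above and flags every message for which the log records "original recipients ignored (system filter)" yet a delivery (`=>`) to one of the original recipients still went out through a normal router rather than via the `<system-filter>` parent. That is exactly the symptom described in points 2) to 4). The sample log lines are constructed for this example, modelled on the abstracted lines in the post (the placeholders DOMAIN, HOST.DOMAIN, DESTINATION@DOMAIN and USER+Junk@DOMAIN are kept; the smarthost name, IP addresses, message ids of the second message and the `id=` values are made up). The `for` recipient list on the `<=` line is only present when `received_recipients` is in `log_selector`, which the quoted log shows it is.

```python
"""Spot Exim system-filter diversions that did not suppress the original delivery.

Groups Exim main-log lines by message id and reports every message where the log
says "original recipients ignored (system filter)" but a delivery (=>) to one of
the original recipients still happened through a normal router, i.e. not as a
<system-filter> child address.  Example code, not part of Exim.
"""
import re
from collections import defaultdict

# Exim message ids are three base-62 fields of 6-6-2 characters (e.g. 1TycLK-0008R8-EE).
MSGID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"
LINE_RE = re.compile(rf"^(\d{{4}}-\d{{2}}-\d{{2}} \d{{2}}:\d{{2}}:\d{{2}}) ({MSGID}) (.*)$")
# "<= sender ... for rcpt1 rcpt2"  (the "for" list needs log_selector +received_recipients)
ARRIVAL_RE = re.compile(r"^<= (\S+) (.*?)(?: for (.+))?$")
# "=> local_part (original@address) <parent> F=<sender> R=router T=transport ..."
DELIVERY_RE = re.compile(r"^=> (\S+)(?: \((\S+)\))? (.*)$")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")
FILTER_MARKER = "original recipients ignored (system filter)"


def parse_line(line):
    """Parse one main-log line into a dict; return None for lines without a message id."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts, msgid, rest = m.groups()
    rec = {"ts": ts, "id": msgid, "kind": "other", "text": rest}
    if arrival := ARRIVAL_RE.match(rest):
        rec["kind"] = "arrival"
        rec["sender"] = arrival.group(1)
        rec["recipients"] = arrival.group(3).split() if arrival.group(3) else []
    elif delivery := DELIVERY_RE.match(rest):
        rec["kind"] = "delivery"
        # Exim logs the original address in parentheses when it differs from the
        # delivered local part, e.g. "USER+junk (USER+Junk@DOMAIN)"; prefer that form.
        rec["address"] = delivery.group(2) or delivery.group(1)
        rec["via_system_filter"] = "<system-filter>" in delivery.group(3)
        rec["fields"] = dict(FIELD_RE.findall(delivery.group(3)))  # F=, R=, T=, S=, ...
    elif rest == FILTER_MARKER:
        rec["kind"] = "filter_replaced_recipients"
    return rec


def find_leaky_diversions(lines):
    """Return {msgid: {"leaked_to": [(address, router)], "filter_copies": [address]}}
    for messages whose system filter claimed to drop the original recipients while a
    non-filter delivery to one of them still went out.  Messages whose <= line is
    not in the window (e.g. after log rotation) have no known originals and are skipped."""
    by_id = defaultdict(list)
    for line in lines:
        if rec := parse_line(line):
            by_id[rec["id"]].append(rec)

    leaks = {}
    for msgid, recs in by_id.items():
        if not any(r["kind"] == "filter_replaced_recipients" for r in recs):
            continue
        originals = {addr.lower() for r in recs if r["kind"] == "arrival"
                     for addr in r["recipients"]}
        deliveries = [r for r in recs if r["kind"] == "delivery"]
        leaked = [r for r in deliveries
                  if not r["via_system_filter"] and r["address"].lower() in originals]
        if leaked:
            leaks[msgid] = {
                "leaked_to": [(r["address"], r["fields"].get("R")) for r in leaked],
                "filter_copies": [r["address"] for r in deliveries if r["via_system_filter"]],
            }
    return leaks


# Constructed sample log, modelled on the abstracted lines in the post: the first
# message shows the reported problem, the second shows a diversion that worked.
SAMPLE_LOG = """\
2013-01-25 07:00:56 1TycLK-0008R8-EE <= www-data@DOMAIN H=HOST.DOMAIN [192.0.2.5] P=esmtps S=1545 id=abc@DOMAIN for DESTINATION@DOMAIN
2013-01-25 07:01:14 1TycLK-0008R8-EE diverted ... form spam
2013-01-25 07:01:14 1TycLK-0008R8-EE original recipients ignored (system filter)
2013-01-25 07:01:14 1TycLK-0008R8-EE => USER+junk (USER+Junk@DOMAIN) <system-filter> F=<www-data@DOMAIN> R=debug_archive_router T=debug_archive_transport S=2076 QT=24s
2013-01-25 07:01:16 1TycLK-0008R8-EE => DESTINATION@DOMAIN F=<www-data@DOMAIN> R=smarthost T=remote_smtp S=2006 H=SMARTHOST.DOMAIN [192.0.2.10] C="250 OK" QT=26s
2013-01-25 07:01:16 1TycLK-0008R8-EE Completed QT=26s
2013-01-25 07:05:01 1TycPV-0008Rq-3k <= www-data@DOMAIN H=HOST.DOMAIN [192.0.2.5] P=esmtps S=1490 id=def@DOMAIN for OTHER@DOMAIN
2013-01-25 07:05:02 1TycPV-0008Rq-3k original recipients ignored (system filter)
2013-01-25 07:05:02 1TycPV-0008Rq-3k => USER+junk (USER+Junk@DOMAIN) <system-filter> F=<www-data@DOMAIN> R=debug_archive_router T=debug_archive_transport S=2001 QT=1s
2013-01-25 07:05:02 1TycPV-0008Rq-3k Completed QT=1s
"""

if __name__ == "__main__":
    for msgid, info in find_leaky_diversions(SAMPLE_LOG.splitlines()).items():
        print(f"{msgid}: filter copy to {info['filter_copies']}, "
              f"but original recipient(s) still delivered: {info['leaked_to']}")
```

Run it against a real `mainlog` with `find_leaky_diversions(open("/var/log/exim4/mainlog"))` after a filter change; an empty result means every diversion really did replace the original recipients, while a hit names the router (`R=`) that carried the leaked delivery, which is the first place to look.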