Hello
I'm dealing with spoofed email addresses in the From header of emails I've
received.
Here are sample headers of such message:
Return-path: <fountains7@???>
Envelope-to: my.email@???
Delivery-date: Wed, 01 May 2013 03:25:09 +0200
Received: from [186.37.26.103] (port=63085
    helo=client-186-37-26-103.imovil.entelpcs.cl)
    by main.network.szczecin.pl with esmtp (Exim 4.80)
    (envelope-from <fountains7@???>)
    id 1UXLnA-0003Kn-Gw
    for my.email@???; Wed, 01 May 2013 03:25:09 +0200
Received: from [44.83.98.143] (account zaniesr@??? HELO
    brqpl.fotnwccj.info)
    by client-186-37-26-103.imovil.entelpcs.cl (CommuniGate Pro SMTP 5.2.3)
    with ESMTPA id 958422789 for my.email@???; Tue, 30 Apr 2013
    21:25:08 -0400
Date:Tue, 30 Apr 2013 21:25:08 -0400
From: <<my.email@???>>
X-Mailer: The Bat! (v2.00.8) Business
X-Priority: 3 (Normal)
Message-ID: <5345923582.S3JHHE94578792@???>
To: <my.email@???>
MIME-Version: 1.0
Content-Type: text/html;
    charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
Subject: *** SPAM *** do CV # 9823
I changed my email address to: my.email@???
Please take a look at From: header:
From: <<my.email@???>>
Until today I've successfully denied messages with a From like this:
From: my.email@???
But now, when it has multiple << and >> signs, my ACL rules do not help.
I used these ACL rules to stop spoofed email:
condition = ${if or {\
{match_domain{${domain:$rh_from:}}{+local_domains}}\
{match_domain{${domain:${address:$rh_from:}}}{+local_domains}}\
{match_domain{${domain:${reduce{${addresses:$h_from:}}{}{$item}}}}{+local_domains}}\
{match_domain{${domain:${reduce{${addresses:$h_from:}}{}{${if eq{$value}{}{$item}{$value}}}}}}{+local_domains}}\
}{yes}{no}}
Can anyone help me understand why the above rules do not prevent emails with a From like:
From: <<my.email@???>>
?
Any help would be appreciated.
Mike
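
Added example (not part of the original post, and Python rather than Exim configuration): it models why a domain check built on strict address parsing misses `From: <<...>>`, assuming, as the Exim specification documents for `${address:}` and `${domain:}`, that a value which does not parse expands to an empty string, and it shows a lenient check that does not depend on parsing. `example.org` is a constructed placeholder for the redacted local domain, and `strict_domain` is a simplified stand-in, not Exim's parser.

```python
import re

# Constructed placeholder: the post redacts the real local domain as "???".
LOCAL_DOMAINS = {"example.org"}

_ADDR = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+"
# Simplified stand-in for a strict parse: either a bare address, or an
# optional display name followed by exactly one <address>.
_STRICT = re.compile(
    r'^\s*(?:"[^"]*"\s*|[^<>@"]*)?<(' + _ADDR + r')>\s*$|^\s*(' + _ADDR + r')\s*$'
)
# Lenient: anything that looks like a domain after an '@', brackets ignored.
_LENIENT = re.compile(r"@([A-Za-z0-9.-]+)")


def strict_domain(from_value):
    """Domain of a well-formed From value, or '' when it does not parse."""
    m = _STRICT.match(from_value)
    if not m:
        return ""
    addr = m.group(1) or m.group(2)
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def lenient_domains(from_value):
    """Every domain-looking token after an '@', whatever the bracket nesting."""
    return {d.lower().strip(".-") for d in _LENIENT.findall(from_value)}


def claims_local_sender(from_value, strict=False):
    """True when the From value names one of LOCAL_DOMAINS."""
    if strict:
        # An empty parse result is never in LOCAL_DOMAINS, so malformed
        # values such as <<user@example.org>> pass this test unnoticed.
        return strict_domain(from_value) in LOCAL_DOMAINS
    return bool(lenient_domains(from_value) & LOCAL_DOMAINS)


def should_reject(from_value, authenticated, from_relay_host):
    """Reject a local From: arriving from an unauthenticated outside host."""
    if authenticated or from_relay_host:
        return False
    return claims_local_sender(from_value)
```
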