Re: [exim] Spoofed email address in From: header

Góra strony
Delete this message
Reply to this message
Autor: Lena
Data:  
Dla: exim-users
Temat: Re: [exim] Spoofed email address in From: header
> From: <web@???>

> I'm dealing with spoofed email addresses in From header of emails I've
> recive.
>
> Here are sample headers of such message:
>
> Return-path: <fountains7@???>
> Envelope-to: my.email@???
> Delivery-date: Wed, 01 May 2013 03:25:09 +0200
> Received: from [186.37.26.103] (port=63085 helo=client-186-37-26-103.imovil.entelpcs.cl)
> by main.network.szczecin.pl with esmtp (Exim 4.80)
> (envelope-from <fountains7@???>)
> id 1UXLnA-0003Kn-Gw
> for my.email@???; Wed, 01 May 2013 03:25:09 +0200
> Received: from [44.83.98.143] (account zaniesr@??? HELO brqpl.fotnwccj.info)
> by client-186-37-26-103.imovil.entelpcs.cl (CommuniGate Pro SMTP 5.2.3)
> with ESMTPA id 958422789 for my.email@???; Tue, 30 Apr 2013 21:25:08 -0400
> Date:Tue, 30 Apr 2013 21:25:08 -0400
> From: <<my.email@???>>
> X-Mailer: The Bat! (v2.00.8) Business
> X-Priority: 3 (Normal)
> Message-ID: <5345923582.S3JHHE94578792@???>
> To: <my.email@???>
> MIME-Version: 1.0
> Content-Type: text/html;
> charset=us-ascii
> Content-Transfer-Encoding: 7bit
> X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
> Subject: *** SPAM *** do CV # 9823
>
>
> I changed my email address to: my.email@???
>
> Please take a look at From: header:
>
> From: <<my.email@???>>
>
> Until today I've successfuly denied messages with from like this:
>
> From: my.email@???
>
> But now, when it has multiple << and >> signs - my ACL rules does not help.


My acl_check_data contains:

  deny  !senders = MAILER-DAEMON@??? : \N^\w+@slando\.\N
        !verify = header_sender


I ran `exim -bh ...` and fed it the spam header you quoted.
My Exim rejected that spam:

>>> check !verify = header_sender
>>> verifying From: header address <<web@???>>
>>> deny: condition test succeeded in ACL "acl_check_data"

...
550-Rejected after DATA: syntax error in 'From:' header when scanning for
550 sender: missing or malformed local part in "<<web@???>>"
LOG: +0300 1UXtO0-000DzZ-BO H=rusanovka.proline.net.ua [194.187.130.132] F=<fountains7@???> rejected after DATA: syntax error in 'From:' header when scanning for sender: missing or malformed local part in "<<web@???>>"

> I used such ACL rules to stop spoofed email:
>
>           condition = ${if or {\
>           {match_domain{${domain:$rh_from:}}{+local_domains}}\
>           {match_domain{${domain:${address:$rh_from:}}}{+local_domains}}\
>           {match_domain{${domain:${reduce{${addresses:$h_from:}}{}{$item}}}}{+local_domains}}\
>           {match_domain{${domain:${reduce{${addresses:$h_from:}}{}{${if
> eq{$value}{}{$item}{$value}}}}}}{+local_domains}}\
>           }{yes}{no}}


This condition catches also messages from your users to mailing lists
(the copy back to the author),
tests users may send to their forwarders (to be forwarded back)
and emails from one of your users to another (directly and via mailing lists).

I think that in the spam you quoted the second Received is fake,
and that the spam was sent by a Windows bot/trojan directly to
main.network.szczecin.pl. My Exim would selectively greylist this spam
(even before acl_check_data) because client-186-37-26-103.imovil.entelpcs.cl
doesn't resolve back to 186.37.26.103 (also, HELO looks dynamic).
Usually greylisting of suspicious sending IPs stops Windows bot spam.
My config: http://lena.kiev.ua/Lena-eximconf-run.txt
(uses https://github.com/Exim/exim/wiki/DbLessGreyListingRun ).