Re: [exim] Spoofed email address in From: header

Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] Spoofed email address in From: header
web@??? <web@???> (Wed 08 May 2013 11:37:01 CEST):
> Hi
>
> I've found that after checking header_syntax for incoming email, I
> have false positive rejections in email that have:
>
> <Undisclosed-Recipient:;>
>
> set as "To:" header , sample error:
>
>
> 2013-05-08 11:25:55 1Ua0dH-00055F-4O H=v095439.home.net.pl
> [79.96.175.189] F=<al@???> rejected after DATA: "@" or "."
> expected after "Undisclosed-Recipient": failing address in "To:"
> header is: <Undisclosed-Recipient:;>
>
> 2013-05-08 11:27:31 1Ua0eo-0006JM-QZ H=ans229.rev.netart.pl
> [85.128.227.229] F=<sekretariat@???> rejected after DATA:
> "@" or "." expected after "Undisclosed-Recipient": failing address
> in "To:" header is: <Undisclosed-Recipient:;>
>
> Do you have any solution for this?


    https://github.com/Exim/exim/wiki/AclSmtpData


But my solution is to reject such messages, and neither I nor our
customers seem to miss anything. If the client is not able to produce an
RFC conformant group address, I do not like its messages.


    OK: To: Undisclosed Recipients:;
   !OK: To: <Undisclosed Recipients:;>


Just verified with the micro sample config:
~~~[/tmp/x]
acl_smtp_rcpt = accept
acl_smtp_data = accept verify = header_syntax
~~~

sudo swaks --header 'To: Undisclosed Recipients:;' --pipe 'exim -bh 8.8.8.8 -C /tmp/x' -f luser@??? -t luser@???
vs.
sudo swaks --header 'To: <Undisclosed Recipients:;>' --pipe 'exim -bh 8.8.8.8 -C /tmp/x' -f luser@??? -t luser@???

I checked my reject logs. Mostly the senders look like known or unknown
spammers. If the header is technically correct (w/o the < and >) the
messages go through.

Maybe you should check it using a legitimate MUA and send a message only
via BCC.


    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: 7CBF764A -
 gnupg fingerprint: 9288 F17D BBF9 9625 5ABC  285C 26A9 687E 7CBF 764A -
(gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B)-
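To see why `To: Undisclosed-Recipient:;` passes a header-syntax check while `To: <Undisclosed-Recipient:;>` does not, here is an added example (my own illustration, not Heiko's code and not exim's implementation) of a small recursive-descent parser for the RFC 5322 `address-list` production. It covers `mailbox` (`name-addr` or bare `addr-spec`) and `group` (`display-name ":" [group-list] ";"`), which is the rule the empty "undisclosed recipients" group relies on. Inside angle brackets only an `addr-spec` is allowed, so the bracketed form fails as soon as the parser sees `:` where `@` must appear. The grammar is simplified (no parenthesised comments, no obsolete syntax), and the wording of the failure message is modelled on the exim log lines quoted in the thread rather than taken from exim's source.

```python
import re

# Simplified RFC 5322 lexical pieces (assumption: no CFWS comments, no obsolete syntax).
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
DOT_ATOM = re.compile(rf"{ATEXT}(?:\.{ATEXT})*")
QUOTED_STRING = re.compile(r'"(?:[^"\\]|\\.)*"')
DOMAIN = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*")


class HeaderSyntaxError(ValueError):
    """Raised where a header_syntax style check would reject the header."""


class AddressListParser:
    """Recursive-descent parser for address-list = address *("," address)."""

    def __init__(self, text):
        self.s, self.i = text, 0

    def skip_ws(self):
        while self.i < len(self.s) and self.s[self.i] in " \t\r\n":
            self.i += 1

    def peek(self):
        self.skip_ws()
        return self.s[self.i] if self.i < len(self.s) else ""

    def expect(self, ch):
        if self.peek() != ch:
            raise HeaderSyntaxError(f'"{ch}" expected at offset {self.i}')
        self.i += 1

    def address_list(self):
        addrs = [self.address(allow_group=True)]
        while self.peek() == ",":
            self.i += 1
            addrs.append(self.address(allow_group=True))
        if self.peek():
            raise HeaderSyntaxError(f'unexpected "{self.peek()}" at offset {self.i}')
        return addrs

    def address(self, allow_group):
        """address = mailbox / group; mailbox = name-addr / addr-spec."""
        if self.peek() == "<":
            return ("mailbox", "", self.angle_addr())
        # Collect the leading words; the delimiter that follows decides the rule.
        start = self.i
        while self.i < len(self.s) and self.s[self.i] not in "<:@,;>":
            self.i += 1
        words = self.s[start:self.i].strip()
        nxt = self.peek()
        if nxt == ":" and allow_group:
            # group = display-name ":" [group-list] ";"
            # An empty group-list is exactly what "Undisclosed-Recipient:;" uses.
            if not words:
                raise HeaderSyntaxError("group display-name missing")
            self.i += 1
            members = []
            if self.peek() != ";":
                members.append(self.address(allow_group=False))
                while self.peek() == ",":
                    self.i += 1
                    members.append(self.address(allow_group=False))
            self.expect(";")
            return ("group", words, members)
        if nxt == "<":
            return ("mailbox", words, self.angle_addr())
        if nxt == "@":
            self.i = start
            return ("mailbox", "", self.addr_spec())
        raise HeaderSyntaxError(f'"@" or "." expected after "{words}"')

    def angle_addr(self):
        """angle-addr = "<" addr-spec ">": a group is not allowed inside."""
        self.expect("<")
        spec = self.addr_spec()
        self.expect(">")
        return spec

    def addr_spec(self):
        self.skip_ws()
        m = QUOTED_STRING.match(self.s, self.i) or DOT_ATOM.match(self.s, self.i)
        if not m:
            raise HeaderSyntaxError(f"local-part expected at offset {self.i}")
        local, self.i = m.group(0), m.end()
        if self.peek() != "@":
            # Worded like the exim log lines quoted in the thread (modelled, not exim's code).
            raise HeaderSyntaxError(f'"@" or "." expected after "{local}"')
        self.i += 1
        self.skip_ws()
        m = DOMAIN.match(self.s, self.i)
        if not m:
            raise HeaderSyntaxError(f"domain expected at offset {self.i}")
        self.i = m.end()
        return f"{local}@{m.group(0)}"


def check_header_syntax(value):
    """Return (True, parsed addresses) or (False, reason) for a To:/Cc: value."""
    try:
        return True, AddressListParser(value).address_list()
    except HeaderSyntaxError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed samples: the two forms from the thread plus a populated group.
    for hdr in ("Undisclosed-Recipient:;", "<Undisclosed-Recipient:;>",
                'Friends: a@example.org, "B C" <b@example.org>;'):
        ok, detail = check_header_syntax(hdr)
        print(f"{'OK ' if ok else '!OK'} To: {hdr}  -> {detail}")
```

Run it and the first header is accepted as a group with no members, the second is rejected with `"@" or "." expected after "Undisclosed-Recipient"`, which is the same shape of complaint the reporter saw in the exim reject log.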