We recently adapted the config here:
https://github.com/Exim/exim/wiki/BlockCracking
to help us limit the impact of compromised hosts on our network that are
sending via our mailhubs. We naively replaced the line that appends the
offender to the list with this:
continue = ${run{SHELL -c "echo $sender_host_address \
>>$spool_directory/blocked_relay_ips; \
[...]
This worked brilliantly until an offender submitted mail to us over
IPv6, because we're looking up hosts using lsearch which uses colon as
its key/value separator. This is, of course, documented, and the
specific issue of IPv6 addresses is even mentioned under iplsearch.
This gave us a particularly fun failure mode, as it sends a mail to our
support queue every time a new address gets added, and relies on the
lookup working to not add the same address twice. Net result: a support
ticket opened for each spam email attempt.
Anyway, this is fixable if you can figure out just the right combination
of quotes and backslashes to actually get double quotes into the file:
continue = ${run{SHELL -c 'echo \\\"$sender_host_address\\\"
>>$spool_directory/blocked_relay_ips; \
(and FWIW, the BlockCracking page above makes exactly the same mistake
in the code to resist brute-forcing of SMTP AUTH credentials)
My question: is there a better way to add entries to a file like this?
It would be very helpful if there was something that could add keys and
values to such a file, take care of the escaping for you, and avoid any
risks from including potentially user-supplied data in a command line.
Paul
