[exim] No MAIL verb before RCPT

Top Page
This message is part of the following thread:
M\the complete thread tree sorted by date
MM 
MMMike Brudenell at ->
Delete this message
Reply to this message
Author: Phillip Carroll
Date:  
To: exim-users
Subject: [exim] No MAIL verb before RCPT
Hi all,

A fairly exhaustive search of past logs revealed that almost all
non-spamming hosts have helo/ehlo that match the host domain in at least
the top two domain levels. On the other hand, the vast majority of fake
hosts fail the criterion.

Just to be clear:
These match:
host = whatever.mta1.example.com
helo = something.mta2.example.com

These do not match:
host = whatever.mta1.crooksRus.net
helo = whatever.mta1.amazon.com

A whitelist file of wild-carded host domains was set up to accept the
tiny few "good guys" that fail the criterion. A following test was added
in the MAIL time ACL to DENY if the last two host domain components fail
to match with the helo. Also in the MAIL ACL are a variety of other host
tests including ZEN.

The problem is that some (very small) number of bad actors are managing
to get by all of the MAIL time tests. A recent example:

HOST = 47-48-213-250.static.gwnt.ga.charter.com
HELO = amazon-sales.com
The email received from this joker purports to be an acknowledgment by
Amazon that "Your Amazon Order has Shipped", the order being a very
expensive retail iPhone. (No doubt hoping to cause someone a panic
attack and accompanying brain freeze) A convenient link to "Amazon" of
course actually links to a site with a Chilean TLD that certainly has no
connection to Amazon, but surely does have an unpleasant surprise for
the innocent that clicks the link. (The latter actually makes no logical
sense to me, in that the whole point of checking at MAIL time is to
avoid redundant checking (particularly redundant conversations with DNS
and ZEN) in case of multiple recipients.)

Although the number of these is small, the example is precisely the kind
of emails my MAIL ACL checking was intended to deny.

The only way that I can see that the tests are being bypassed is that
the host is going straight from connection to RCPT, with no MAIL verb. I
can find no example in my logs of any "good" host that jumps to RCPT
without MAIL.

Some questions:
Should my mta deny RCPT from any host that did not send a MAIL verb? Is
that sequence even permitted by RFC? Even if not RFC-permitted, is it
fairly common practice (other than by bad actors)? Should I repeat all
the MAIL tests in the RCPT ACL, or simply move all the tests to the RCPT
ACL? It appears that the sample conf file avoids this issue by having no
MAIL time checking at all. However, checking at MAIL time avoids
redundant conversations with DNS and ZEN in the case of multiple
recipients. Seemed to me the logical place for it.

Phil Carroll

This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] Please check for SSL transport errorsRe: [exim] No MAIL verb before RCPT->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)