Re: [exim] Ideas for blocking addresses with quotation marks…

Góra strony
Delete this message
Reply to this message
Autor: Daryl Richards
Data:  
Dla: exim-users
Temat: Re: [exim] Ideas for blocking addresses with quotation marks in them?
On 2022-12-26 7:58 p.m., Jarland Donnell via Exim-users wrote:
> Hey friends,
>
> I'e been getting some weird spam/virus email that seems to be causing an
> unexpected result with exim. I'll show you what I'm seeing, and I'm
> wondering if anyone has any ideas on how I can ACL out email addresses
> that actually have quotations in their envelope sender address as a
> result. I added [breakforfilters] in parts of the log that might
> rightfully trigger spam filters for list users.
>
> 2022-12-26 18:20:59 1p9s5q-0007aL-2S <=
> ""@???[breakforfilters]ineamarket.com
> H=server12.sistemthflineamarket.com [91.234[breakforfilters].198.105]
> P=esmtps X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=no S=9286
> id=20221226182019.B64DB27DEC@???[breakforfilters]ineamarket.com T="Facturacion Electricidad Automatica 42267" from <""@???[breakforfilters]hflineamarket.com> for spot@???
> 2022-12-26 18:20:59 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc
> 1p9s5q-0007aL-2S
> 2022-12-26 18:20:59 1p9s5q-0007aL-2S => me <recipient_censored>
> F=<""@???> R=virtual_user_unseen
> T=dovecot_lmtp_udp S=9559 C="250 2.0.0 <recipient_censored>
> IMDDBgvmqWPNRQAA0ZZHbw Saved"
> 2022-12-26 18:20:59 1p9s5q-0007aL-2S SIGSEGV (fault address: (nil))
> 2022-12-26 18:20:59 1p9s5q-0007aL-2S SIGSEGV (null pointer indirection)
> 2022-12-26 18:20:59 1p9s5q-0007aL-2S SIGSEGV (  776 delivering
> 1p9s5q-0007aL-2S
>
> The full headers: https://clbin.com/4KsO4
>
> The email was delivered by Dovecot but exim keeps the email in it's
> queue, and just keeps spitting out this part until it reaches the end of
> retry times or I remove it:
>
> 2022-12-26 18:20:59 1p9s5q-0007aL-2S SIGSEGV (fault address: (nil))
> 2022-12-26 18:20:59 1p9s5q-0007aL-2S SIGSEGV (null pointer indirection)
> 2022-12-26 18:20:59 1p9s5q-0007aL-2S SIGSEGV (  776 delivering
> 1p9s5q-0007aL-2S
>
> That doesn't seem good. I welcome any thoughts on the subject.
>


Great pointers in the thread about ways to filter these - but the fact
that is causes a null pointer deference is not good. I've been seeing
crashing processes on my server the last few days and it would seem to
be caused by the same double quote senders..

Perhaps time to file a bug?