Terry Calie wrote:
> 
>>
>>>> After all, this access control is happening after the DATA section, so all
>>>> the info is there, right?
>>
>> *After* the data section is too late if you wish to avoid backscatter 
>> bounces.
>>
> 
> Not sure I understand this response.  Why is it too late?  The DATA 
> hasn't received a response yet, correct?  So my server could still issue 
> a 5xx based on my data ACL's and not create a bounce, right?
> 

So long as you are still *IN* 'DATA' and have not done an 'accept' yet, yes.


'fakereject' is technically a violation of the standard, and should be used 
sparingly, and with due care and attention to what it does, ELSE not at all.


Ex: The acl and error message we issue if/as/when we use it:
  (watch out for MUA linewrap, as the 'CONTROL' is all on one line in 
production):


# DATA_SCAN_14A: Accept with 'fakereject' IF most-paranoid OF recipients
# would reject but least-paranoid of the recipients would accept.
#
accept
        condition       = ${if >{${eval:$acl_m18}}{${eval:$acl_m5}}{1}{0}}
        control         = fakereject/HAS BEEN DELIVERED, but marked as Spam \
                          so MIGHT NOT BE READ!

        logwrite        = DS14A Fake Rejected

Even so, not all senders will have bothered to read the 'message' when they get 
the rejection.

FWIW, in this example, acl_m18 and acl_m5 are carrying the MIN and MAX 
per-recipient cumulative 'demerit' score threshold integers.

Determining those for any given group of recipients is a slightly more complex 
bit of acl math that is not needed for singleton arrivals.

CAVEAT: Using the same policy for all members of a given domain is far simpler, 
as traffic can be expected to be grouped per-domain on arrival, hence all have 
the same threshold integer - if that is the policy....

> 
> 
>> True - but a copy is 'in hand' WEF the DATA phase. 'fakereject' is the 
>> tool.
> searching the web seems this is not default in Exim but is part of an 
> 'exiscan' patch.  Ohhhhh.... I've never applied a patch before :(
>

That sounds like stale info. Very stale!

'Exiscan' has been integral to Exim for a very long time now. No patching 
needed.

HTH,

Bill

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
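
Added example (not part of the message above and not the poster's production config): one way to keep the per-recipient MIN/MAX thresholds at RCPT time and then choose between a real 5xx, a 'fakereject' and a plain accept while still inside DATA. The variable names acl_m_thr, acl_m_min, acl_m_max and acl_m_score, the threshold file path and the default of 50 are all assumptions; acl_m_score is assumed to be set by earlier scanning statements in the DATA ACL.

```exim
# --- fragment for the ACL named by acl_smtp_rcpt ---
# Place after the checks that can deny the recipient, so that only
# recipients that will actually be accepted contribute a threshold.

  # Hypothetical lookup: per-address threshold, default 50 if not listed.
  warn  set acl_m_thr = ${lookup{$local_part@$domain}lsearch{/etc/exim/spam_thresholds}{$value}{50}}

  # Lowest threshold so far = most-paranoid recipient.
  warn  condition = ${if or{{!def:acl_m_min}{<{$acl_m_thr}{$acl_m_min}}}}
        set acl_m_min = $acl_m_thr

  # Highest threshold so far = least-paranoid recipient.
  warn  condition = ${if or{{!def:acl_m_max}{>{$acl_m_thr}{$acl_m_max}}}}
        set acl_m_max = $acl_m_thr

# --- fragment for the ACL named by acl_smtp_data ---
# Assumes $acl_m_score already holds the cumulative score for this message.

  # Every recipient would reject: answer DATA with a real 5xx.
  # Nothing has been accepted, so this host never has to generate a bounce.
  deny    message   = Rejected as spam
          condition = ${if >{$acl_m_score}{$acl_m_max}}

  # Mixed verdict: at least one recipient would reject, at least one would
  # accept. Deliver the message, but tell the sender it may not be read.
  accept  condition = ${if >{$acl_m_score}{$acl_m_min}}
          control   = fakereject/HAS BEEN DELIVERED, but marked as Spam so MIGHT NOT BE READ!
          logwrite  = Fake rejected: score=$acl_m_score min=$acl_m_min max=$acl_m_max

  # No recipient would reject.
  accept
```

acl_m variables are reset for each message, so the MIN/MAX pair starts empty on every new MAIL FROM.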
