[exim] heads-up: some spam bots started RCPT flooding
Hi!

Maybe you've already noticed some spam bots trying to deliver spam to exactly 100 recipients in one wash up. They take a list of common user names, add your domain name, and then loop through 100 RCPT TOs per mail. To slow them down you could use the settings smtp_ratelimit_hosts and smtp_ratelimit_rcpt. Be careful not to bother your customers/users with too large delays. Lowering recipients_max is not really feasible as RFC 5321 clearly states a minimum of 100.

ciao
Markus

--
/ Markus Reschke \
\ madi...@theca-tabellaria.de /

--
## subscription configuration (requires account):
##   https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
##   exim-users-unsubscr...@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

[exim] Re: heads-up: some spam bots started RCPT flooding
On Sun, 14 May 2023, Jeremy Harris via Exim-users wrote:

Hi!

> On 14/05/2023 18:56, Markus Reschke via Exim-users wrote:
>> They take a list of common user names, add your domain name, and then
>> loop through 100 RCPT TOs per mail.
>
> An escalating delay per RCPT *reject* isn't hard.

I was able to keep each spambot's connection about 6 hours open. >:) The drawback is that you run the same amount of exim processes all that time. So I moved to a simple ACL rule to drop the connection when the first x recipients are rejected:

  drop message   = Too many bad recipients
       condition = ${if and {{>{$rcpt_count}{5}}{=={$recipients_count}{0}}}{yes}{no}}

ciao
Markus

[exim] Re: heads-up: some spam bots started RCPT flooding
Hi!

On 2023-05-20 01:20, James via Exim-users wrote:

> I use:
>
>   condition = ${if and {{>{$rcpt_count}{2}}{>{${eval:$rcpt_count-$recipients_count}}{2}}}{yes}{no}}

Nice refinement!

On Sun, 21 May 2023, Alexander Carver via Exim-users wrote:

> Which of the ACLs should this actually be in? I tried (though I may have made typos) each of check_mail, check_rcpt, and check_data but it didn't trigger at all.

Should be one of the first rules in check_rcpt to stop the RCPT flooding, as check_rcpt is run for each RCPT TO.

ciao
Markus

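
The two drop conditions quoted in this thread, replayed over constructed RCPT sequences to show at which command each one ends the session. This is an added example, not code from the list posts; it assumes that in the RCPT ACL $rcpt_count includes the current command and $recipients_count is the number of recipients accepted so far, and every address in it is made up.

```python
# Added illustration, not Exim code. Assumption: in the RCPT ACL,
# $rcpt_count includes the current RCPT command and $recipients_count
# is the number of recipients accepted so far in this message.

def drop_if_none_accepted(rcpt_count, recipients_count):
    # ${if and {{>{$rcpt_count}{5}}{=={$recipients_count}{0}}}{yes}{no}}
    return rcpt_count > 5 and recipients_count == 0

def drop_if_rejects_exceed(rcpt_count, recipients_count):
    # ${if and {{>{$rcpt_count}{2}}
    #          {>{${eval:$rcpt_count-$recipients_count}}{2}}}{yes}{no}}
    return rcpt_count > 2 and (rcpt_count - recipients_count) > 2

def simulate(rule, rcpts, valid_users):
    """Replay RCPT commands with the drop rule placed first in check_rcpt.

    Returns (dropped_at, accepted, rejected); dropped_at is the number of
    the RCPT command that triggered the drop, or None if none did.
    """
    accepted = rejected = 0
    for rcpt_count, local_part in enumerate(rcpts, start=1):
        if rule(rcpt_count, accepted):
            return rcpt_count, accepted, rejected
        if local_part in valid_users:
            accepted += 1
        else:
            rejected += 1
    return None, accepted, rejected

# Constructed sample data: local parts only, all names are made up.
VALID = {"alice", "bob", "carol", "info"}
SESSIONS = {
    "flood, no hit": [f"user{i}" for i in range(100)],
    "flood, one hit": ["admin", "info"] + [f"user{i}" for i in range(98)],
    "legit": ["alice", "bob", "carol"],
    "legit, two typos": ["alice", "bbo", "carol", "crol", "bob"],
}
RULES = {"none_accepted": drop_if_none_accepted,
         "reject_count": drop_if_rejects_exceed}

def compare():
    """Map session name -> {rule name: (dropped_at, accepted, rejected)}."""
    return {name: {r: simulate(fn, rcpts, VALID) for r, fn in RULES.items()}
            for name, rcpts in SESSIONS.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:18} {result}")
```

Under these assumptions the second condition also ends a session on the command after a second mistyped recipient, which is worth weighing when choosing the thresholds.
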
[exim] Re: Unexpected 're-routed to' in require verify = recipient?
On Wed, 24 May 2023, Sander Smeenk via Exim-users wrote:

Hi!

> Indeed it seems to be related to CNAME chains like in your situation and the ones discussed before this.

Same here:

$ exim -bt i...@email.postcodeloterij.nl
i...@postcodeloterij.slgnt.eu
    <-- i...@email.postcodeloterij.nl
  router = dns_lookup, transport = remote_smtp
  host mx1.slgnt.eu [194.213.114.251] MX=10

$ host -t MX email.postcodeloterij.nl
email.postcodeloterij.nl is an alias for postcodeloterij.slgnt.eu.
postcodeloterij.slgnt.eu is an alias for postcodeloterij.slgnt.eu.cdn.cloudflare.net.
postcodeloterij.slgnt.eu.cdn.cloudflare.net mail is handled by 10 mx1.slgnt.eu.

And addressed to the first CNAME:

$ exim -bt i...@postcodeloterij.slgnt.eu
i...@postcodeloterij.slgnt.eu
  router = dns_lookup, transport = remote_smtp
  host mx1.slgnt.eu [194.213.114.251] MX=10

ciao
Markus

[exim] Re: Completely remove any name in From: header for inbound email?
Hello Sebastian!

On Fri, 26 May 2023, Sebastian Arcus via Exim-users wrote:

> Hello. As so many scams around are based on impersonating someone inside the company, I am wondering if anyone here has considered the more extreme solution of completely removing any name in the From: header for incoming emails? I already have SPF/DKIM/DMARC in place, so the scammers can't actually impersonate the sending email address, but they keep on using the names of people with positions high up in the company. The risks of falling for such emails are much reduced at this stage, but now I'm wondering if the next step would be to just strip all names in the From: field altogether and just leave the email address? Can Exim do that, and has anyone considered it?

Have you heard of IDNs (domain names with unicode characters)? For example, your domain is company.com and the bad guy registers c<unicode character looking like an o>mpany.com. Then he sets up SPF/DKIM/DMARC for that domain and sends you an email. Could you tell just from the email address if it's from your CEO or a scammer?

Removing the names to force users to look at the email address can help to lower the risk of falling for less sophisticated scams, but it wouldn't work for more professional frauds.

ciao
Markus

[exim] Re: Tackling Bot Blasts
Hi Slavko!

On Mon, 29 May 2023, Slavko via Exim-users wrote:

> Anyway, that must be enough:
>
>   condition = $host_lookup_failed

or:

  !verify = reverse_host_lookup

ciao
Markus

[exim] Re: tainted uux transport
Hi Randy!

On Mon, 31 Jul 2023, Randy Bush via Exim-users wrote:

> force_uucp:
>   driver = manualroute
>   domains = ! +local_domains
>   route_data = ${lookup{$domain}partial-lsearch{/usr/local/etc/exim/ro.uucp}}

In case you can't create a list of known domains, e.g. when routing to a UUCP smarthost, this might help: https://jimbobmcgee.wordpress.com/2020/07/29/de-tainting-exim-configuration-variables/

> randy, who may be the last uucp dinosaur

Another one over here. :)

ciao
Markus

[exim] Re: List headers [Was: DKIM does not work]
Hi!

I'm also looking into optimizing my DKIM configuration, especially which headers to sign. Unfortunately, DMARC reports tell you only that the DKIM verification failed but not why. The default for dkim_sign_headers doesn't work well for me.

On Mon, 23 Oct 2023, Andreas Metzler via Exim-users wrote:

> I think it depends on which the header would be added. Some additions should be allowed.
>
> Exim's default setting for dkim_sign_headers is extremely conservative and imho does not make sense. I had tried to discuss this in https://bugs.exim.org/show_bug.cgi?id=2394. I personally am using
>
> +From:+Sender:+Reply-To:+Subject:+Date:+Message-ID:+To:+Cc:+MIME-Version:+Content-Type:+Content-Transfer-Encoding:+Content-ID:+Content-Description:=Resent-Date:=Resent-From:=Resent-Sender:=Resent-To:=Resent-Cc:=Resent-Message-ID:+In-Reply-To:+References:=List-Id:=List-Help:=List-Post
>
> I am sure this set is not perfect and I have missed something, though.

There are some changes between the RFCs:

RFC4871, Section 5.5., Recommended Signature Content

   The following header fields SHOULD be included in the signature, if
   they are present in the message being signed:

   o  From (REQUIRED in all signatures)
   o  Sender, Reply-To
   o  Subject
   o  Date, Message-ID
   o  To, Cc
   o  MIME-Version
   o  Content-Type, Content-Transfer-Encoding, Content-ID,
      Content-Description
   o  Resent-Date, Resent-From, Resent-Sender, Resent-To, Resent-Cc,
      Resent-Message-ID
   o  In-Reply-To, References
   o  List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post,
      List-Owner, List-Archive

RFC6376, Section 5.4.1, Recommended Signature Content

   o  From (REQUIRED; see Section 5.4)
   o  Reply-To
   o  Subject
   o  Date
   o  To, Cc
   o  Resent-Date, Resent-From, Resent-To, Resent-Cc
   o  In-Reply-To, References
   o  List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post,
      List-Owner, List-Archive

Wouldn't it make sense to update the default for dkim_sign_headers accordingly?

Anyway, I'll try RFC6376's recommended headers and hope it will decrease my DKIM verification issues.

ciao
Markus

[exim] Re: List headers [Was: DKIM does not work]
Hi!

On Mon, 23 Oct 2023, Andrew C Aitchison via Exim-users wrote:

> I believe that the default for dkim_sign_headers should have '=' at least for each of the List-* headers, as Andreas has done.

Yes, that would be reasonable.

BTW, RFC6376 comes with inconsistencies about the headers to sign. In section 5.4. 'Determine the Header Fields to Sign' it notes:

   INFORMATIVE OPERATIONS NOTE: The choice of which header fields to
   sign is non-obvious. One strategy is to sign all existing,
   non-repeatable header fields. An alternative strategy is to sign
   only header fields that are likely to be displayed to or otherwise
   be likely to affect the processing of the message at the receiver.
   A third strategy is to sign only "well-known" headers. Note that
   Verifiers may treat unsigned header fields with extreme skepticism,
   including refusing to display them to the end user or even ignoring
   the signature if it does not cover certain header fields. For this
   reason, signing fields present in the message such as Date, Subject,
   Reply-To, Sender, and all MIME header fields are highly advised.

But in 5.4.1. it neither lists 'Sender' nor any MIME related headers. And the note above indicates to sign present headers. A lot of leeway on how to interpret the RFC.

ciao
Markus

[exim] Re: List headers [Was: DKIM does not work]
Hi!

On Mon, 23 Oct 2023, Ian Z via Exim-users wrote:

> On Mon, Oct 23, 2023 at 11:51:21AM +0200, Andreas Metzler via Exim-users wrote:
>> Kind of. The RFC has big fat disclaimer that it only provides very rough guidance ("The choice of which header fields to sign is non-obvious.") and is very very thin on details, afaict it does not say a thing about oversigning.
>
> Right, in the sub-section cites it says (lightly paraphrased): The following headers SHOULD be signed *if they are present* in the message. Emph mine. So, like Andreas writes, if they are *not* present, this is vacuous.

When you check out the h tag of the DKIM signature header of the large email services you'll see that they usually have only a few signed headers (less processing load) and some oversign specific headers. E.g. gmail seems to oversign from:to:cc:subject:date:message-id:reply-to, and Yahoo From:Subject:Reply-To.

Based on the DKIM RFCs and the current reality I'd say that exim's default for dkim_sign_headers is simply overkill and we should add a bunch of '=' prefixes, maybe a few '+' for essential headers.

ciao
Markus

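
One way to do the h= check described above: for a single message, list which headers the signature names and which are oversigned, i.e. named in h= more often than they occur in the message. This is an added example, not from the thread; the message, domain, selector and bh=/b= values are constructed placeholders, and no signature is verified.

```python
import re
from collections import Counter
from email import message_from_string

def dkim_tags(value):
    """Parse a DKIM-Signature header value into a {tag: value} dict."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip()] = val.strip()
    return tags

def signed_header_report(raw_message):
    """Compare the h= list of the first DKIM-Signature with the headers present.

    Returns {header name: (times listed in h=, times present, status)}.
    """
    msg = message_from_string(raw_message)
    sig = msg["DKIM-Signature"]
    if sig is None:
        raise ValueError("no DKIM-Signature header")
    # h= may be folded across lines; header names compare case-insensitively.
    h_value = re.sub(r"\s+", "", dkim_tags(sig).get("h", ""))
    listed = Counter(n.lower() for n in h_value.split(":") if n)
    present = Counter(k.lower() for k in msg.keys()
                      if k.lower() != "dkim-signature")
    report = {}
    for name in sorted(set(listed) | set(present)):
        n, m = listed[name], present[name]
        if n == 0:
            status = "unsigned"
        elif n > m:
            status = "oversigned"       # more h= entries than instances
        elif n == m:
            status = "signed"
        else:
            status = "partly signed"    # fewer h= entries than instances
        report[name] = (n, m, status)
    return report

# Constructed sample message; every value in it is a placeholder.
SAMPLE = "\n".join([
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel; c=relaxed/relaxed;",
    " h=From:From:To:Subject:Subject:Date:Reply-To;",
    " bh=PLACEHOLDER; b=PLACEHOLDER",
    "From: Alice <alice@example.org>",
    "To: bob@example.net",
    "Subject: test",
    "Date: Mon, 23 Oct 2023 12:00:00 +0200",
    "Message-ID: <1@example.org>",
    "List-Id: <list.example.org>",
    "",
    "body",
])

if __name__ == "__main__":
    for name, row in signed_header_report(SAMPLE).items():
        print(f"{name:12} {row}")
```
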
[exim] Re: Destination address in a transport
Hi!

On Thu, 26 Oct 2023, Thomas Andrews via Exim-users wrote:

> The destination address could be g...@wimzail.org or anything - ie I have no way to de-taint it as it is not a local address. Therefore using $local_part and $domain is not an option. What are my other options? (By the way, it doesn't actually matter if the destination address is tainted in my case - the external program my_proggie will deal with that.)

There are two solutions available. One is a dirty hack (https://jimbobmcgee.wordpress.com/2020/07/29/de-tainting-exim-configuration-variables/) which can be set up within exim. And the other one is a wrapper which uses the environment variables set by exim when run. The env variables include the recipient's email address. This way the wrapper is called without any tainted variables, exim is happy, and the wrapper still gets the recipient's email address.

ciao
Markus

[exim] Re: detainting a sender address in a router/transport
Hello Jürgen!

On Fri, 29 Dec 2023, Jürgen Edner via Exim-users wrote:

> I've now spent several hours to read through all kind of Exim documentation and mailing list postings, to find-out how to fix my specific router/transport configuration to get rid of tainted data, without success.
>
> print_transport:
>   driver = pipe
>   command = /usr/bin/mail2print -sender "$sender_address" -queue "$local_part"

Since you're already running a script you could drop the arguments and use the environment variables set by exim in your script. Please see the exim specs document, chapter 'The pipe transport', section 'Environment variables'.

ciao
Markus

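
A sketch of the wrapper approach from this reply and from the "Destination address in a transport" reply before it: the pipe transport's command names only the wrapper, and the wrapper reads SENDER and LOCAL_PART from the environment Exim sets for pipe commands. This is an added example, not from the posts; the queue allow-list and the address pattern are assumptions, while /usr/bin/mail2print and its -sender/-queue options are taken from the quoted configuration.

```python
#!/usr/bin/env python3
"""Hypothetical wrapper called by a pipe transport without any arguments."""
import os
import re
import subprocess
import sys

MAIL2PRINT = "/usr/bin/mail2print"      # program named in the quoted transport
QUEUES = {"laser", "label"}             # assumption: the print queues you run
# Assumption: a conservative address shape. The first character must be
# alphanumeric so a value can never look like an option to mail2print.
ADDR_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]{0,63}@[A-Za-z0-9.-]{1,255}$")

def build_argv(env):
    """Build the mail2print argument vector from the pipe environment.

    The values are still untrusted input: they are validated here and
    ValueError is raised when one does not pass.
    """
    sender = env.get("SENDER", "")          # empty for bounce messages
    queue = env.get("LOCAL_PART", "").lower()
    if sender and not ADDR_RE.match(sender):
        raise ValueError("unexpected sender address")
    if queue not in QUEUES:
        raise ValueError("unknown print queue")
    return [MAIL2PRINT, "-sender", sender, "-queue", queue]

def main():
    try:
        argv = build_argv(os.environ)
    except ValueError as exc:
        print(f"mail2print-wrapper: {exc}", file=sys.stderr)
        return 1                            # non-zero exit reports the failure
    # Argument list, no shell: the values are never parsed as shell syntax.
    # The message on stdin is inherited by mail2print unchanged.
    return subprocess.run(argv).returncode

if __name__ == "__main__":
    sys.exit(main())
```
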
[exim] Re: block_hosts question as it's not working in certain situations
Hi Andy!

On Fri, 25 Apr 2025, Andy Firman via Exim-users wrote:

> My question is, why is the block_hosts not working here?

Usually such a filter is meant to reject emails when a sending MTA listed in the file connects to your MTA, i.e. it will work only for a direct TCP session, not for any header entries. The new SPAM variant uses Google as email provider and circumvents your filter. Simply adding Google to the filter list won't help since there should be also valid email from other gmail users.

BTW, Google Groups (mailing lists) are another source of SPAM. SPAMmers started to misuse that service. It's easy to unsubscribe but the opt-out nature is quite annoying. And Google doesn't care. :(

ciao
Markus

[exim] Re: Proper ACL condition to block failed rDNS lookup
Hi!

On Sat, 7 Jun 2025, AC via Exim-users wrote:

> I want to block any connection that doesn't have a successful rDNS (logs report "no host name found") but searching around results in so many different variants of an ACL rule to do this.

I've got the following in acl_check_rcpt (because I want to log/see the sender and recipient):

  # deny hosts without reverse mapping
  deny    hosts          = !+relay_from_hosts
          !authenticated = *
          message        = Reverse DNS lookup failed for host $sender_host_address.
          !verify        = reverse_host_lookup

ciao
Markus