[SA-exim] SA-Exim Header Question

Marc MERLIN marc at merlins.org
Thu Mar 20 16:08:13 2003


On Thu, Mar 20, 2003 at 10:03:14AM -0500, Jeff Clark wrote:
> it got me wondering how this all works.  I know people on the list have
> raised the concern about what would happen if a spammer put those headers in
> their messages.  One suggestion I saw was to, in the sa-exim conf file, set
> these headers to something non-guessable.  I'm sure this would work but I'm

Right.

> a little confused as to why this is needed.  That is, I thought SA-Exim was
> supposed to strip all X-SA headers before scanning the message anyway?  From
> the v 2.2 Changelog: "Now strips any X-SA-Exim-* headers already present in
> the message before scanning it."  Furthermore, I was under the impression

Right, X-SA-Exim-*, not X-SA-Do-Not-Run.
X-SA-Do-Not-Run is left in because for incoming mail, you want to be able to
have a record that the mail didn't get scanned if it's spam.
Also, if you had X-SA-Do-Not-Run: Yes, well, SA-Exim doesn't get run, so it
can't remove the headers now, can it? :)

But SA-Exim can't really know if X-SA-Do-Not-Run was added by your ACLs
or was injected into the mail before it hit your system.

> from looking at the sample exim.conf on Marc's site that another way to
> handle this was to have exim strip off any X-SA headers on incoming smtp
> messages with:
> 
> headers_remove = "X-SA-Do-Not-Run:X-SA-Exim-Scanned"
> in the remote_smtp: transport
 
Yes, but you don't want to strip this on incoming mail as much as you want
to strip it on mail that leaves your system.
(ah, I see what you mean, I mean on incoming mail after it went through your
ACLs and SA-Exim, so that you know when a mail ends up in a mailbox whether
it was received or not)
 
> But doing this only seems to remove these headers in outgoing smtp mail, not
> in incoming smtp mail.  

Absolutely, that was the idea.

> So this wouldn't seem to prevent a spammer from entering a X-SA-Do-Not...
> header and fooling sa-exim.
 
Correct.
For now, if this becomes a problem you can rename the header to anything
you want.
Note too that if you are correctly configured, you are not going to leak
that header out of your system, so this shouldn't be a big problem.

What you want to do is remove arbitrary headers in exim's rcpt_to ACL, and I
don't quite remember if you can do that.
I'm sure Philip could add the feature if it's not there and you ask him.
 
> Could someone please explain what the best way to prevent spammers from
> fooling sa-exim with forged X-SA-Do-No headers is?  And also dispel any

Call the header something else if you are worried.

> misconceptions I have about how any of the above mechanisms work?  Thanks!
> :)

Hopefully I just did.

Cheers,
Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/   |   Finger marc_f@merlins.org for PGP key
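The header-trust problem discussed in the thread, as an added example that is not code from SA-Exim, Exim or the list: a small Python model in which X-SA-Exim-* headers and the skip marker are dropped at receipt, before the site's own ACLs act, showing that a forged inbound "X-SA-Do-Not-Run: Yes" would otherwise skip the scan, and that renaming the marker (the other suggestion above) also defeats a forged default name. The sample message, the renamed marker and the function names are constructed for this example.

```python
"""Model of the SA-Exim marker-header trust issue (added example, not
SA-Exim's or Exim's own code).  Assumption: only headers added after the
mail entered our system are trustworthy, so everything SA-related that
arrives from outside is stripped first."""
import email
from email import policy

# Default marker name from the thread; a site may rename it in the
# sa-exim config (simulated here by passing a different `marker`).
DEFAULT_MARKER = "X-SA-Do-Not-Run"


def strip_untrusted_sa_headers(raw: bytes, marker: str = DEFAULT_MARKER):
    """Emulate the 'strip at receipt' step: drop every X-SA-Exim-* header
    (what SA-Exim 2.2 already does itself) and any pre-existing marker
    header, so only headers added by our own ACLs survive."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for name in list(msg.keys()):          # del removes all occurrences
        lname = name.lower()
        if lname.startswith("x-sa-exim-") or lname == marker.lower():
            del msg[name]
    return msg


def sa_exim_would_run(msg, marker: str = DEFAULT_MARKER) -> bool:
    """SA-Exim skips the scan when the marker header is present with 'Yes'."""
    return str(msg.get(marker, "")).strip().lower() != "yes"


# Constructed sample: a message that arrives with the marker already forged.
FORGED = (
    b"From: someone@example.invalid\r\n"
    b"To: user@example.invalid\r\n"
    b"X-SA-Do-Not-Run: Yes\r\n"
    b"X-SA-Exim-Scanned: Yes (on mx.example.invalid)\r\n"
    b"Subject: test\r\n\r\nbody\r\n"
)


def demo() -> dict:
    """Compare the three handling options from the thread on FORGED."""
    unstripped = email.message_from_bytes(FORGED, policy=policy.default)
    stripped = strip_untrusted_sa_headers(FORGED)
    return {
        "bypass_without_strip": not sa_exim_would_run(unstripped),
        "scanned_after_strip": sa_exim_would_run(stripped),
        # hypothetical non-guessable marker name chosen by the site
        "bypass_with_renamed_marker":
            not sa_exim_would_run(unstripped, "X-Site-Secret-Skip"),
    }
```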
