[SA-exim] Klezmail with forged envelope

Rick Moen rick at linuxmafia.com
Tue Apr 6 14:11:18 PDT 2004


Quoting Marc MERLIN (marc at merlins.org):

> Mmmh, this sounds more like a job for exiscan-acl, which you have in
> exim-daemon-heavy in debian.

OK, I've now ditched exim4-daemon-light in favour of exim4-daemon-heavy
(without breakage), and will be glad to Read The Fine Docs to write
whatever rulesets are required, but was hoping that this was a
bog-standard problem with a bog-standard fix that someone would refer me
to.  (Yes, I'm being lazy.)

> You could write SA rules to force virus Emails to be found as spam and
> rejected, but exiscan-acl would just do a better job by default.

Obviously default isn't _quite_ to be understood literally, here, since
I've just received the following (below).

I suspect you mean I should go study
/usr/share/doc/exim4-daemon-heavy/exiscan-acl-examples.txt.gz
/usr/share/doc/exim4-daemon-heavy/exiscan-acl-spec.txt.gz
...right?  ;->


From MAILER-DAEMON Tue Apr 06 12:59:41 2004
Return-path: <>
Envelope-to: abuse at gov.us
Delivery-date: Tue, 06 Apr 2004 12:59:41 -0700
Received: from Debian-exim by linuxmafia.com with local (Exim 4.30 #1)
        id 1BAwjV-0002hf-N3
        for <abuse at gov.us>; Tue, 06 Apr 2004 12:59:41 -0700
X-Failed-Recipients: rick at linuxmafia.com
Auto-Submitted: auto-generated
From: Mail Delivery System <Mailer-Daemon at linuxmafia.com>
To: abuse at gov.us
Subject: Mail delivery failed: returning message to sender
Message-Id: <E1BAwjV-0002hf-N3 at linuxmafia.com>
Date: Tue, 06 Apr 2004 12:59:41 -0700
X-SA-Exim-Mail-From:
X-SA-Exim-Scanned: No; SAEximRunCond expanded to false
Lines: 288

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  rick at linuxmafia.com
    This message has been rejected because it has
    a potentially executable attachment "list.scr"
    This form of attachment has been used by
    recent viruses or other malware.
    If you meant to send this file then please
    package it up as a zip file and resend it.
    If you didn't mean to send this file, and you are
    using microsoft outlook, you are probably infected.
    Please stop using outlook, it is inherently insecure
    and you are generating lots of wasted bandwidth and
    support headaches by using it, and you are jeopardizing
    your files and your data
    Please seriously consider using another mail client

------ This is a copy of the message, including all the headers. ------
------ The body of the message is 40577 characters long; only the first
------ 16384 or so are included here.

Return-path: <abuse at gov.us>
Received: from ppp-66-139-42-48.dsl.tulsok.swbell.net
([66.139.42.48]:1215
+helo=linuxmafia.com)
        by linuxmafia.com with esmtp (Exim 4.30 #1)
        id 1BAwjE-0002hW-05
        for <rick at linuxmafia.com>; Tue, 06 Apr 2004 12:59:24 -0700
From: abuse at gov.us
To: rick at linuxmafia.com
Date: Tue, 6 Apr 2004 14:59:24 -0500
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-SA-Exim-Mail-From: abuse at gov.us
Subject: Internet Provider Abuse
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on 
        uncle-enzo.linuxmafia.com
X-Spam-Level: *********
X-Spam-Status: Yes, hits=9.0 required=5.0
tests=BAYES_50,MICROSOFT_EXECUTABLE,
        MIME_BOUND_NEXTPART,MISSING_MIMEOLE,NO_DNS_FOR_FROM,NO_REAL_NAME,
        PRIORITY_NO_NAME,RAZOR2_CF_RANGE_51_100,RCVD_IN_DYNABLOCK,
        RCVD_IN_SORBS autolearn=no version=2.63
Content-Type: multipart/mixed; boundary="----------=_40730C2D.B10B1EFE"
X-SA-Exim-Version: 3.1 (built Wed Aug 20 09:38:54 PDT 2003)
X-SA-Exim-Scanned: Yes

[snip malware attachment]
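The bounce above went to abuse at gov.us because the rejection happened after linuxmafia.com had already accepted the message (queue id 1BAwjE-0002hW-05), so Exim could only bounce it to the forged Return-path. What exiscan-acl adds is the ability to refuse the message during the SMTP DATA phase, while the infected host at 66.139.42.48 is still connected; the 550 then goes to that host and no bounce is ever generated. The configuration below is an added example written for this thread, not text from the original post or from the exiscan-acl documentation. It assumes an Exim 4.30 build with the exiscan-acl patch (as in exim4-daemon-heavy), a clamd socket at an assumed path, and placeholder names for the hostlist and the local host name; the demime, malware and acl_smtp_helo hooks are exiscan-acl/Exim features, and the HELO check is added because the worm's Received: line shows it greeting as helo=linuxmafia.com from a DSL address.

```exim
# Added example, not from the original post: exiscan-acl configuration for
# exim4-daemon-heavy (Exim 4.30 + exiscan-acl) that refuses a "list.scr"
# style attachment while the sending host is still connected.  A rejection
# given in the DATA ACL is returned to the client as a 550, so Exim never
# queues the message and never bounces it to the forged Return-path.
# Assumptions (placeholders): the clamd socket path, the hostlist name and
# the local host name linuxmafia.com used in the HELO check.

# ---- main configuration section ----

# Hosts allowed to relay through us; exempted from the forged-HELO check.
hostlist relay_from_hosts = 127.0.0.1

# Virus scanner used by exiscan's "malware" condition (assumed socket path).
av_scanner = clamd:/var/run/clamav/clamd.ctl

# Hook the ACLs into the HELO and DATA phases.  Only the DATA ACL can see
# the message body, so attachment and malware checks belong there.
acl_smtp_helo = acl_check_helo
acl_smtp_data = acl_check_data

# ---- ACL section ----
begin acl

acl_check_helo:
  # The worm greeted with "helo=linuxmafia.com" from a swbell.net DSL line
  # (see the Received: header in the bounce).  A remote host claiming our
  # own name in HELO is lying; refuse it unless it is one of our own clients.
  deny message     = Forged HELO: you are not $sender_helo_name
       log_message = forged HELO $sender_helo_name from $sender_host_address
       hosts       = !+relay_from_hosts
       condition   = ${if eq{${lc:$sender_helo_name}}{linuxmafia.com}{1}{0}}

  accept

acl_check_data:
  # Unpack the MIME structure and refuse any part whose file name carries a
  # Windows-executable extension.  $found_extension names the offender, so
  # the 550 text the sender sees matches what the old bounce used to say.
  deny message     = This message has been rejected because it has a potentially executable attachment ($found_extension)
       log_message = blocked executable attachment ($found_extension)
       demime      = exe:scr:pif:bat:com:vbs:lnk

  # Hand the decoded message to clamd and refuse anything it recognises.
  deny message     = This message contains malware ($malware_name)
       log_message = malware rejected: $malware_name
       malware     = *

  # Everything else continues to SA-Exim's SpamAssassin check and delivery.
  accept
```

Anything denied here is logged with the log_message text and answered with a 550 during the SMTP session; nothing is written to the queue, so there is nothing for Exim to bounce to abuse at gov.us. Checks placed in a system filter or a router run only after acceptance and can do nothing but generate exactly the kind of backscatter shown above.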