[SA-exim] Klezmail with forged envelope

Tim Jackson lists at timj.co.uk
Tue Apr 6 23:30:42 PDT 2004


Hi Rick, on Mon, 5 Apr 2004 12:37:28 -0700 you wrote:

> It would seem ignominious to have to run a scanner for MS-Windows
> malware:  I have no clueless-weenie, responsibility-allergic desktop
> users I need to protect from themselves.  

My feelings precisely, way back when I first started looking into all this
stuff (though things have since changed). But back then I decided that
although it may not harm me, the fact is that there *are* viruses around
and I don't want the junk in my inbox - it may not hurt but it's as bad as
spam. Since ClamAV was/is free, and easy to integrate, I decided to do it.
It's been useful, and kept out lots of junk. And it's probably less hassle
than crafting your own ACL rules/system filters (such as that which
started the thread) to reject particularly annoying viruses, since ClamAV
is fairly low maintenance (thanks to the great guys who do a fantastic job
of keeping it up to date, and the automatic "freshclam" updater).

(Of course, a virus scanner won't stop the endless array of "you sent us a
virus" messages and similar bounces - like the one which started this
thread - which is why I started maintaining a SpamAssassin rule list,
which works beautifully with SA-Exim, to keep that kind of junk away -
http://www.timj.co.uk/linux/bogus-virus-warnings.cf if you're interested)

> It should be possible to 55x-reject mail with forged envelope headers at
> SMTP time using Exim4 alone, I would think.

There certainly is a lot you can do with just Exim to reject viruses; if
mail doesn't originate from anywhere else (including mailing lists that
might not rewrite the env sender, bear in mind) then you can of course
reject mails with your own env sender as "fake". Even without that, these
days fairly little viral stuff reaches my ClamAV daemon by the time it's
been through various tests; the obvious ones being:

- reject your own domain name(s) given in remote HELOs (this catches a lot
  of recent viral junk)

- use Exiscan to block "bad" extensions

Those alone clean up a lot of rubbish.


Tim
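The three Exim-side checks Tim lists (reject our own domain names in a remote HELO, treat mail from outside that carries our own envelope sender as forged, and use Exiscan to refuse "bad" attachment extensions) as one ACL fragment. This is an added example, not code from Tim's post or from the SA-Exim project; it assumes the conventional named lists +local_domains and +relay_from_hosts and an Exiscan-patched Exim 4 (the demime condition is the Exiscan-era one; later Exim releases dropped it in favour of the MIME ACL):

```exim
# Added example (not from the post): Exim 4 ACL fragments for the checks
# described above. Assumes +local_domains and +relay_from_hosts exist and
# that Exiscan (or Exim content scanning) provides the "demime" condition.

# 1. RCPT ACL (acl_smtp_rcpt = acl_check_rcpt)
acl_check_rcpt:

  # Local submission and hosts we relay for may legitimately use our names.
  accept  hosts = : +relay_from_hosts

  # Remote host says HELO with one of our own domains: reject the recipient.
  deny    message   = HELO name $sender_helo_name is one of our own domains
          condition = ${if match_domain{$sender_helo_name}{+local_domains}{yes}{no}}

  # 2. Envelope sender is one of our domains, yet the connection is neither
  #    from a relay host nor authenticated: treat it as forged.
  #    Caveat from the post: only safe when nothing else (e.g. mailing lists
  #    that do not rewrite the envelope sender) legitimately sends from
  #    outside with your envelope sender. Bounces (empty sender) never match.
  deny    message        = envelope sender $sender_address claims to be local
          !authenticated = *
          condition      = ${if match_domain{$sender_address_domain}{+local_domains}{yes}{no}}

  accept  domains = +local_domains
  deny    message = relay not permitted

# 3. DATA ACL (acl_smtp_data = acl_check_data): Exiscan's demime condition
#    rejects listed attachment extensions before any AV scan is needed.
acl_check_data:

  deny    message = attachments with extension $found_extension are not accepted
          demime  = com:exe:pif:scr:bat:vbs

  accept
```

The HELO and envelope-sender checks are both exempted for +relay_from_hosts and (for the sender check) for authenticated sessions, so roaming users submitting through the server are unaffected; the extension list is a starting point and should match whatever you actually see bouncing off the ClamAV daemon.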


