[SA-exim] Klezmail with forged envelope

Tim Jackson lists at timj.co.uk
Wed Apr 7 09:46:23 PDT 2004


Hi Rick, on Tue, 6 Apr 2004 21:37:39 -0700 you wrote:

> As far as I can tell, the same SMTP-callout, header-sanity, and
> body-text semantics checks effective against other junkmail should catch
> idiotic mail directly and indirectly resulting from malware.

I'm not so sure. Certainly, some viruses will hit on SA header tests of
various kinds, and callouts etc. may also help. But, at least for SA, it's
intended to catch spam, not viruses (even if to you and me they are pretty
much the same). Bayesian learning will no doubt help, though.
 
> I haven't yet gotten around to writing Exim4 ACLs
> to eliminate arriving-from-elsewhere mail with my own env sender.
<snip>
> Honestly, has nobody on this list yet written and tested such a thing?

Almost certainly. However, they probably wouldn't have thought to post it
anywhere as it's so trivial. If you just want to eliminate your own
sender:

deny message = Mail from $sender_address_domain only originates from here
     sender_domains = example.com

Like I said, this is a little risky though: consider mailing lists,
forwarders, people sending mail to themselves or other users of your
services from unusual locations etc. If you're going to do it, you may
want to whitelist certain hosts or senders, maybe like this:

deny message        = blah
     sender_domains = example.com
     !senders       = some@mailing.list.example.com
     !hosts         = 255.1.2.3
 
> > - reject your own domain name(s) given in remote HELOs
> > - use Exiscan to block "bad" extensions
> Would you do me the favour of posting those, just so I can see a working
> model?  Thanks.

This would probably be better on the main Exim list if you want to
continue the discussion, but here goes:

In the RCPT ACL:

(this assumes you are looking up domains in a DBM file
/etc/exim/local_domains.db; adjust to suit. This is where the Wishlisted
feature to search domainlists in conditions would be useful):

  deny   message        = Forged hostname in HELO: $sender_helo_name
         hosts          = !+relay_from_hosts
         !authenticated = *
         condition      = ${lookup {$sender_helo_name} \
                          dbm{/etc/exim/local_domains.db}{yes}{no}}


In the DATA ACL (this is pretty similar to the default as supplied by
Exiscan when you patch it into Exim):

  # demime is an Exiscan condition; $found_extension holds the matching
  # extension. Nothing may follow the continuation backslashes.
  deny  message     = This message contains an attachment of a type \
                      (.$found_extension) which we do not accept for \
                      security reasons. If it is important that your \
                      attachment gets through, please package it as a \
                      .zip or similar and resend.
        log_message = Blacklisted attachment (type $found_extension) \
                      to $recipients
        demime      = bat:chm:cmd:com:exe:hta:lnk:pif:reg:scr:shs:vbe:vbs

Tim
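The three checks in the message above (own-domain envelope sender with exceptions, a HELO that claims a local domain from an unauthenticated non-relay host, and a blacklisted attachment extension), modelled in plain Python so the all-conditions-must-hold semantics of an Exim `deny` can be exercised offline. This is an added example and is not code from the original post, from Exim or from Exiscan. The host addresses, domain names, sender addresses and the MIME message are constructed placeholders; exempting the relay hosts and authenticated clients from the sender check goes beyond the post's rule, which lists only one host and one sender, and the extension scan is a rough stand-in for what demime does, not a reimplementation of it.

```python
"""Model of three Exim ACL checks (added example, not Exim or Exiscan code)."""
import email
import os
from dataclasses import dataclass, field
from email import policy
from email.message import EmailMessage

# Constructed placeholders standing in for the real site configuration.
LOCAL_DOMAINS = {"example.com"}
RELAY_FROM_HOSTS = {"192.0.2.10"}            # our own relay box
WHITELIST_SENDERS = {"some@mailing.list.example.com"}
WHITELIST_HOSTS = RELAY_FROM_HOSTS | {"203.0.113.3"}
BAD_EXTENSIONS = set("bat:chm:cmd:com:exe:hta:lnk:pif:reg:scr:shs:vbe:vbs".split(":"))


@dataclass
class Session:
    host: str                        # connecting IP address
    helo: str                        # name given in HELO/EHLO
    sender: str                      # envelope sender (MAIL FROM), "" for bounces
    authenticated: bool = False      # SMTP AUTH succeeded
    recipients: list = field(default_factory=list)


def sender_domain(addr):
    """Equivalent of $sender_address_domain; empty for the null sender."""
    return addr.rpartition("@")[2].lower()


def forged_sender(s):
    """deny ... sender_domains = example.com / !senders = ... / !hosts = ...
    Every condition must be true for the deny to fire, so each negated
    condition acts as an exception. Relay hosts and authenticated clients
    are exempted here as well (an addition to the post's rule)."""
    return (sender_domain(s.sender) in LOCAL_DOMAINS
            and s.sender.lower() not in WHITELIST_SENDERS
            and s.host not in WHITELIST_HOSTS
            and not s.authenticated)


def forged_helo(s):
    """deny ... hosts = !+relay_from_hosts / !authenticated = * / condition = lookup."""
    return (s.host not in RELAY_FROM_HOSTS
            and not s.authenticated
            and s.helo.lower() in LOCAL_DOMAINS)


def attachment_extensions(raw):
    """Lower-cased final extension of every MIME part carrying a filename.
    Only the last extension counts, so 'invoice.pdf.exe' yields 'exe'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    exts = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            ext = os.path.splitext(name)[1].lstrip(".").lower()
            if ext:
                exts.append(ext)
    return exts


def blacklisted_attachment(raw):
    """First blacklisted extension found, like $found_extension, else None."""
    found = [e for e in attachment_extensions(raw) if e in BAD_EXTENSIONS]
    return found[0] if found else None


def rcpt_acl(s):
    """The two RCPT-time checks; the first matching deny wins."""
    if forged_helo(s):
        return f"550 Forged hostname in HELO: {s.helo}"
    if forged_sender(s):
        return f"550 Mail from {sender_domain(s.sender)} only originates from here"
    return "250 OK"


def data_acl(raw):
    """The DATA-time attachment check."""
    ext = blacklisted_attachment(raw)
    if ext:
        return f"550 attachment type .{ext} not accepted"
    return "250 OK"


def build_message(filename, payload=b"MZ\x90\x00 constructed, not a real binary"):
    """Constructed test message with one attachment of the given name."""
    m = EmailMessage()
    m["From"] = "victim@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Re: your document"
    m.set_content("See attached.")
    m.add_attachment(payload, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(rcpt_acl(Session("198.51.100.7", "example.com", "bob@elsewhere.test")))
    print(rcpt_acl(Session("198.51.100.7", "mx.elsewhere.test", "alice@example.com")))
    print(rcpt_acl(Session("203.0.113.3", "mx.elsewhere.test", "alice@example.com")))
    print(data_acl(build_message("invoice.pdf.exe")))
```

The sessions in the `__main__` block show the two RCPT denies firing on a forged HELO and on an outside host using a local envelope sender, then the same sender being accepted from a whitelisted host; the final line shows the double-extension trick being caught by the DATA check because only the last extension is considered.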
