Help with our postmaster@my.domain being spoofed as a sender address
5 answers

Hi
Having searched the exim mail archives and not found my problem there I
thought of asking the experts.
I am postmaster for a local company mail server (it is running Exim
4.63) that receives its e-mail from our company mail relay which does
the virus checking of the e-mail as it arrives into the company.
We have a lot of e-mail arriving for users that have left the company
and so I created a reject-list file which is checked in the
acl_smtp_rcpt acl so that these e-mails are rejected early which saves
on downloading them and running them through Spamassassin (we use sa-exim).
This works fine for most of this type of spam.
But lately, an increasing percentage of this spam is arriving with the
sender spoofed to be postmaster (AT) my (DOT) domain (i.e. me) and when Exim issues
a deny because the recipient has left I then get an e-mail from the
postmaster of our company mail relay sent to postmaster (AT) my (DOT) domain to
inform me that the e-mail to jbloggs (AT) my (DOT) domain failed because of unknown
user!
How can I reject this type of spam without getting the e-mail from
postmaster of our company mail relay?
Would my only option to stop this happening be to accept these e-mails
(but then I would like to bin it without spam checking it which I'm not
sure is possible when using sa-exim)?
Thanks
Paul McIlfatrick
No.1
OK, these are bounce messages, so they have no sender.
If all outbound email is sent via this server of yours, I would add a rule to
the DATA ACL that checks for your local hostname in the message body if the
sender is null. That way all emails that generated a bounce from your
domain but were not actually sent by you would get rejected.
So something like this might work.

In the RCPT ACL:

  # remember that this message has a null envelope sender, i.e. it is a bounce
  warn  senders   = :
        set acl_m1 = yes

In the DATA ACL:

  # a real bounce for mail we sent quotes our hostname in the returned copy;
  # reject null-sender messages that do not. Note that $message_body only
  # holds the first message_body_visible bytes (default 500), so that option
  # may need raising for the quoted headers to be within range.
  deny  message   = Unsolicited Bounce Detected
        condition = ${if def:acl_m1{1}{0}}
        condition = ${if match{$message_body}{$primary_hostname}{0}{1}}
Regards
Ed St Pierre
On 26/10/06, paul.mcilfatrick (AT) bt (DOT) com <paul.mcilfatrick (AT) bt (DOT) com> wrote:
> [...]
No.2
paul.mcilfatrick (AT) bt (DOT) com wrote:
> [...]
Paul,
your local MTA is doing fine, but your company mail relay needs to do
recipient verification for the domains it is relaying to, instead of
accepting mail for recipients that don't exist. Otherwise you will
always get their collateral spam.
Patrick Eisenacher
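The relay-side fix Patrick describes, written out as an added example (this is not configuration from the thread or from any of its posters). It is a fragment of an Exim configuration for the company relay: the RCPT ACL verifies every recipient of a relayed domain with an SMTP callout to the internal server, so a non-existent user is refused while the spammer is still connected and no bounce is ever created. The domain my.domain, the internal host name mail.internal.my.domain, the host list and the ACL names are assumptions for illustration.

```exim
# Added example (not from the thread): RCPT ACL for the company mail relay,
# verifying each recipient of a relayed domain with an SMTP callout to the
# internal server before accepting it. Domain, internal host name and
# list contents are assumptions for illustration.

domainlist relay_to_domains = my.domain
hostlist   relay_from_hosts = 127.0.0.1 : 10.0.0.0/8

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Our own machines and authenticated clients may relay anywhere.
  accept  hosts         = +relay_from_hosts
  accept  authenticated = *

  # For domains we relay inbound, ask the internal server whether the
  # recipient exists (MAIL FROM:<> / RCPT TO:<user@my.domain> over SMTP,
  # routed via the router below). A 5xx from the internal server becomes
  # a 5xx here, so the sending host gets the rejection and no bounce is
  # generated by us. Results are cached in Exim's callout hints database,
  # so the backend is not probed for every message. Without defer_ok a
  # failed callout gives a 4xx: mail is delayed, never accepted blind.
  deny    message       = Unknown user
          domains       = +relay_to_domains
          !verify       = recipient/callout=30s

  accept  domains       = +relay_to_domains

  deny    message       = relay not permitted

begin routers

# The router that both delivery and recipient callouts use to find the
# internal server for the relayed domain (host name assumed).
internal_mailhost:
  driver     = manualroute
  domains    = +relay_to_domains
  transport  = remote_smtp
  route_data = mail.internal.my.domain

begin transports

remote_smtp:
  driver = smtp
```

This only works because the internal server already rejects unknown recipients at RCPT time, which is exactly what Paul's reject-list check does; a backend that accepts everything and bounces later would make every callout succeed.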
No.3
On 26 Oct 2006 16:43:19 +0200 exim-users (AT) securitects (DOT) com wrote:
> paul.mcilfatrick (AT) bt (DOT) com wrote:
> > [...]
> Paul,
> your local MTA is doing fine, but your company mail relay needs to do
> recipient verification for the domains it is relaying to, instead of
> accepting mail for recipients that don't exist. Otherwise you will
> always get their collateral spam.
That's what he's doing. The collateral spam probably wasn't originally
aimed at his users.
Paul, if you *never* send email from the postmaster address, then you can
safely reject messages with a null sender that are addressed to postmaster -
but do this in the DATA ACL, otherwise you may fall foul of sender
verification callouts.
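Ian's rule and Ed's earlier body check, put together for Paul's local Exim 4.63 as an added example (not configuration posted in the thread). The envelope facts are noted in the RCPT ACL and the rejection happens in the DATA ACL, for the reason Ian gives: a remote site doing sender verification sends MAIL FROM:<> and RCPT TO:<postmaster@my.domain> and never reaches DATA, so it still sees a 250 at RCPT. The domain my.domain, the reject-list path, the ACL names and the acl_m variable assignments are assumptions.

```exim
# Added example (not from the thread): Paul's local Exim 4.63 combining the
# two suggestions above. Domain, file path and variable usage are assumed.
# $message_body holds only the first message_body_visible bytes of the body
# (default 500); bounces quote the original headers some way in, so the
# limit is raised to give the hostname check something to look at.
message_body_visible = 5000

acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data

begin acl

acl_check_rcpt:
  # Remember facts about the envelope for the DATA ACL. Nothing is denied
  # here for null senders: remote sites verifying our addresses send
  # MAIL FROM:<> / RCPT TO:<postmaster@my.domain>, and a 5xx at RCPT
  # would make them conclude our whole domain is bogus.
  warn    senders     = :
          set acl_m1  = bounce

  warn    local_parts = postmaster
          domains     = my.domain
          set acl_m2  = postmaster

  # Paul's existing check for users who have left (file path assumed).
  deny    message     = Unknown user
          domains     = my.domain
          local_parts = lsearch;/etc/exim/reject-list

  accept

acl_check_data:
  # Ian's rule: nothing is ever sent from postmaster@my.domain, so no
  # genuine bounce can be addressed to it. By DATA the whole message has
  # been read, so a callout (which never sends DATA) is unaffected.
  deny    message     = Unsolicited bounce addressed to postmaster
          condition   = ${if eq{$acl_m1}{bounce}}
          condition   = ${if eq{$acl_m2}{postmaster}}

  # Ed's rule: a bounce for mail we really sent quotes our own hostname
  # (Received:/Message-ID: headers) in the returned copy; reject bounces
  # that do not. $primary_hostname is used as a regex, so its dots match
  # any character, which only makes the check slightly looser.
  deny    message     = Unsolicited bounce detected
          condition   = ${if eq{$acl_m1}{bounce}}
          condition   = ${if match{$message_body}{$primary_hostname}{0}{1}}

  accept
```

The first deny is safe only under Ian's premise that postmaster@my.domain never originates mail; the second assumes every legitimate outbound message passes through this host, so that its hostname appears in the headers a real bounce returns.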
No.4
On Thursday 26 October * 15:53:36, Ian Eiloart wrote:
> On 26 Oct 2006 16:43:19 +0200 exim-users (AT) securitects (DOT) com wrote:
> > paul.mcilfatrick (AT) bt (DOT) com wrote:
> > > [...]
> > [...]
> That's what he's doing. The collateral spam probably wasn't originally
> aimed at his users.
> Paul, if you *never* send email from the postmaster address, then you can
> safely reject messages with a null sender that are addressed to postmaster -
> but do this in the DATA ACL, otherwise you may fall foul of sender
> verification callouts.
Isn't it more a "From" checking rule that is needed?
The From header could be checked and allowed if the real sender comes from
auth or relay_from_hosts?
I don't know how to do that, so this could help me too.
No.5
On 27 Oct 2006 20:06:00 +0200 Beber <beber (AT) meleeweb (DOT) net> wrote:
> Isn't it more a "From" checking rule that is needed?
> The From header could be checked and allowed if the real sender comes from
> auth or relay_from_hosts?
> I don't know how to do that, so this could help me too.
No,
his problem is with bounces from remote systems. There's no telling what
the From header will be.