Hi,

As part of my anti-phishing filtering I'm using a system filter to identify scams. When the filter identifies a message as bad it looks for key features which are known to be used only by scammers (mails from the Security "Detartment" [sic], for example).
If the message matches this list then I use the "deliver" command to send the mail on to a handful of people who collect phishing scam mails for blacklists and the like. In most cases this works well, but on occasion the e-mail cannot be delivered to one of the addresses specified in the "deliver" command. When this happens the message hangs out in the queue (waiting for a retry timer to expire?). But it seems as though the recipient of the message is still set to the original recipient, rather than the new recipients specified by the deliver command, because if a queue run starts, the message is delivered to its original recipient:

2006-12-12 18:17:51 1GuGsh-00073O-Fy <= [EMAIL PROTECTED] H=moneypenny.commanderbond.net [216.32.81.138] P=esmtp S=2407 [EMAIL PROTECTED]
2006-12-12 18:17:51 1GuGsh-00073O-Fy U> [EMAIL PROTECTED] PHISH URLBL: http://72.22.69.137 Subj: Your Lloyds TSB Online Internet Banking Access Blocked
2006-12-12 18:17:51 1GuGsh-00073O-Fy I> BAD PHISH: F=Lloyds TSB Bank <[EMAIL PROTECTED]> SIP=216.32.81.138 SH=moneypenny.commanderbond.net R=Forged sender (Lloyds TSB Bank <[EMAIL PROTECTED]>)
2006-12-12 18:17:51 1GuGsh-00073O-Fy original recipients ignored (system filter)
2006-12-12 18:17:51 1GuGsh-00073O-Fy => /tmp/spool/unprocessed_scams/ <system-filter> T=system_filter_save_directory
2006-12-12 18:17:52 1GuGsh-00073O-Fy => [EMAIL PROTECTED] <system-filter> R=dnslookup T=remote_smtp H=mail.castlecops.com [66.227.46.235]
2006-12-12 18:17:52 1GuGsh-00073O-Fy => [EMAIL PROTECTED] <system-filter> R=dnslookup T=remote_smtp H=banksafeonline.org.uk [83.138.191.36]
2006-12-12 18:17:52 1GuGsh-00073O-Fy => [EMAIL PROTECTED] <system-filter> R=dnslookup T=remote_smtp H=ikmta.ironkey.com [69.90.211.76]
2006-12-12 18:18:22 1GuGsh-00073O-Fy => [EMAIL PROTECTED] <system-filter> R=dnslookup T=remote_smtp H=smtp.ilisys.com.au [203.202.10.84]
2006-12-12 18:21:01 1GuGsh-00073O-Fy mail3.netcraft.com [194.72.238.12] Connection timed out
2006-12-12 18:24:11 1GuGsh-00073O-Fy mail2.netcraft.com [212.95.252.15] Connection timed out
2006-12-12 18:24:11 1GuGsh-00073O-Fy == [EMAIL PROTECTED] <system-filter> R=dnslookup T=remote_smtp defer (110): Connection timed out
2006-12-12 18:32:11 Start queue run: pid=30352
2006-12-12 18:32:11 1GuGsh-00073O-Fy => [EMAIL PROTECTED] R=dnslookup T=remote_smtp H=mail.hagenhosting.com [63.97.115.202]
2006-12-12 18:32:11 1GuGsh-00073O-Fy Completed

As you can see from the log entries, the message times out talking to netcraft's mail servers (which seems to happen not infrequently). When this happens the message seems to be held in the queue (waiting for a retry timer?), but if a queue run occurs before that time then the message is sent to the original recipient rather than the new recipients, even though the message was processed by the system filter, which stated that the original recipients would be ignored.

It seems that this is a bug, because if you look at the message sent to the new recipients the messages are fine and indicate no connection to the original recipient. Similarly, if the messages to all of the new recipients are sent correctly then the message has reached all of its recipients and so Exim deletes it. It is only when the message is resent but that delivery fails and the message is requeued for a second attempt that this becomes a problem, which makes it seem as though this occurs because Exim doesn't rewrite the recipient information for the message back to disk, so when a queue run is started (as happens every 30 min for me) the message, which wasn't deleted because the delivery had errors, is still seen as waiting to be delivered to the original recipient, so that's where it is sent. Normally this wouldn't be a problem, because either the original recipient is still going to receive the message because we're only taking a copy of it, or because the message is successfully sent to all of the new recipients and, because it is then marked as seen/finished, it gets removed.
In this situation, however, the recipient list has changed and doesn't include the original recipient any more. The fact that the message is still delivered to the original recipient's address suggests that that was the only address in the on-disk -H file for this message. How can I change this behaviour so that the rerouted scams don't make it to my customers? I'd be fine with failing messages from [EMAIL PROTECTED] which couldn't be delivered right away if this is the only option.

Thank you,
Colin.

I'm using this entry in the system filter:

[conditionals to see if the message uses a known scam header]
then
  # Save first as we're altering the headers
  save /tmp/spool/unprocessed_scams/
  logwrite "$tod_log $message_id I> BAD PHISH: F=$h_from: SIP=$sender_host_address SH=$sender_host_name R=Forged sender ($h_from:)"
  if $message_body matches "\\Nhref=\"(h(?:\\s+ttp|t\\s+tp|tt\\s+p|\\s+t\\s+tp|\\s+tt\\s+p):.{100})\\N"
  then
    logwrite "$tod_log $message_id XU> PHISH URL: $0"
  endif
  headers add "NSubject: [SCAM REPORT] ${escape:$h_subject:}"
  headers add "X-Original-From: ${escape:$h_from:}"
  headers add "X-Original-To: ${escape:$h_to:}"
  headers remove "Subject"
  headers remove "From"
  headers remove "To"
  headers remove "Sender"
  headers remove "Return-path"
  # one "headers add" with embedded newlines adds several headers at once;
  # each line needs its own \n\ continuation
  headers add "Subject: $h_nsubject:\n\
               Return-path: [EMAIL PROTECTED]\n\
               Sender: [EMAIL PROTECTED]\n\
               From: [EMAIL PROTECTED]"
  headers remove "NSubject"
  headers add "To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>"
  [ conditionals to match the scammed company's address with a known abuse contact, e.g.
  elif $h_X-Original-From: contains "paypal"
  then
    headers add "To: <[EMAIL PROTECTED]>"
    deliver [EMAIL PROTECTED] errors_to [EMAIL PROTECTED]
  elif ...
  ]
  deliver [EMAIL PROTECTED] errors_to [EMAIL PROTECTED]
  deliver [EMAIL PROTECTED] errors_to [EMAIL PROTECTED]
  deliver [EMAIL PROTECTED] errors_to [EMAIL PROTECTED]
  deliver [EMAIL PROTECTED] errors_to [EMAIL PROTECTED]
  deliver [EMAIL PROTECTED] errors_to [EMAIL PROTECTED]
  seen finish
endif

Exim version 4.63 #1 built 31-Oct-2006 12:58:49
Copyright (c) University of Cambridge 2006
Berkeley DB: Sleepycat Software: Berkeley DB 4.4.20: (January 10, 2006)
Support for: iconv() move_frozen_messages Content_Scanning Experimental_SPF Experimental_SRS
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb
Authenticators:
Routers: accept dnslookup redirect
Transports: appendfile/maildir autoreply pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /usr/exim/configure

--
"Developers are like artists; they produce their best work if they have the freedom to do so" - Werner Vogels, CTO Amazon.com

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
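Added example (not code from Colin's post or from Exim): a Python stand-in for the report-building half of the filter above, so the obfuscated-href regex and the header rewrite can be exercised on sample messages offline before they go into the live filter. It keeps the author's regex exactly as posted and puts a generalised form beside it that goes beyond the post: whitespace is accepted at any position inside http or https, and only links whose scheme really contains whitespace are flagged, so un-obfuscated links are still ignored as in the original rule. The sample message, addresses, host name, message id, timestamp and the 192.0.2.0/24 addresses are constructed for the demo; the author's own classification conditionals (elided in the post) are not reproduced.

```python
"""Offline stand-in for the report-building half of the Exim system filter
shown in the post.  Added example, not code from the post or from Exim:
it lets the obfuscated-href regex and the header rewrite be exercised on
sample messages before they go into the live filter.  The sample message,
addresses, host name, message id and timestamp below are all constructed."""
import copy
import re
from email import message_from_string

# The filter's own pattern, as written in the post: it only catches five
# hand-listed placements of one whitespace run inside "http".
ORIGINAL_HREF_RE = re.compile(
    r'href="(h(?:\s+ttp|t\s+tp|tt\s+p|\s+t\s+tp|\s+tt\s+p):.{100})')

# Generalised form (my own): whitespace allowed between any two letters of
# http/https and before the colon; up to 100 characters of target kept.
# Because "\s*" also matches nothing, plain http:// links match too, so
# find_obfuscated_hrefs() keeps only hits whose scheme really contains
# whitespace, preserving the original rule's intent.
OBFUSCATED_HREF_RE = re.compile(
    r'href="((h\s*t\s*t\s*p\s*s?)\s*:[^"]{1,100})', re.IGNORECASE)

# Constructed sample: an HTML phish with two whitespace-obfuscated links
# and one ordinary link.  192.0.2.0/24 is documentation address space.
SAMPLE = """\
Return-path: <security@mail.example>
From: Example Bank <security@mail.example>
To: customer@example.net
Subject: Your Online Banking Access Blocked
Content-Type: text/html

<html><body>Please <a href="h ttp://192.0.2.10/login/{pad}">restore access</a>
or <a href="ht t p://192.0.2.10/verify/{pad}">verify</a> your details.
Help: <a href="http://192.0.2.10/help">help</a></body></html>
""".format(pad="x" * 100)
SAMPLE_MESSAGE = message_from_string(SAMPLE)


def message_body(msg):
    """Decoded text of the first text part (the filter's $message_body)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() in ("text/html", "text/plain"):
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def original_pattern_hits(body):
    """What the filter's regex as posted would capture (its $0)."""
    return [m.group(0) for m in ORIGINAL_HREF_RE.finditer(body)]


def find_obfuscated_hrefs(body):
    """href targets whose scheme has whitespace inserted into http/https."""
    return [m.group(1) for m in OBFUSCATED_HREF_RE.finditer(body)
            if re.search(r"\s", m.group(2))]


def filter_log_lines(msg, message_id, sender_ip, sender_host, tod):
    """The two logwrite lines the filter emits, in the same format."""
    sender = msg.get("From", "")
    lines = [f"{tod} {message_id} I> BAD PHISH: F={sender} SIP={sender_ip} "
             f"SH={sender_host} R=Forged sender ({sender})"]
    for url in find_obfuscated_hrefs(message_body(msg)):
        lines.append(f"{tod} {message_id} XU> PHISH URL: {url}")
    return lines


def build_report(original, report_from, report_to):
    """Rewrite headers the way the filter does, on a copy of the message.

    Original From/To/Subject are stashed in X-Original-* first (the filter
    passes them through ${escape:...}; not reproduced here), then From, To,
    Subject, Sender and Return-path are replaced so the report carries the
    reporter's identity rather than the forged one.
    """
    report = copy.deepcopy(original)
    report["X-Original-From"] = original.get("From", "")
    report["X-Original-To"] = original.get("To", "")
    new_subject = "[SCAM REPORT] " + original.get("Subject", "")
    for name in ("Subject", "From", "To", "Sender", "Return-path"):
        del report[name]          # removes every occurrence of the header
    report["Subject"] = new_subject
    report["Return-path"] = report_from
    report["Sender"] = report_from
    report["From"] = report_from
    report["To"] = ", ".join(f"<{addr}>" for addr in report_to)
    return report


if __name__ == "__main__":
    for line in filter_log_lines(SAMPLE_MESSAGE, "1AbCdE-000001-Xy",
                                 "192.0.2.20", "mx.sender.example",
                                 "2006-12-12 18:17:51"):
        print(line)
    print(build_report(SAMPLE_MESSAGE, "scam-reports@example.net",
                       ["phish@example.org", "abuse@example.com"]).as_string())
```

Run against the constructed sample, the pattern as posted captures only the "h ttp" link; "ht t p" is not one of its five enumerated placements and slips past, while the generalised pattern reports both and still ignores the plain http link. Two caveats about the posted regex that the code makes visible: its trailing `.{100}` requires at least 100 characters after the colon, so a short obfuscated href is never logged, and neither pattern looks at anything but `href="..."`, so a bare URL in the text is out of scope here (the U> URLBL line in the log comes from a separate check).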
