Hello,
I've been running exim 4.96 + spamassassin very successfully over the
last year; however, recently a large amount of spam is being received,
because it forges the From field to my own hostname, which is of course
in the whitelist of spamd (it has to be, a lot of traffic looks like spam
but isn't).
In this case I reviewed a sample header of a spam message; they look
like this:
Return-path: <[EMAIL PROTECTED]>
Envelope-to: [EMAIL PROTECTED]
Delivery-date: Thu, 27 Nov 2008 15:58:06 +0100
Received: from [212.62.52.156] (helo=BMARINKOVIC)
by ostc-pl.com with smtp (Exim 4.69)
(envelope-from <[EMAIL PROTECTED]>)
id 1L5iJh-00020E-NU
for [EMAIL PROTECTED]; Thu, 27 Nov 2008 15:58:06 +0100
X-Originating-IP: [61.706.92.425]
X-Originating-Email: [EMAIL PROTECTED]
X-Sender: [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
Subject: RE:ci.Doctor Katy
From: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Importance: High
Content-Type: text/html
With the local_part being a valid username on my server and ostc-pl.com
being my hostname, this message was unfortunately delivered. So to block
it I've added an ACL check that compares the Return-path field and the
From field. If they are different, it most probably is spam.
begin acl

acl_check_rcpt:
  # first accept local mail traffic
  accept hosts = :

  # drop forged spam
  deny   condition = ${if !match{$header_from:}{$header_return-path:}}
         message   = return path is not equal to from field, so \
                     I suspect spam, sir
(...)
Despite this, such mail is still being delivered. Could anyone please
explain why it is letting it through? Thanks in advance!
--
Regards,
Patryk Rządziński
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
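An added example, not the poster's configuration: in Exim, header lines are not available until the DATA ACL (in acl_check_rcpt, $header_from: expands to an empty string), and Exim removes any incoming Return-path: header on receipt and adds its own only at delivery, so $header_return-path: is empty in every ACL; the envelope sender is $sender_address. The fragment below moves the comparison into a DATA ACL and limits it to From: addresses in local domains arriving from unauthenticated external hosts, so that mailing lists and forwarders (which legitimately rewrite the envelope sender) are not rejected. It assumes the default configuration's +local_domains domainlist and +relay_from_hosts hostlist.

```exim
# Added example (not the poster's configuration). Assumes the default
# Exim 4 configure layout: the domainlist +local_domains and the
# hostlist +relay_from_hosts exist; the DATA ACL name is arbitrary.
acl_smtp_data = acl_check_data

begin acl

acl_check_data:
  # Header lines are only available once the message body has been
  # received, so the comparison belongs in the DATA ACL, not in RCPT.
  # Exim strips any incoming Return-path: header and adds its own at
  # delivery, so $header_return-path: is empty here; the envelope
  # sender is $sender_address.

  # Local or authenticated submitters may legitimately use a local
  # From: address with a different envelope sender (forwarders, cron
  # scripts, web forms), so they are not subject to the check.
  accept hosts         = +relay_from_hosts
  accept authenticated = *

  # Reject when an external host presents a From: address in one of our
  # own domains that does not match the envelope sender. Messages whose
  # From: domain is not local are left alone: mailing lists and
  # forwarders rewrite the envelope sender and would otherwise be lost.
  deny   message   = From: ${address:$h_from:} is in a local domain but \
                     the envelope sender is $sender_address
         condition = ${if match_domain{${domain:$h_from:}}\
                                      {+local_domains}}
         condition = ${if !eqi{${address:$h_from:}}{$sender_address}}

  accept
```

Whether this catches the quoted sample depends on its redacted envelope-from; a message whose envelope sender is also forged to the same local address will pass this check and needs SPF or sender-verification on the HELO/connecting host instead.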