Matt wrote:
Almost certainly. But not knowing WHICH Webmail app - where to look?

- parsing the messages for '127.0.0.1' instead of $sender_address would
obviously hit all-comers, not just the infected.

- parsing the *message* headers for the 'From:' or 'Reply-to:' is far less
reliable, 'specially as we are speaking of vermin that may very well alter
those.

But .. depending on the Webmail app, what MAY work is using the Luser's
Login UID and PWD, e.g. AUTH creds - of each individual submitter - instead of
the source address.

Can Exim be handed these from the Webmail daemon in a manner still
associated with each submitter and message?

I want to base it on $sender_address rather than the IP

SquirrelMail ALSO knows the Luser's connecting IP, so you aren't limited to 127.0.0.1 if you can get at that. But it isn't much use if/as/when the Luser is mobile.

But you missed my point.  $sender_address is still not optimal.

I suggested the login *credentials*. UID:PWD. These are known to Squirrelmail IF ONLY so it can access the IMAPd to recover messages.

Further - IF/AS/WHEN a WinCrobe has compromised their on-luser-box login credential storage, they'll still have to be used unaltered. Guaranteed suicide-kit for the WinCrobe if those are what you are keying on.

IF your IMAPd is Dovecot, there are methods published herein to utilize the dovecot-auth for Exim. Those may help in at least passing on the info.

CAVEAT 1: Not personally certain they are appropriate, as I do run Dovecot with Exim, BUT my smtp-submission and IMAP-recovery UID and PWD are not related, so use separate authenticators.

CAVEAT 2: I also run Prayer Webmail with Perdition, and for reasons probably not germane simply do not have this sort of problem anyway. Hold that thought...

;-)

since I have
SquirrelMail setup to NOT allow altering that but only altering
Reply-To.  SquirrelMail connects on 587 SMTP and IMAP 143 I believe.

Ergo,

CAVEAT 3: I suggest grabbing the UID:PWD because..

a) If that is not secured, what is?

Oops. Scratch all after 'if that is not secured..' because it may not be!

I'd recommend moving your IMAP daemon to port 993 with TLS (AND NOT 143 or any other unencrypted port). Port 143 'may' be passing all or part of the login exchange 'en clair'. I shut mine OFF. The few MUA that do not automagically select 993 when set to secure login can usually accept a manual port number over-ride to 993.

b) I DID run SquirrelMail for many years, and while I am aware it is greatly improved these days, would still not bet that your setting to 'not allow changes' in the $sender_address is 100% bulletproof.


I would rather it not depend on the webmail client used since I may
update or change it down the road.


Sooner rather than later might well improve your situation w/r infected-box abuse.

Have a look at U Cambridge's 'Prayer' (optionally Perdition as well..):

http://www-uxsup.csx.cam.ac.uk/~dpc22/prayer/

If you code 'C' even modestly, it would not be rocket-science to check credentials against an externally-maintained bad-boy lookup file (read how Prayer stores its preferences for something adaptable)..

.. and cut offenders down to size before they even leave to go to Exim. That could save you a good deal of CPU cycles and b/w all-round.

HTH,

Bill
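One way to act on Bill's suggestion inside Exim itself, as an added example that is not from the post or from any of the projects mentioned: if the webmail app submits on port 587 using each user's own SMTP AUTH credentials, Exim sets $authenticated_id after a successful AUTH, and the ACL can key a rate limit on that id rather than on the source IP, so a single compromised account stops being hidden behind 127.0.0.1. The ACL name, the 20-per-hour threshold and the messages are assumptions chosen for illustration.

```exim
# Added example, not the post's own config. Reference this ACL from
# acl_smtp_mail (or fold the verb into an existing MAIL ACL).
# Assumed: the webmail daemon authenticates to port 587 with per-user AUTH
# creds, so $authenticated_id carries the submitter's login, not the IP.
acl_check_mail_authid:

  # Unauthenticated local submissions are left to the rest of the config;
  # this verb only looks at sessions where an authenticator succeeded.
  deny
    authenticated = *
    # 20 messages per hour per login, counted per message; 'strict' keeps
    # counting denied attempts so a runaway client stays blocked.
    ratelimit = 20 / 1h / per_mail / strict / $authenticated_id
    log_message = ratelimit exceeded for authid=$authenticated_id \
                  from $sender_host_address
    message = Too many messages from this account; submission paused

  accept
```

Because the key is the login and not the IP, a mobile user tripping the limit from a new address is still recognised as the same account, which is the property the post is after.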

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
