> From: exi.ml @ yalis.fr
>
> I just received a SPAM (I hope), but the headers retained my attention;
> here they are, in full:
An infected Windows sent this common fraudulent spam with the same
email address in From: and envelope-from as the recipient.
And the same domain in Message-ID.
>
> From: Sławomir Dworaczek
> where is the error in the ACL
>
> continue = ${run{SHELL -c "echo $sender_host_address
> >>/var/spool/exim/blacklists/blocked_IPs;\N{\N echo Subject:
> $sender_host_address blocked; echo; echo for bruteforce auth cracking
> attempt.;\N}\N | EXIMBINARY
> T-Online clearly states in their terms and conditions that they will
> block servers who perform sender verification towards them.
Then a different check:
deny condition = ${if or{\
{eqi{$sender_address_domain}{t-online.de}}\
.ifdef _HAVE_LOOKUP_DNSDB
{forany{${lookup dnsdb{>:
Kai Siering wrote on [mailop]:
> how about starting internal discussions within that community
> to include a default rejection of any mail from @t-online.de
> in Exim's default configuration?
> As nearly no-one who is deploying Exim
> (or Postfix, Sendmail for that matter)
> will be able to
> From: Eric Grammatico
> In fact I tried to implement the wiki:
> https://github.com/Exim/exim/wiki/AuthenticatedSmtpUsingPwauth
I edited that wiki: changed
server_condition = ${run{/bin/bash -c "echo -e '$auth2\n$auth3' |
/usr/local/bin/pwauth"}{1}{0}}
to
server_condition = ${and {\
P.S. No, the culprit is the apostrophe in auth login-name:
> A=login_server:#xxx'uuss+zzz
> server_condition = ${run{/bin/sh -c "echo -e '$auth1\n$auth2' |
> /usr/sbin/pwauth"}{1}{0}}
You need to add:
deny message = Restricted characters in address
senders = ^.*['"$#]
> From: Eric Grammatico
> 2022-09-26 16:15:24 [10] 1ocotI-0A-0g <=
> #xxx'uuss+...@grammatico.me H=(localhost) [45.123.190.53] P=esmtpsa
> X=TLS1.2:AES256-GCM-SHA384:256 CV=no A=login_server:#xxx'uuss+zzz S=736
> 2022-09-26 16:15:31 [12] 1ocotI-0A-0g => xxx.x...@.info
>
> == r...@xyz.com R=xxx (-36): host lookup for did not
> complete (DNS timeout?)
>
> There is no problem with DNS resolution of the relevant domains on those
> MX servers whatsoever, judging by using dig and host command in shell.
A dig or host command once is not a proof.
#!/bin/sh
while true
> From: Timur
> # exim -be '$primary_hostname'
> says:
> mail.domain.com (This is my mail host)
>
> from smtp transport config:
> helo_data = mail.domain.com
>
> DKIM generated for domain.com with selector mail
> There is DNS record for domain:
> mail._domainkey.domain.com. TXT v=DKIM1;
> From: Timur
> I have trouble with autoreply transport (and any email from Exim-self)
> in check DMARC when Exim send bounce/autoreply messages to google.
> I want to configure vacation-router. SPF, DKIM, PTR is configured for my
> server. When I send email from myself google receives it and
I'm concerned with the "EXPIRATION_DATE=2022-06-30" below:
FreeBSD 12.3 base contains /usr/include/db.h without DB_VERSION_STRING
with
* @(#)db.h 8.7 (Berkeley) 6/16/94
* $FreeBSD: releng/12.3/include/db.h 326024 2017-11-20 19:45:28Z pfg $
Ports have:
databases/db18:
> - Query-style lookups are now checked for quoting, if the query string is
> built using untrusted data ("tainted"). For now lack of quoting is
> merely logged; a future release will upgrade this to an error.
Does it apply to dnsdb?
If yes then how to quote for ptr, a, mxh, txt?
> How to catch brute force smtp auth attempts only? (== bad login or
> password provided)
https://github.com/Exim/exim/wiki/BlockCracking
> Condition like:
>
> ${if eq{$authentication_failed}{1}}
>
> doesn't work because it also catches cases where client cancelled smtp
> auth attempt (rfc2554
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
> From: Ole Klinck
> Apparently Exim sometimes failed to decode the message and
> just gave the RFC 2047 string
Insert into beginning of Exim config:
check_rfc2047_length = false
> this means that Exim cannot decode the original header for some reason.
Insert into the beginning of Exim config:
check_rfc2047_length = false
Also, you should encode Subject back.
> From: Mark Elkins
> I'm looking for an example for how to cure this problem.
>
> Every now and then, a user will give his password to a bad actor (Social
> Engineering). That bad person then goes to my webmail interface and
> sends out a lot of SPAM e-mail - which goes to my port 587 (only)
> From: Emanuel Gonzalez
> I found this rule in a site:
That was forked by somebody from an earlier version of my
https://github.com/Exim/exim/wiki/BlockCracking
> From: Jeremy Harris
> > store_get() is not part of the API documented (in local_scan.h) as
> > being usable by local_scan and dlexpand code.
>
> I see however that it _is_ described as part of the API in the
> documentation chapter on local-scan. My apologies.
>
> I'll get that chapter
P.S. How to debug delivery?
I inserted into the beginning of rcpt ACL:
warn domains = tiscali.cz
control = debug/tag=.$message_exim_id/opts=+all
The debuglog contains only lines with pid of the receiving process,
including:
20:18:58 18029 DSN: SPOOL_OUT - address: |doma*@
Exim 4.92 as a smarthost gets a 5xx after end of data, but doesn't send a DSN.
In mainlog (I redacted with asterisks and inserted blanks after @):
2019-06-20 18:28:19 +0300 1hdyz4-000G6A-BR <= Len*@ lena.kiev.ua
H=ip-19*6.rusa*ovka-net.ki*v.ua (bedsi*e.lena.kiev.ua) [94.244.2*.38]
> From: Ian Zimmerman
> > check_rfc2047_length = false
>
> Thanks, Lena.
>
> If I leave it as true (the default), and $h_subject: turns out to
> contain "=?UTF-8?B?", can I assume (not with certainty, but with a high
> likelihood) the message violates the RFC?
Yes, but filtering on that is
> From: Ian Zimmerman
> An unwanted message arrived to my mailbox with the following Subject:
>
> Subject:
> =?UTF-8?B?VXMgY29uZ3Jlc3MgaGVhcmluZyBvZiBtYWFuIGFsc2FhbiBNb25leSBsYXVuZHJ5INmC?=
>
>
> From: Mark Elkins
> I should probably have some EXIM scripts that count repetitive failures,
> both at login authentication and delivery (failure) by a user, and use
> that to do automatic blocking and reporting. Lena probably has a
> solution for that.
> When several messages are sent to @ orange.fr in a too short period of
> time, they are (temporarily) refused:
> > Too many connections
I use in the transport:
serialize_hosts = *
You can use:
serialize_hosts = smtp-in.orange.fr
At reboot:
rm /var/spool/exim/db/misc*
> How to block sending mail from my host to my host users without
> authorization, so that in the future there are no such situations
> 41.56.57.80 is not my ip address
> Received: from [41.56.57.80]
> by domain.dot.com with esmtp (Exim 4.91)
> (envelope-from )
> id 1gkmFE-0002ym-UR
> for
> From: Russell King
> My mail server is being hit with auth attempts when the helo hasn't
> advertised the presence of authentication
I always advertise AUTH but in the rcpt ACL:
accept authenticated = *
condition = ${if !={$received_port}{25}}
> From: Luca Bertoncello
> we receive many E-Mails with faked From (Header), and I'm trying to
> block them.
> Currently I extract the domain (mostly our own domain) and check it for SPF.
In messages from mailing lists (such as this [exim-users])
the domain in "From:" header fails SPF.
> From: supportsob...@mail.ru
> Could someone help with syntax of ${lookup{value}lsearch{file}{yes}{no}}
>
> I'm trying to write a condition that will return "FALSE" if either of hosts
> from "Received:" headers (yes, any on the way from sender's server to me)
> is listed
> From: Jon 'Boli' Copeland
> I have a problem with some people insisting on CCing every single
> address they have for my company on every email they send. No amount of
> asking politely seems to stop this.
>
> What I want to do, serverside, is something like the following
>
> |while (TO+CC
> From: Emanuel Gonzalez
> lately we are suffering from dictionary attacks, as a prevention method
> I use "fail2ban", but in some cases users use passwords that are
> easy to guess and are used to send spam through bots.
This code blocks both dictionary attacks and stolen passwords used for
> From: Marco Gaiarin
> but a condition like:
>
> deny
> message = Serious MIME defect detected ($demime_reason)
> demime = *
> condition = ${if >{$demime_errorlevel}{2}{1}{0}}
>
> how can be converted in 'acl_smtp_mime' lingo?
No way I think. I'm curious: how often did you see
> > What this is telling me is someone at 157.0.116.189 is making
> > connections to my mail server - presumable to see if they can detect the
> > accounts of users on my machine?
It tries to guess passwords of users on your machine
(brute-force password cracking).
This code catches both using
> From: Sławomir Dworaczek
> how to block attachment with zip rar etc. extension in Exim 4.91 ?
> this entry in the configuration has stopped working
> deny condition = ${if
>
> From: Emanuel Gonzalez
It's ACL, not a filter.
> In the exim log i see this:
>
> 2018-08-22 07:48:12 1fsQgL-000554-6N Entrantes y Salientes autenticados -
> Cuenta_FROM: - X-Mailer = Microsoft Outlook
> Express 6.00.2900.2950 - Subject = \277Eres el del video?
>
> discardcondition =
> acl_check_auth:
>
>   drop message = blacklisted for bruteforce cracking attempt
>        set acl_c_authnomail = ${eval10:0$acl_c_authnomail+1}
>        condition = ${if >{$acl_c_authnomail}{4}}
This needs also:
acl_smtp_mail = acl_check_mail
begin acl
acl_check_mail:
accept set
> I have an "info@"-address that forwards the E-Mails to other
> addresses, some on them outside my servers.
>
> Well, unfortunately this address catches many Spam/junk E-Mails and, of
> course, my Exim (4.88) tries to forward them.
> Virus are blocked and will __NOT__ be forwarded, but Spam is
Has anyone had this error? Using port:
cc tls.c
In file included from tls.c:122:
tls-openssl.c: In function `tls_refill':
tls-openssl.c:2499: error: structure has no member named `verify_stack'
tls-openssl.c:2502: error: structure has no member named `verify_stack'
tls-openssl.c: In function
> I try to write acl for incoming chinese spam. Does anyone know how to check
> for chinese content?
begin acl
acl_check_rcpt:
...
require message = relay not permitted
domains = +local_domains : +relay_to_domains
require verify = recipient
accept hosts = +whitelisted_hosts
> From: Mark Elkins
> Problem: I have users either with weak passwords or who give away their
> passwords...
>
> Result: Spammers have their "information" so can use my relay mail
> server to send spam on my clients behalf to many other people. If it
> bounces - then the client has a full mail
> From: Max Kostikov
> Tried few times but received nothing in email.
I requested password reset, got in my log:
2018-01-06 15:40:57 +0200 131.111.8.88 whitelisted in list.dnswl.org=127.0.11.2
2018-01-06 15:40:57 +0200 SMTP connection from hummus.csx.cam.ac.uk
[131.111.8.88]
> From: Sebastian Arcus
> drop message = Invalid HELO/EHLO
> condition= ${if eq{$received_port}{25}}
> condition= ${if match{$sender_helo_name}{.+\\\..+\\\..+} \
>{no}{yes}}
Some legitimate senders can have hostname and HELO with one dot
> From: Jeremy Harris
> Could you do that with debug enabled?
Using csh, I redirected debug output (-bd -q10m -d+all) to a file with >&
(both stdout and stderr to the same file,
some log lines might be broken and interspersed because of buffering).
The file (compressed with bzip2) can be
P.S. A way to reproduce (not every time, but often):
delete all files in /var/spool/exim/db , restart Exim with HUP signal,
send a message to @ yahoo.com . After the message is received (with auth)
by Exim, while it is waiting in the queue (for unknown reason):
-rw-r- 1 mailnull mail
> >> I noticed that some emails are sent immediately
> >> (what I prefer), while other are queued (introducing useless delay)
Same here. Exim 4.90 under FreeBSD 6 on a VPS,
root@lena:/root# exim -bP log_selector
log_selector = +smtp_confirmation +queue_time +queue_time_overall +deliver_time
> From: Sebastian Nielsen
> I would suggest using a config that restricts authenticated users to
> a specific IP range. Then no bots from china can successfully guess an
> account.
I restrict authenticated users to a non-standard port (neither 25, 465 nor 587):
daemon_smtp_ports = 25 : 1234
> From: "Ronaldo Luiz de Carvalho"
> how to limit the number of emails sent by each user?
>
> I use WHM and I can limit by a domain account, but into a domain I want to
> set limit to a specific account.
Usually such limits are in order to catch spammers.
But the limits are either low and
> From: Emanuel Gonzalez
> I have an idea to avoid sending spam from my server. Is it possible
> to create a rule so that when it is sent to a recipient, the mail
> is discarded and an alert arrives by email?
This code sends an alert by email:
https://github.com/Exim/exim/wiki/BlockCracking
> From: Patrick von der Hagen
> anomaly detection (like an authenticated sender suddenly causing dozens
> of bounces a minute, great indicator for compromised accounts)
Automatic detection (by bounce rate) and blocking of compromised accounts
entirely within Exim without external monitoring:
P.P.S. Add to the router:
domains = ! +local_domains
P.S. Below is a corrected version, because a message can have several recipients.
> From: Charlie Elgholm
> Then one might suggest that the ratelimit-condition perhaps should be
> implemented for the routers as well.. Then we could do
>
> ratelimit = 100 / 1h / / $domain
The ${acl string expansion item works in authenticators.
You can try to use it (or "acl" expansion
One more correction:
set acl_m_ud = ${sg{$mime_decoded_filename}{[^/]+\$}{}}
condition = ${run{SHELL -c \
"cd $acl_m_ud; \
P7ZIP x -y $mime_decoded_filename; \
GREP -r -a -s -E \
'rundll32|This program cannot be run in DOS mode|\
Correction:
condition = ${run{SHELL -c \
"cd ${sg{$mime_decoded_filename}{[^/]+\\$}{}}; \
P7ZIP x -y $mime_decoded_filename; \
GREP -r -a -s -E \
'rundll32|This program cannot be run in DOS mode' \
*"}{1}{0}}
> From: Paul Lenz
> > > I wrote a plugin for Spamassassin which unzips every attachment and
> > > (IMHO very important) unzips every MS Office file (xlsx, xlsm, docx) and
> > > looks for strings like "rundll32" or "This program cannot be run in DOS
> > > mode" and some
> From: Paul Lenz
> The mentioned text "Loteria" was clearly visible in the body, because it
> was attached as
> Content-Type: text/plain; charset="Windows-1251"
> Content-Transfer-Encoding: 7bit
Connect with your server using SSH, give the command:
exim -bP acl_smtp_data
> From: Paul Lenz
> Today I received again a 1,3 MB message with Lottery spam.
> In the body, "ONLINE LOTTERY DEPARTMENT" is clearly to be seen.
What you see as message body is not the same as what Exim considers as
message body. You see a text/html or text/plain part,
for Exim message body is
> From: Mike Brudenell
> I think I'll quit worrying, leave the setup
> as-is with a deferral response to the AUTH, and move on.
>
> This all came about because I was starting to look at rate limiting failed
> attempts to AUTH along these lines
>
> Given the resounding silence from volunteers, I'm tempted to retire
> in the next release _everything_ apart from the current set of
> representatives in the buildfarm.
>
> That would be: Linux, OpenBSD, FreeBSD, SunOS5.
Perhaps keep DragonFly and Darwin, but unmaintained and unchanged,
they
> From: Frank Richter
> I'd like to rewrite envelope from "apache@*.mydomain" to the address in
> header From.
> I tried it according to https://github.com/Exim/exim/wiki/Q0801 with this
> rewrite rule:
>
> apache@*.mydomain ${sg{$h_from:}{^.*<(.*)>}{\$1}} Ffrs
According to
> From: "Dr. Volker Jaenisch"
> verify = recipient/callout=2m,defer_ok,use_sender
I specify "defer_ok" twice in different places:
verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
> The Reply-To: header takes an address-list and is interpreted as such,
> and IIRC used in that way by some mail-clients when subscribed to
> mailing-lists but wanting personal copies of replies too. So the `rt:`
> ACL is going to calculate something which will emit bogus queries to an
>
The purpose of the EBL blacklist is described on
http://msbl.org/ebl-purpose.htm
I tested EBL since October 2016, today it was declared in public beta:
https://spammers.dontlike.us/mailman/private/list/2017-June/010493.html
> The Email Blocklist has entered Beta 2, and is now open for testing by
> From: Niels Kobschätzki
> for getting a grip on some spammers that use
> phished accounts on my system.
Please try this and tell me whether it helps:
https://github.com/Exim/exim/wiki/BlockCracking
> I know I'm connecting to port 587 since I specified it explicitly. But I
> don't understand the relevance to my problem.
Exim took the port number 465 from somewhere in its config.
465 is the TLS-on-connect port.
In some other part of config you specified 587, but Exim nevertheless
tries
> The exim debug logs sort of look as if it is expecting to negotiate TLS
> immediately on connection, rather than after the initial EHLO
Yes. Look where the 465 came from:
> Transport port=465 replaced by host-specific port=587
> From: ?
> I've tried nearly anything I could think of:
>
> Commit by
> Commit\ by
Insert into beginning of Exim config:
check_rfc2047_length = false
> From: Jasen Betts
> RFC2047 sec 2 and section 6 say that all encoded words
>
> >> It triggers when a macro name contains the sequence /_[ODH]/.
> >
> > Does it include $header_Date: ?
> > A workaround: $header_date:
>
> Macro, not header.
Even comment lines are searched for /_[ODH]/
As far as I understand, every config line is searched before parsing.
So, such line
> This loop appears to be the problem.
> It triggers when a macro name contains the sequence /_[ODH]/.
Does it include $header_Date: ?
A workaround: $header_date:
> You are also correct in that when macros_create_builtin() is not
> called the startup time is greatly reduced.
> > FreeBSD
> If you can, please try building the exim-4_89_RC6
How to:
cd /usr/ports/distfiles/exim
fetch https://ftp.exim.org/pub/exim/exim4/test/exim-4.89_RC6.tar.bz2
cd /usr/ports/mail/exim
make clean extract
cd work
tar xof /usr/ports/distfiles/exim/exim-4.89_RC6.tar.bz2
mv exim-4.89_RC6
Instead of demime and clamav: :)
P7ZIP = /usr/local/bin/7z
# port archivers/p7zip in case of FreeBSD
BINFORBIDDEN = Windows-executable attachments forbidden
WINBIN = exe|com|js|pif|scr|bat|jse|cpl|vbe|vbs|ace
# more cautious: