Pkg exim4 users - Jan 2011 - Spam sent to user from user's email address

Hi,

My Exim4 users are getting spam sent to them which appear to come from there own
email address.

Assuming that these emails are originating from my exim server how do I, please,
stop them

Regards

Peter

On Thu, 13 Jan 2011 08:00:19 +0000
Peter Sparkes <peter at didm.co.uk> wrote:
> Hi,
> 
> My Exim4 users are getting spam sent to them which appear to come
> from there own email address.
> 
> Assuming that these emails are originating from my exim server how do
> I, please, stop them
> 
> Regards
> 
> Peter
> 
> 
The list will need some more info to help.
Meantime, unless you have a bad egg local user its unlikely that the mails are
originating from YOUR server.
1/ Check the mail headers and see if you can get a little more info.
2/ Check /var/log/exim4/mainlog 
	Cross check against victims local mail address and times.


Once you have the originating SMTP server you can block it a number of ways.
here are two:

	1/ create a file called: /etc/exim4/local_host_blacklist
	[ man exim4_local_host_blacklist ]
	its a simple list of IP addresses to deny access to
e.g. from Man page:
       192.168.10.0/24
       !172.16.10.128/26
       172.16.10.0/24
       10.0.0.0/8

Restart exim and your at least half way there.
You can append to that file anytime you like.

	2/ set up an iptables rule to block to IP totally or only when using the SMTP
port:
something like...
	iptables -N EXIMDROPS
	iptables -A EXIMDROPS -p tcp -s 123.456.789 -j REJECT 
	iptables -A INPUT -p tcp -m tcp --dport 25 -j EXIMDROP
Or use your favorite GUI tools 
(there are many ways of skinning that cat, that is a rough example.)

Install spamassassin or similar
apt-cache search spam 

 
> _______________________________________________
> Pkg-exim4-users mailing list
> Pkg-exim4-users at lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-exim4-users

--Pete (another one) 
(local-debian-hints.u8)
:your fortune cookie:

Debian Hint #21: If your Debian box is behind a slow network connection,
but you have access to a fast one as well, check out the apt-zip package.
     
Peter Gossner <gossner at internode.on.net>
<pete.gossner at gmail.com>

In <4D2EB113.9050809 at didm.co.uk>, Peter Sparkes
wrote:
>My Exim4 users are getting spam sent to them which appear to come from there
>own email address.
>
>Assuming that these emails are originating from my exim server how do I,
>please, stop them
The "From" header is effectively free-form.  It isn''t used
for routing the
message to its destination, so it isn''t something that is to be
trusted.

SPF can make the "From" header part of bulk mail filtering; if your
users will
put up with it, a very restrictive SPF policy can reduce the amount of SPAM 
that has your domain in the "From" header.
-- 
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
bss at iguanasuicide.net                   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-''(. .)`-''
http://iguanasuicide.net/                    \_/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL:
<http://lists.alioth.debian.org/pipermail/pkg-exim4-users/attachments/20110113/ae1d2bf7/attachment.pgp>

On Thu, Jan 13, 2011 at 08:00:19AM +0000, Peter Sparkes
wrote:
> My Exim4 users are getting spam sent to them which appear to come from
> there own email address.
That''s normal.
> Assuming that these emails are originating from my exim server
Most probably wrong assumption.

If you _know_ that none of your users are using their mail address as
sender for messages that are delivered via other SMTP servers, you can
block messages with sender addresses from your domain that come in
from elsewhere on an unauthenticated connection, but that prerequisite
is seldomly filled.

You might get some more insight on the upstream mailing list as this
is not a Debian issue.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don''t trust Computers. They | Mailadresse
im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190