Full Version: HOWTO: Adding the big 4 to your exim.conf
aussie
Here are some rules that can be added to your Exim.conf, using the Exim editor preferably. It stops those pesky forged email attempts that we see so often from Hotmail, MSN, Yahoo, AOL.

Copy and paste the following into exim.conf, using the exim configuration editor.

############################################
#FORGED MAIL
############################################

deny message = Forged Yahoo mail.
log_message = Forged Yahoo mail.
senders = *@yahoo.com
condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}

deny message = Forged hotmail.
log_message = Forged hotmail.
senders = *@hotmail.com
condition = ${if match {$sender_host_name}{\Nhotmail.com$\N}{no}{yes}}

deny message = Forged MSN mail.
log_message = Forged MSN mail.
senders = *@msn.com
condition = ${if match {$sender_host_name}{\N(hotmail|msn).com$\N}{no}{yes}}

deny message = Forged AOL mail.
log_message = Forged AOL mail.
senders = *@aol.com
condition = ${if match {$sender_host_name}{\Nmx.aol.com$\N}{no}{yes}}

If you are running dictionary attack rules, add these after those rules and before your HELO/EHLO greeting.

Use your imagination. You could also add paypal, comcast, verison or any other big named ISP.
aussie
Be careful with the }{ye s}} above!!! It should be }{yes}} not }{ye s}} but the vbulletin editor is showing it as }{ye s}} which is incorrect! What's up with that?
dapinard
Is there a particular place in the exim config editor to paste those lines? I'm getting the following message when adding them to the very first section... Exim does restart though. Just not sure if it doesn't like the deny or if this needs to go after a particular section in the file. Thanks!

2005-07-06 19:25:23 Exim configuration error in line 7 of /etc/exim.conf.buildtest:
main option "deny" unknown
Exim version 4.50 #1 built 24-Mar-2005 15:02:01
Copyright © University of Cambridge 2004
Berkeley DB: Sleepycat Software: Berkeley DB 4.1.25: (August 21, 2003)
Support for: iconv() PAM Perl OpenSSL Content_Scanning Old_Demime
Lookups: lsearch wildlsearch nwildlsearch iplsearch dbm dbmnz
Authenticators: cram_md5 plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile autoreply pipe smtp
Configuration file has an invalid syntax. Please try again.
aussie
QUOTE(dapinard)
Is there a particular place in the exim config editor to paste those lines?  I'm getting the following message when adding them to the very first section...  Exim does restart though.  Just not sure if it doesn't like the deny or if this needs to go after a particular section in the file.  Thanks!

2005-07-06 19:25:23 Exim configuration error in line 7 of /etc/exim.conf.buildtest:
 main option "deny" unknown
Exim version 4.50 #1 built 24-Mar-2005 15:02:01
Copyright © University of Cambridge 2004
Berkeley DB: Sleepycat Software: Berkeley DB 4.1.25: (August 21, 2003)
Support for: iconv() PAM Perl OpenSSL Content_Scanning Old_Demime
Lookups: lsearch wildlsearch nwildlsearch iplsearch dbm dbmnz
Authenticators: cram_md5 plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile autoreply pipe smtp
Configuration file has an invalid syntax.  Please try again.



As I posted above, make sure the following line does not have a space in the Y ES

condition = ${if match {$sender_host_name}{\N(hotmail|msn).com$\N}{no}{ye s}}

Remove the space from {ye s} so it should look like {yes}

This is a problem with this editor, since I posted this message correctly but after I saved the message a space was placed in there.

Also, you need to paste this in the middle box where you have all your other rules. For example, if you have not modified exim.conf add these rules before;

# Accept bounces to lists even if callbacks or other checks would fail
warn message = X-WhitelistedRCPT-nohdrfromcallback: Yes
condition = \
${if and {{match{$local_part}{(.*)-bounces\+.*}} \
{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
{yes}{no}}
dapinard
QUOTE(aussie)
As I posted above, make sure the following line does not have a space in the Y ES
Yes, I caught that in your original post.
QUOTE(aussie)
Also, you need to paste this in the middle box where you have all your other rules. For example, if you have not modified exim.conf add these rules before;
That did it. I had it in the wrong place in the config. Thanks for posting this and the quick reply! -Dave
aussie
Greeeeeeeeeeeeeeeeeeeeeeat! :)
wbennet
Then, as it would be in this case. The e-mail is valid, but it was rejected.

2005-07-14 14:43:45 H=sp.200_155_24_59.datacenter1.com.br (cart5.ocarteiro.com.br.) [200.155.24.59] F= rejected RCPT : Forged O Carteiro mail.


My setup:

deny message = Forged O Carteiro mail.
log_message = Forged O Carteiro mail.
senders = *@ocarteiro.com.br
condition = ${if match {$sender_host_name}{\Nmx.cart5.ocarteiro.com.br$\N}{no}{yes}}

thanks,

Wilton Bennet
aussie
I don't know the specifics of ocarteiro.com.br's requirements but you should try changing;

condition = ${if match {$sender_host_name}{\Nmx.cart5.ocarteiro.com.br$\N}{no}{yes}} to

condition = ${if match {$sender_host_name}{\Nocarteiro.com.br$\N}{no}{yes}}
aussie
Hey Kiddies! :)

Here is an update! It adds a few other ISPs not included in the original code.
Hope this is stopping a lot of spam as it's working wonders on our boxes. Let me know what you think, if anything! If you have any other ISP to add, please post it!

############################################
# FORGED MAIL CHECKS
############################################

deny message = Forged Yahoo mail, connection denied!
log_message = Forged Yahoo mail, connection denied!
senders = *@yahoo.com
condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}
delay = 3s

deny message = Forged hotmail mail, connection denied!
log_message = Forged hotmail mail, connection denied!
senders = *@hotmail.com
condition = ${if match {$sender_host_name}{\Nhotmail.com$\N}{no}{yes}}
delay = 3s

deny message = Forged MSN mail, connection denied!
log_message = Forged MSN mail, connection denied!
senders = *@msn.com
condition = ${if match {$sender_host_name}{\N(hotmail|msn).com$\N}{no}{yes}}
delay = 3s

deny message = Forged AOL mail, connection denied!
log_message = Forged AOL mail, connection denied!
senders = *@aol.com
condition = ${if match {$sender_host_name}{\Nmx.aol.com$\N}{no}{yes}}
delay = 3s

deny message = Forged Netscape Mail, connection denied!
log_message = Forged Netscape Mail, connection denied!
senders = *@netscape.com
condition = ${if match {$sender_host_name}{\Nnetscape.com$\N}{no}{yes}}
delay = 3s

deny message = Forged Netscape Mail, connection denied!
log_message = Forged Netscape Mail, connection denied!
senders = *@netscape.net
condition = ${if match {$sender_host_name}{\Nnetscape.net$\N}{no}{yes}}
delay = 3s

deny message = Forged Comcast Mail, connection denied!
log_message = Forged Comcast Mail, connection denied!
senders = *@comcast.net
condition = ${if match {$sender_host_name}{\Ncomcast.net$\N}{no}{yes}}
delay = 3s

deny message = Forged Comcast Mail, connection denied!
log_message = Forged Comcast Mail, connection denied!
senders = *@comcast.com
condition = ${if match {$sender_host_name}{\Ncomcast.com$\N}{no}{yes}}
delay = 3s

deny message = Forged Verizon Mail, connection denied!
log_message = Forged Verizon Mail, connection denied!
senders = *@verizon.com
condition = ${if match {$sender_host_name}{\Nverizon.com$\N}{no}{yes}}
delay = 3s

deny message = Forged Verizon Mail, connection denied!
log_message = Forged Verizon Mail, connection denied!
senders = *@verizon.net
condition = ${if match {$sender_host_name}{\Nverizon.net$\N}{no}{yes}}
delay = 3s

deny message = Forged Paypal Mail, connection denied!
log_message = Forged Paypal Mail, connection denied!
senders = *@paypal.com
condition = ${if match {$sender_host_name}{\Npaypal.com$\N}{no}{yes}}
delay = 3s

deny message = Forged Prodigy Mail, connection denied!
log_message = Forged Prodigy Mail, connection denied!
senders = *@prodigy.com
condition = ${if match {$sender_host_name}{\Nprodigy.com$\N}{no}{yes}}
delay = 3s

deny message = Forged Prodigy Mail, connection denied!
log_message = Forged Prodigy Mail, connection denied!
senders = *@prodigy.net
condition = ${if match {$sender_host_name}{\Nprodigy.net$\N}{no}{yes}}
delay = 3s

deny message = Forged RoadRunner Mail, connection denied!
log_message = Forged RoadRunner Mail, connection denied!
senders = *@rr.com
condition = ${if match {$sender_host_name}{\Nrr.com$\N}{no}{yes}}
delay = 3s

deny message = Forged RoadRunner Mail, connection denied!
log_message = Forged RoadRunner Mail, connection denied!
senders = *@rr.net
condition = ${if match {$sender_host_name}{\Nrr.net$\N}{no}{yes}}
delay = 3s

deny message = Forged Gmail, connection denied!
log_message = Forged Gmail, connection denied!
senders = *@gmail.com
condition = ${if match {$sender_host_name}{\Ngmail.com$\N}{no}{yes}}
delay = 3s
ohvhost
but this will stop relayed messages correct? if I have to use my comcast.net SMTP server to send mail as me (user@mydomain.com) would such a setup restrict that?

i am not sure where the $sender_host_name is pulled from.
aussie
QUOTE(ohvhost)
but this will stop relayed messages correct? if I have to use my comcast.net SMTP server to send mail as me (user@mydomain.com) would such a setup restrict that?.


It should be fine, why don't you test it and report back?
wbennet
thanks aussie,

I was using the first filter and it cleaned a lot of thing.
Now, I see that it removed MXs of everybody, less the one of the aol.com.
Is that correct?
aussie
Sorry, I don't understand what you're saying.
wbennet
deny message = Forged AOL mail, connection denied!
log_message = Forged AOL mail, connection denied!
senders = *@aol.com
condition = ${if match {$sender_host_name}{\Nmx.aol.com$\N}{no}{yes}}
delay = 3s
BadMo
Is there a way to bypass this ruleset for specific domains ? I have a car dealership that gets its sales leads from cobalt.com, but they change the from address to match the customers thus rejecting all of the mail

Thanks
aussie
QUOTE(wbennet)
deny message = Forged AOL mail, connection denied!  
log_message = Forged AOL mail, connection denied!
senders = *@aol.com  
condition = ${if match {$sender_host_name}{\Nmx.aol.com$\N}{no}{yes}}
delay = 3s


S/B aol.com remove mx
aussie
QUOTE(BadMo)
Is there a way to bypass this ruleset for specific domains ? I have a car dealership that gets its sales leads from cobalt.com, but they change the from address to match the customers thus rejecting all of the mail

Thanks


Why should these rules stop them from doing that? If you have not placed cobalt.com in the ruleset then there is no header checking at all. These rules shouldn't have anything to do with what the dealership site is doing.
BadMo
QUOTE(aussie)
Why should these rules stop them from doing that? If you have not placed cobalt.com in the ruleset then there is no header checking at all. These rules shouldn't have anything to do with what the dealership site is doing.


I'm not sure why, but when cobalt sends them exim thinks they are coming from the contact's domain; for example, cobalt sends a lead that is from joecustomer@aol.com, and exim denies the connection saying it is a forged AOL mail.

Here is an example from the exim reject log ----
" 2005-08-15 21:11:53 H=(66.98.250.xxx) [204.252.146.xxx] F= rejected RCPT : Forged Yahoo mail, co$"

The mail shows to be erniemaxxxx@yahoo.com , but 204.252.146.xxx is a uunet domain ( this is another lead sent by uunet.com , cobalt.com does the same thing )


Thanks
aussie
I see what they're doing but this is completely out of the norm for most people. Usually people don't go around changing the from email like that. These rules will not work for this type of situation. If you want to exclude a particular domain from rule checking, you will need to setup a whitelist then code the rules to check for the whitelisted domain(s) to bypass those rules.

E.g., in the very top box you would add something like this;

DOMAIN_WHITELIST=/etc/exim/destwhitelist
domainlist whitelisted_domains = lsearch;DOMAIN_WHITELIST

Then in the file destwhitelist you would add the name of the domain, eg mydomain.com.

Then after all the rules you would add something like this;

deny message = Forged AOL mail, connection denied!
log_message = Forged AOL mail, connection denied!
senders = *@aol.com
condition = ${if match {$sender_host_name}{\Nmx.aol.com$\N}{no}{yes}}
!domains = +whitelisted_domains

deny message = Forged Netscape Mail, connection denied!
log_message = Forged Netscape Mail, connection denied!
senders = *@netscape.com
condition = ${if match {$sender_host_name}{\Nnetscape.com$\N}{no}{yes}}
!domains = +whitelisted_domains

ETC

That would exclude the domain from being checked.
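The following is an added example, written for this page and not code from the thread or from Exim itself: a small Python simulation of how the deny statements in the HOWTO (and the whitelisted-recipient bypass just described) are evaluated. The rule table copies the `senders` domains and `condition` regexes from the original post; every host name, address and the `evaluate_forgery_acl`/`sender_domain` function names are constructed for the example. Two points the simulation makes visible: a connecting host with no reverse DNS has an empty `$sender_host_name`, so it is always denied, and because Exim's `match` applies the regex as an unanchored search with an unescaped `.`, `yahoo.com$` accepts any name that merely ends in those characters (a tighter pattern would be `(^|\.)yahoo\.com$`).

```python
import re

# Constructed rule table mirroring the thread's deny statements (a simulation
# written for this page, not Exim's code). Each entry is the domain from
# "senders = *@domain" and the regex from the "condition" line, which Exim
# applies to $sender_host_name with PCRE search semantics: not anchored at the
# start, and with an unescaped "." that matches any single character.
FORGERY_RULES = [
    ("yahoo.com",   r"yahoo.com$"),
    ("hotmail.com", r"hotmail.com$"),
    ("msn.com",     r"(hotmail|msn).com$"),
    ("aol.com",     r"mx.aol.com$"),
]


def sender_domain(envelope_sender):
    """Domain part of the envelope sender, which 'senders = *@domain' is matched against."""
    if "@" not in envelope_sender:
        return ""
    return envelope_sender.rsplit("@", 1)[1].lower()


def evaluate_forgery_acl(envelope_sender, sender_host_name,
                         recipient_domain="", whitelisted_domains=()):
    """Simulate the RCPT ACL 'deny' statements from the thread.

    All conditions on a statement must hold for its deny to fire; the first
    statement that fires wins. Returns the rule's sender domain on deny, or
    None when the message falls through to the later ACL statements.
    """
    sdom = sender_domain(envelope_sender)
    whitelist = {d.lower() for d in whitelisted_domains}
    for rule_domain, host_regex in FORGERY_RULES:
        # senders = *@rule_domain
        if sdom != rule_domain:
            continue
        # !domains = +whitelisted_domains: in the RCPT ACL 'domains' is the
        # recipient's domain, so the statement is skipped for whitelisted
        # recipients (the dealership bypass discussed above; names constructed).
        if recipient_domain.lower() in whitelist:
            continue
        # condition = ${if match {$sender_host_name}{\N<regex>\N}{no}{yes}}
        # A host with no reverse DNS has an empty $sender_host_name, which
        # never matches, so the deny fires.
        if re.search(host_regex, sender_host_name or ""):
            continue
        return rule_domain
    return None


# Constructed scenarios: genuine provider mail, a forwarding service, a host
# with no reverse DNS, the narrow mx.aol.com pattern, and the whitelist bypass.
SCENARIOS = [
    ("alice@yahoo.com", "web35904.mail.mud.yahoo.com", "", ()),
    ("alice@yahoo.com", "out.fastmail.example", "", ()),          # forwarded mail
    ("alice@yahoo.com", "", "", ()),                               # no reverse DNS
    ("bob@aol.com", "imo-m22.mx.aol.com", "", ()),
    ("bob@aol.com", "mail.aol.com", "", ()),                       # not under mx.aol.com
    ("joecustomer@aol.com", "smtp.cobalt.example", "dealer.example", ("dealer.example",)),
]

if __name__ == "__main__":
    for sender, host, rcpt_dom, wl in SCENARIOS:
        verdict = evaluate_forgery_acl(sender, host, rcpt_dom, wl)
        print(f"{sender:22} from {host or '(no rDNS)':30} -> "
              f"{'DENY (' + verdict + ')' if verdict else 'pass'}")
```

Running the block prints a verdict per scenario; the forwarder and no-rDNS cases are denied even though the mail may be legitimate, which is exactly the false-positive class raised later in this thread.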
BadMo
Aussie,

Thanks for the help and fast replies!!! I have implemented the whitelist as suggested and am running it now, I will post back with the results!
BadMo
OK I had to make a change to get this to work, each rule looks like this now

"deny message = Forged Netscape Mail, connection denied!
log_message = Forged Netscape Mail, connection denied!
senders = *@netscape.net
domains = +whitelisted_domains
condition = ${if match {$sender_host_name}{\Nnetscape.net$\N}{no}{yes}}
delay = 3s"

The ! must be dropped from the front of domains, and this rule must be above the condition.

Also I simplified the whitelist to 1 line of code using "domainlist whitelisted_domains = lsearch;/etc/MailScanner/rules/exim.whitelist.rules"

Thanks again Aussie for all of your help on the whitelist and for the How-To itself - it is working really well
BadMo
I spoke too soon, removing the leading ! will cause the filters to allow all mail to pass.

I am going to call it quits for tonight and pick up a little later
wbennet
I had to remove the filter of the yahoo.com. Messages fail.
This is the mx of the yahoo:

--- error return message.
:
209.152.166.000 does not like recipient.
Remote host said: 550 Forged Yahoo mail, connection denied!
Giving up on 209.152.166.000.

--- Below this line is a copy of the message.

Return-Path:
Received: (qmail 75774 invoked by uid 60001); 30 Aug 2005 20:07:00
-0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com.br;

Message-ID: <20050830200700.75772.qmail@web35904.mail.mud.yahoo.com>
Received: from [201.17.97.219] by web35904.mail.mud.yahoo.com via HTTP;
Tue, 30 Aug 2005 20:07:00 GMT
Date: Tue, 30 Aug 2005 20:07:00 +0000 (GMT)
From: Wilton Bennet
faldran
Correct me if I am wrong.. but....

Looks like it is working to me, because that email came from 201.17.97.219 (right?), and looks like below it is not a yahoo server.....

How I am searching:
Asking e.root-servers.net for 219.97.17.201.in-addr.arpa PTR record:
e.root-servers.net says to go to sec3.apnic.net. (zone: 201.in-addr.arpa.)
Asking sec3.apnic.net. for 219.97.17.201.in-addr.arpa PTR record:
sec3.apnic.net [202.12.28.140] says to go to B.DNS.BR. (zone: 17.201.in-addr.arpa.)
Asking B.DNS.BR. for 219.97.17.201.in-addr.arpa PTR record:
b.dns.br [200.209.30.5] says to go to dns1.rjo.virtua.com.BR. (zone: 97.17.201.in-addr.arpa.)
Asking dns1.rjo.virtua.com.BR. for 219.97.17.201.in-addr.arpa PTR record: Reports c91161db.rjo.virtua.com.br. [from 200.179.192.14]

Answer:
201.17.97.219 PTR record: c91161db.rjo.virtua.com.br. [TTL 3600s] [A=201.17.97.219]



Or you have the wrong set of headers to the email... ( or you changed things, to help protect something or someone )
web1
You may want to save your old config file before you do this just in case you want to go back (using a root terminal shell):

mkdir /root/saved-confs
cp /etc/exim.conf /root/saved-confs/exim-10-11-2005.conf

You can easily check to see what your "FORGED MAIL CHECKS" and other filters have been up to by greping the exim_mainlog like this:

cat /var/log/exim_mainlog | grep -iw "rejected RCPT" | less

In the logs, the "H=" is the reverse lookup of the IP that connected to exim to try to send mail or the [IP.IP.IP.IP]. Right after that is something in ( ) which is what they provided for a "HELO" string and could be fake. The "F=" is the "FROM" string that they tried to use. After that "rejected RCPT " is the address they were trying to send to (but you blocked them).

When you are editing the exim config, the "middle box" he is talking about is in the WHM "Main >> Service Configuration >> Exim Configuration Editor", after you hit the button to switch to "Switch to Advanced Mode", then look near the middle of the config file for:

#!!# This new section of the configuration contains ACLs #!!#

Then there are three edit boxes below, the middle one is a scroll box because it has a lot of text you could edit, and you do your editing in that box.

You want to add the "FORGED MAIL CHECKS" after the following lines to look something like this (I only show one check for this example):

#!!# ACL that is used after the RCPT command
check_recipient:
# Exim 3 had no checking on -bs messages, so for compatibility
# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.
accept hosts = :


############################################
# FORGED MAIL CHECKS (added by Whoever 10/11/2005)
############################################

deny message = Forged Yahoo mail, connection denied!
log_message = Forged Yahoo mail, connection denied!
senders = *@yahoo.com
condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}
delay = 3s

############################################
# END FORGED MAIL CHECKS
############################################
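As an added example (not from the thread, and not part of Exim or cPanel), here is a Python parser for the "rejected RCPT" lines described a few paragraphs up, plus two small reports built on it. The sample lines are constructed: they are modelled on the ones quoted in this thread, with the angle-bracketed addresses that the forum software stripped put back and documentation addresses substituted. The function names `parse_reject_line`, `parse_reject_log`, `count_by_reason` and `forged_mail_review` are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample lines in Exim's reject-log format: a host with both a
# reverse name and a HELO, a host with no reverse DNS (HELO only), a newer
# build that logs ports and the local interface, and a non-forgery reject.
SAMPLE_LOG = """\
2005-07-06 19:25:23 H=sp.200_155_24_59.datacenter1.com.br (cart5.ocarteiro.com.br.) [200.155.24.59] F=<someone@ocarteiro.com.br> rejected RCPT <user@example.com>: Forged O Carteiro mail.
2005-08-15 21:11:53 H=(66.98.250.1) [204.252.146.1] F=<ernie@yahoo.com> rejected RCPT <leads@example.com>: Forged Yahoo mail, connection denied!
2006-04-23 18:30:26 H=nz-out-0102.google.com [64.233.162.204]:22638 I=[192.0.2.10]:25 F=<someone@gmail.com> rejected RCPT <user@example.com>: Forged Gmail, connection denied!
2006-04-23 18:31:02 H=mx1.example.net [198.51.100.7] F=<> rejected RCPT <nobody@example.com>: Unrouteable address
"""

# Field layout as described in the post above:
#   H=<reverse DNS name> (<HELO string>) [<IP>]   name or HELO may be absent
#   optional :port and I=[local ip]:port on newer Exim builds
#   F=<envelope sender>  rejected RCPT <recipient>: <reason>
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=(?P<rdns>[^\s(\[]+)?\s*"
    r"(?:\((?P<helo>[^)]*)\)\s*)?"
    r"\[(?P<ip>[^\]]+)\](?::\d+)?"
    r"(?:\s+I=\[[^\]]+\](?::\d+)?)?"
    r"\s+F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$"
)


def parse_reject_line(line):
    """Return a dict of the fields of one 'rejected RCPT' line, or None if it is not one."""
    m = REJECT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rdns"] = rec["rdns"] or ""   # empty when the IP has no reverse DNS
    rec["helo"] = rec["helo"] or ""   # empty when Exim omitted it (HELO equalled the rDNS name)
    return rec


def parse_reject_log(text):
    """Parse every line of a log extract, skipping lines that are not RCPT rejects."""
    return [r for r in (parse_reject_line(l) for l in text.splitlines()) if r]


def count_by_reason(records):
    """How many rejects each ACL message produced; shows which rule is busiest."""
    return Counter(r["reason"] for r in records)


def forged_mail_review(records):
    """For 'Forged ...' rejects, pair the claimed sender domain with the actual
    connecting host so likely false positives (forwarders, a legitimate provider
    host outside the rule's pattern) can be picked out by eye."""
    rows = []
    for r in records:
        if not r["reason"].startswith("Forged"):
            continue
        domain = r["sender"].rsplit("@", 1)[-1] if "@" in r["sender"] else ""
        rows.append((r["ts"], domain, r["rdns"] or "(no rDNS)", r["ip"]))
    return rows


if __name__ == "__main__":
    recs = parse_reject_log(SAMPLE_LOG)
    for reason, n in count_by_reason(recs).most_common():
        print(f"{n:4}  {reason}")
    for row in forged_mail_review(recs):
        print("  ".join(row))
```

To run it over a real box, replace `SAMPLE_LOG` with the output of the grep shown above (or read `/var/log/exim_mainlog` directly); the review table makes the google.com-versus-gmail.com mismatch reported later in this thread stand out immediately.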
web1
After using this for a while I had to take it out. The problem comes when someone is using a forwarding service.

Say someone has a yahoo account and is sending to a user on my box that is using fastmail to forward their mail, meaning their e-mail they give people is user (at) fastmail.fm but they have that forwarded to user (at) myserver.com

The filter sees that the "sender" is from yahoo (as an example), but the connecting server is fastmail and you see the problem.

Another problem is those sites that send things to you, like newspaper articles, "send this to a friend", they make the from and/or reply-to set as the sender, like someguy (at) yahoo.com, but it's sent from the newspaper server.

So if someone knows how to solve this without having to enter every single e-mail forwarding service, please post.
susan
QUOTE(aussie)

deny message = Forged Gmail, connection denied!  
log_message = Forged Gmail, connection denied!
senders = *@gmail.com  
condition = ${if match {$sender_host_name}{\Ngmail.com$\N}{no}{yes}}
delay = 3s


Above has failed for this message:
2006-04-23 18:30:26 H=nz-out-0102.google.com [64.233.162.204]:22638 I=[xxx.xxx.xxx.xxx]:25 F= rejected RCPT : Forged Gmail, connection denied!

So I have changed to:
QUOTE

deny message = Forged Gmail, connection denied!  
log_message = Forged Gmail, connection denied!
senders = *@gmail.com  
condition = ${if match {$sender_host_name}{\N(google|gmail).com$\N}{no}{yes}}


-susan-