Hi all,

A fairly exhaustive search of past logs revealed that almost all non-spamming hosts have helo/ehlo that match the host domain in at least the top two domain levels. On the other hand, the vast majority of fake hosts fail the criterion.

Just to be clear:
These match:
host = whatever.mta1.example.com
helo = something.mta2.example.com

These do not match:
host = whatever.mta1.crooksRus.net
helo = whatever.mta1.amazon.com

A whitelist file of wild-carded host domains was set up to accept the tiny few "good guys" that fail the criterion. A subsequent test was added in the MAIL-time ACL to DENY if the last two host domain components fail to match the helo. Also in the MAIL ACL are a variety of other host tests, including ZEN.

The problem is that some (very small) number of bad actors are managing to get by all of the MAIL time tests. A recent example:

HOST = 47-48-213-250.static.gwnt.ga.charter.com
HELO = amazon-sales.com
The email received from this joker purports to be an acknowledgment by Amazon that "Your Amazon Order has Shipped", the order being a very expensive retail iPhone. (No doubt hoping to cause someone a panic attack and accompanying brain freeze.) A convenient link to "Amazon" of course actually links to a site with a Chilean TLD that certainly has no connection to Amazon, but surely does have an unpleasant surprise for the innocent who clicks the link. (The latter actually makes no logical sense to me, in that the whole point of checking at MAIL time is to avoid redundant checking (particularly redundant conversations with DNS and ZEN) in case of multiple recipients.)

Although the number of these is small, the example is precisely the kind of email my MAIL ACL checking was intended to deny.

The only way that I can see that the tests are being bypassed is that the host is going straight from connection to RCPT, with no MAIL verb. I can find no example in my logs of any "good" host that jumps to RCPT without MAIL.

Some questions:
Should my MTA deny RCPT from any host that did not send a MAIL verb? Is that sequence even permitted by RFC? Even if not RFC-permitted, is it fairly common practice (other than by bad actors)? Should I repeat all the MAIL tests in the RCPT ACL, or simply move all the tests to the RCPT ACL? It appears that the sample conf file avoids this issue by having no MAIL-time checking at all. However, checking at MAIL time avoids redundant conversations with DNS and ZEN in the case of multiple recipients. It seemed to me the logical place for it.

Phil Carroll

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
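The HELO/host rule described in the post above, as an added, stand-alone example (not code from the original message and not Exim's own ACL syntax): the "last two DNS labels must agree" test, the wild-carded host whitelist, a per-connection state object that refuses RCPT when no MAIL has been seen, and a small audit pass over log fragments. The host names, whitelist pattern and log lines are constructed for illustration; the `H=` parser assumes Exim's usual `H=host (helo) [ip]`, `H=(helo) [ip]` and `H=host [ip]` log forms.

```python
# Added example, not code from the original post or from Exim. It implements
# the HELO/host rule described in the post (last two DNS labels must agree),
# a wild-carded host whitelist, and a per-session check that refuses RCPT
# when no MAIL was seen. Host names, whitelist patterns and log lines are
# constructed for illustration. The H= parser assumes Exim's usual
# "H=host (helo) [ip]" / "H=(helo) [ip]" / "H=host [ip]" log forms.
import fnmatch
import re

WHITELIST = ("*.mail.example.net",)  # constructed "good guy" exception


def registrable_suffix(name, labels=2):
    """Last `labels` DNS labels of a name, lower-cased, trailing dot stripped.
    Returns None if the name has fewer labels than requested."""
    parts = name.strip().rstrip(".").lower().split(".")
    if len(parts) < labels or not all(parts):
        return None
    return ".".join(parts[-labels:])


def helo_matches_host(host, helo):
    """The post's criterion: the last two labels of the reverse-DNS host
    name equal the last two labels of the HELO/EHLO argument."""
    h = registrable_suffix(host)
    return h is not None and h == registrable_suffix(helo)


def is_whitelisted(host, whitelist=WHITELIST):
    """Wild-carded host-domain whitelist (fnmatch style, e.g. '*.example.net')."""
    host = host.strip().rstrip(".").lower()
    return any(fnmatch.fnmatchcase(host, pat.lower()) for pat in whitelist)


def helo_policy(host, helo, whitelist=WHITELIST):
    """ACL decision for one connection: 'accept' or 'deny'."""
    if not host:                      # no reverse-DNS name at all
        return "deny"
    if is_whitelisted(host, whitelist):
        return "accept"
    return "accept" if helo_matches_host(host, helo) else "deny"


class SmtpSession:
    """Per-connection state so the same test can run at RCPT time, and so a
    RCPT that was not preceded by MAIL is refused (RFC 5321 requires a 503
    'bad sequence of commands' reply for that)."""

    def __init__(self, host, helo, whitelist=WHITELIST):
        self.host, self.helo, self.whitelist = host, helo, whitelist
        self.mail_seen = False

    def command(self, verb):
        verb = verb.strip().upper()
        if verb == "MAIL":
            self.mail_seen = True
            return helo_policy(self.host, self.helo, self.whitelist)
        if verb == "RCPT":
            if not self.mail_seen:
                return "deny"         # 503: RCPT before MAIL
            return helo_policy(self.host, self.helo, self.whitelist)
        return "accept"               # other verbs are not policy-checked here


# Assumed Exim H= field layout: "H=host (helo) [ip]", "H=(helo) [ip]", or
# "H=host [ip]" when the HELO name equals the host name and is omitted.
H_RE = re.compile(
    r"H=(?:(?P<host>[^\s(\[]+))?\s*(?:\((?P<helo>[^)]*)\))?\s*\[(?P<ip>[^\]]+)\]"
)


def parse_h_field(line):
    """Return (host, helo, ip) from a log line, or None if no H= field."""
    m = H_RE.search(line)
    if not m:
        return None
    host = m.group("host") or ""
    helo = m.group("helo") if m.group("helo") is not None else host
    return host, helo, m.group("ip")


def audit_log(lines, whitelist=WHITELIST):
    """Apply helo_policy to every H= field found; returns {line: decision}."""
    results = {}
    for line in lines:
        parsed = parse_h_field(line)
        if parsed:
            host, helo, _ = parsed
            results[line] = helo_policy(host, helo, whitelist)
    return results


# Constructed sample log fragments (not real Exim output).
SAMPLE_LOG = [
    "H=whatever.mta1.example.com (something.mta2.example.com) [192.0.2.10]",
    "H=whatever.mta1.crooksRus.net (whatever.mta1.amazon.com) [198.51.100.7]",
    "H=47-48-213-250.static.gwnt.ga.charter.com (amazon-sales.com) [203.0.113.9]",
    "H=mx1.mail.example.net (outbound.example.org) [192.0.2.20]",
    "H=(amazon-sales.com) [203.0.113.10]",
    "H=mx.example.com [192.0.2.30]",
]

if __name__ == "__main__":
    for line, decision in audit_log(SAMPLE_LOG).items():
        print(f"{decision:6s} {line}")
```

Two caveats a practitioner would want next to this rule: the two-label comparison treats `example.co.uk` and `other.co.uk` as the same domain (a public-suffix list fixes that), and a host with no reverse-DNS name is denied outright here, which the whitelist would have to cover for any legitimate sender in that state. On the RCPT-before-MAIL question, RFC 5321 section 4.1.4 requires a 503 reply to RCPT when no MAIL has been given, which is what `SmtpSession` models; an MTA that follows that rule never gets as far as a RCPT-time ACL for such a session.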