Mailing List Archive

Re: Deny when from and to are the same (Jeremy Harris)
>
> On 06/04/2019 07:50, Andrew C Aitchison via Exim-users wrote:
>> On Fri, 5 Apr 2019, AC via Exim-users wrote:
>>> deny
>>>   hosts = ! +relay_from_hosts
>>>   condition = ${if eqi{$sender_address}{$local_part@$domain}}
>>>   log_message = Same sender and recipient address
>>>
>>> deny
>>>   hosts = ! +relay_from_hosts
>>>   condition = ${if eqi{$reply_address}{$local_part@$domain}}
>>>   log_message = Same sender and reply address
>>>
>>> I'm trying to check when the From: address is the same as the To:
>>> address and the mail is coming from a host outside my accepted network.
>>>
>>> I just received a message where the addresses in From and To were the
>>> same but neither of these rules captured it.
>>>
>>> What am I missing to perform this check and deny spam messages like
>>> this?
>>
>> acl_smtp_rcpt runs when processing the RCPT;
>> $reply_address cannot be set until the acl_smtp_data ACL.
>
> Also, by "From and To" you're probably talking about the
> From: and To: headers. The addresses in those are not always
> the same as those in the envelope for the message. Read up
> on email basics if this isn't clear.
>

No, I understand what I'm looking at and I know what I'm asking for. I
was examining the spam I received and observed that the Envelope-to, To:
and From: all were identical. The envelope-from and Return-path did not
match the first three. However, nearly every legitimate email I receive
does not have Envelope-to, To and From matching each other exactly (with
the exception of a couple of mailing lists that I can whitelist). So I
tried writing the rules to take care of this.

The reminder about acl_smtp_data was the pointer I needed. I moved the
stanzas there and altered them to look for the headers specifically and
it has been working.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
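
The pattern described in the message above (From:, To: and the envelope recipient identical, envelope sender different), written out as an added Python example that is not part of the thread and is not Exim configuration. The function names and the three sample messages are constructed for illustration; the envelope is passed in separately because, as the replies point out, it is not part of the message headers.

```python
from email import message_from_string
from email.utils import getaddresses


def header_addrs(msg, name):
    """Lower-cased addresses from every header line called `name`."""
    return {a.lower() for _, a in getaddresses(msg.get_all(name, [])) if a}


def self_addressed(envelope_from, envelope_to, raw):
    """True when From:, To: and the envelope recipient are the same single
    address and the envelope sender is a different one."""
    msg = message_from_string(raw)
    from_hdr = header_addrs(msg, "From")
    to_hdr = header_addrs(msg, "To")
    rcpts = {r.lower() for r in envelope_to}
    return (len(from_hdr) == 1
            and from_hdr == to_hdr == rcpts
            and envelope_from.lower() not in from_hdr)


# Constructed samples: (envelope sender, envelope recipients, message text).
SAMPLES = {
    # Headers claim the recipient wrote to themselves; bounces go elsewhere.
    "spam": ("bounce@bulk.example", ["ac@example.org"],
             'From: "AC" <ac@example.org>\nTo: AC@Example.ORG\n'
             "Subject: invoice\n\nbody\n"),
    # List mail: envelope sender differs from From:, To: is the list.
    "list": ("list-bounces@lists.example", ["ac@example.org"],
             "From: poster@example.net\nTo: list@lists.example\n"
             "Subject: Re: thread\n\nbody\n"),
    # Bcc: the recipient appears only in the envelope, not in any header.
    "bcc": ("friend@example.net", ["ac@example.org"],
            "From: friend@example.net\nTo: other@example.com\n"
            "Subject: fyi\n\nbody\n"),
}


def verdicts():
    """Run the check over every constructed sample."""
    return {name: self_addressed(*s) for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in verdicts().items():
        print(f"{name:5} {'match' if hit else 'no match'}")
```
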
Re: Deny when from and to are the same (Jeremy Harris)
> On Apr 8, 2019, at 11:33 PM, AC via Exim-users <exim-users@exim.org> wrote:
>
> No, I understand what I'm looking at and I know what I'm asking for.

In point of fact, you really don't understand the message "envelope",
i.e. how messages are processed in transit between systems.

[. The liberating thing about not being an expert, is not knowing what
you don't know. ]

> I was examining the spam I received and observed that the Envelope-to, To:
> and From: all were identical.

No, the spam had an envelope sender (as recorded in the Return-Path
header on delivery) that was distinct from the RFC2822.From header.

> The envelope-from and Return-path did not

Stored messages don't have an "envelope-from", but they do have a
"Return-Path", which records the last envelope sender at time of
delivery.

> match the first three. However, nearly every legitimate email I receive
> does not have Envelope-to,

All messages (in transit) have at least one envelope recipient, otherwise
they could/would not be delivered to anyone.

> To and From matching each other exactly (with
> the exception of a couple of mailing lists that I can whitelist). So I
> tried writing the rules to take care of this.

Much legitimate mail you receive from automated systems (rather
than individual human authors) will have an envelope sender that is
distinct from the RFC2822.From header.

Take some time to understand what is meant by the message envelope.
You'll see the envelope sender and recipient addresses in mail logs,
and they need not agree with what you later find in the delivered
message.

For example, "Bcc" recipients appear only in the message envelope
recipient list, and not in the message headers. The envelope sender
is where any non-delivery notifications for the message go, and need
not match the "From" header, but many user agents don't provide the
option of setting them separately.

--
Viktor.

