  1. #1
    Member
    Join Date
    Jan 2003
    Posts
    169

    :fail: is not working for dictionary attack (mail getting stored in exim queue)

    I just noticed today that one of our servers had thousands of emails in its queue and it was all random spam to one domain; all of the recipient emails were non-existent.

    However, the catch-all/default address for the domain is set to ":fail: no such user here", which is supposed to check availability of the mailbox and decline delivery (if unavailable) during the SMTP connection ...

    But what's happening here is that all these thousands of emails sent to non-existent users on this domain are getting stored in my exim queue ...

    Any ideas why? It seems to be only this one domain! It's driving me nuts.

  2. #2
    Super Moderator chirpy (account confirmed by cPanel staff to represent a vendor)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495


    Check the mail headers. :fail: checks the RCPT in the SMTP protocol exchange and not the email header, so if the header is going to a non-existent address but the Received header has a 'for' pointing to an existing email address, it will not fail the RCPT check.

    Also, make sure that the *: :fail: in /etc/valiases/domain.com is correctly formatted and spaced and is the last line in the file.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com
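
    As an added illustration of the formatting check in the reply above (this is not code from the thread, from cPanel or from csf), here is a small Python checker for the contents of an /etc/valiases/domain.com file. It enforces the two points made above: the '*' default entry must be the last non-empty line, and it must be spelled exactly '*: :fail: <message>' with no stray spaces. The sample file contents are constructed for the example, and the note about ':blackhole:' (which accepts and discards instead of refusing the RCPT) is my own assumption about cPanel alias semantics.

```python
import re

# Constructed sample contents of /etc/valiases/domain.com (not from the thread).
GOOD = (
    "sales@domain.com: joe\n"
    "support@domain.com: joe, mary@example.invalid\n"
    "*: :fail: no such user here\n"
)
NOT_LAST = "*: :fail: no such user here\nsales@domain.com: joe\n"
BAD_SPACING = "sales@domain.com: joe\n* : : fail : no such user here\n"
BLACKHOLE = "sales@domain.com: joe\n*: :blackhole:\n"

# A normal alias line: "address@domain: destination[, destination...]".
ENTRY = re.compile(r"^(?P<lhs>[^:\s]+):\s+(?P<rhs>\S.*)$")
# The catch-all line as cPanel writes it: "*: :fail: <optional message>".
DEFAULT_FAIL = re.compile(r"^\*:\s*:fail:(?:\s+(?P<msg>.*))?$")
# Assumed alternative default that accepts and silently drops mail.
DEFAULT_BLACKHOLE = re.compile(r"^\*:\s*:blackhole:\s*$")


def check_valiases(text):
    """Return a list of problems; an empty list means the catch-all looks right."""
    issues = []
    lines = [ln.rstrip("\n") for ln in text.splitlines() if ln.strip()]
    default_idx = None
    for i, line in enumerate(lines):
        if line.lstrip().startswith("*"):
            default_idx = i
            if DEFAULT_FAIL.match(line):
                continue
            if DEFAULT_BLACKHOLE.match(line):
                issues.append(
                    f"line {i + 1}: default is :blackhole:, which accepts and "
                    "discards mail; it does not refuse the RCPT"
                )
            else:
                issues.append(
                    f"line {i + 1}: default entry is not of the form "
                    f"'*: :fail: <message>': {line!r}"
                )
        elif not ENTRY.match(line):
            issues.append(f"line {i + 1}: malformed alias entry: {line!r}")
    if default_idx is None:
        issues.append("no '*' default entry at all")
    elif default_idx != len(lines) - 1:
        issues.append(
            f"line {default_idx + 1}: '*' default entry must be the last line of the file"
        )
    return issues


if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("NOT_LAST", NOT_LAST),
                         ("BAD_SPACING", BAD_SPACING), ("BLACKHOLE", BLACKHOLE)]:
        print(name, check_valiases(sample) or "ok")
```

    To run it against a real server, read the file with `open("/etc/valiases/domain.com").read()` and pass the text to `check_valiases`; a non-empty list is the thing to fix before looking anywhere else.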

  3. #3
    Member
    Join Date
    Jan 2003
    Posts
    169


    Hi Chirpy,

    how do I check what the RCPT is in the SMTP exchange as opposed to the email header? All I can see in the mail header is that the 'for' is for a non-existent user ...

    The *: :fail: line looks fine in /etc/valiases; it's the last line and there's no extra spaces etc.

    That's what's so weird about it; it makes no sense.

  4. #4
    Member
    Join Date
    Jan 2003
    Posts
    169


    When I'm tailing the exim_mainlog I see a message similar to the following every few seconds..

    2005-12-30 04:12:00 1Es1K8-0004oj-KU ** suntalaakaash@domain.com R=virtual_aliases: no such address here


    BUT ... that email above gets stored in the mail queue even though that is NOT a real mailbox...

  5. #5
    Super Moderator chirpy (account confirmed by cPanel staff to represent a vendor)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495


    It should indeed be shown in the 'for' section of the last Received header. Odd. Are those all the lines in exim_mainlog for 1Es1K8-0004oj-KU?
    Jonathan Michaelson

  6. #6
    Member
    Join Date
    Jan 2003
    Posts
    169


    root@koala [~]# tail -100000 /var/log/exim_mainlog | grep 1Es1K8-0004oj-KU
    2005-12-30 04:11:59 1Es1K8-0004oj-KU demime acl condition: base64 line length is not a multiple of 4 characters
    2005-12-30 04:11:59 1Es1K8-0004oj-KU <= <> H=reitdiep.demon.nl [212.238.241.152] P=smtp S=30825 id=0013$01cb34f5$04d950e2@Acer-laptop
    2005-12-30 04:12:00 1Es1K8-0004oj-KU ** suntalaakaash@domain.com R=virtual_aliases: no such address here
    2005-12-30 04:12:00 1Es1K8-0004oj-KU Frozen (delivery error message)
    2005-12-30 04:21:54 1Es1K8-0004oj-KU Message is frozen

    ...

    I totally don't get it ... for some reason this domain totally seems to ignore the :fail:

  7. #7
    Super Moderator chirpy (account confirmed by cPanel staff to represent a vendor)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495


    Ah.

    That log snippet helps. Because of the use of the demime ACL it's not doing the recipient check until the DATA stage (i.e. when the message has already been received) instead of in the RCPT stage of the SMTP protocol. That's why it's ending up in the mail queue: it's beyond the point where exim can deny delivery, as the email has effectively been delivered. If you were to remove those extra ACLs that you've added, it would probably work as it should.
    Jonathan Michaelson

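    As an added example (not from the thread, and not cPanel's or Exim's own code), the following Python script triages exim_mainlog and separates the two outcomes the reply above contrasts: recipients refused at RCPT time, which Exim logs as "rejected RCPT" and never queues, versus messages that were accepted ("<=") and only afterwards failed by the virtual_aliases router and frozen, which is the queue build-up seen in post #6. The first five sample lines are the ones quoted in post #6; the remaining lines are constructed, and the shape of the "rejected RCPT" line is Exim's general rejection-log format as I know it, assumed here rather than copied from this server.

```python
import re
from collections import defaultdict

# Constructed sample of exim_mainlog. Lines 1-5 are quoted from post #6 of the
# thread; the rest are made up to show a proper RCPT-time rejection and a
# normally delivered message for contrast.
SAMPLE_LOG = """\
2005-12-30 04:11:59 1Es1K8-0004oj-KU demime acl condition: base64 line length is not a multiple of 4 characters
2005-12-30 04:11:59 1Es1K8-0004oj-KU <= <> H=reitdiep.demon.nl [212.238.241.152] P=smtp S=30825 id=0013$01cb34f5$04d950e2@Acer-laptop
2005-12-30 04:12:00 1Es1K8-0004oj-KU ** suntalaakaash@domain.com R=virtual_aliases: no such address here
2005-12-30 04:12:00 1Es1K8-0004oj-KU Frozen (delivery error message)
2005-12-30 04:21:54 1Es1K8-0004oj-KU Message is frozen
2005-12-30 04:12:05 H=example.invalid [192.0.2.10] F=<bob@example.invalid> rejected RCPT <nobody@domain.com>: No Such User Here
2005-12-30 04:12:07 1Es1KF-0004p1-AA <= alice@example.invalid H=example.invalid [192.0.2.10] P=esmtp S=1024 id=abc@example.invalid
2005-12-30 04:12:08 1Es1KF-0004p1-AA => realuser <realuser@domain.com> R=virtual_user T=virtual_userdelivery
2005-12-30 04:12:08 1Es1KF-0004p1-AA Completed
"""

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
# Lines tied to a queued message carry Exim's 6-6-2 character message id.
MSG_LINE = re.compile(rf"^(?P<ts>{TS}) (?P<id>[0-9A-Za-z]{{6}}-[0-9A-Za-z]{{6}}-[0-9A-Za-z]{{2}}) (?P<rest>.*)$")
# "<=" is the message being accepted into the queue (end of DATA).
ACCEPT = re.compile(r"^<= (?P<sender>\S+) H=(?P<host>\S+)(?: \([^)]*\))? \[(?P<ip>[^\]]+)\]")
# "**" is a permanent delivery failure for one recipient, with the router that failed it.
FAIL = re.compile(r"^\*\* (?P<rcpt>\S+) R=(?P<router>\S+): (?P<why>.*)$")
# A recipient refused during the SMTP RCPT exchange; no message id because nothing was queued.
RCPT_REJECT = re.compile(
    rf"^{TS} H=(?P<host>\S+)(?: \([^)]*\))? \[(?P<ip>[^\]]+)\] "
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]+)>: (?P<why>.*)$"
)


def triage(log_text):
    """Split the log into RCPT-time rejections and late (post-DATA) rejections."""
    msgs = defaultdict(lambda: {"accepted": None, "failures": [], "frozen": False})
    rcpt_rejects = []
    for line in log_text.splitlines():
        m = RCPT_REJECT.match(line)
        if m:
            rcpt_rejects.append(m.groupdict())
            continue
        m = MSG_LINE.match(line)
        if not m:
            continue
        rec, rest = msgs[m.group("id")], m.group("rest")
        if (a := ACCEPT.match(rest)):
            rec["accepted"] = a.groupdict()
        elif (f := FAIL.match(rest)):
            rec["failures"].append(f.groupdict())
        elif rest.startswith("Frozen") or rest == "Message is frozen":
            rec["frozen"] = True

    late = []
    for mid, rec in msgs.items():
        if rec["accepted"] is None:
            continue
        for f in rec["failures"]:
            # Accepted first, then "no such address": the recipient check ran too late.
            if "no such address" in f["why"]:
                late.append({"id": mid, "recipient": f["rcpt"], "router": f["router"],
                             "sender": rec["accepted"]["sender"],
                             "host": rec["accepted"]["host"], "ip": rec["accepted"]["ip"],
                             "frozen": rec["frozen"]})
    return {"late_rejections": late, "rcpt_rejections": rcpt_rejects}


def late_by_host(report):
    """Count late rejections per sending host, to see who is running the dictionary attack."""
    counts = defaultdict(int)
    for r in report["late_rejections"]:
        counts[r["host"]] += 1
    return dict(counts)


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    print("refused at RCPT:", [r["rcpt"] for r in rep["rcpt_rejections"]])
    print("accepted then failed (queued):",
          [(r["id"], r["recipient"], r["frozen"]) for r in rep["late_rejections"]])
    print("late rejections per host:", late_by_host(rep))
```

    On a live server, feed it `tail -100000 /var/log/exim_mainlog` as in post #6. Every entry in `late_rejections` with `frozen` set is a bounce Exim generated for a message it had already accepted; when the envelope sender was `<>` (as in the quoted sample) there is nobody to return that bounce to, so it freezes and sits in the queue, which is exactly the symptom described. Once recipient verification happens at RCPT time, the same attack shows up only as "rejected RCPT" lines and nothing reaches the queue.
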
  8. #8
    Member
    Join Date
    Jan 2003
    Posts
    169


    What extra ACLs? I don't think I have any ... plus it's only this domain that's not working properly.
