Kevin_Miller at ci.juneau.ak.us
Thu Aug 20 18:15:24 IST 2009
I'm being bombarded with a ton of spam that claims to be from localhost (but the IP isn't in the 127. range). They are false NDRs, bouncing off of foreign servers. A large number of my users are being joe-jobbed, and the remote servers send the NDRs here. Here's a couple of examples from the mail log:
Aug 20 06:32:30 mx2 sendmail-in: n7KEVnN7025703: from=<qvmanifestation at grahamevinson.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=localhost [184.108.40.206] (may be forged)
Aug 20 07:34:33 mx2 sendmail-in: n7KFYJdI029611: from=<kzmatrimony at ivory.plala.or.jp>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=localhost [220.127.116.11] (may be forged)
I'd really like to be able to block them at the MTA level, but barring that, a spamassassin rule would do nicely. Anybody have a rule available that would fit the bill? There are too many sources to try to blacklist - I'd be playing whack-a-mole all day long.
(I've been on vacation the past few weeks, so if this has been discussed please let me know the subject line.)
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907) 586-4500
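The pattern described in the post (a relay that names itself localhost while connecting from an address outside the loopback range) can be picked out of the sendmail log with a short check. This is an added example, not part of the original message; the function names and the last two sample lines are constructed for illustration.

```python
import ipaddress
import re

# relay=<claimed name> [<connecting IP>], as in the sendmail "from=" lines above.
RELAY_RE = re.compile(r"relay=(?P<name>[^\s\[\],]+)?\s*\[(?P<ip>[^\]]+)\]")
QID_RE = re.compile(r":\s(?P<qid>[A-Za-z0-9]{8,}):\sfrom=<(?P<sender>[^>]*)>")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# First two lines are the ones quoted in the post; the last two are constructed.
SAMPLE_LOG = [
    "Aug 20 06:32:30 mx2 sendmail-in: n7KEVnN7025703: from=<qvmanifestation at grahamevinson.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=localhost [184.108.40.206] (may be forged)",
    "Aug 20 07:34:33 mx2 sendmail-in: n7KFYJdI029611: from=<kzmatrimony at ivory.plala.or.jp>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=localhost [220.127.116.11] (may be forged)",
    "Aug 20 07:40:01 mx2 sendmail-in: n7KG00aa000001: from=<root at mx2.example.org>, size=512, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]",
    "Aug 20 07:41:12 mx2 sendmail-in: n7KG00aa000002: from=<user at example.org>, size=2048, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.25]",
]


def forged_localhost(line):
    """Return (queue_id, sender, ip) when the relay claims to be localhost
    but connected from a non-loopback address; otherwise return None."""
    relay = RELAY_RE.search(line)
    if not relay or (relay.group("name") or "").lower().rstrip(".") not in LOCAL_NAMES:
        return None
    raw_ip = relay.group("ip")
    if raw_ip.lower().startswith("ipv6:"):  # assumed form of IPv6 peers: [IPv6:...]
        raw_ip = raw_ip[5:]
    try:
        ip = ipaddress.ip_address(raw_ip)
    except ValueError:
        return None  # unparseable address: leave for manual review
    if ip.is_loopback:
        return None  # genuine local submission
    meta = QID_RE.search(line)
    qid, sender = (meta.group("qid"), meta.group("sender")) if meta else (None, None)
    return qid, sender, str(ip)


def scan(lines):
    """Collect every forged-localhost hit from an iterable of log lines."""
    return [hit for hit in map(forged_localhost, lines) if hit]


if __name__ == "__main__":
    for qid, sender, ip in scan(SAMPLE_LOG):
        print(f"{qid}: relay claims localhost from {ip}, envelope sender <{sender}>")
```

Run against the live log, the queue IDs it returns can be used to pull the matching `to=` lines and see which local users the bounces were aimed at.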