Localhost forgery
Eduardo Casarero
ecasarero at gmail.com
Thu Aug 20 18:22:20 IST 2009
2009/8/20 Kevin Miller <Kevin_Miller at ci.juneau.ak.us>
> I'm being bombarded with a ton of spam that claims to be from localhost
> (but the IP isn't in the 127. range). They are false NDRs, bouncing off of
> foreign servers. A large number of my users are being joe-jobbed, and the
> remote servers send the NDRs here. Here's a couple of examples from the
> mail log:
>
> Aug 20 06:32:30 mx2 sendmail-in[25703]: n7KEVnN7025703: from=<qvmanifestation at grahamevinson.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=localhost [123.26.216.57] (may be forged)
> Aug 20 07:34:33 mx2 sendmail-in[29611]: n7KFYJdI029611: from=<kzmatrimony at ivory.plala.or.jp>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=localhost [222.254.108.100] (may be forged)
>
> I'd really like to be able to block them at the MTA level, but barring
> that, a spamassassin rule would do nicely. Anybody have a rule available
> that would fit the bill? There are too many sources to try to blacklist -
> I'd be playing whack-a-mole all day long.
>
Do you use greylisting?
>
> (I've been on vacation the past few weeks, so if this has been discussed
> please let me know the subject line.)
>
> Thanks...
>
> ...Kevin
> --
> Kevin Miller Registered Linux User No: 307357
> CBJ MIS Dept. Network Systems Admin., Mail Admin.
> 155 South Seward Street ph: (907) 586-0242
> Juneau, Alaska 99801 fax: (907 586-4500
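The pattern in the quoted log lines, a relay name of localhost paired with a non-loopback address, can be pulled out of a sendmail log for triage before deciding where to block. This is an added example, not part of the original thread; the sample lines, addresses, queue IDs and function names are constructed, and the set of names treated as local is an assumption.

```python
import ipaddress
import re
from collections import Counter

# sendmail "from=" lines end with relay=<name> [<ip>], optionally "(may be forged)"
RELAY_RE = re.compile(
    r"relay=(?P<name>\S+) \[(?P<ip>[^\]]+)\](?P<forged> \(may be forged\))?")
SENDER_RE = re.compile(r"from=<(?P<sender>[^>]*)>")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}  # assumption: names counted as local

def forged_localhost(line):
    """Return (ip, sender, forged_flag) when the relay claims a local name
    but connected from a non-loopback address; otherwise None."""
    m = RELAY_RE.search(line)
    if not m or m.group("name").lower().rstrip(".") not in LOCAL_NAMES:
        return None
    ip_text = m.group("ip")
    if ip_text.lower().startswith("ipv6:"):  # tolerate an IPv6: prefix in the literal
        ip_text = ip_text[5:]
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # unparseable address: leave for manual review
    if ip.is_loopback:
        return None  # genuine local submission
    s = SENDER_RE.search(line)
    return (str(ip), s.group("sender") if s else "", m.group("forged") is not None)

def scan(lines):
    """Count hits per connecting IP across an iterable of log lines."""
    hits = Counter()
    for line in lines:
        hit = forged_localhost(line)
        if hit:
            hits[hit[0]] += 1
    return hits

# Constructed sample lines in the same layout as the log excerpt above
SAMPLE_LOG = [
    "Aug 20 06:32:30 mx2 sendmail-in[101]: q0000001: from=<bounce@example.net>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=localhost [203.0.113.57] (may be forged)",
    "Aug 20 06:33:01 mx2 sendmail-in[102]: q0000002: from=<root@mx2.example.org>, size=512, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]",
    "Aug 20 06:34:12 mx2 sendmail-in[103]: q0000003: from=<user@example.com>, size=2048, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.com [198.51.100.10]",
    "Aug 20 06:35:40 mx2 sendmail-in[104]: q0000004: from=<>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [203.0.113.57]",
]

if __name__ == "__main__":
    for ip, count in scan(SAMPLE_LOG).most_common():
        print(ip, count)
```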