Localhost forgery

Martin Hepworth maxsec at gmail.com
Thu Aug 20 18:45:15 IST 2009


2009/8/20 Kevin Miller <Kevin_Miller at ci.juneau.ak.us>

> I'm being bombarded with a ton of spam that claims to be from localhost
> (but the IP isn't in the 127. range).  They are false NDRs, bouncing off of
> foreign servers.  A large number of my users are being joe-jobbed, and the
> remote servers send the NDRs here.  Here's a couple of examples from the
> mail log:
>
> Aug 20 06:32:30 mx2 sendmail-in[25703]: n7KEVnN7025703: from=<
> qvmanifestation at grahamevinson.com>, size=0, class=0, nrcpts=0,
> proto=ESMTP, daemon=MTA, relay=localhost [123.26.216.57] (may be forged)
> Aug 20 07:34:33 mx2 sendmail-in[29611]: n7KFYJdI029611: from=<
> kzmatrimony at ivory.plala.or.jp>, size=0, class=0, nrcpts=0, proto=ESMTP,
> daemon=MTA, relay=localhost [222.254.108.100] (may be forged)
>
> I'd really like to be able to block them at the MTA level, but barring
> that, a spamassassin rule would do nicely.  Anybody have a rule available
> that would fit the bill?  There are too many sources to try to blacklist -
> I'd be playing whack-a-mole all day long.
>
> (I've been on vacation the past few weeks, so if this has been discussed
> please let me know the subject line.)
>
> Thanks...
>
> ...Kevin
> --
> Kevin Miller                Registered Linux User No: 307357
> CBJ MIS Dept.               Network Systems Admin., Mail Admin.
> 155 South Seward Street     ph: (907) 586-0242
> Juneau, Alaska 99801        fax: (907) 586-4500
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

Kevin

Does your outgoing go via MailScanner? If so, make sure you're using the
watermark feature of MailScanner. Still means you're accepting the email but
it will mean any email that's an NDR without those watermark headers will get
marked as spam.


-- 
Martin Hepworth
Oxford, UK
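
An added example, not part of the original thread: a Python script that scans sendmail log lines in the format quoted above for relays that claim the name localhost from a non-loopback address, and counts them per source address. The sample lines are constructed (documentation address ranges and example domains), and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the format of the quoted log (documentation
# address ranges and example domains, not real senders).
SAMPLE_LOG = """\
Aug 20 06:32:30 mx2 sendmail-in[25703]: n7KEVnN7025703: from=<user1@example.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=localhost [203.0.113.57] (may be forged)
Aug 20 06:40:02 mx2 sendmail-in[25811]: n7KEe2aa025811: from=<cron@example.org>, size=512, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Aug 20 07:34:33 mx2 sendmail-in[29611]: n7KFYJdI029611: from=<user2@example.net>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=localhost [203.0.113.57] (may be forged)
Aug 20 07:35:10 mx2 sendmail-in[29640]: n7KFZ0bb029640: from=<user3@example.net>, size=2048, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.net [198.51.100.9]
Aug 20 07:36:00 mx2 sendmail-in[29655]: n7KFa0cc029655: from=<user4@example.org>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=localhost [IPv6:2001:db8::25] (may be forged)
"""

# sendmail logs the connecting host as: relay=<claimed name> [<address>]
RELAY_RE = re.compile(r"relay=(?P<name>\S+) \[(?P<addr>[^\]]+)\]")
QID_RE = re.compile(r"sendmail[^\[]*\[\d+\]: (?P<qid>\w+): from=")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def forged_localhost(line):
    """Return (queue_id, ip) when a relay claims to be localhost from a
    non-loopback address; return None for every other line."""
    relay = RELAY_RE.search(line)
    if not relay or relay.group("name").rstrip(".").lower() not in LOCAL_NAMES:
        return None
    addr = relay.group("addr")
    if addr.lower().startswith("ipv6:"):  # sendmail prefixes IPv6 literals
        addr = addr[5:]
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None  # unparseable address: leave for manual review
    if ip.is_loopback:
        return None  # genuine local submission
    qid = QID_RE.search(line)
    return (qid.group("qid") if qid else None, str(ip))


def summarize(log_text):
    """Count forged-localhost connections per source address."""
    hits = filter(None, map(forged_localhost, log_text.splitlines()))
    return Counter(ip for _qid, ip in hits)


if __name__ == "__main__":
    for ip, count in summarize(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {ip}")
```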