Localhost forgery

Steve Freegard steve.freegard at fsl.com
Thu Aug 20 18:51:15 IST 2009


Kevin Miller wrote:
> I'm being bombarded with a ton of spam that claims to be from localhost (but the IP isn't in the 127. range).  They are false NDRs, bouncing off of foreign servers.  A large number of my users are being joe-jobbed, and the remote servers send the NDRs here.  Here's a couple of examples from the mail log:
> 
> Aug 20 06:32:30 mx2 sendmail-in[25703]: n7KEVnN7025703: from=<qvmanifestation at grahamevinson.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=localhost [123.26.216.57] (may be forged)
> Aug 20 07:34:33 mx2 sendmail-in[29611]: n7KFYJdI029611: from=<kzmatrimony at ivory.plala.or.jp>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=localhost [222.254.108.100] (may be forged)
> 
> I'd really like to be able to block them at the MTA level, but barring that, a spamassassin rule would do nicely.  Anybody have a rule available that would fit the bill?  There are too many sources to try to blacklist - I'd be playing whack-a-mole all day long.
> 
> (I've been on vacation the past few weeks, so if this has been discussed please let me know the subject line.)
> 

Try:

connect:127.0.0.1		OK
connect:localhost		REJECT

In the access-map as the connect tag inspects the IP address and the PTR
record which should work in this case provided Sendmail doesn't ignore
it due to the '(may be forged)'.

Regards,
Steve.
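As an added example (not part of the original thread), a small log check in the spirit of the connect: test above: it reads sendmail log lines in the format quoted by Kevin and reports connections whose relay name is "localhost" while the peer address is outside the loopback ranges. The first two sample lines mirror the ones from the post; the third is a constructed legitimate loopback connection.

```python
import ipaddress
import re

# Constructed sample input: two forged relays as quoted in the thread and one
# constructed genuine loopback connection that must not be flagged.
SAMPLE_LOG = """\
Aug 20 06:32:30 mx2 sendmail-in[25703]: n7KEVnN7025703: from=<qvmanifestation at grahamevinson.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=localhost [123.26.216.57] (may be forged)
Aug 20 07:34:33 mx2 sendmail-in[29611]: n7KFYJdI029611: from=<kzmatrimony at ivory.plala.or.jp>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=localhost [222.254.108.100] (may be forged)
Aug 20 07:40:01 mx2 sendmail-in[29700]: n7KFe1aB029700: from=<root@localhost>, size=512, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
"""

# sendmail logs the peer as relay=<name> [<ip>], optionally followed by
# "(may be forged)" when the PTR name does not resolve back to the IP.
RELAY_RE = re.compile(
    r"relay=(?P<name>\S+) \[(?:IPv6:)?(?P<ip>[0-9a-fA-F.:]+)\]"
    r"( \((?P<flag>may be forged)\))?"
)
QID_RE = re.compile(r"\]: (?P<qid>[A-Za-z0-9]+): ")

LOOPBACK_NETS = (ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("::1/128"))


def is_loopback(ip_text):
    """True only for addresses that may legitimately call themselves localhost."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in LOOPBACK_NETS)


def forged_localhost_relays(log_text):
    """Return (queue_id, ip, sendmail_flagged) for every connection whose relay
    name is 'localhost' but whose peer address is not a loopback address."""
    hits = []
    for line in log_text.splitlines():
        relay = RELAY_RE.search(line)
        if not relay or relay.group("name").lower() != "localhost":
            continue
        if is_loopback(relay.group("ip")):
            continue  # genuine local delivery, nothing to report
        qid_match = QID_RE.search(line)
        qid = qid_match.group("qid") if qid_match else "?"
        hits.append((qid, relay.group("ip"), relay.group("flag") is not None))
    return hits


if __name__ == "__main__":
    for qid, ip, flagged in forged_localhost_relays(SAMPLE_LOG):
        print(f"{qid}: forged localhost from {ip} (sendmail flagged: {flagged})")
```

Running the same check over a real maillog gives a count of forged peers per day, which is a quick way to confirm the access-map rule is catching them once it is in place.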


More information about the MailScanner mailing list