Localhost forgery

Kevin Miller Kevin_Miller at ci.juneau.ak.us
Thu Aug 20 20:11:09 IST 2009

Steve Freegard wrote:
> Kevin Miller wrote:
>> I'm being bombarded with a ton of spam that claims to be from
>> localhost (but the IP isn't in the 127. range).  They are false
>> NDRs, bouncing off of foreign servers.  A large number of my users
>> are being joe-jobbed, and the remote servers send the NDRs here. 
>> Here's a couple of examples from the the mail log:    
>> Aug 20 06:32:30 mx2 sendmail-in[25703]: n7KEVnN7025703:
>> from=<qvmanifestation at grahamevinson.com>, size=0, class=0, nrcpts=0,
>> proto=ESMTP, daemon=MTA, relay=localhost [] (may be
>> forged) Aug 20 07:34:33 mx2 sendmail-in[29611]: n7KFYJdI029611:
>> from=<kzmatrimony at ivory.plala.or.jp>, size=0, class=0, nrcpts=0,
>> proto=ESMTP, daemon=MTA, relay=localhost [] (may be
>> forged)
>> I'd really like to be able to block them at the MTA level, but
>> barring that, a spamassassin rule would do nicely.  Anybody have a
>> rule available that would fit the bill?  There are too many sources
>> to try to blacklist - I'd be playing whack-a-mole all day long.   
>> (I've been on vacation the past few weeks, so if this has been
>> discussed please let me know the subject line.)
> Try:
> connect:		OK
> connect:localhost		REJECT
> In the access-map as the connect tag inspects the IP address and the
> PTR record which should work in this case provided Sendmail doesn't
> ignore it due to the '(may be forged)'.  

Sending from the server itself fails when I do that.  Thanks for the suggestion though...

Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

More information about the MailScanner mailing list