Kevin_Miller at ci.juneau.ak.us
Thu Aug 20 20:11:09 IST 2009
Steve Freegard wrote:
> Kevin Miller wrote:
>> I'm being bombarded with a ton of spam that claims to be from
>> localhost (but the IP isn't in the 127. range). They are false
>> NDRs, bouncing off of foreign servers. A large number of my users
>> are being joe-jobbed, and the remote servers send the NDRs here.
>> Here's a couple of examples from the the mail log:
>> Aug 20 06:32:30 mx2 sendmail-in: n7KEVnN7025703:
>> from=<qvmanifestation at grahamevinson.com>, size=0, class=0, nrcpts=0,
>> proto=ESMTP, daemon=MTA, relay=localhost [220.127.116.11] (may be
>> forged) Aug 20 07:34:33 mx2 sendmail-in: n7KFYJdI029611:
>> from=<kzmatrimony at ivory.plala.or.jp>, size=0, class=0, nrcpts=0,
>> proto=ESMTP, daemon=MTA, relay=localhost [18.104.22.168] (may be
>> I'd really like to be able to block them at the MTA level, but
>> barring that, a spamassassin rule would do nicely. Anybody have a
>> rule available that would fit the bill? There are too many sources
>> to try to blacklist - I'd be playing whack-a-mole all day long.
>> (I've been on vacation the past few weeks, so if this has been
>> discussed please let me know the subject line.)
> connect:127.0.0.1 OK
> connect:localhost REJECT
> In the access-map as the connect tag inspects the IP address and the
> PTR record which should work in this case provided Sendmail doesn't
> ignore it due to the '(may be forged)'.
Sending from the server itself fails when I do that. Thanks for the suggestion though...
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500
More information about the MailScanner