Any chance of blocking these?
james at gray.net.au
Sun Jun 7 04:27:33 IST 2009
On 07/06/2009, at 6:52 AM, Ljósnet wrote:
> Hello, I have a small problem with few MS Exchange servers who are
> infected with some kind of virus/trojan. They are sending mail through
> my gateway which is fine, but I need to be able to stop them from
> sending mail which dont have any valid address in from=< > field until
> I get the system administrator to clean their server.
> In the maillog it looks like this:
> sendmail: n56Ki9EY012542: from=<>, size=23860, class=0,
> nrcpts=1, msgid=<fiplj8nhX00000e8f at domain.com>, proto=ESMTP,
> daemon=MTA, relay=[10.101.45.50]
> Is it possible to somehow stop servers/clients from being able to send
> through my gateway when there is no valid from= address?
Looks like a bounce message to me; "From=<>" is what the MTA uses when
it returns a message to the envelope sender to advise them of non-
delivery (among other things). You can certainly block them, but that
would violate the RFC's. A better solution would be to block the
entire Exchange server until the admins clean up their act. If a
virus/trojan is spewing fake bounces (aka, "back-scatter spam" etc)
then what's to say it wont start sending other malicious content??
More information about the MailScanner