At 19:42 2003-04-17 -0600, LuKreme did say:
> What I find odd is that there is almost no info in the received
> header. Shouldn't postfix be keeping track of the IP address that connected?
> Anyway, that's not really the point. The question is, can I look at the
> "From: Bill(_at_)systh(_dot_)serveftp(_dot_)net" and have procmail somehow test if that
> username is valid:
Is 'valid' defined as only local lognames? 'finger' or a grep of
/etc/passwd would be ways to check that.
> I suppose I could check if the From: matched the From_ though, that might
I should add a caveat to my earlier recommendation: if the message is
arriving as a result of a mailing list (oh, such as this user sending a
message to the Procmail list for instance), then the From_ won't match.
However, in conjunction with the "less received's than expected" check,
this would be fine - if it were through a real discussion list, you should
expect more Received: headers, shouldn't you?
> Mailserver is southgaylord.com/kreme.com and I get mail down via
> fetchmail. The syth.serveftp.net is my home machine using dyndns and has
> accounts for me, my family, and some friends. I do get SOME mail directly
> to the dyndns domain, but very very little.
Therein lies a problem with your headers - something's amiss with the
remote server, since the spam was sitting in your mailbox there WITHOUT A
RECEIVED: HEADER - the ONE header you have is your localhost from when
fetchmail (running on localhost) submitted it to the local MTA for delivery.
There's another technique for catching this sort of crud: set the hostname
of your mail host to something OTHER than the domain portion through which
you receive mail (if you send mail locally from that host, you'll need to
deal with userdb type stuff, or whatever the Postfix equivalent is - for
changing user/hostnames on SENT messages). Look at my headers - my mail
has a hostname portion of 'mail', but the mail server doesn't go by that
name (trei). Whenever I receive mail including a hostname of trei, I know
it is spam, or truly locally generated (root, postmaster - both of which
could be rewritten through userdb), and in the latter case, I know those
accounts aren't used for remote mailing lists, so the From_ should darn
well match. Any address not corresponding to a legitimate address (and
thus having the hostname rewritten by the userdb handler) will pass through
with the actual mailhost hostname, and be easily identifiable as crap.
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
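A procmail recipe implementing the two checks discussed in this thread (a From: local part that is not a real account, and a From_/From: mismatch that is only trusted when there are too few Received: headers for list mail) is given below as an added example; it is not code from the thread, and the domain, hop threshold and folder names are assumptions.

```procmail
# Added example, not code from this thread. Assumed setup: the public mail
# domain is example.com, mail that really came through a discussion list
# carries at least two Received: headers, and a folder "suspect" exists
# under $MAILDIR. Adjust all three to your own site.

# Count Received: headers in the header block only (sed stops at the first
# blank line). Continuation lines of a folded Received: begin with
# whitespace, so they are not counted. Procmail feeds the whole message to
# a backquoted command on stdin.
RCVD=`sed '/^$/q' | grep -c '^Received:'`

# 1. From: claims one of our addresses, but the local part is not a login
# name. The first condition leaves "user@example.com" in MATCH; the second
# re-matches MATCH itself and trims it to "user". Restricting the capture to
# login-name characters keeps arbitrary header text out of the shell
# command below.
:0
* ^From:.*[ <]\/[-a-zA-Z0-9._]+@example\.com
* MATCH ?? ^^\/[^@]+
{
  KNOWN=`grep -c "^$MATCH:" /etc/passwd`
  :0
  * KNOWN ?? ^^0^^
  suspect/no-such-user
}

# 2. Direct delivery (too few hops to have come through a list) where From:
# is one of our addresses but the envelope sender on the From_ line is not.
# List mail legitimately has a foreign From_, which is why the hop count
# gates this check.
:0
* RCVD ?? ^^[01]^^
* ^From:.*@example\.com
* ! ^From .*@example\.com
suspect/sender-mismatch
```

On a host whose accounts live in NIS or LDAP rather than /etc/passwd, replace the grep with `getent passwd "$MATCH"` and test its exit status instead of the count.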