Re: Mail from invalid users at my local dynamic DNS
2003-04-18 11:38:29
On Thursday, Apr 17, 2003, at 21:43 Canada/Mountain, Professional
Software Engineering wrote:
At 19:42 2003-04-17 -0600, LuKreme did say:
What I find odd is that there is almost no info in the received
header. Shouldn't postfix be keeping track of the IP address that
connected?
Anyway, that's not really the point. The question is, can I look at
the "From: Bill(_at_)systh(_dot_)serveftp(_dot_)net" and have procmail somehow test if
that username is valid:
Is 'valid' defined as only local lognames? 'finger' or a grep of
/etc/passwd would be ways to check that.
Right. I could awk /etc/passwd but OS X uses NetInfo, so that's a
little more complicated, though not much.
I suppose I could check if the From: matched the From_ though, that
might work.
I should add a caveat to my earlier recommendation: if the message is
arriving as a result of a mailing list (oh, such as this user sending
a message to the Procmail list for instance), then the From_ won't
match.
Right. Will keep that in mind on the off chance I ever lose my mind
and decide to subscribe to mailing lists using a dynamic hostname. (It
could happen)
However, in conjunction with the "less received's than expected"
check, this would be fine - if it were through a real discussion list,
you should expect more Received: headers, shouldn't you?
Mailserver is southgaylord.com/kreme.com and I get mail down via
fetchmail. The syth.serveftp.net is my home machine using dyndns and
has accounts for me, my family, and some friends. I do get SOME mail
directly to the dyndns domain, but very very little.
Therein lies a problem with your headers - something's amiss with the
remote server, since the spam was sitting in your mailbox there
WITHOUT A RECEIVED: HEADER - the ONE header you have is your localhost
from when fetchmail (running on localhost) submitted it to the local
MTA for delivery.
That's what I was wondering. I was thinking it must have been delivered
directly to my dynamic machine, but now I'm not so sure. Of course,
with those headers it's very difficult to say. I will have to check
the logs on the server.
There's another technique for catching this sort of crud: set the
hostname of your mail host to something OTHER than the domain portion
through which you receive mail (if you send mail locally from that
host, you'll need to deal with userdb type stuff, or whatever the
Postfix equivalent is - for changing user/hostnames on SENT messages).
Look at my headers - my mail has a hostname portion of 'mail', but
the mail server doesn't go by that name (trei). Whenever I receive
mail including a hostname of trei, I know it is spam, or truly
locally generated (root, postmaster - both of which could be rewritten
through userdb), and in the latter case, I know those accounts aren't
used for remote mailing lists, so the From_ should darn well match.
Any address not corresponding to a legitimate address (and thus having
the hostname rewritten by the userdb handler) passes through with the
actual mailhost hostname, and is easily identifiable as crap.
Good technique. If I had full and easy access to the DNS I'd give that
a go.
--
If there's a bustle in your hedgerow don't be alarmed now.
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
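The checks kicked around in this thread (does the From: at the dyndns domain name a real local account, does From: agree with the mbox From_ line except for list traffic, are there fewer Received: headers than a real delivery path would leave, and does any address carry the mail host's true hostname instead of its mail domain) are shown below as an added Python example. It is not code from the thread or from procmail; the account list, the hypothetical hostname, the Received: threshold and both sample messages are constructed stand-ins. On a real box the account lookup would read /etc/passwd, or NetInfo on the OS X machine in the thread, and the script would be invoked from a procmail recipe as a filter or `?` condition.

```python
"""Header sanity checks from the procmail thread, as a stand-alone script.
Everything here (names, threshold, sample messages) is constructed."""
import email
from email.utils import getaddresses, parseaddr

LOCAL_DOMAIN = "systh.serveftp.net"        # the dyndns domain from the thread
LOCAL_USERS = {"lukreme", "alice", "root", "postmaster"}  # stand-in for /etc/passwd or NetInfo
MAILHOST_NAME = "trei.example.invalid"     # hypothetical true hostname, never used in mail addresses
SYSTEM_ACCOUNTS = {"root", "postmaster"}   # may legitimately show MAILHOST_NAME
MIN_RECEIVED = 2                           # constructed: remote MX hop plus the local fetchmail hop


def parse_mbox_message(text):
    """Return (envelope_sender, Message). The mbox 'From ' line is the From_
    the thread talks about; it is not an RFC 2822 header, so split it off first."""
    text = text.lstrip("\n")
    envelope = None
    if text.startswith("From "):
        first, _, text = text.partition("\n")
        parts = first.split()
        envelope = parts[1] if len(parts) > 1 else None
    return envelope, email.message_from_string(text)


def check_message(text, local_users=LOCAL_USERS):
    """Return a list of reasons the message looks forged; an empty list means clean."""
    envelope, msg = parse_mbox_message(text)
    reasons = []

    # 1. A From: at our own domain must name an account that exists.
    _, from_addr = parseaddr(msg.get("From", ""))
    local_part, _, domain = from_addr.rpartition("@")
    if domain.lower() == LOCAL_DOMAIN and local_part.lower() not in local_users:
        reasons.append("From: names non-existent local user %r" % local_part)

    # 2. From_ vs From: only means something for direct mail; a list rewrites From_.
    via_list = msg.get("List-Id") is not None or msg.get("List-Post") is not None
    if envelope and not via_list and envelope.lower() != from_addr.lower():
        reasons.append("From_ %r does not match From: %r" % (envelope, from_addr))

    # 3. Fewer Received: headers than a real delivery path would add.
    received = msg.get_all("Received", [])
    if len(received) < MIN_RECEIVED:
        reasons.append("only %d Received: header(s), expected at least %d"
                       % (len(received), MIN_RECEIVED))

    # 4. Hostname trick: legitimate mail uses the mail domain, so the true
    #    hostname in an address means spam or genuinely local system mail.
    for hdr in ("From", "To", "Cc"):
        for _, addr in getaddresses(msg.get_all(hdr, [])):
            lp, _, dom = addr.rpartition("@")
            if dom.lower() == MAILHOST_NAME and lp.lower() not in SYSTEM_ACCOUNTS:
                reasons.append("%s: address %r carries the real mailhost name" % (hdr, addr))
    return reasons


# Constructed: one Received: (the fetchmail hop) and a From: claiming a local user who does not exist.
FORGED = """From Bill@systh.serveftp.net Thu Apr 17 19:42:00 2003
Received: from localhost (localhost [127.0.0.1])
        by systh.serveftp.net (Postfix) with ESMTP id 5F3A1C0
        for <lukreme@systh.serveftp.net>; Thu, 17 Apr 2003 19:42:01 -0600
From: Bill@systh.serveftp.net
To: lukreme@systh.serveftp.net
Subject: hello

spam body
"""

# Constructed: genuine list traffic; From_ is the list's bounce address, so it is not compared.
LIST_MAIL = """From procmail-bounces@lists.RWTH-Aachen.DE Fri Apr 18 11:38:29 2003
Received: from localhost (localhost [127.0.0.1])
        by systh.serveftp.net (Postfix) with ESMTP id 7A22B19
        for <lukreme@systh.serveftp.net>; Fri, 18 Apr 2003 11:38:30 -0600
Received: from MailMan.RWTH-Aachen.DE (mailman.rwth-aachen.de [192.0.2.10])
        by southgaylord.com (Postfix) with ESMTP id 3C8D7E2; Fri, 18 Apr 2003 11:38:29 -0600
From: lukreme@systh.serveftp.net
To: procmail@lists.RWTH-Aachen.DE
List-Id: <procmail.lists.rwth-aachen.de>
Subject: Re: Mail from invalid users at my local dynamic DNS

list body
"""

if __name__ == "__main__":
    for name, sample in (("forged", FORGED), ("list", LIST_MAIL)):
        print(name, check_message(sample) or ["clean"])
```

Run on the forged sample it reports the non-existent user and the missing Received: hop; the list sample passes because the From_ comparison is skipped when List-Id is present, which is exactly the caveat raised in the thread.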