Re: Mail from invalid users at my local dynamic DNS

On Thursday, Apr 17, 2003, at 21:43 Canada/Mountain, Professional 
Software Engineering wrote:
> At 19:42 2003-04-17 -0600, LuKreme did say:
> > What I find odd is that there is almost no info in the received 
> > header.  Shouldn't postfix be keeping track of the IP address that 
> > connected?
> > Anyway, that's not really the point.  The question is, can I look at 
> > the "From: Bill(_at_)systh(_dot_)serveftp(_dot_)net" and have procmail somehow test if 
> > that usersname is valid:
> Is 'valid' defined as only local lognames?  'finger' or a grep of 
> /etc/passwd would be ways to check that.
Right. I could awk /etc/passwd but OS X uses NetInfo, so that's a 
little more complicated, though not much.
> > I suppose I could check if the From: matched the From_ though, that 
> > might work.
> I should add a caveat to my earlier recommendation: if the message is 
> arriving as a result of a mailing list (oh, such as this user sending 
> a message to the Procmail list for instance), then the From_ won't 
> match.
Right.  Will keep that in mind on the off chance I ever loose my mind 
and decide to subscribe to mailing lists using a dynamic hostname.  (It 
could happen)
> However, in conjunction with the "less received's than expected" 
> check, this would be fine - if it were through a real discussion list, 
> you should expect more Received: headers, shouldn't you?
> > Mailserver is southgaylord.com/kreme.com and I get mail down via 
> > fetchmail.  The syth.serveftp.net is my home machine using dyndns and 
> > has accounts for me, my family, and some friends.  I do get SOME mail 
> > directly to the dyndns domain, but very very little.
> Therein lies a problem with your headers - something's amiss with the 
> remote server, since the spam was sitting in your mailbox there 
> WITHOUT A RECEIVED: HEADER - the ONE header you have is your localhost 
> from when fetchmail (running on localhost) submitted it to the local 
> MTA for delivery.
That's what I was wondering. I was thinking it must have been delivered 
directly to my dynamic machine, but now I'm not so sure.  Of course, 
with those headers it's very difficult to say.  I will have to check 
the logs on the server.
> There's another technique for catching this sort of crud: set the 
> hostname of your mail host to something OTHER than the domain portion 
> through which you receive mail (if you send mail locally from that 
> host, you'll need to deal with userdb type stuff, or whatever the 
> Postfix equivalent is - for changing user/hostnames on SENT messages). 
>  Look at my headers - my mail has a hostname portion of 'mail', but 
> the mail server doesn't go by that name (trei).  Whenever I receive 
> mail including a hostname of trei, I know it is spam, or truely 
> locally generated (root, postmaster - both of which could be rewritten 
> through userdb), and in the latter case, I know those accounts aren't 
> used for remote mailing lists, so the From_ should darn well match.  
> Any address not corresponding to a legitimate address (and thus having 
> the hostname rewritten by the userdb handler) pass through with the 
> actual mailhost hostname, and be easily identifyable as crap.
Good technique.  If I had full and easy access to the DNS I'd give that 
a go.
--
If there's a bustle in your hedgerow don't be alarmed now.


_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail