OK, the (or some) spammer came back. For some reason everything seems to originate from localhost, which isn't telling me much. Where to look, what to do?
Postcat gives me this:

*** ENVELOPE RECORDS deferred/6/6F38E5F4595 ***
message_size: 2091 1231 9 0
message_arrival_time: Fri Nov 7 18:55:55 2008
create_time: Fri Nov 7 18:55:55 2008
named_attribute: rewrite_context=local
sender: [EMAIL PROTECTED]
named_attribute: encoding=7bit
named_attribute: log_client_name=localhost
named_attribute: log_client_address=127.0.0.1
named_attribute: log_message_origin=localhost[127.0.0.1]
named_attribute: log_helo_name=localhost
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=localhost
named_attribute: reverse_client_name=localhost
named_attribute: client_address=127.0.0.1
named_attribute: helo_name=localhost
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;[EMAIL PROTECTED]
original_recipient: [EMAIL PROTECTED]
done_recipient: [EMAIL PROTECTED]
named_attribute: dsn_orig_rcpt=rfc822;[EMAIL PROTECTED]
original_recipient: [EMAIL PROTECTED]
done_recipient: [EMAIL PROTECTED]
named_attribute: dsn_orig_rcpt=rfc822;[EMAIL PROTECTED]
original_recipient: [EMAIL PROTECTED]
recipient: [EMAIL PROTECTED]
named_attribute: dsn_orig_rcpt=rfc822;[EMAIL PROTECTED]
original_recipient: [EMAIL PROTECTED]
recipient: [EMAIL PROTECTED]
named_attribute: dsn_orig_rcpt=rfc822;[EMAIL PROTECTED]
original_recipient: [EMAIL PROTECTED]
done_recipient: [EMAIL PROTECTED]
named_attribute: dsn_orig_rcpt=rfc822;[EMAIL PROTECTED]
original_recipient: [EMAIL PROTECTED]
done_recipient: [EMAIL PROTECTED]
named_attribute: dsn_orig_rcpt=rfc822;[EMAIL PROTECTED]
original_recipient: [EMAIL PROTECTED]
done_recipient: [EMAIL PROTECTED]
named_attribute: dsn_orig_rcpt=rfc822;[EMAIL PROTECTED]
original_recipient: [EMAIL PROTECTED]
done_recipient: [EMAIL PROTECTED]
named_attribute: dsn_orig_rcpt=rfc822;[EMAIL PROTECTED]
original_recipient: [EMAIL PROTECTED]
done_recipient: [EMAIL PROTECTED]
*** MESSAGE CONTENTS deferred/6/6F38E5F4595 ***
Received: from localhost (localhost [127.0.0.1])
    by mail01.cq-link.sr (Postfix) with ESMTP id 6F38E5F4595;
    Fri, 7 Nov 2008 18:55:55 -0300 (SRT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 3.694
X-Spam-Level: ***
X-Spam-Status: No, score=3.694 tagged_above=2 required=6
    tests=[AWL=-0.842, FORGED_MUA_OUTLOOK=3.116, MSOE_MID_WRONG_CASE=0.82,
    RAZOR2_CHECK=0.5, RDNS_NONE=0.1]
Received: from mail01.cq-link.sr ([127.0.0.1])
    by localhost (mail01.cq-link.sr [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id DBUOCa4zij-k; Fri, 7 Nov 2008 18:55:55 -0300 (SRT)
Received: from User (unknown [64.129.70.219])
    by mail01.cq-link.sr (Postfix) with ESMTP id D8AFD5F4526;
    Fri, 7 Nov 2008 18:55:47 -0300 (SRT)
From: "IRS"<[EMAIL PROTECTED]>
Subject: Tax Refund (25371231) $620.50
Date: Fri, 7 Nov 2008 14:55:07 -0700
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <[EMAIL PROTECTED]>
To: undisclosed-recipients:;

<html>
<table width="482" border="1" cellpadding="0" cellspacing="0" bordercolor="#001E5A" bordercolorlight="#001E5A" bordercolordark="#001E5A">
<tr><td width="478">
<p align="center">
<img src="http://www.nationalbusiness.org/newgraphics/logos/irslogo102907.gif" height="78" width="225"></td></tr>
<tr>
<td><p align="center"><font face="Courier" size=3><br>
You have get a Tax Refund on your Visa or MasterCard.<br>
Complete the formular, and get your Tax Refund.<br><br>
<b>(Your Refund Amount Is $620.50)</b><br><br></font>
<font face="Verdana">
<a href="http://jeckle.lsi.umich.edu/ /IRS.html">Complete Formular</a></font><br><br>
</td>
</tr>
<tr><td bgcolor="#001E5A"><div align="center"><font size=1 color="#FFFFFF" face="verdana">Copyright © 2008 - Internal Revenue Service. All rights reserved.</font></div></td></tr>
</table>
</html>
*** HEADER EXTRACTED deferred/6/6F38E5F4595 ***
named_attribute: encoding=7bit
*** MESSAGE FILE END deferred/6/6F38E5F4595 ***

Jaap Westerbeek wrote:
> Hi Mouss, a quick off-list reply from me.
>
> Thanks for the reply.
>
> I haven't seen the spammer in a couple of days. If he comes back I'll post
> all logging I can find and some configs..
> Previous logging pointed me towards postfix, but we'll see.
>
> Doesn't the option smtpd_reject_unlisted_sender = yes also check senders
> from the internet, and takes a lot of bandwidth?

no, it checks the sender in your maps if the domain is one of yours. more precisely,

- if the domain is in mydestination, the user-part is checked in $local_recipient_maps
- if the domain is in relay_domains, the address is checked in relay_recipient_maps
- if the domain is in virtual_mailbox_domains, the address is checked in virtual_mailbox_maps
- if the domain is in virtual_alias_domains, the address is checked in virtual_alias_maps

In addition:

- if one of the maps above is set to an empty value (not an empty file), then all addresses in the corresponding class are considered valid (which is why such a setting is to be avoided).
- all addresses listed in virtual_alias_maps or canonical are considered valid (whatever the domain class is)
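
On the postcat output at the top of this thread: the queue file shows 127.0.0.1 because the message was re-injected by amavisd-new after scanning, while the oldest Received line written by mail01.cq-link.sr still names the host that connected. The following is an added example, not part of the original thread, that walks the Received chain and returns the first non-loopback client; the function name and the trusted-host set are assumptions.

```python
import ipaddress
import re

# Constructed sample: the three Received headers from the postcat output above,
# unfolded to one header per line (newest first, as they appear in the message).
SAMPLE_HEADERS = """\
Received: from localhost (localhost [127.0.0.1]) by mail01.cq-link.sr (Postfix) with ESMTP id 6F38E5F4595; Fri, 7 Nov 2008 18:55:55 -0300 (SRT)
Received: from mail01.cq-link.sr ([127.0.0.1]) by localhost (mail01.cq-link.sr [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DBUOCa4zij-k; Fri, 7 Nov 2008 18:55:55 -0300 (SRT)
Received: from User (unknown [64.129.70.219]) by mail01.cq-link.sr (Postfix) with ESMTP id D8AFD5F4526; Fri, 7 Nov 2008 18:55:47 -0300 (SRT)
"""

# Shape: "from <helo> (<rdns> [<ip>]) by <host> ... id <queue-id>;"
RECEIVED_RE = re.compile(
    r"^Received: from (?P<helo>\S+) \((?P<rdns>\S*)\s*\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\]\)"
    r"\s+by (?P<by>\S+).*?\bid (?P<id>[\w-]+);"
)

# Assumption: names our own MTA and content filter write after "by".
TRUSTED = {"mail01.cq-link.sr", "localhost"}


def find_origin(headers, trusted_hosts=TRUSTED):
    """Return the newest trusted hop whose client is not loopback, else None.

    `headers` holds unfolded Received lines, newest first. The walk stops at
    the first line we cannot vouch for (unparseable, or written by a host that
    is not ours), because everything older was supplied by the sender and may
    be forged. None therefore means: submitted locally or origin unknown.
    """
    for line in headers.splitlines():
        m = RECEIVED_RE.match(line)
        if m is None or m["by"] not in trusted_hosts:
            return None
        if not ipaddress.ip_address(m["ip"]).is_loopback:
            return m.groupdict()
    return None


if __name__ == "__main__":
    hop = find_origin(SAMPLE_HEADERS)
    print(hop["ip"], hop["helo"], hop["id"] if hop else "local or unknown origin")
```

The returned queue ID is the one to search for in the mail log to find the smtpd lines for that connection. A result of None points at mail generated on the server itself rather than relayed through it.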