On 2/11/2014 4:20 PM, L. D. James wrote:
> Most of the spam getting in my system is stamped with
> localhost.localdomain.
>

All the mail that passes through your amavisd-new mail filter passes through localhost.localdomain. If you block localhost you won't receive any mail.

You need to trace a message and see where they originally come from.

If they really do originate at localhost, your server may be compromised -- the usual culprit is an insecure web script.

Or your server could be misconfigured such that external connections appear to be from localhost. This can be caused by a misconfigured NAT firewall or an SMTP proxy.

To trace a message...

Easy way:
- examine the Received: headers from an unwanted message. Note they are in reverse order, so read from the bottom up. You'll be interested in the first Received: header containing "by yourservername".

Harder way:
- Pick a Message-ID from your log or from the header of a message.
- grep that Message-ID from your log. You should see (at least) two postfix/cleanup entries and an amavis entry.
- note the postfix QueueID recorded on the cleanup lines.
- search the log for that same QueueID. Note that the QueueID is not unique; there may be unrelated messages with the same ID, but never at the same time.
- you'll be interested in the first "postfix/smtpd[ ... client=" entry.

--
Noel Jones
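
The "harder way" above as a one-pass awk filter, added here as an example and not part of the original message. The log lines are constructed and simplified, the function names are hypothetical, and the field positions assume the traditional syslog layout (`Mon DD HH:MM:SS host daemon[pid]: QUEUEID: ...`).

```shell
#!/bin/sh
# Constructed sample log (not from a real server). QueueID 3A1B2C4D5E is
# deliberately reused by an earlier, unrelated message.
sample_log() {
cat <<'EOF'
Feb 11 09:00:01 mail postfix/smtpd[1901]: 3A1B2C4D5E: client=mx.example.net[198.51.100.7]
Feb 11 09:00:01 mail postfix/cleanup[1905]: 3A1B2C4D5E: message-id=<unrelated@example.net>
Feb 11 09:00:02 mail postfix/qmgr[1200]: 3A1B2C4D5E: removed
Feb 11 16:01:02 mail postfix/smtpd[2101]: 3A1B2C4D5E: client=unknown[203.0.113.45]
Feb 11 16:01:02 mail postfix/cleanup[2105]: 3A1B2C4D5E: message-id=<spam-1@example.invalid>
Feb 11 16:01:03 mail postfix/smtpd[2110]: 7F6E5D4C3B: client=localhost.localdomain[127.0.0.1]
Feb 11 16:01:03 mail postfix/cleanup[2105]: 7F6E5D4C3B: message-id=<spam-1@example.invalid>
Feb 11 16:01:03 mail amavis[3001]: (03001-01) Passed SPAMMY, Message-ID: <spam-1@example.invalid>, queued_as: 7F6E5D4C3B
Feb 11 16:01:04 mail postfix/qmgr[1200]: 3A1B2C4D5E: removed
EOF
}

# trace_hops MESSAGE_ID < logfile
# Prints "QUEUEID client" for every cleanup entry carrying that Message-ID,
# in log order. Because the client is remembered per QueueID and overwritten
# by each newer smtpd line, a reused QueueID resolves to the connection that
# was current when the message was queued, not to an older unrelated one.
trace_hops() {
    awk -v mid="message-id=<$1>" '
        # $5 is the daemon tag, $6 the QueueID with a trailing colon.
        $5 ~ /^postfix\/smtpd\[/ && $7 ~ /^client=/ {
            qid = $6; sub(/:$/, "", qid)
            client[qid] = substr($7, 8)      # text after "client="
        }
        $5 ~ /^postfix\/cleanup\[/ && $7 == mid {
            qid = $6; sub(/:$/, "", qid)
            # No smtpd line means the message was not received over SMTP.
            print qid, (qid in client ? client[qid] : "no-smtpd-client")
        }
    '
}

# origin_client MESSAGE_ID < logfile: the client of the first hop only.
origin_client() { trace_hops "$1" | awk 'NR == 1 { print $2 }'; }

# is_local_origin MESSAGE_ID < logfile: true if the first hop is loopback.
is_local_origin() {
    case "$(origin_client "$1")" in
        *"[127.0.0.1]"|*"[::1]") return 0 ;;
        *) return 1 ;;
    esac
}

sample_log | trace_hops 'spam-1@example.invalid'
```

On a real server, feed it the mail log instead of `sample_log`, for example `trace_hops 'the-message-id' < /path/to/maillog`, where the path is whatever your syslog configuration uses.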