On 02/11/2014 06:05 PM, Noel Jones wrote:
On 2/11/2014 4:20 PM, L. D. James wrote:
Most of the spam getting in my system is stamped with
localhost.localdomain.
All the mail that passes through your amavisd-new mail filter passes
through localhost.localdomain. If you block localhost you won't
receive any mail.
You need to trace a message and see where they originally come from.
If they really do originate at localhost, your server may be
compromised -- the usual culprit is an insecure web script.
Or your server could be misconfigured such that external connections
appear to be from localhost. This can be caused by a misconfigured
NAT firewall or an SMTP proxy.
To trace a message...
Easy way:
- examine the Received: headers from an unwanted message. Note they
are in reverse order, so read from the bottom up. You'll be
interested in the first Received: header containing "by yourservername".
Harder way:
- Pick a Message-ID from your log or from the header of a message.
- grep that Message-ID from your log. You should see (at least) two
postfix/cleanup entries and an amavis entry.
- note the postfix QueueID recorded on the cleanup lines.
- search the log for that same QueueID. Note that the QueueID is
not unique; there may be unrelated messages with the same ID, but
never at the same time.
- you'll be interested in the first "postfix/smtpd[ ... client=" entry.
-- Noel Jones
Thanks, Noel. I appreciate the attention and input. Please be aware
that I have no trouble tracing where the messages come from. I can very
easily do that manually. Postfix has features that allow you to
configure it to automatically handle the messages. I'm working on
implementing this feature.
I appreciate your reference that my system might be configured
incorrectly. But I believe it's a little beyond that. All systems are
subject to some spam. The key is to spend time putting in locks against
the spam.
In this particular case the culprit is that the user is answering a normal
helo query (which is totally legal, but I'll say unethical) as my domain
rather than their domain. This is because most people will accept mail
that is announcing that it's my domain. My system is accepting it by
the announcement.
It's very easy to tell the remote system is lying. So, of course, I'm
trying to figure out where to put the rejection process, where it will
reject the connections that are lying.
Also, just in case I have it wrong and reject my own messages, I want to
have a bounced message to alert the user.
-- L. James
--
L. D. James
lja...@apollo3.com
www.apollo3.com/~ljames
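The "harder way" Noel describes (Message-ID to cleanup entries to QueueID to the first smtpd client= line) scripted over a Postfix log. This is an added example, not code from the thread; the log lines are constructed, and it assumes the stock syslog format for smtpd/cleanup entries. It also handles the caveat that QueueIDs are reused over time by resolving each cleanup entry to the nearest preceding client= line with that ID.

```python
import re

# Constructed sample log (not from the thread). An external client delivers a
# message, amavisd-new scans it and re-injects it from localhost, so two
# cleanup entries carry the same Message-ID. QueueID 3A1B2C3D4E is reused two
# hours later by an unrelated message, which is why the nearest preceding
# client= line, not just any line with that ID, is the one that counts.
SAMPLE_LOG = """\
Feb 11 16:20:01 mx postfix/smtpd[1201]: 3A1B2C3D4E: client=unknown[203.0.113.5]
Feb 11 16:20:01 mx postfix/cleanup[1202]: 3A1B2C3D4E: message-id=<spam1@example.net>
Feb 11 16:20:02 mx amavis[900]: (900-01) Passed CLEAN, [203.0.113.5] <a@example.net> -> <b@example.org>, Message-ID: <spam1@example.net>
Feb 11 16:20:02 mx postfix/smtpd[1210]: 5F6A7B8C9D: client=localhost.localdomain[127.0.0.1]
Feb 11 16:20:02 mx postfix/cleanup[1211]: 5F6A7B8C9D: message-id=<spam1@example.net>
Feb 11 18:05:10 mx postfix/smtpd[1301]: 3A1B2C3D4E: client=mail.example.com[198.51.100.7]
Feb 11 18:05:10 mx postfix/cleanup[1302]: 3A1B2C3D4E: message-id=<later@example.com>
"""

CLEANUP_RE = re.compile(
    r"postfix/cleanup\[\d+\]: (?P<qid>[0-9A-Za-z]+): message-id=<(?P<mid>[^>]*)>")
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=(?P<client>\S+)")


def trace_clients(log_text, message_id):
    """Return the client= values, in log order, for every QueueID that carried
    message_id (angle brackets omitted). Each QueueID is resolved to the nearest
    smtpd client= line *before* its cleanup entry, because Postfix reuses
    QueueIDs over time but never for two messages at the same moment."""
    lines = log_text.splitlines()
    clients = []
    for idx, line in enumerate(lines):
        m = CLEANUP_RE.search(line)
        if not m or m.group("mid") != message_id:
            continue
        qid = m.group("qid")
        for prev in reversed(lines[:idx]):
            s = SMTPD_RE.search(prev)
            if s and s.group("qid") == qid:
                clients.append(s.group("client"))
                break
    return clients


def origin_client(log_text, message_id):
    """The first client= entry is the connection that originally delivered the
    message; later ones (typically localhost) are the content filter re-injecting it."""
    clients = trace_clients(log_text, message_id)
    return clients[0] if clients else None
```

Run it against a real log with `trace_clients(open("/var/log/mail.log").read(), "<the-id>")` stripped of its angle brackets; if the first entry is already localhost, the message really did originate on the box.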