On Mon, 4 Dec 2000, Ari Arantes Filho wrote:
> Hi,
>
> I'm receiving a virus from [EMAIL PROTECTED],
No you're not! You're receiving mail from a null address. Examine the
Return-Path:
Return-Path: <>
There is no address here. qmail-smtpd only looks at the envelope
sender address (as supplied by the "mail from:" part of the
transaction). It compares the address provided here with badmailfrom.
You can't use badmailfrom to stop null addresses (and in general you
shouldn't stop them anyway because a legitimate bounce is sent with a
null sender).
Instead, you might want to prohibit mail from
200.189.209.130
instead. Of course this will stop all mail from that IP address and
you might want that other mail.
> I've already inserted this
> email in badmailfrom, the qmail was restarted and I'm still receiving this
> virus.
>
> In the header below you can see that the user doesn't exist, there is a
> 3D caracter in the beginning of the email address, so the address is
> unknowm, but even inserted in badmailfrom I've receive order mails from this
> guy.
>
> Here goes the header:
>
> Return-Path: <>
> Received: (qmail 14547 invoked by uid 0); 4 Dec 2000 21:26:48 -0000
> Received: from unknown (HELO mail01.osite.com.br) (200.189.209.130)
> by mail.doctordata.com.br with SMTP; 4 Dec 2000 21:26:48 -0000
> Received: from clipping (a09029.dial-pn.impsat.com.br [200.189.200.29])
> by mail01.osite.com.br (8.9.1b+Sun/8.9.3) with SMTP id SAA14499
> for <[EMAIL PROTECTED]>; Mon, 4 Dec 2000 18:49:02 -0200 (EDT)
> Date: Mon, 4 Dec 2000 18:49:02 -0200 (EDT)
> Message-Id: <[EMAIL PROTECTED]>
> From: Hahaha <[EMAIL PROTECTED]>
> Subject: Branca de Neve porn�!
> MIME-Version: 1.0
>
>
>
--
Regards
Peter
----------
Peter Samuel [EMAIL PROTECTED]
http://www.e-smith.org (development) http://www.e-smith.com (corporate)
Phone: +1 613 368 4398 Fax: +1 613 564 7739
e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada
"If you kill all your unhappy customers, you'll only have happy ones left"
