We checked the maillog, but the session shows as [127.0.0.1] 127.0.0.1. What config did you put in sendmail to make it show more?

On Tue, 01 Feb 2005 07:26:29 -0800, Evan Platt <[EMAIL PROTECTED]> wrote:
> At 06:34 AM 2/1/2005, you wrote:
> >We also have a problem to scan outgoing mail. It seems like a user on
> >our server is making scripts to send out spam to a large list of AOL
> >users in the "Cc" part that we are still trying to track them down.
> >The mail header looks as it was sent from our local 127.0.0.1 from
> >[EMAIL PROTECTED] user, so we can't block user or ip address.
>
> Well, I'm not a network admin, but I play one on TV. Just kidding. I was a
> level 1 tech who dabbled on the mail server and was dangerous enough to be
> dangerous, but our maillog showed the IP of the mail session. This was
> sendmail.
>
> If your mail server / logs do not have this capability, you need a more
> secure solution, IMHO.
>
> >I had considered the other's suggestion to use a wrapper for sendmail,
> >but looking at the dependencies of /usr/sbin/sendmail, it seems like a
> >lot of work to replace it with the wrapper as everyone knows the
> >location of /usr/sbin/sendmail already.
> >
> >Is there a way in spamassassin that we can set a rule to reject mail
> >that contains a large list of "Cc" ?
>
> Spamassassin will NOT reject anything anytime anywhere. No capability to do
> so.
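
Added example (not part of the original thread): one way to narrow down which local account is submitting the large-recipient mail when every session logs as 127.0.0.1. It assumes the usual sendmail syslog layout, where the from= line carries nrcpts= and relay= fields; the sample log lines, the threshold and the function name flag_local_bulk are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual sendmail syslog layout (assumed format).
SAMPLE_LOG = """\
Feb  1 06:10:01 mx sendmail[2101]: j11EA1aa002101: from=webuser, size=812, class=0, nrcpts=48, msgid=<a1@mx.example>, relay=webuser@localhost
Feb  1 06:10:02 mx sendmail[2105]: j11EA2bb002105: from=<webuser@mx.example>, size=1044, class=0, nrcpts=48, msgid=<a1@mx.example>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Feb  1 06:12:40 mx sendmail[2140]: j11ECecc002140: from=<alice@mx.example>, size=530, class=0, nrcpts=2, msgid=<b2@mx.example>, proto=ESMTP, daemon=MTA, relay=[192.0.2.15]
Feb  1 06:15:09 mx sendmail[2188]: j11EF9dd002188: from=webuser, size=799, class=0, nrcpts=51, msgid=<c3@mx.example>, relay=webuser@localhost
Feb  1 06:15:10 mx sendmail[2188]: j11EF9dd002188: to=aol1@example.net, ctladdr=webuser (1004/1004), delay=00:00:01, mailer=relay, relay=[127.0.0.1] [127.0.0.1], stat=Sent
"""

# Matches only the "from=" accounting line that sendmail writes per message.
FROM_LINE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<?(?P<sender>[^>,]*)>?, "
    r".*?nrcpts=(?P<nrcpts>\d+), .*?relay=(?P<relay>.*)$"
)


def flag_local_bulk(log_text, threshold=20):
    """Return {sender: [(queue_id, nrcpts), ...]} for locally submitted
    messages whose recipient count meets the threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FROM_LINE.search(line)
        if not m:
            continue  # to= lines and entries from other daemons
        relay = m["relay"]
        # Local submission: command-line (user@localhost) or loopback SMTP.
        local = "localhost" in relay or "127.0.0.1" in relay
        if local and int(m["nrcpts"]) >= threshold:
            hits[m["sender"]].append((m["qid"], int(m["nrcpts"])))
    return dict(hits)


if __name__ == "__main__":
    for sender, msgs in flag_local_bulk(SAMPLE_LOG).items():
        print(sender, msgs)
```

A bare from= value with relay=name@localhost is the entry that names the submitting account; the queue id can then be matched against the to= lines for the recipients.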