Sendmail/LogWatch reports (may be forged)
Timothy Alberts
talberts at msiscales.com
Wed Dec 7 18:33:11 UTC 2005
Thank you for the response Paul.

I like the idea of blocking an IP range, as I'm already doing that for
several spammers. However, when I blocked on IP, they changed IP to
200.206.123.10. I could try and block multiple IP ranges, but it's just
a moving target I think. I block one and they move to another. I don't
want to have to play that game.

So if sendmail finds that it can't trust the name (DNS fails in some
manner), is there a way to configure sendmail to REJECT the mail as it
is coming in based on failed DNS, rather than block IP ranges?

On Wed, 2005-12-07 at 17:55 +0000, Paul Howarth wrote:
> Timothy Alberts wrote:
> > Greetings,
> >
> > I am running a FC4 sendmail server and I've been trying forever to at
> > least limit some of the spam. In this effort, I have been adding to the
> > Access control (/etc/mail/access) domains that are known to be mail
> > bombing my domain. A few continue to evade the sendmail filtering and
> > are still getting through. I know this because LogWatch reports:
> >
> > Unknown Local Users
> > invaliduser at mydomain.com
> > from *.speedy.net.pe ... (may be forged)
>
> This means that reverse DNS for this IP points to
> something.speedy.net.pe but a DNS lookup of something.speedy.net.pe does
> not resolve back to the same IP address (usually because the name
> doesn't resolve at all). So sendmail doesn't trust the name and won't
> use it for anything, noting this as "may be forged".
>
> > where * contains the specific client that continues to change. My first
> > attempt to block them, I added to /etc/mail/access
> >
> > speedy.net.pe REJECT
> >
> > to try and reject the problem domain. This doesn't work because
> > LogWatch continues to report to me that mail is coming in. I've tried
> > to reject on the IP as follows:
> >
> > 201.230.19.113 REJECT
> >
> > but of course, they just changed IP address.
> >
> > Can anyone explain to me the hole in my security that is allowing them
> > to get through and how to plug it?
>
> Try blocking the entire network:
>
> Connect:201.230 REJECT
>
> Hope nobody in that part of Peru wants to mail you though.
>
> Paul.
>
>
>
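
Added example, not part of the original thread and not sendmail's own code: a simplified Python model of the forward-confirmed reverse DNS check described in the reply, showing why a domain entry such as `speedy.net.pe REJECT` never matches a "(may be forged)" client while an address prefix such as `Connect:201.230` does. The DNS tables, hostnames and addresses are constructed, IPv4 only, and the status labels follow sendmail's `${client_resolve}` values.

```python
import ipaddress

# Constructed DNS data (documentation address ranges), not real records.
PTR = {"192.0.2.10": "mail.example.org",      # PTR and A record agree
       "198.51.100.7": "dsl-7.isp.example"}   # PTR exists, name has no A record
A = {"mail.example.org": ["192.0.2.10"]}

def client_resolve(ip, ptr=PTR, a=A):
    """Return (status, trusted_name); labels follow ${client_resolve}."""
    name = ptr.get(ip)
    if name is None:
        return "FAIL", None                   # no reverse DNS at all
    forward = {ipaddress.ip_address(x) for x in a.get(name, [])}
    if ipaddress.ip_address(ip) in forward:
        return "OK", name                     # forward-confirmed name
    return "FORGED", None                     # logged as "(may be forged)"

def access_decision(ip, access, ptr=PTR, a=A):
    """Simplified access lookup: the name is consulted only when trusted."""
    status, name = client_resolve(ip, ptr, a)
    keys = []
    if name:                                  # host name, then parent domains
        labels = name.split(".")
        keys += [".".join(labels[i:]) for i in range(len(labels))]
    octets = ip.split(".")                    # full address, then shorter prefixes
    keys += [".".join(octets[:i]) for i in range(4, 0, -1)]
    for key in keys:
        for entry in ("Connect:" + key, key):
            if entry in access:
                return status, access[entry]
    return status, None                       # no entry matched

if __name__ == "__main__":
    by_domain = {"isp.example": "REJECT"}
    by_prefix = {"Connect:198.51": "REJECT"}
    print(access_decision("198.51.100.7", by_domain))
    print(access_decision("198.51.100.7", by_prefix))
    print(access_decision("192.0.2.10", {"example.org": "REJECT"}))
```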