[lug] Email spam

Peter Hutnick peter-lists at hutnick.com
Wed Apr 24 15:27:50 MDT 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 24 April 2002 03:15 pm, Justin wrote:
> Hmm, well I have no idea what could be doing the "autoreply." This
> account is solely for apache and nothing else. At first I had www
> aliased to me so I would get the emails sent to that address, but I got
> tired of all the spam. So now the mail spool is just filling up over
> time. I wonder if I could just alias www to /dev/null in
> the /etc/aliases file, or something like that?

- From aliases(5) (available at http://www.postfix.org/aliases.5.html)

       /file/name
              Mail is appended to /file/name.  See local(8) for
              details of delivery to file.  Delivery is not limited
              to regular files.  For example, to dispose of
              unwanted mail, deflect it to /dev/null.

Man pages are a pretty good place to look for this kind of thing.


> > > --B5E693D3D.1019511847/oldschool.jackmoves.com
> > > Content-Description: Undelivered Message
> > > Content-Type: message/rfc822
> > >
> > > Received: by oldschool.jackmoves.com (Postfix, from userid 80)
> > >         id B5E693D3D; Mon, 22 Apr 2002 15:44:07 -0600 (MDT)
> > > To:
> > > From: BritneySpears at hollywood.net
> > > Reply-To: BritneySpears at hollywood.net
> > > Subject: new site feedback
> > > Message-Id: <20020422214407.B5E693D3D at oldschool.jackmoves.com>
> > > Date: Mon, 22 Apr 2002 15:44:07 -0600 (MDT)
> > >
> > > Whatup, foo.  Somebody said something about your site.
> > > --B5E693D3D.1019511847/oldschool.jackmoves.com--
> > > ++++
> > >
> > > I'm not sure why the bounce message comes first?
> > >
> > > And here is what was in my /var/log/maillog for the same time frame:
> > >
> > > ++++
> > > Apr 22 15:44:07 oldschool postfix/cleanup[24411]: B5E693D3D: reject:
> > > header From:
> > > BritneySpears at hollywood.net; from=<www at jackmoves.com> to=<unknown>
> > > ++++

Maybe I'm not reading this correctly . . . but is it possible that the
original message is emanating from your webserver?  Do you have any CGIs that
generate mail?  If so, is there any chance someone is using your webserver to
send mail through your mailserver?

Does anyone know of a tool to fingerprint message-ids to (try to) identify the 
originating mail agent?

- -Peter

- -- 
/"\ ASCII Ribbon campaign against HTML e-mail
\ /
 X   Get my PGP key at http://hutnick.com/pgp
/ \  6128 5651 6F23 EC17 6EBD  737D 960A 20E6 76CA 8A59
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8xyNclgog5nbKilkRApO8AJsG7vdpugv9kN/2PuJkj7joZK+esgCgqHV2
xRCBW2spvCVuNdz/avoX7to=
=nY0v
-----END PGP SIGNATURE-----
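
The question raised in the message above, whether the mail was generated on the web server itself, can be checked against the evidence quoted in the thread. The following is an added example, not part of the original post: it reads the "from userid" stamp Postfix puts on locally submitted mail and matches the queue id against the cleanup log entry. The function names are hypothetical, and treating uid 80 as the web server account is an assumption.

```python
import re

# Postfix stamps locally submitted mail (e.g. a CGI calling sendmail) like this.
LOCAL_SUBMIT = re.compile(
    r"^Received:\s+by\s+(?P<host>\S+)\s+\(Postfix, from userid (?P<uid>\d+)\)")
# cleanup log entry in the shape quoted in the thread.
CLEANUP_REJECT = re.compile(
    r"postfix/cleanup\[\d+\]:\s+(?P<qid>[0-9A-F]+):\s+reject:\s+header\s+"
    r"(?P<header>.*?);\s+from=<(?P<sender>[^>]*)>\s+to=<(?P<rcpt>[^>]*)>")
# Sample input copied from the quoted bounce and maillog excerpt.
HEADERS = """Received: by oldschool.jackmoves.com (Postfix, from userid 80)
        id B5E693D3D; Mon, 22 Apr 2002 15:44:07 -0600 (MDT)
To:
From: BritneySpears at hollywood.net
"""
LOG = ["Apr 22 15:44:07 oldschool postfix/cleanup[24411]: B5E693D3D: reject: "
       "header From: BritneySpears at hollywood.net; "
       "from=<www at jackmoves.com> to=<unknown>"]
WEB_UIDS = {80}  # assumption: uid 80 is the web server account on this host

def unfold(raw_headers):
    """Join folded continuation lines so each header is one string."""
    out = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        elif line.strip():
            out.append(line.strip())
    return out

def local_submitter(raw_headers):
    """Return (host, uid, queue_id) if the message entered Postfix locally."""
    for header in unfold(raw_headers):
        m = LOCAL_SUBMIT.match(header)
        if m:
            qid = re.search(r"\bid ([0-9A-F]+);", header)
            return m["host"], int(m["uid"]), qid.group(1) if qid else None
    return None

def web_generated(raw_headers, log_lines, web_uids=WEB_UIDS):
    """Tie header and log evidence together for one queue id, or None."""
    sub = local_submitter(raw_headers)
    if sub is None or sub[1] not in web_uids:
        return None
    finding = {"qid": sub[2], "uid": sub[1]}
    for m in filter(None, map(CLEANUP_REJECT.search, log_lines)):
        if m["qid"] == sub[2]:
            finding.update(m.groupdict())  # adds header, sender, rcpt
    return finding
```

A non-None result means the message was handed to Postfix by a local process running as the web account, which points at a mail-generating script on the web server rather than at an outside SMTP client.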



