[lug] Re: Email spam

Matt Armstrong matt at lickey.com
Wed Apr 24 15:34:56 MDT 2002


"Justin" <glow at jackmoves.com> writes:

This is a bounce being sent to your web server account because your
web server is attempting to send the mail.

> Content-Description: Undelivered Message
> Content-Type: message/rfc822
>
> Received: by oldschool.jackmoves.com (Postfix, from userid 80)
>         id B5E693D3D; Mon, 22 Apr 2002 15:44:07 -0600 (MDT)

What is userid 80 on your system (you can tell by looking at
/etc/passwd)?  If it is the userid of your web server, you probably
are running a CGI that attempts to send mail.


> And here is what was in my /var/log/maillog for the same time frame:
>
> ++++
> Apr 22 15:44:07 oldschool postfix/cleanup[24411]: B5E693D3D: reject: 
> header From: 
> BritneySpears at hollywood.net; from=<www at jackmoves.com> to=<unknown>
> ++++

That's not enough of the log file to tell what is going on.  Search
for other occurrences of B5E693D3D to see how the message got into
postfix.  The first occurrence of B5E693D3D will probably be from
postfix/pickup, which probably means you have a CGI running on your
server that can send mail through /usr/sbin/sendmail.  You probably
want to get rid of that, or fix it so the bounces for the mail it
sends don't go to the www account.


P.S. I have this in my /etc/aliases:

# Random users on this machine that we want to disable mail delivery for.
daemon: nobody
bin: nobody
sys: nobody
sync: nobody
games: nobody
man: nobody
lp: nobody
mail: nobody
proxy: nobody
postgres: nobody
www-data: nobody
backup: nobody
msql: nobody
list: nobody
irc: nobody
gnats: nobody
identd: nobody
gdm: nobody
postfix: nobody
jabber: nobody
cgi: nobody
uucp: nobody
nobody:         |"exit 67"

The nobody alias will cause mail to any of these users to bounce.
This works for postfix and probably would work for sendmail and exim
too.


-- 
matt
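
Added example, not part of the original message: a shell sketch of the tracing described above, which finds the first daemon to log a queue ID and, for a postfix/pickup entry, the submitting uid. It assumes traditional syslog-format maillog lines; the function names, the pickup and smtpd sample lines, and queue ID C1A2B3C4D are constructed for illustration.

```shell
#!/bin/sh
# Added example: find how a Postfix queue ID entered the mail system.

# Sample log. The cleanup line is the one quoted in the message (rejoined);
# the pickup and smtpd lines and queue ID C1A2B3C4D are constructed.
sample_log() {
cat <<'EOF'
Apr 22 15:44:07 oldschool postfix/pickup[24400]: B5E693D3D: uid=80 from=<www>
Apr 22 15:44:07 oldschool postfix/cleanup[24411]: B5E693D3D: reject: header From: BritneySpears at hollywood.net; from=<www at jackmoves.com> to=<unknown>
Apr 22 15:45:10 oldschool postfix/smtpd[24500]: C1A2B3C4D: client=mail.example.org[192.0.2.10]
EOF
}

# Daemon that logged the first line for queue ID $1 (log on stdin).
first_daemon() {
    awk -v id="$1:" '$6 == id {
        sub(/^postfix\//, "", $5); sub(/\[.*/, "", $5); print $5; exit
    }'
}

# uid recorded by postfix/pickup for queue ID $1 (log on stdin).
submit_uid() {
    awk -v id="$1:" '$6 == id && $5 ~ /^postfix\/pickup\[/ {
        for (i = 7; i <= NF; i++)
            if ($i ~ /^uid=/) { sub(/^uid=/, "", $i); print $i; exit }
    }'
}

# Account name for numeric uid $1 (passwd-format data on stdin).
uid_owner() {
    awk -F: -v uid="$1" '$3 == uid { print $1; exit }'
}

# One-line verdict for queue ID $1 (log on stdin).
trace_origin() {
    log=$(cat)
    case "$(printf '%s\n' "$log" | first_daemon "$1")" in
        pickup) echo "local sendmail submission, uid=$(printf '%s\n' "$log" | submit_uid "$1")" ;;
        smtpd)  echo "received over SMTP" ;;
        "")     echo "queue ID not found" ;;
        *)      echo "first logged by another daemon" ;;
    esac
}

sample_log | trace_origin B5E693D3D
```

On a live system the same functions read the real files, for example `trace_origin B5E693D3D < /var/log/maillog` and `uid_owner 80 < /etc/passwd`.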


