[lug] Re: Email spam

Justin glow at jackmoves.com
Thu Apr 25 09:34:25 MDT 2002


The userid 80 is for my web server, Apache. I don't have any CGI that 
sends mail; the only CGI scripts I have are Neomail for my webmail.

Here is the rest of the log:
[glowecon at oldschool glowecon]$ sudo grep B5E693D3D /var/log/maillog
Apr 22 15:44:07 oldschool postfix/pickup[24190]: B5E693D3D: uid=80 from=<www>
Apr 22 15:44:07 oldschool postfix/cleanup[24411]: B5E693D3D: reject: header From: BritneySpears at hollywood.net; from=<www at jackmoves.com> to=<unknown>
Apr 22 15:44:07 oldschool postfix/cleanup[24411]: B5E693D3D: message-id=<20020422214407.B5E693D3D at oldschool.jackmoves.com>
Apr 22 15:44:07 oldschool postfix/cleanup[24411]: B5E693D3D: to=<unknown>, relay=cleanup, delay=0, status=bounced (Message processing aborted: No recipients specified)

I almost think my config is being abused somehow, but I really don't 
know. I think one of the other guys mentioned something like that. 

Justin 

> "Justin" <glow at jackmoves.com> writes:
> 
> This is a bounce being sent to your web server account because your
> web server is attempting to send the mail.
> 
> > Content-Description: Undelivered Message
> > Content-Type: message/rfc822
> >
> > Received: by oldschool.jackmoves.com (Postfix, from userid 80)
> >         id B5E693D3D; Mon, 22 Apr 2002 15:44:07 -0600 (MDT)
> 
> What is userid 80 on your system (you can tell by looking at
> /etc/passwd)?  If it is the userid of your web server, you probably
> are running a CGI that attempts to send mail.
> 
> 
> > And here is what was in my /var/log/maillog for the same time frame:
> >
> > ++++
> > Apr 22 15:44:07 oldschool postfix/cleanup[24411]: B5E693D3D: reject: header From: BritneySpears at hollywood.net; from=<www at jackmoves.com> to=<unknown>
> > ++++
> 
> That's not enough of the log file to tell what is going on.  Search
> for other occurrences of B5E693D3D to see how the message got into
> postfix.  The first occurrence of B5E693D3D will probably be from
> postfix/pickup, which probably means you have a CGI running on your
> server that can send mail through /usr/sbin/sendmail.  You probably
> want to get rid of that, or fix it so the bounces for the mail it
> sends don't go to the www account.
> 
> 
> P.S. I have this in my /etc/aliases:
> 
> # Random users on this machine that we want to disable mail delivery for.
> daemon: nobody
> bin: nobody
> sys: nobody
> sync: nobody
> games: nobody
> man: nobody
> lp: nobody
> mail: nobody
> proxy: nobody
> postgres: nobody
> www-data: nobody
> backup: nobody
> msql: nobody
> list: nobody
> irc: nobody
> gnats: nobody
> identd: nobody
> gdm: nobody
> postfix: nobody
> jabber: nobody
> cgi: nobody
> uucp: nobody
> nobody:         |"exit 67"
> 
> The nobody alias will cause mail to any of these users to bounce.
> This works for postfix and probably would work for sendmail and exim
> too.
> 
> 
> -- 
> matt
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
> 
> 

-----
glow at jackmoves.com
www.jackmoves.com
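The diagnosis matt suggests (grep the queue ID, find the first entry, check whether it came from postfix/pickup with the web server's uid) can be scripted. The following is an added example, not code from either poster: it groups Postfix syslog lines by queue ID, records where each message entered the queue (local pickup with a uid, or an smtpd client) and how it left (status= and any reject:), and flags messages submitted locally by a uid on a watch list. The sample log is constructed to resemble the lines quoted above, with the list's " at " address munging undone and a second, unrelated SMTP message added for contrast; the uid-80-is-Apache mapping is taken from Justin's message and is an assumption for any other host.

```python
"""Group Postfix maillog lines by queue ID and report how each message
entered and left the queue.  Added example, not from the list thread;
the sample log below is constructed."""
import re
from collections import defaultdict

# Constructed sample log, modelled on the lines quoted in the thread
# (addresses unmunged) plus one ordinary inbound SMTP message.
SAMPLE_LOG = """\
Apr 22 15:44:07 oldschool postfix/pickup[24190]: B5E693D3D: uid=80 from=<www>
Apr 22 15:44:07 oldschool postfix/cleanup[24411]: B5E693D3D: reject: header From: BritneySpears@hollywood.net; from=<www@jackmoves.com> to=<unknown>
Apr 22 15:44:07 oldschool postfix/cleanup[24411]: B5E693D3D: message-id=<20020422214407.B5E693D3D@oldschool.jackmoves.com>
Apr 22 15:44:07 oldschool postfix/cleanup[24411]: B5E693D3D: to=<unknown>, relay=cleanup, delay=0, status=bounced (Message processing aborted: No recipients specified)
Apr 22 15:50:12 oldschool postfix/smtpd[24500]: C0FFEE123: client=mail.example.org[192.0.2.10]
Apr 22 15:50:12 oldschool postfix/cleanup[24411]: C0FFEE123: message-id=<abc@example.org>
Apr 22 15:50:13 oldschool postfix/local[24510]: C0FFEE123: to=<glow@jackmoves.com>, relay=local, delay=1, status=sent (delivered to mailbox)
"""

# syslog prefix, "postfix/<daemon>[pid]: <QUEUEID>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$"
)

# Assumption from the thread: uid 80 is the Apache user on this box.
# On another host, fill this from /etc/passwd.
SUSPICIOUS_UIDS = {80: "www (apache)"}


def parse_log(text):
    """Return {queue_id: [(daemon, rest), ...]} in log order."""
    msgs = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            msgs[m["qid"]].append((m["prog"], m["rest"]))
    return msgs


def summarize(entries):
    """Derive origin (pickup uid or smtpd client), final status and
    any reject: reasons for one queue ID."""
    s = {"origin": "unknown", "uid": None, "status": "unknown", "rejects": []}
    for prog, rest in entries:
        if prog == "pickup":                      # local submission via sendmail(1)
            uid = re.search(r"uid=(\d+)", rest)
            s["origin"] = "local-pickup"
            s["uid"] = int(uid.group(1)) if uid else None
        elif prog == "smtpd":                     # network submission
            client = re.search(r"client=(\S+)", rest)
            s["origin"] = "smtp:" + (client.group(1) if client else "?")
        if rest.startswith("reject:"):
            s["rejects"].append(rest[len("reject:"):].strip())
        st = re.search(r"status=(\w+)", rest)
        if st:
            s["status"] = st.group(1)             # last status wins
    return s


def flag_web_submissions(text, suspicious=SUSPICIOUS_UIDS):
    """Queue IDs picked up locally from a watched uid, with their summaries."""
    flagged = {}
    for qid, entries in parse_log(text).items():
        s = summarize(entries)
        if s["origin"] == "local-pickup" and s["uid"] in suspicious:
            s["account"] = suspicious[s["uid"]]
            flagged[qid] = s
    return flagged


if __name__ == "__main__":
    for qid, s in flag_web_submissions(SAMPLE_LOG).items():
        print(qid, s["account"], s["status"], s["rejects"])
```

Run against a real /var/log/maillog (`flag_web_submissions(open("/var/log/maillog").read())`), every hit is a message the web server's uid handed to the local sendmail binary; a burst of them with forged From: headers is the CGI-abuse pattern matt describes, and the queue IDs give you the exact timestamps to line up against the Apache access log.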
