Sendmail/LogWatch reports (may be forged)

Paul Howarth paul at city-fan.org
Wed Dec 7 17:55:19 UTC 2005


Timothy Alberts wrote:
> Greetings,
> 
> I am running an FC4 sendmail server and I've been trying forever to at
> least limit some of the spam.  In this effort, I have been adding to the
> Access control (/etc/mail/access) domains that are known to be mail
> bombing my domain.  A few continue to evade the sendmail filtering and
> are still getting through.  I know this because LogWatch reports:
> 
> Unknown Local Users
>   invaliduser at mydomain.com
>     from *.speedy.net.pe ... (may be forged)

This means that reverse DNS for this IP points to 
something.speedy.net.pe but a DNS lookup of something.speedy.net.pe does 
not resolve back to the same IP address (usually because the name 
doesn't resolve at all). So sendmail doesn't trust the name and won't 
use it for anything, noting this as "may be forged".

> where * contains the specific client that continues to change.  My first
> attempt to block them, I added to /etc/mail/access 
> 
> speedy.net.pe	REJECT
> 
> to try and reject the problem domain.  This doesn't work because
> LogWatch continues to report to me that mail is coming in.  I've tried
> to reject on the IP as follows:
> 
> 201.230.19.113	REJECT
> 
> but of course, they just changed IP address.
> 
> Can anyone explain to me the hole in my security that is allowing them
> to get through and how to plug it?

Try blocking the entire network:

Connect:201.230		REJECT

Hope nobody in that part of Peru wants to mail you though.

Paul.
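The two points in Paul's reply, that a "(may be forged)" hostname is never used for access-map lookups and that an address key such as Connect:201.230 matches every client in that /16, can be seen in a small model of sendmail's client check. This is an added example, not code from the thread or from sendmail; the PTR/A records, the client addresses and the lookup order are constructed assumptions that simplify the real check_relay rules.

```python
"""Model of sendmail's access-db client check, showing why an entry for
speedy.net.pe never matched clients LogWatch flagged "(may be forged)".

Added example, not code from the original post or from sendmail.  The DNS
records and access maps below are constructed, and the lookup order is a
simplified model of sendmail's check_relay ruleset.
"""

# Constructed PTR (ip -> name) and A (name -> ips) records.
PTR = {
    "201.230.19.113": "client-113.speedy.net.pe",  # PTR exists ...
    "201.230.20.5": "mx.speedy.net.pe",            # properly configured host
    "192.0.2.10": "mail.example.net",
}
A = {
    # ... but client-113.speedy.net.pe has no A record: forward lookup fails
    "mx.speedy.net.pe": ["201.230.20.5"],
    "mail.example.net": ["192.0.2.10"],
}


def fcrdns(ip):
    """Forward-confirmed reverse DNS as sendmail performs it.

    Returns (name, forged).  forged is True when the PTR name does not
    resolve back to ip, which sendmail logs as "(may be forged)".
    """
    name = PTR.get(ip)
    if name is None:
        return None, False          # no PTR at all: sendmail only knows [ip]
    return name, ip not in A.get(name, [])


def parse_access(text):
    """Parse access-map source text: one 'key<whitespace>value' per line."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key] = value.strip()
    return table


def lookup_keys(ip, name):
    """Keys tried against the map, most specific first.

    Hostname keys: the full name, then each parent domain.  Address keys:
    the full dotted quad, then 3, 2 and 1 leading octets, so the key
    201.230 matches every client in 201.230.0.0/16.
    """
    keys = []
    if name:
        labels = name.split(".")
        keys += [".".join(labels[i:]) for i in range(len(labels))]
    octets = ip.split(".")
    keys += [".".join(octets[:n]) for n in range(4, 0, -1)]
    return keys


def check_relay(ip, access):
    """Return (verdict, matched_key) for a connecting client.

    The hostname is consulted only when reverse DNS is forward-confirmed;
    a "(may be forged)" name is discarded, so only the address can match.
    verdict is None when no entry applies.
    """
    name, forged = fcrdns(ip)
    for key in lookup_keys(ip, None if forged else name):
        for candidate in ("Connect:" + key, key):  # tagged entry checked first
            if candidate in access:
                return access[candidate], candidate
    return None, None


if __name__ == "__main__":
    by_domain = parse_access("speedy.net.pe\tREJECT")
    by_network = parse_access("Connect:201.230\tREJECT")
    for ip in ("201.230.19.113", "201.230.20.5", "201.230.99.7", "192.0.2.10"):
        print(ip, fcrdns(ip), check_relay(ip, by_domain), check_relay(ip, by_network))
```

Running it shows the forged client (201.230.19.113) slipping past the domain entry while the properly configured host in the same domain is rejected by it, and the Connect:201.230 entry catching both as well as a client with no reverse DNS at all, which is the trade-off Paul's closing remark refers to.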
