Mailing List Archive

spam protection - but local!
Hi,

I had to realize that someone abuses my server to spam other users on my server.
The email always contains the recipient's email address as sender & receiver, which is already quite weird.
However, it's also sent locally from a different account, but I cannot trace it back to the account who created these emails.
Any idea how I can either check the user's outbox or check the sent emails to trace them back to the account that really sent them?
Deactivating local email support is sadly no option, because some vital scripts rely on this support.

Thanks for your help,

Duncan
--
Re: spam protection - but local! [ In reply to ]
On Fri, 21 Jun 2002, Duncan wrote:

> I had to realize that someone abuses my server to spam other users on my server.
> The email always contains the recipient's email address as sender & receiver, which is already quite weird.

If you mean in the envelope, a local sender has to be trusted by Exim to
do that.

> However, it's also sent locally from a different account, but I cannot trace it back to the account who created these emails.
> Any idea how I can either check the user's outbox or check the sent emails to trace them back to the account that really sent them?
> Deactivating local email support is sadly no option, because some vital scripts rely on this support.

When Exim receives a message directly from a local process, it logs the
login name of that process in the <= line in its log, using the tag U=.

However, if the messages are received over TCP/IP via the loopback
interface (127.0.0.1), there is no such information. They look like
messages from other hosts. Anything can be forged.

If you want to get some information about who is sending them, install
the "ident" daemon on your host. Make sure the Exim configuration has
not disabled it (look for options with "rfc1413" in their names). Then,
whenever a call arrives on 127.0.0.1, Exim will make an ident call back
to the sending host (i.e. also your host) and it will log the ident
information.


--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.
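
An added example, not part of the thread and not Exim's own tooling: a small Python pass over an Exim main log that pairs each `<=` arrival line with its `=>` delivery lines, keeps the messages whose envelope sender is also a recipient, and reports the `U=` value from the arrival line (the local login for a local process, or the ident reply for a loopback SMTP call). The log lines are constructed and the function names are hypothetical.

```python
import re

# Constructed Exim main-log sample (not taken from the thread).
SAMPLE_LOG = """\
2002-06-21 10:15:03 17LQxA-0001Ab-00 <= www@example.org U=www P=local S=812
2002-06-21 10:15:03 17LQxA-0001Ab-00 => alice <alice@example.org> R=localuser T=local_delivery
2002-06-21 10:15:03 17LQxA-0001Ab-00 Completed
2002-06-21 10:16:40 17LQyB-0001Ac-00 <= bob@example.org H=localhost [127.0.0.1] P=smtp S=2210
2002-06-21 10:16:41 17LQyB-0001Ac-00 => bob <bob@example.org> R=localuser T=local_delivery
2002-06-21 10:17:12 17LQzC-0001Ad-00 <= carol@example.org H=localhost [127.0.0.1] U=mallory P=smtp S=2198
2002-06-21 10:17:12 17LQzC-0001Ad-00 => carol <carol@example.org> R=localuser T=local_delivery
"""

ARRIVAL = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+)(?P<rest>.*)$")
DELIVERY = re.compile(r"^\S+ \S+ (?P<id>\S+) [=-]> (?P<rest>.*)$")
LOOPBACK = re.compile(r"\[(127\.0\.0\.1|::1)\]")

def trace_submissions(log_text):
    """Index messages by id: envelope sender, U= value, protocol, recipients."""
    msgs = {}
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            rest = m["rest"]
            user = re.search(r"\sU=(\S+)", rest)    # local login or ident reply
            proto = re.search(r"\sP=(\S+)", rest)
            msgs[m["id"]] = {"id": m["id"], "sender": m["sender"].lower(),
                             "user": user[1] if user else None,
                             "proto": proto[1] if proto else None,
                             "loopback": bool(LOOPBACK.search(rest)),
                             "recipients": set()}
            continue
        m = DELIVERY.match(line)
        if m and m["id"] in msgs:
            addr = re.search(r"<([^>]+)>", m["rest"])   # "local_part <full@addr>" form
            rcpt = addr[1] if addr else m["rest"].split()[0]
            msgs[m["id"]]["recipients"].add(rcpt.lower())
    return msgs

def self_addressed(msgs):
    """Messages whose envelope sender is also a recipient: (id, origin, U= or None)."""
    out = []
    for m in msgs.values():
        if m["sender"] in m["recipients"]:
            via = "local" if m["proto"] == "local" else ("loopback" if m["loopback"] else "remote")
            out.append((m["id"], via, m["user"]))
    return out

if __name__ == "__main__":
    for msg_id, via, user in self_addressed(trace_submissions(SAMPLE_LOG)):
        print(msg_id, via, user or "no U= logged (no ident answer)")
```

A loopback entry reported with no `U=` is the case the reply describes: the message arrived over 127.0.0.1 and no ident information was logged for it.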