It looks like sendmail has announced your -desteny alias at some
point, just look at your first Received line, and now the spammer
is writing directly to that alias. When this happens, majordomo
can not stop the mail from being distributed.

1. Change the name to something else. -20020324 is a good example.
2. Change the alias to include ,nobody after the delivery alias.
     test: "|/pathto/majordomo/wrapper resend -l test test-20020324,nobody"
     test-20020324: :include:/pathto/majordomo/lists/test
3. Add <nylxs-announce-20020324 error:nouser User unknown>
   to /etc/mail/virtusertable
     test error:nouser User unknown
4. Add the spammer domain to your blacklist via /etc/mail/access
   or /etc/hosts.deny

Majordomo will still use the address correctly, but sendmail will
prevent outside connections from using it. The correct alias can
still be used, nylxs-announce@your.domain but unless the mail comes
from the address you specify in the "restrict_post = filename" file,
spammers' messages will bounce to the -owner address for approval
where you can simply delete them before they get out to your list
subscribers.

BTW, majordomo does not read Received lines, but it can strip them
if the .config file tells it to. You should also consider using
the restrict_post feature via the .config file.

Dan Liston

Ruben I Safir wrote:
>
> I understand that spammers grab the received line, but this spammer
> is getting past a list without being subscribed to it.
>
> I believe Majordomo is being fooled because of the received line listed.
>
> > Check your /etc/hosts file for incorrect IP info.
> I'm running DNS bind 9 although /etc/hosts is correct
>
> >
> > Make sure sendmail is not advertising your list's
> > -outgoing alias in the Received line, and/or secure
> > that address by blocking it with the virtusertable.
>
> OK
> If I block the address then I can't send mail from
> the machine, which doubles as my workstation
>
> This is a typical list header
>
> > Date: 2002.03.24 00:15
> From: Ruben I Safir <ruben@mrbrklyn.com>
> To: nylxs-announce@nylxs.com
> Return-Path: owner-nylxs-announce-desteny@mrbrklyn.com
> Sender: owner-nylxs-announce@mrbrklyn.com
> Message-ID: <200203240515.g2O5F2g15909@www2.mrbrklyn.com>
> Received: (from mdom@localhost) by www2.mrbrklyn.com
> (8.11.2/8.11.2/SuSE Linux 8.11.1-0.5) id g2O6r0217505 for
> nylxs-announce-desteny; Sun, 24 Mar 2002 01:53:00 -0500
> Received: (from ruben@localhost) by www2.mrbrklyn.com
> (8.11.2/8.11.2/SuSE Linux 8.11.1-0.5) id g2O6r0j17499 for
> nylxs-announce@www2.mrbrklyn.com; Sun, 24 Mar 2002
> 01:53:00 -0500
> Received: (from ruben@localhost) by www2.mrbrklyn.com
> (8.11.2/8.11.2/SuSE Linux 8.11.1-0.5) id g2O5F2g15909 for
> nylxs-announce@nylxs.com; Sun, 24 Mar 2002 00:15:02 -0500
> Precedence: bulk
>
> This is the alias entry
> nylxs-announce: "|/usr/lib/majordomo/wrapper resend -l nylxs-announce nylxs-announce-desteny"
> nylxs-announce-desteny: :include:/var/lib/majordomo/lists/nylxs-announce,
> "|/usr/lib/majordomo/wrapper archive.pl /var/lib/majordomo/lists/nylxs-announce.archive"
>
> nylxs-announce-request: "|/usr/lib/majordomo/wrapper majordomo -l nylxs-announce"
> nylxs-announce-archive: "|/usr/lib/majordomo/wrapper archive.pl /var/lib/majordomo/lists/nylxs-announce.archive"
>
> nylxs-announce-approval: owner-nylxs-announce,
> owner-nylxs-announce-desteny: owner-nylxs-announce,
> owner-nylxs-announce-request: owner-nylxs-announce,
> owner-nylxs-announce: ruben,
>
> It looks like it's being advertised if I understand. How do I change that?
>
> I still don't understand how that spammer is hijacking the list server.
> They're not on the list.
>
> Ruben
>
> > Dan Liston
> >
> > Ruben I Safir wrote:
> > >
> > > On 2002.03.24 10:29 Ruben I Safir wrote:
> > > Hello
> > >
> > > > I'm getting spam through Majordomo which spoofs my machine's domain with another
> > > ip address - such as this:
> > >
> > > Message 1/371 Mogogo Mogul Chairman Mar 24, 2002 03:18:44 pm
> > >
> > > From owner-fairuse-discuss-desteny@mrbrklyn.com Sun Mar 24 07:59:47 2002
> > > Received: (from mdom@localhost)
> > > by www2.mrbrklyn.com (8.11.2/8.11.2/SuSE Linux 8.11.1-0.5) id g2OCxkC219
> > > for fairuse-discuss-desteny; Sun, 24 Mar 2002 07:59:46 -0500
> > > Received: from www2.mrbrklyn.com ([216.139.164.141])
> > > by www2.mrbrklyn.com (8.11.2/8.11.2/SuSE Linux 8.11.1-0.5) with SMTP id
> > > for <fairuse-discuss@mrbrklyn.com>; Sun, 24 Mar 2002 07:59:45 -0500
> > >
> > > Note my www2.mrbrklyn.com is my host and not IP address 216.139.164.141
> > >
> > > Can I secure majordomo or sendmail from this?
> > >
> > > Ruben
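
Added example, not part of the original messages and not code from Majordomo or sendmail: a small Python audit of the two files discussed in the reply above, reporting each resend alias whose delivery alias is not rejected in virtusertable or lacks the ,nobody suffix. The sample file contents are constructed from the entries quoted in the thread; treating the last word of the resend command as the delivery address list, and matching virtusertable keys on their local part, are assumptions.

```python
import re

# Constructed sample files, modelled on the alias entries quoted in the thread.
ALIASES = '''\
nylxs-announce: "|/usr/lib/majordomo/wrapper resend -l nylxs-announce nylxs-announce-desteny"
nylxs-announce-desteny: :include:/var/lib/majordomo/lists/nylxs-announce,
    "|/usr/lib/majordomo/wrapper archive.pl /var/lib/majordomo/lists/nylxs-announce.archive"
test: "|/pathto/majordomo/wrapper resend -l test test-20020324,nobody"
test-20020324: :include:/pathto/majordomo/lists/test
'''
VIRTUSERTABLE = "test-20020324    error:nouser User unknown\n"

def parse_aliases(text):
    """Return {alias: value}, joining indented continuation lines."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current:
            entries[current] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            current = name.strip().lower()
            entries[current] = value.strip()
    return entries

def rejected_locals(text):
    """Local parts that virtusertable maps to error:nouser (assumed key form)."""
    out = set()
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[1].startswith("error:nouser"):
            out.add(fields[0].split("@")[0].lower())
    return out

def audit(aliases_text, virtuser_text):
    """List (list alias, delivery alias, problem) for each unprotected list."""
    blocked, findings = rejected_locals(virtuser_text), []
    for name, value in parse_aliases(aliases_text).items():
        m = re.search(r'wrapper\s+resend\s+([^"]*)', value)
        if not m or not m.group(1).split():
            continue
        # Assumption: the last word of the resend command is the delivery list.
        targets = m.group(1).split()[-1].lower().split(",")
        for t in (t for t in targets if t != "nobody" and t not in blocked):
            findings.append((name, t, "not rejected in virtusertable"))
        if "nobody" not in targets:
            findings.append((name, targets[0], "missing ,nobody"))
    return findings
```

Call audit() with the contents of your aliases file and /etc/mail/virtusertable; an empty list means every resend delivery alias has both protections from steps 2 and 3.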