-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here is the syslog entry associated with this repetitive spam (based on the 
[EMAIL PROTECTED] message):

Oct 20 08:57:26 lapdog postfix/smtpd[9542]: connect from localhost.localdomain[127.0.0.1]
Oct 20 08:57:26 lapdog postfix/smtpd[9542]: warning: Illegal address syntax from localhost.localdomain[127.0.0.1] in MAIL command: <Received:[EMAIL PROTECTED];Oct>
Oct 20 08:57:27 lapdog postfix/smtpd[9543]: connect from localhost.localdomain[127.0.0.1]
Oct 20 08:57:27 lapdog postfix/smtpd[9543]: 6E5C86F97: client=localhost.localdomain[127.0.0.1]
Oct 20 08:57:27 lapdog postfix/cleanup[9544]: 6E5C86F97: message-id=<[EMAIL PROTECTED]>
Oct 20 08:57:27 lapdog postfix/nqmgr[1657]: 6E5C86F97: from=<[EMAIL PROTECTED]>, size=2068, nrcpt=1 (queue active)
Oct 20 08:57:27 lapdog postfix/smtpd[9543]: disconnect from localhost.localdomain[127.0.0.1]
Oct 20 08:57:28 lapdog postfix/smtpd[9542]: disconnect from localhost.localdomain[127.0.0.1]

Here is the message I see in full, separated into headers and message body:

Headers:

Return-Path: <[EMAIL PROTECTED]>
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from localhost (localhost.localdomain [127.0.0.1])
        by lapdog.ravenhome.net (Postfix) with ESMTP id 64EB36F36
        for <[EMAIL PROTECTED]>; Mon, 20 Oct 2003 09:00:30 -0400 (EDT)
X-Apparently-To: [EMAIL PROTECTED] via 216.136.173.225; Mon, 20 Oct 2003 
05:57:26 -0700
Received: from pop.vip.sc5.yahoo.com [216.136.173.10]
        by localhost with POP3 (fetchmail-6.2.1)
        for [EMAIL PROTECTED] (single-drop); Mon, 20 Oct 2003 08:00:30 -0500 
(EST)
Received: from 128.210.210.51  (EHLO lapdog.ravenhome.net) (128.210.210.51)
  by mta104.mail.scd.yahoo.com with SMTP; Mon, 20 Oct 2003 05:57:26 -0700
Received: from localhost (localhost.localdomain [127.0.0.1])
        by lapdog.ravenhome.net (Postfix) with SMTP id 6E5C86F97
        for <praedor>; Mon, 20 Oct 2003 08:57:27 -0400 (EDT)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/report;
  report-type=delivery-status;
  boundary="foo-mani-padme-hum-1777-1-1066654647"
Message-Id: <[EMAIL PROTECTED]>
Date: Mon, 20 Oct 2003 08:57:27 -0400 (EDT)
X-Spam-Status: No, hits=1.2 required=5.0
        tests=MAILTO_TO_SPAM_ADDR,NO_REAL_NAME
        version=2.54
X-Spam-Level: *
X-Spam-Checker-Version: SpamAssassin 2.54 (1.174.2.17-2003-05-11-exp)
Status: R 
X-Status: N
X-KMail-EncryptionState:  
X-KMail-SignatureState:  

End of Headers.

Message body:

General SMTP/ESMTP error.

 <here is the actual misconfigured spam file...see at bottom>

X-Apparently-To: [EMAIL PROTECTED] via 216.136.173.226; Fri, 17 Oct 2003 
22:52:58 -0700
X-YahooFilteredBulk: 24.61.30.135
Received: from 24.61.30.135  (HELO 67.164.237.213) (24.61.30.135)
  by mta154.mail.scd.yahoo.com with SMTP; Fri, 17 Oct 2003 22:52:58 -0700
Received: from [177.34.196.8] by f64.law4.hotmail.com with NNFMP; Oct, 18 2003 
12:36:28 AM -0200
Received: from 105.183.205.243 ([105.183.205.243]) by smtp-server1.cfl.rr.com 
with QMQP; Oct, 17 2003 11:27:32 PM +1200
From: uvnRuth Cawdell <[EMAIL PROTECTED]>
To: Undisclosed [EMAIL PROTECTED]
Cc: 
[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL 
PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL 
PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]
Subject: Presription Meds givp
Sender: uvnRuth Cawdell <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Date: Sat, 18 Oct 2003 01:54:51 -0400
X-Mailer: Microsoft Outlook Build 10.0.2627

End of message body.

Here is the actual spam file contents attached to the above message:

Reporting-MTA: dns; localhost

Final-Recipient: rfc822; [EMAIL PROTECTED]
Last-Attempt-Date: Mon, 20 Oct 2003 07:57:27 -0500 (EST)
Action: failed
Status: 5.0.0
Diagnostic-Code: 501 Bad address syntax

End of misconfigured spam.

I get a new one of these every time my fetchmail daemon contacts my ISP pop 
mail server.  I can eliminate the messages if I add this to my 
/etc/procmailrc (I run it globally):

:0
* [EMAIL PROTECTED]
/dev/null

When I have tried to key off components of the message, such as 
"X-YahooFilteredBulk: 24.61.30.135" or variations I still get the message.  
SpamAssassin doesn't catch this message as it is screwed up (it gives a 
1.2/5.0, far below what would be needed to identify it as spam and get 
/dev/nulled by my other procmailrc recipe, which is working fine):

:0
* ^X-Spam-Status: Yes
/dev/null

As it is, EVERY time I hear the tone indicating new messages, I am absolutely 
certain to see more of these messages unless I /dev/null anything from 
fetchmail-daemon, which seems rather problematic - there may be messages from 
the daemon I would be interested in receiving.

praedor 
 
On Monday 20 October 2003 05:59 am, Bryan Phinney wrote:
> On Sunday 19 October 2003 09:17 pm, Praedor Atrebates wrote:
> > I have received over 100 of these today alone.  Nothing I've tried with
> > procmail recipes has worked.  I cannot stop this nonsense.  The from
> > address is my own fetchmail-daemon:
> > [EMAIL PROTECTED]
> >
> > I am considering having all fetchmail-daemon emails sent to dev/null but
> > fear the repercussions.
>
> You should probably try to see what the exact message is.  If Fetchmail is
> encountering an error, you may need to fix the error.  For instance, my
> Postfix mail server is set to reject messages with invalid From headers and
> sometimes malformed spam is sent to my ISP mailbox with just such invalid
> headers.  Since the ISP mail server is not as picky, Fetchmail tries to
> deliver to Postfix which rejects the message and then Fetchmail doesn't
> delete the message because it did not receive an ack from the mail server.
> It will try to do this repeatedly until the message is cleared.
>
> If you know what is causing the problem, you can instruct Fetchmail to
> regard the error code generated by Postfix as a bounce and then Fetchmail
> will discard the message. Your message may be something similar.
>
> Why not attach a copy so that we can see it?

- -- 
"Our ship is in the hands of pilots who are steering directly under full sail 
for a rock.  The whole crew may see this course to violate our liberties in 
full view if they look the right way."
- --Samuel Adams, 1771
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/k98JaKr9sJYeTxgRAuadAJ4mgb6MXf8xh0IInuKYMeMWKmC3QQCgq5T4
Bf6USQl1AFQz5duKionMrLY=
=5YBZ
-----END PGP SIGNATURE-----
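
Added example, not part of the original post: in the quoted bounce, the X-YahooFilteredBulk line and the "501 Bad address syntax" diagnostic sit in the body of the multipart/report message, not in its top-level headers. The Python below parses a constructed bounce of that shape (placeholder addresses, an assumed three-part MIME layout, and the hypothetical helper names dsn_fields and is_loop_bounce) and classifies it on those body fields.

```python
import email

# Constructed sample modelled on the quoted bounce; addresses are placeholders.
SAMPLE = """\
From: FETCHMAIL-DAEMON@mail.example.invalid
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

General SMTP/ESMTP error.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; localhost

Final-Recipient: rfc822; user@example.invalid
Action: failed
Diagnostic-Code: 501 Bad address syntax

--b1
Content-Type: text/rfc822-headers

X-YahooFilteredBulk: 24.61.30.135

--b1--
"""

def dsn_fields(msg):
    """Collect DSN fields and the embedded original headers of a bounce."""
    fields = {}
    if msg.get_content_type() != "multipart/report":
        return fields
    for part in msg.get_payload():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            for block in part.get_payload():  # one Message per header block
                fields.update((k.lower(), v) for k, v in block.items())
        elif ctype == "text/rfc822-headers":
            orig = email.message_from_string(part.get_payload())
            fields.update(("orig-" + k.lower(), v) for k, v in orig.items())
    return fields

def is_loop_bounce(msg):
    """True for a failed 501 bounce whose embedded headers carry the bulk tag."""
    f = dsn_fields(msg)
    return (f.get("action") == "failed" and "orig-x-yahoofilteredbulk" in f
            and f.get("diagnostic-code", "").startswith("501"))
```

A procmail recipe needs the B flag to match these lines, because procmail conditions are tested against the header only by default.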
