comp.mail.sendmail: Configuring and using the BSD sendmail agent.

#1

I am running sendmail 8.12.9 on a Mac OS X 10.2.8 as a server.

Because I have no need for mail to root I have blocked it in .forward, and in the aliases database.

And yet some of the spam to root gets through, and the items that get through have a higher pri- than the items that get /dev/nulled, up in the 6XXXX zone rather than the 3xxxx zone. The sneaky ones get /dev/nulled AND copied to mbox. I wonder whether it's an attachment issue.

It's only a handful but it's irritating and a worry for security.

I wonder whether I can fix it, or maybe I should go over to postfix. What do you all think?

#2

hjones wrote:
> I am running sendmail 8.12.9 on a Mac OS X 10.2.8 as a server.
>
> Because I have no need for mail to root I have blocked it in .forward,
> and in the aliases database.
>
> And yet some of the spam to root gets through, and the items that get
> through have a higher pri- than the items that get /dev/nulled, up in
> the 6XXXX zone rather than the 3xxxx zone. The sneaky ones get
> /dev/nulled AND copied to mbox. I wonder whether it's an attachment issue.
>
> It's only a handful but it's irritating and a worry for security.
>
> I wonder whether I can fix it, or maybe I should go over to postfix.
> What do you all think?

It's all gone a bit quiet. I will elaborate out of sheer desperation.

Here is a snippet from the mail log showing what's happening:

Example 1: aliases doing its job:

Nov 3 12:03:16 localhost sendmail[877]: kA3C3EmT000876: to=/dev/null,ctladdr=<root@my.co.uk> (1/0), delay=00:00:00, xdelay=00:00:00, mailer=*file*, pri=32835, dsn=2.0.0, stat=Sent
(next line follows)
Nov 3 12:09:12 localhost sendmail[878]: kA3C9BmT000878:<fred@my.co.uk>... User unknown

Example 2: aliases failing:

Nov 3 12:15:01 localhost sendmail[891]: kA3CEwmT000881: to=/dev/null, ctladdr=<root@my.co.uk> (1/0), delay=00:00:02, xdelay=00:00:00, mailer=*file*, pri=64969, dsn=2.0.0, stat=Sent
Nov 3 12:15:01 localhost sendmail[891]: kA3CEwmT000881: to=me, delay=00:00:02, xdelay=00:00:00, mailer=local, pri=64969, dsn=2.0.0, stat=Sent

It's sending it to /dev/null, and then slipping me a copy. sendmail.cf specifies aliases, nis lookup is hashed out. And the only difference is in the "pri".

Anyone know if Mac OS X forces a system alias lookup, because obviously I am also root?

#3

hjones wrote:
> Example 2: aliases failing:
> Nov 3 12:15:01 localhost sendmail[891]: kA3CEwmT000881: to=/dev/null,
> ctladdr=<root@my.co.uk> (1/0), delay=00:00:02, xdelay=00:00:00,
> mailer=*file*, pri=64969, dsn=2.0.0, stat=Sent
> Nov 3 12:15:01 localhost sendmail[891]: kA3CEwmT000881: to=me,
> delay=00:00:02, xdelay=00:00:00, mailer=local, pri=64969, dsn=2.0.0,
> stat=Sent
>
> It's sending it to /dev/null, and then slipping me a copy.
> sendmail.cf specifies aliases, nis lookup is hashed out. And the only
> difference is in the "pri"

The logical explanation would be that this message was sent to (at least) two different recipient addresses: root _and_ you.

You quoted only the log lines that logged the delivery of the message. Please have a look at all log lines for the message with "queue id" kA3CEwmT000881. There should be at least one more line logging the arrival of the message. That line logs (among other things) the sender address and the number of recipients (nrcpts=....).

Regards,

Kees.

--
Kees Theunissen.
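
The check suggested in the reply above, as an added example that is not part of the thread: group sendmail log lines by queue id, read `nrcpts` from the arrival (`from=`) line, and list every delivery that did not end in /dev/null. The log lines are constructed in the format quoted in the thread (queue ids, addresses and hosts are placeholders), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the sendmail syslog format quoted in the thread.
SAMPLE_LOG = """\
Nov  3 12:15:01 localhost sendmail[881]: qAAAAAAA000881: from=<sender@example.net>, size=4771, class=0, nrcpts=2, msgid=<1@example.net>, proto=ESMTP, daemon=MTA, relay=host.example.net [192.0.2.10]
Nov  3 12:15:01 localhost sendmail[891]: qAAAAAAA000881: to=/dev/null, ctladdr=<root@example.org> (1/0), delay=00:00:02, xdelay=00:00:00, mailer=*file*, pri=64969, dsn=2.0.0, stat=Sent
Nov  3 12:15:01 localhost sendmail[891]: qAAAAAAA000881: to=me, delay=00:00:02, xdelay=00:00:00, mailer=local, pri=64969, dsn=2.0.0, stat=Sent
Nov  3 12:15:03 localhost sendmail[881]: qBBBBBBB000882: from=<other@example.net>, size=4853, class=0, nrcpts=1, msgid=<2@example.net>, proto=ESMTP, daemon=MTA, relay=host.example.net [192.0.2.10]
Nov  3 12:15:03 localhost sendmail[893]: qBBBBBBB000882: to=/dev/null, ctladdr=root (1/0), delay=00:00:01, xdelay=00:00:00, mailer=*file*, pri=35051, dsn=2.0.0, stat=Sent
"""

LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>(?:from|to)=.*)$")

def parse_fields(rest):
    """Split 'key=value, key=value' pairs; the first occurrence of a key wins."""
    fields = {}
    for part in rest.split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields.setdefault(key, value)
    return fields

def summarize(log_text):
    """Group arrival (from=) and delivery (to=) records by queue id."""
    msgs = defaultdict(lambda: {"sender": None, "nrcpts": None, "deliveries": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # e.g. "User unknown" rejections carry no from=/to= field
        f = parse_fields(m.group("rest"))
        msg = msgs[m.group("qid")]
        if "from" in f:
            msg["sender"], msg["nrcpts"] = f["from"], int(f.get("nrcpts", 0))
        else:  # delivery record: (recipient, controlling address, mailer)
            ctl = f.get("ctladdr", "").split(" ")[0]
            msg["deliveries"].append((f["to"], ctl, f.get("mailer")))
    return dict(msgs)

def not_discarded(msgs):
    """Queue ids with at least one delivery that did not go to /dev/null."""
    return {qid: [d for d in m["deliveries"] if d[0] != "/dev/null"]
            for qid, m in msgs.items()
            if any(d[0] != "/dev/null" for d in m["deliveries"])}

if __name__ == "__main__":
    msgs = summarize(SAMPLE_LOG)
    for qid, hits in not_discarded(msgs).items():
        print(qid, "nrcpts =", msgs[qid]["nrcpts"], "delivered to", hits)
```

A delivery with an empty controlling address, such as `to=me` here, was not produced by expanding an alias, which points to a second envelope recipient rather than a failed alias.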

#4

Kees Theunissen wrote:
> hjones wrote:
>
>> Example 2: aliases failing:
>> Nov 3 12:15:01 localhost sendmail[891]: kA3CEwmT000881: to=/dev/null,
>> ctladdr=<root@my.co.uk> (1/0), delay=00:00:02, xdelay=00:00:00,
>> mailer=*file*, pri=64969, dsn=2.0.0, stat=Sent
>> Nov 3 12:15:01 localhost sendmail[891]: kA3CEwmT000881: to=me,
>> delay=00:00:02, xdelay=00:00:00, mailer=local, pri=64969, dsn=2.0.0,
>> stat=Sent
>>
>> It's sending it to /dev/null, and then slipping me a copy.
>> sendmail.cf specifies aliases, nis lookup is hashed out. And the only
>> difference is in the "pri"
>
> The logical explanation would be that this message was sent to (at
> least) two different recipient addresses: root _and_ you.
> You quoted only the log lines that logged the delivery of the message.
> Please have a look at all log lines for the message with "queue id"
> kA3CEwmT000881. There should be at least one more line logging the
> arrival of the message. That line logs (among other things) the
> sender address and the number of recipients (nrcpts=....).
>
> Regards,
>
> Kees.
>

You may be right! This is the full list for message *881:

> Nov 3 12:15:01 localhost sendmail[881]: kA3CEwmT000881: from=<bdthreeriverssro@threerivers.org>, size=4771, class=0, nrcpts=2, msgid=<816600193.41124915934135@thebat.net>, proto=ESMTP, daemon=MTA, relay=83.68.77.80.brzesko77.tnp.pl [83.68.77.80]
> Nov 3 12:15:01 localhost sendmail[891]: kA3CEwmT000881: to=/dev/null, ctladdr=<root@my.co.uk> (1/0), delay=00:00:02, xdelay=00:00:00, mailer=*file*, pri=64969, dsn=2.0.0, stat=Sent
> Nov 3 12:15:01 localhost sendmail[891]: kA3CEwmT000881: to=me, delay=00:00:02, xdelay=00:00:00, mailer=local, pri=64969, dsn=2.0.0, stat=Sent
> Nov 3 12:15:01 localhost sendmail[881]: kA3CEwmV000881: <home@my.co.uk>... User unknown
> Nov 3 12:15:02 localhost sendmail[881]: kA3CEwmV000881: <@my.co.uk>... User unknown
> Nov 3 12:15:02 localhost sendmail[881]: kA3CEwmV000881: <contact@my.co.uk>... User unknown
> Nov 3 12:15:02 localhost sendmail[881]: kA3CEwmV000881: <billing@my.co.uk>... User unknown
> Nov 3 12:15:02 localhost sendmail[881]: kA3CEwmV000881: <ambulant@my.co.uk>... User unknown
> Nov 3 12:15:02 localhost sendmail[881]: kA3CEwmV000881: <advertising@my.co.uk>... User unknown
> Nov 3 12:15:02 localhost sendmail[881]: kA3CEwmV000881: <admin@my.co.uk>... User unknown
> Nov 3 12:15:02 localhost sendmail[881]: kA3CEwmV000881: <accounts@my.co.uk>... User unknown
> Nov 3 12:15:03 localhost sendmail[881]: kA3CEwmV000881: from=<bdthayerassociatessro@thayerassociates.com>, size=4853, class=0, nrcpts=1, msgid=<417226509.30054668990319@thebat.net>, proto=ESMTP, daemon=MTA, relay=83.68.77.80.brzesko77.tnp.pl [83.68.77.80]
> Nov 3 12:15:03 localhost sendmail[893]: kA3CEwmV000881: to=/dev/null, ctladdr=root (1/0), delay=00:00:01, xdelay=00:00:00, mailer=*file*, pri=35051, dsn=2.0.0, stat=Sent

I see the nrcpts=2 which I suppose means 1 plus a number of copies(?)

The one that gets through is addressed to root so if it's a hidden copy recipient I can't yet see the aliasing on that third line. I've upped the log level to 10 but I don't know whether that will until the next one comes in.

I appreciate your reply. I think I'm maybe on the right trail here. Any more clues most welcome.

Cheers.

#5

hjones wrote:
> Kees Theunissen wrote:
>> hjones wrote:
>>

The final answer is to suspend all aliasing overnight, then every bcc including the rogue one will bounce and reveal its addressee in the log.

Thank you dear boy.