Re: [Exim] spam protection - but local!

Top Page
Delete this message
Reply to this message
Author: Philip Hazel
Date:  
To: Duncan
CC: exim-users
Subject: Re: [Exim] spam protection - but local!
On Fri, 21 Jun 2002, Duncan wrote:

> i had to realize, that s.o. abuses my server to spam other users on my server.
> The email always contains the recipients email address as sender & receiver, which is already quite weird.


If you mean in the envelope, a local sender has to be trusted by Exim to
do that.

> However, its also sent localy from a different account, but i cannot trace it back to the account who created these emails.
> Any idea, how i can either check the users oubox or check the sent emails to trace em back to the account, that really sent them?
> Deactivating local email support is sadly no option, because some vital scripts rely on this support.


When Exim receives a message directly from a local process, it logs the
login name of that process in the <= line in its log, using the tag U=.

However, if the messages are received over TCP/IP via the loopback
interface (127.0.0.1), there is no such information. They look like
messages from other hosts. Anything can be forged.

If you want to get some information about who is sending them, install
the "ident" daemon on your host. Make sure the Exim configuration has
not disabled it (look for options with "rfc1413" in their names). Then,
whenever a call arrives on 127.0.0.1, Exim will make an ident call back
to the sending host (i.e. also your host) and it will log the ident
information.


--
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.