Re: [Exim] "CacheFlow Server" and exim4

Página Inicial
Delete this message
Reply to this message
Autor: sharun
Data:  
Para: Giuliano Gavazzi
CC: Exim users list
Assunto: Re: [Exim] "CacheFlow Server" and exim4
My statistics:
[/usr/exim4]$ zcat /var/log/mpop-err.0.gz | egrep -c 'CacheFlow.*Hacked proxy'
288
[/usr/exim4]$ zcat /var/log/mpop-err.0.gz | egrep -c 'squid.*Hacked proxy'
243

This stats for yesterday only.
I have another trap for smart spammers, where helo matches known
mail services (yahoo,lycos, etc.). These services (while mail originates
from original servers) gives real helo (like yahoo's mta511.mail.yahoo.com f.e.),
and does not fall into this trap. So:
[/usr/exim4]$ zcat /var/log/mpop-err.0.gz | egrep -c 'forging is not'
1778

Giuliano Gavazzi wrote:
> Quite well targeted rules, especially the "squid" one, but low hit rate
> here.
> I have just checked my 700MB of mail folders for CacheFlow and squid
> in the headers and, I think.., I just got junk (I have about 7000
> spam emails in the trash). It is not common here, a total of perhaps
> 5 emails (in many years) for CacheFlowServer (no space though) and
> about 100 for squid. But I am not sure they are both from ident
> calls, perhaps sendmail (no more here) changed the way it logged it.
> For CacheFlowServer in particular I always got
> CacheFlowServer@[w.x.y.z] instead of ident:...
>
> The low numbers of hits might have been the result of rbl lists kicking in.
>
> Giuliano
>
> At 11:10 +0200 2002/12/09, sharun@??? wrote:
> >  deny    condition = ${if eq{$sender_ident}{squid}{yes}{no}}
> >          message       = Hacked proxy ? Go away!

> >
> >  deny    condition = ${if eq{$sender_ident}{CacheFlow Server}{yes}{no}}
> >          message       = Hacked proxy ? Go away!

> >
> >
> >Alan J. Flavell wrote:
> >>
> >> There's a class of event which shows up in the logs as e.g
> >>
> >> 2002-12-07 00:42:43 H=(nric) [200.160.36.13] (CacheFlow Server)
> >> F=<wvdvn@???> rejected RCPT...
> >>
> >> Am I right in thinking that "CacheFlow Server" here is always
> >> indicative of an open proxy? What actually _is_ this item of data in
> >> the mainlog, I'm having a hard time finding it documented in chapter
> >> 44. I'm suspicious that it might be the rfc1413 "ident", but then why
> >> isn't it prefixed with "U=" as indicated in 44.12?
> >>
> >> Does anyone block mail on the basis of this indication, and if so,
> >> could they offer an exim4 recipe for it, please? It seems to be quite
> > > a pestilence.
>
> --
> H U M P H
>    || |||
>  software

>
> Java & C++ Server/Client/Human Interface applications on MacOS - MacOS X
> http://www.humph.com/
>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim
> details at http://www.exim.org/ ##
>


--
VVS56-RIPE