On Mon, 9 Dec 2002 sharun@??? wrote:
> deny condition = ${if eq{$sender_ident}{squid}{yes}{no}}
> message = Hacked proxy ? Go away!
>
> deny condition = ${if eq{$sender_ident}{CacheFlow Server}{yes}{no}}
> message = Hacked proxy ? Go away!
Just to confirm that I've tried this, and it's caught a reasonable
number of spams, and I don't see any false positives. Some proportion
of the spams would have fallen into other traps anyway, but I am sure
that the net effect has been positive, since we've got the ident on
hand anyway - whereas things like RBL lookups - or even callbacks to
verify the envelope sender - cost rather more.
In our version, the message is rather less brusque
deny condition = ${if eq{$sender_ident}{CacheFlow Server}{1}{0}}
message = Rejected - appears to be an unsecured proxy: $sender_ident
and similarly for any other idents that you take a dislike to
(definitely squid - I suppose some might also add apache, httpd etc.)
However, there was a minor point of my original query (this would be
for Philip, excuse me for pressing!) that went unanswered. In some
log entries, I see the expected format - like it says in the
documentation:
... U=CacheFlow Server ...
whereas in other log messages (most, in practice) I see the ident
presented in this format instead:
... (CacheFlow Server) ...
- a syntax that doesn't seem to be mentioned in the documentation of
the log format. I'm wondering whether the discrepancy was deliberate
or inadvertent. It might be relevant in relation to logfile analysis
software?
cheers
