A little problem with Samba mail traffic...

Michael H. Warfield mhw at wittsend.com
Thu Feb 15 15:32:07 GMT 2001


Hello all!

	I just noticed that a great deal of recent Samba mailing list
traffic was being lost at my site.  I discovered it was being dumped into
one of my "spam cans".  Strange...  It wasn't one of the rbl style
black-hole dumps but rather one of the content traps...

	A little further research revealed why.  One of my spam traps
triggers (inaccurately, apparently) on malformed IP addresses in Received
headers, since some spam packages generate bogus forged IP addresses in
fake Received headers.  Here are two of the headers from a recent message
from the Samba list (the bottom one is the problem)...

] Received: from mail.valinux.com (mail.valinux.com [198.186.202.175])
] 	by au2.samba.org (Postfix) with ESMTP id 6740A65985B
] 	for <samba at samba.org>; Thu, 15 Feb 2001 19:25:08 +1100 (EST)
] Received: from beefcake.hdqt.valinux.com
] 	([10.1.0.14.55044] helo=valinux.com ident=root) 
          ^^^^^^^^^^^^^^^
] 	by mail.valinux.com with esmtp (Exim 3.22 #1 (Debian))
] 	id 14TJuh-0001QC-00; Thu, 15 Feb 2001 00:37:19 -0800

	This is what it gets tagged with:

] X-Procmail: unwanted ordinary tag-contents header bad IP

	This is the procmail tagging recipe that is triggering on it...

] #
] # Morons trying to forge IP addresses
] :0 Hf
] * ^Received: .*\[[0-9\.]*([03-9][0-9][0-9]|2[6-9][0-9]|25[6-9])
] | formail -b -f -A "$trash_header ordinary tag-contents header bad IP"

	Ok...  Pretty obvious what's happening.  Exim is apparently
tacking on the port number to the IP address on which it received the
message.  That port number is triggering the forgery detector causing
the spam rule to fire.  I've now disabled that rule since it rarely
catches very much spam anymore anyway.  But this came from a stock
common anti-spam package I obtained by following links off the sendmail
site.  I'm sure there are other people using this (who are probably NOT
getting this message for this very reason) and many of those dump
tagged messages straight to /dev/null rather than into spam cans for
later checking and mucking out.

	I don't know if there has been a recent change at VA Linux or
in the mailing list routing, but this seems to have only started occurring
fairly recently (like in the last week or so).

	I don't know what to suggest to the list other than watch out for
people who start complaining about not receiving mail from the list.

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
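The following is an added example, not part of Mike's post or of any anti-spam package. It transcribes the procmail pattern quoted above into Python and sets it beside a check that first separates the bracketed address into IP and optional appended port (the `[ip.port]` form Exim produced in the quoted header) and only then tests each octet against 255. The two quoted Received headers are taken from the post; the third header is constructed to show that the stricter check still fires on a genuinely out-of-range octet. Function names and the `ADDR_RE` pattern are this example's own.

```python
import re

# Sample headers. The first two are the ones quoted in the post, folded onto
# one line each; the third is a constructed forgery for the negative case.
RECEIVED_POSTFIX = (
    "Received: from mail.valinux.com (mail.valinux.com [198.186.202.175])"
    " by au2.samba.org (Postfix) with ESMTP id 6740A65985B"
)
RECEIVED_EXIM = (
    "Received: from beefcake.hdqt.valinux.com"
    " ([10.1.0.14.55044] helo=valinux.com ident=root)"
    " by mail.valinux.com with esmtp (Exim 3.22 #1 (Debian))"
)
RECEIVED_FORGED = (  # constructed: an octet of 300 cannot be a real IPv4 address
    "Received: from nowhere ([300.1.2.3]) by mx.example.invalid with smtp"
)

# The procmail recipe's regex, transcribed as-is. It looks for any run of
# three digits forming a number above 255 somewhere after a '[' and has no
# notion of where one dotted component ends and the next begins.
NAIVE_RE = re.compile(
    r"^Received: .*\[[0-9\.]*([03-9][0-9][0-9]|2[6-9][0-9]|25[6-9])"
)


def naive_bad_ip(header: str) -> bool:
    """True if the original procmail pattern would tag this header."""
    return NAIVE_RE.search(header) is not None


# Stricter parse: exactly four dotted components of 1-3 digits, optionally
# followed by a fifth component that Exim 3.22 used for the source port.
ADDR_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})(?:\.(\d{1,5}))?\]")


def parse_received_addr(header: str):
    """Return (ip, port_or_None) for the first bracketed address, else None."""
    m = ADDR_RE.search(header)
    if m is None:
        return None
    port = int(m.group(2)) if m.group(2) is not None else None
    return m.group(1), port


def strict_bad_ip(header: str) -> bool:
    """True only if an actual octet of the IP is out of range (> 255)."""
    parsed = parse_received_addr(header)
    if parsed is None:
        return False
    ip, _port = parsed
    return any(int(octet) > 255 for octet in ip.split("."))


if __name__ == "__main__":
    for name, hdr in (("postfix", RECEIVED_POSTFIX),
                      ("exim", RECEIVED_EXIM),
                      ("forged", RECEIVED_FORGED)):
        print(f"{name:8s} naive={naive_bad_ip(hdr)!s:5s} strict={strict_bad_ip(hdr)}")
```

Run stand-alone it shows the Exim header tagged by the naive pattern but passed by the strict check, while the constructed `300.1.2.3` header is tagged by both. The design point is that the procmail rule tests for a three-digit number anywhere in a run of digits and dots, so any extra dotted component (here the port 55044) supplies a "044" that satisfies `[03-9][0-9][0-9]`; parsing the address into components before range-checking removes that class of false positive without weakening the check on the octets themselves.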
