[plug] nasty spammer

Ben Jensz jensz at wn.com.au
Wed Mar 27 15:17:48 WST 2002


Hey all,

I was wondering if anyone had any suggestions.

Recently got a report from spamcop.net that spam had come through our mail
server at work.  Tracked it and it appears some "delightful" person had
successfully gotten a couple of emails through, by spoofing their packets
with a source of 127.0.0.1, which Postfix accepted of course.  I shut off
this measure by dropping packets from private network addresses both at the
router before it enters the public part of the network and at the machine
itself, and also made Postfix stop relaying for 127.0.0.1.

I've received some more reports from spamcop.net today about more apparently
coming from our mail server.  I've investigated Postfix's logs after having
received the message headers in the email report, and it appears that there
is nothing in the logs at all to match up with those message headers.
So that now leaves me with the conclusion that the spammer, having discovered
our mail server won't relay with their IP spoofing anymore, has now started
spoofing as if they are our mail server to other mail servers and sending
spam, using HELO and EHLO hostnames such as "mail.ru" and "yahoo.com".

Anyone got any suggestions on top of what I've already done to stop this
person using any other methods of fooling our mail server and anything I can
do to make other mail servers pick up on them now spoofing as being our mail
server?

TIA :)


/ Ben
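Added example, not part of the original message or of Postfix: a small Python model of the three checks the post touches on, so the logic can be exercised offline. `drop_ingress` is the anti-spoofing ingress filter (drop loopback/private/own-address sources arriving from the public side), `helo_verdict` is the HELO/EHLO policy a server can apply to outside clients that introduce themselves with one of our own names or addresses, and `received_header_matches_log` does the correlation of a reported `Received:` header against the Postfix log that the post describes. `mail.example.com`, `203.0.113.0/24`, the sample log lines and the headers are constructed for this example and are not the poster's real environment.

```python
"""Added example (not from the original post). Hosts, addresses and log lines
are constructed for illustration."""
import ipaddress
import re

# Constructed identities for "our" mail server (assumption, not the poster's setup).
OUR_HOSTNAMES = {"mail.example.com"}
OUR_ADDRESSES = {"203.0.113.10"}
# Networks treated as trusted relay clients (Postfix mynetworks). 127.0.0.1 is
# deliberately absent, mirroring the post's decision to stop relaying for loopback.
MYNETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Source addresses that must never arrive from the public side of the router:
# loopback, RFC 1918 private space, link-local, multicast and reserved ranges.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def drop_ingress(src_ip, from_external):
    """Ingress-filter decision for one packet: True means drop.

    On the external side, drop any martian source and any source inside our own
    address space (nothing legitimate arrives from outside claiming to be us).
    """
    if not from_external:
        return False
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in MARTIANS):
        return True
    return src_ip in OUR_ADDRESSES or any(src in net for net in MYNETWORKS)


# Fully qualified hostname (labels joined by dots, alphabetic TLD) and [a.b.c.d].
_HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")
_LITERAL_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def helo_verdict(client_ip, helo_name):
    """Accept or reject a HELO/EHLO argument from a given client address.

    Trusted clients pass unconditionally. Outside clients are rejected when
    they claim one of our names or addresses, or send something that is
    neither a valid fully qualified hostname nor an address literal.
    """
    client = ipaddress.ip_address(client_ip)
    if any(client in net for net in MYNETWORKS):
        return "OK"
    name = helo_name.strip().lower()
    literal = _LITERAL_RE.fullmatch(name)
    if literal:
        if literal.group(1) in OUR_ADDRESSES:
            return "REJECT HELO claims to be this server"
        return "OK"
    if name in OUR_HOSTNAMES:
        return "REJECT HELO claims to be this server"
    if not _HOSTNAME_RE.fullmatch(name):
        return "REJECT invalid HELO hostname"
    return "OK"


# "... by <host> ... id <queue-id>" as Postfix writes it into Received: headers.
_RECEIVED_BY_RE = re.compile(
    r"^Received:\s.*?\bby\s+(?P<by>[\w.-]+)\s.*?\bid\s+(?P<qid>[0-9A-Za-z]+)",
    re.IGNORECASE | re.DOTALL)


def received_header_matches_log(received_header, log_lines):
    """Correlate a reported Received: header with our Postfix log.

    Returns (claims_us, queue_id, seen_in_log). A header that names us as the
    relaying host but whose queue ID never appears in our log was not produced
    by this server: it was forged at the other end.
    """
    m = _RECEIVED_BY_RE.search(received_header)
    if not m:
        return (False, None, False)
    qid = m.group("qid")
    pattern = re.compile(r"postfix/\w+\[\d+\]: " + re.escape(qid) + r":")
    seen = any(pattern.search(line) for line in log_lines)
    return (m.group("by").lower() in OUR_HOSTNAMES, qid, seen)


# Constructed sample data: one genuine delivery in the log, one forged header.
SAMPLE_LOG = [
    "Mar 27 14:55:01 mail postfix/smtpd[2231]: 7F3C21A9B2: "
    "client=mx1.partner.example[198.51.100.7]",
    "Mar 27 14:55:02 mail postfix/cleanup[2235]: 7F3C21A9B2: "
    "message-id=<20020327065501.A1B2@mx1.partner.example>",
]
GENUINE_HEADER = ("Received: from mx1.partner.example (mx1.partner.example "
                  "[198.51.100.7]) by mail.example.com (Postfix) with ESMTP id "
                  "7F3C21A9B2 for <bob@example.com>; Wed, 27 Mar 2002 14:55:01 +0800")
FORGED_HEADER = ("Received: from mail.ru (mail.ru [192.0.2.44]) by mail.example.com "
                 "(Postfix) with ESMTP id 0BADC0FFEE for <victim@example.net>; "
                 "Wed, 27 Mar 2002 15:02:10 +0800")

if __name__ == "__main__":
    for src, ext in (("127.0.0.1", True), ("192.0.2.44", True), ("127.0.0.1", False)):
        print(src, "external" if ext else "internal", "->",
              "DROP" if drop_ingress(src, ext) else "ACCEPT")
    for client, helo in (("192.0.2.44", "mail.ru"), ("192.0.2.44", "mail.example.com"),
                         ("192.0.2.44", "[203.0.113.10]"), ("203.0.113.55", "mail.example.com")):
        print(client, helo, "->", helo_verdict(client, helo))
    for hdr in (GENUINE_HEADER, FORGED_HEADER):
        print(received_header_matches_log(hdr, SAMPLE_LOG))
```

In a real deployment the first check is a packet-filter rule on the external interface (for example `iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP`, one per martian range), and the second corresponds to Postfix's own `smtpd_helo_restrictions` built from `permit_mynetworks`, `check_helo_access` with a map that rejects our hostname and address, and `reject_invalid_hostname` (later renamed `reject_invalid_helo_hostname`). The caveat is that both only protect this server: a spammer who HELOs as our hostname to someone else's MTA never touches our filter, and the third check only lets us prove, from our own log, that a reported message did not pass through here.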
