[plug] nasty spammer

Jeff blazer666 at dingoblue.net.au
Wed Mar 27 15:32:13 WST 2002


You're not running Redhat 6.2 with the original bind, I hope.

On Wed, 2002-03-27 at 15:17, Ben Jensz wrote:
    Hey all,
    
    I was wondering if anyone had any suggestions.
    
    Recently got a report from spamcop.net that spam had come through our mail
    server at work.  Tracked it and it appears some "delightful" person had
    successfully gotten a couple of emails through, by spoofing their packets
    with a source of 127.0.0.1, which Postfix accepted of course.  I shut off
    this measure by dropping packets from private network addresses both at the
    router before it enters the public part of the network and at the machine
    itself, and also made Postfix stop relaying for 127.0.0.1.
    
    I've received some more reports from spamcop.net today about more apparently
    coming from our mail server.  I've investigated Postfix's logs after having
    received the message headers in the email report, and it appears that there
    is nothing in the logs at all to match up with those message headers.
    So that now leaves me with the conclusion that the spammer, having discovered
    our mail server won't relay with their IP spoofing anymore, has now started
    spoofing as if they are our mail server to other mail servers and sending
    spam, using HELO and EHLO hostnames such as "mail.ru" and "yahoo.com".
    
    Anyone got any suggestions on top of what I've already done to stop this
    person using any other methods of fooling our mail server and anything I can
    do to make other mail servers pick up on them now spoofing as being our mail
    server?
    
    TIA :)
    
    
    / Ben
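An added example (not from this thread or from the Postfix project) of the log check Ben describes: take the Received headers out of an abuse report, find the hop that claims to have passed "by" our server, and look its queue id up in our own Postfix logs. A queue id the logs know means the message really was relayed through us, and the matching log line shows which client address it came from; a queue id the logs have never seen means the header was forged by someone pretending to be our server. The hostname mail.example.com, the log lines and the report headers below are all constructed for the illustration.

```python
"""Match the Received headers from an abuse report against local Postfix logs.

Added example, not from the mailing-list thread. Assumptions: Postfix-style
syslog lines and Received headers; our own hostname is OUR_HOST; every sample
line below is constructed for illustration.
"""
import re

OUR_HOST = "mail.example.com"  # assumed hostname of our own Postfix server

# Constructed Postfix log excerpt: exactly one message relayed through us,
# queue id 7D1E2A3B4C, from a client that presented itself as 127.0.0.1.
SAMPLE_LOG = """\
Mar 27 13:02:11 mail postfix/smtpd[2103]: connect from unknown[127.0.0.1]
Mar 27 13:02:12 mail postfix/smtpd[2103]: 7D1E2A3B4C: client=unknown[127.0.0.1]
Mar 27 13:02:12 mail postfix/cleanup[2107]: 7D1E2A3B4C: message-id=<spam1@mail.ru>
Mar 27 13:02:13 mail postfix/qmgr[1990]: 7D1E2A3B4C: from=<x@mail.ru>, size=1402, nrcpt=1 (queue active)
Mar 27 13:02:15 mail postfix/smtp[2110]: 7D1E2A3B4C: to=<victim@example.net>, relay=mx.example.net[192.0.2.25], delay=3, status=sent (250 Ok)
"""

# Constructed headers from two reports: A matches the log above; B claims a
# hop through our server that our logs never recorded.
REPORT_A = """\
Received: from mail.ru (unknown [127.0.0.1])
\tby mail.example.com (Postfix) with SMTP id 7D1E2A3B4C
\tfor <victim@example.net>; Wed, 27 Mar 2002 13:02:12 +0800
Message-Id: <spam1@mail.ru>
"""
REPORT_B = """\
Received: from yahoo.com (mail.example.com [203.0.113.7])
\tby mx.other.example (Postfix) with SMTP id 5F5F5F5F5F
\tfor <someone@other.example>; Wed, 27 Mar 2002 15:01:00 +0800
Received: from yahoo.com (unknown [198.51.100.9])
\tby mail.example.com (Postfix) with SMTP id 9A9A9A9A9A
\tfor <someone@other.example>; Wed, 27 Mar 2002 15:00:58 +0800
Message-Id: <spam2@yahoo.com>
"""

# Postfix log lines carry "<queue id>: <detail>" after the daemon name.
QUEUE_RE = re.compile(r"postfix/\w+\[\d+\]: ([0-9A-F]{6,}): (.*)")
# Applied to an unfolded Received header: HELO name, client info, "by" host, id.
RECEIVED_RE = re.compile(
    r"^Received: from (\S+) \(([^)]*)\)\s+by (\S+) .*?\bid ([0-9A-Za-z]+)",
    re.IGNORECASE,
)


def index_log(log_text):
    """Map each Postfix queue id to the log details recorded for it."""
    index = {}
    for line in log_text.splitlines():
        m = QUEUE_RE.search(line)
        if m:
            index.setdefault(m.group(1), []).append(m.group(2))
    return index


def unfold_headers(raw):
    """Join continuation lines (leading whitespace) so each header is one string."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def hops_claiming_our_host(raw_headers):
    """Return (helo, client_info, queue_id) for every Received hop 'by' OUR_HOST."""
    hops = []
    for header in unfold_headers(raw_headers):
        m = RECEIVED_RE.match(header)
        if m and m.group(3).lower() == OUR_HOST:
            hops.append((m.group(1), m.group(2), m.group(4)))
    return hops


def classify_report(raw_headers, log_index):
    """'relayed' if our logs know a claimed queue id, 'forged' if they know
    none of them, 'none' if no hop even claims to have passed through us."""
    hops = hops_claiming_our_host(raw_headers)
    if not hops:
        return "none", []
    findings = [("relayed" if qid in log_index else "forged", qid, client)
                for _helo, client, qid in hops]
    verdict = "relayed" if any(f[0] == "relayed" for f in findings) else "forged"
    return verdict, findings


if __name__ == "__main__":
    idx = index_log(SAMPLE_LOG)
    for name, report in (("A", REPORT_A), ("B", REPORT_B)):
        print(name, classify_report(report, idx))
```

Only the hop our own server wrote is worth checking; everything above it in the header chain was written by other machines and can say anything. A "forged" verdict also depends on the logs still covering the date in the header, so keep mail logs for at least as long as abuse reports take to arrive.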
    