Hi all,
I am running several Debian Sarge servers with qmail + SMTP auth. However, I am seeing large amounts of spam mail passing through the servers that appears to be coming via SMTP. So far the only characteristic I've found in common with the mails is that they all use a spoofed FROM: address using one of the IP addresses for that server.
So far the angles I've covered are: it's not using the server's address as a spoofed IP (have blocked this at the F/W); it's not being injected locally (as far as I can tell); and I think the idea that there is a compromised mail account that's being used to send via the auth is unlikely, since it's affecting ALL our servers, including our storemail server, which has no mail accounts. Really starting to run out of ideas on how this is getting into the MTA!
I've included the headers of one such mail below (I have edited our server IP out).
regards,
Andrew
Received: (qmail 27535 invoked by uid 1008); 5 Jul 2006 05:33:30 -0000
Received: from 202.8.87.185 by bfb001 (envelope-from <a214g326pp@[server ip here]>, uid 1002) with qmail-scanner-1.25st
(clamdscan: 0.84/1539. spamassassin: 3.0.3. perlscan: 1.25st.
Clear:RC:0(202.8.87.185):SA:1(6.8/5.0):.
Processed in 4.327631 secs); 05 Jul 2006 05:33:30 -0000
X-Spam-Status: Yes, hits=6.8 required=5.0
X-Spam-Level: ++++++
X-Qmail-Scanner-Mail-From: a214g326pp@[server ip here] via bfb001
X-Qmail-Scanner: 1.25st (Clear:RC:0(202.8.87.185):SA:1(6.8/5.0):. Processed in 4.327631 secs Process 27505)
Received: from ppp-202.8.87.185.revip.proen.co.th (HELO ameillpu-7jat6i) (webmaster@202.8.87.185)
by bfb001.[server domain here] with SMTP; 5 Jul 2006 05:33:26 -0000
From: "mojxks" <A214G326pp@[server ip here]>
Subject: SPAM *** =?GB2312?B?usNfzsRfubJfyc0=?=
To: xudidan@yeah.net
Content-Type: TEXT/HTML
Date: Wed, 5 Jul 2006 13:33:50 +0800
X-Mailer: Microsoft Outlook, Build 10.0.2616
X-Qmail-Scanner-1.25st: added fake MIME-Version header
MIME-Version: 1.0
X-Qmail-Scanner-Message-ID: <115207760789427505@bfb001>
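The headers above can be read mechanically rather than by eye. The following is an added example, not part of Andrew's post and not code from qmail or qmail-scanner: it unfolds the headers, picks out the Received line stamped by qmail-smtpd (the hop at which a message enters the MTA over the network) and the qmail-scanner envelope-from annotation, and reports how the message got in. It assumes the qmail-smtpd Received format `from <rdns> (HELO <helo>) (<tcpremoteinfo>@<ip>) by <host> with <proto>`, and it assumes the qmail-smtpd-auth patch's behaviour of writing the authenticated username into the tcpremoteinfo slot after a successful AUTH; in unpatched qmail that slot carries the RFC 1413 ident reply instead, so treat that finding as a lead to confirm against the auth logs, not as proof. The sample header is a constructed copy of the one posted, with the RFC 5737 address 192.0.2.10 and the name example.net standing in for the edited-out server IP and domain.

```python
import re

# Constructed sample: the posted headers with the server IP/domain replaced
# by 192.0.2.10 / example.net (placeholders, not the real values).
SAMPLE_HEADERS = """\
Received: (qmail 27535 invoked by uid 1008); 5 Jul 2006 05:33:30 -0000
Received: from 202.8.87.185 by bfb001 (envelope-from <a214g326pp@192.0.2.10>, uid 1002) with qmail-scanner-1.25st
 (clamdscan: 0.84/1539. spamassassin: 3.0.3. perlscan: 1.25st.
 Clear:RC:0(202.8.87.185):SA:1(6.8/5.0):.
 Processed in 4.327631 secs); 05 Jul 2006 05:33:30 -0000
Received: from ppp-202.8.87.185.revip.proen.co.th (HELO ameillpu-7jat6i) (webmaster@202.8.87.185)
 by bfb001.example.net with SMTP; 5 Jul 2006 05:33:26 -0000
From: "mojxks" <A214G326pp@192.0.2.10>
To: xudidan@yeah.net
"""


def unfold(raw):
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


# Assumed qmail-smtpd stamp: "from <rdns> (HELO <helo>) (<remoteinfo>@<ip>) by <host> with <proto>;"
# The "<remoteinfo>@" part is absent when qmail-smtpd had no tcpremoteinfo to record.
QMAIL_SMTPD = re.compile(
    r"^Received: from (?P<rdns>\S+) \(HELO (?P<helo>[^)]*)\) "
    r"\((?:(?P<remoteinfo>[^@)]*)@)?(?P<ip>[\d.]+)\) by (?P<by>\S+) with (?P<proto>\S+);"
)
# qmail-scanner's own annotation of the envelope sender.
ENVFROM = re.compile(r"envelope-from <(?P<addr>[^>]*)>")


def parse_entry_hop(raw):
    """Return the fields of the topmost qmail-smtpd Received line, i.e. the
    point where this MTA accepted the message over SMTP, or None if there is
    no such line (the message never came in over the network)."""
    for line in unfold(raw):
        m = QMAIL_SMTPD.match(line)
        if m:
            hop = m.groupdict()
            hop["remoteinfo"] = hop["remoteinfo"] or ""
            return hop
    return None


def envelope_from(raw):
    """Envelope sender as recorded by qmail-scanner, or None if not annotated."""
    for line in unfold(raw):
        m = ENVFROM.search(line)
        if m:
            return m.group("addr")
    return None


def analyze(raw, own_names):
    """Return a list of findings describing how the message entered the MTA.
    own_names: the server's own IP addresses and hostnames, lower-cased."""
    findings = []
    hop = parse_entry_hop(raw)
    if hop is None:
        findings.append("no qmail-smtpd Received line: injected locally "
                        "(qmail-inject/qmail-queue), not over SMTP")
        return findings
    findings.append("entered over %s from %s (rDNS %s, HELO %s)"
                    % (hop["proto"], hop["ip"], hop["rdns"], hop["helo"]))
    if hop["remoteinfo"]:
        # Assumption (qmail-smtpd-auth patch): this slot is the AUTH username.
        findings.append("tcpremoteinfo is '%s': with qmail-smtpd-auth this is the "
                        "authenticated username, so audit that account"
                        % hop["remoteinfo"])
    else:
        findings.append("tcpremoteinfo empty: no SMTP AUTH user recorded for the session")
    if "." not in hop["helo"]:
        findings.append("HELO '%s' is not a FQDN" % hop["helo"])
    env = envelope_from(raw)
    if env and env.rsplit("@", 1)[-1].lower() in own_names:
        findings.append("envelope sender %s uses this server's own address as its domain"
                        % env)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_HEADERS, {"192.0.2.10", "bfb001.example.net"}):
        print("-", f)
```

Run against the posted header, the entry hop is the third Received line: the message came in over plain SMTP from 202.8.87.185 with a non-FQDN HELO, the tcpremoteinfo slot holds `webmaster`, and the envelope sender's domain is the server's own IP. Feeding the same function a message with only a `(qmail ... invoked by uid ...)` line reports local injection instead, which is the check for the "injected locally" angle. To make the reading of `webmaster` conclusive, match the timestamp against the qmail-smtpd/tcpserver logs for that session.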