From: Josh Cason on 26 Mar 2010 00:13

I don't have time to post a lot more info since I'm off of work on Friday. But going back and looking at my log, I thought of a question a few months ago, but had no place to ask.

We are behind a firewall that is doing NAT translation. I got the impression that when this spam hits, it looks like it is originating from the server. At least the server IP address. Then going out. Do I need to use a proxy setting in main.cf to tell it my outside public IP number for that server? I ignored it since it seemed more for backup MX servers.

As for my posting of my main.cf file, it does look better than posted. I'm going between a Linux box and a winderz machine, so they look messed up sometimes.

I also saw what part of that I got off from the mail log with the -v. The message in the queue got renumbered via rules. So when I type grep the original message. In this case as listed above. It lists the server IP number as coming in with some outside e-mail address we don't have.

Thanks,

Josh

From: brian moore on 26 Mar 2010 12:56

On Thu, 25 Mar 2010 22:13:05 -0600
Josh Cason <jocaso(a)mychoice.cc> wrote:

> So when I type grep the original message. In this case as
> listed above. It lists the server IP number as coming in with some
> outside e-mail address we don't have.

If it's coming from the server IP or localhost, you've most likely got some naughty CGI/PHP/whatever script on your server generating it. (Or someone has a shell account and is doing it, but that's rare these days.)

Is there a web server on this machine? Do you allow users to run PHP or CGI? Are you running a webmail package of some sort and have users that think it's wise to send their credentials to Nigeria?

Look at log entries in your web server access logs to see if someone is loading a suspicious-looking page around this time (grep for 'POST' in the logs to narrow it down).
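
The access-log check suggested in the reply above, as an added example that is not part of the original thread: it lists POST requests within a few minutes of the time the spam entered the mail queue and counts them per client IP and script. It assumes Apache combined log format; the log lines, paths, addresses and the queue time are constructed sample values.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (not from the thread).
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [25/Mar/2010:21:40:02 -0600] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Mar/2010:22:12:41 -0600] "POST /cgi-bin/contact.cgi HTTP/1.1" 200 312 "-" "-"
203.0.113.7 - - [25/Mar/2010:22:12:58 -0600] "POST /cgi-bin/contact.cgi HTTP/1.1" 200 312 "-" "-"
198.51.100.23 - - [25/Mar/2010:22:13:30 -0600] "GET /webmail/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [25/Mar/2010:22:14:05 -0600] "POST /webmail/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Mar/2010:23:45:00 -0600] "POST /cgi-bin/contact.cgi HTTP/1.1" 200 312 "-" "-"
"""

TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
# Time the spam entered the queue, as read from the mail log (constructed value).
SPAM_TIME = datetime.strptime("25/Mar/2010:22:13:00 -0600", TS_FORMAT)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def posts_near(log_text, spam_time, window_minutes=5):
    """Return (timestamp, ip, path, status) for POSTs within the window of spam_time."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        if abs(ts - spam_time) <= window:
            hits.append((ts, m.group("ip"), m.group("path").split("?")[0], int(m.group("status"))))
    return hits


def summarize(hits):
    """Count POSTs per (client IP, script path), most frequent first."""
    return Counter((ip, path) for _, ip, path, _ in hits).most_common()


if __name__ == "__main__":
    for (ip, path), n in summarize(posts_near(SAMPLE_ACCESS_LOG, SPAM_TIME)):
        print(f"{n:3d}  {ip:15s}  {path}")
```

A script that is POSTed to repeatedly from one address just before each spam run is the first place to look; the mail log and the web server must be compared in the same timezone.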