>The messages look like they were sent from the local server (127.0.0.1)
>which another reader has indicated is a flaw in the 6.0x version of IMail
>in that it will allow any e-mail to be forwarded with this ip address.
No, that's incorrect, actually. No version of IMail that I know of will
accept mail from 127.0.0.1 (or any other IP address), unless it is supposed
to (i.e. it is an open relay, or you have told it that IP address is OK).
The IP issue is that someone could spoof the IP address, in which case (as
Len mentioned) you would need to block IP spoofing at the gateway. That's
not an IMail issue.
The problem you are having is that 127.0.0.1 is the "loopback" IP address,
meaning that the spammer is sending the mail FROM YOUR SERVER. He is not
simply connecting to your server with a mail client (in which case it would
show the IP address of the mail client). He is using software running on
your server to send the mail.
>How it happened is another question. It has been suggested by two people this
>may be because there is a formmail.pl file or equivalent on one of the web
>sites we host. I will search for this as there ARE a couple that we do not
>control.
That's one of the dangers of web hosting.
> >>We can't assume that 206.159.55.2 is really the IP address that sent the
>E-mail.<<
>Not the original sender. BUT it hit the internet from this IP address and
>that is how they traced it back and our logs confirm the messages came
>through us if they did not originate there.
And it sounds like it did originate at your mail server. But that
206.159.55.2 is completely untrusted, as with the rest of the headers they
sent. The information they sent was exactly as useful as if some random
person on the Internet sent an E-mail that simply said "You spammed me".
In this case, you should take it seriously, because you know that spam was
sent out. But normally, you would need more information before justifying
taking the time to research the problem.
> >>The other is why someone sent you an E-mail that was missing headers, and
>whether or not that E-mail really came through your
>server.<<
>
> From what I have seen so far, NONE of the senders had anything more than
>what you saw.
That would happen if the spammer was running his own spamware on your
server (such as a Perl script), that was connecting directly to the remote
mail servers. That's a fairly common spam tactic.
But, that still doesn't account for why they made it into your log
file. Unless, perhaps, the spamware tries connecting directly, but if it
can't, it sends it to the local mail server. That would be pretty smart.
In any case, the prime suspect is a rogue CGI program (or a trojan horse
that a hacker installed), some sort of program that is sending the mail
out. You'll need to check the IIS logs to find it. The first thing to
search for is logs of POST actions that are >20K or so in length (the ones
I've seen are usually about 80K).
-Scott
---
Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for
IMail. http://www.declude.com
---
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
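The log check Scott describes above (search the IIS logs for POST requests whose request size is over 20K or so) is easy to automate. The script below is an added example, not code from the thread or from Declude or Ipswitch. It parses IIS W3C extended format using the standard field names the #Fields line declares, and flags POSTs whose cs-bytes (bytes sent by the client) exceed the threshold, then tallies them by client IP and script path so the abused form handler stands out. The log lines are constructed for illustration; the 20,000-byte threshold is the heuristic from the post and can be changed. Caveat: cs-bytes is an optional W3C field; if it was not enabled on the server the column is absent and nothing will match, so check the #Fields line first.

```python
"""Flag large POST requests in IIS W3C extended logs (added example, not from the thread)."""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample log, not a real capture. Field names are the standard
# W3C extended names that IIS writes on its #Fields line.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-01-15 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes
2003-01-15 00:01:02 10.1.2.3 GET /index.htm - 200 4521 312
2003-01-15 00:03:11 10.1.2.3 POST /cgi-bin/contact.pl - 200 890 1473
2003-01-15 01:17:40 203.0.113.7 POST /cgi-bin/formmail.pl - 200 215 82014
2003-01-15 01:17:55 203.0.113.7 POST /cgi-bin/formmail.pl - 200 215 81977
2003-01-15 02:00:09 198.51.100.9 POST /scripts/upload.asp - 200 90 24100
"""

LARGE_POST_THRESHOLD = 20_000  # bytes; Scott's rule of thumb (he saw ~80K in practice)


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields names.

    Directive lines (#Software, #Date, ...) are skipped; the #Fields line may
    appear more than once in a real log (IIS rewrites it when the field set
    changes), so it is re-read whenever it is seen.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if not fields:
            raise ValueError("data line encountered before any #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        records.append(dict(zip(fields, parts)))
    return records


def large_posts(records: List[Dict[str, str]],
                threshold: int = LARGE_POST_THRESHOLD) -> List[Dict[str, str]]:
    """Return POST records whose request body (cs-bytes) exceeds threshold."""
    hits = []
    for rec in records:
        if rec.get("cs-method") != "POST":
            continue
        try:
            size = int(rec.get("cs-bytes", "-"))
        except ValueError:
            continue  # cs-bytes is "-" or missing when that field is not logged
        if size > threshold:
            hits.append(rec)
    return hits


def summarize(hits: List[Dict[str, str]]) -> Counter:
    """Count large POSTs per (client IP, script path) so the abused CGI stands out."""
    return Counter((h["c-ip"], h["cs-uri-stem"]) for h in hits)


def scan_log_text(text: str, threshold: int = LARGE_POST_THRESHOLD) -> Counter:
    """Convenience wrapper: parse, filter and summarize in one call."""
    return summarize(large_posts(parse_w3c(text.splitlines()), threshold))


if __name__ == "__main__":
    for (ip, path), n in scan_log_text(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {ip:15s}  {path}")
```

Run it against the real log directory with something like `scan_log_text(open(path).read())` per file; the entries with the highest counts from a single client IP are the first place to look for a formmail-style script or a dropped trojan.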