Borja

I am pretty sure of it. After I blocked the IP address, the spam stopped coming. It is no coincidence that 113.167.239.162 resolves to localhost (see: http://remote.12dt.com/ for confirmation).

I am fairly certain that our mail server has not been hacked.

Regards

Jamie


On 2013/02/26 1:19 PM, Borja Marcos wrote:
On Feb 26, 2013, at 11:32 AM, Jamie wrote:

Hi

Earlier today I noticed a spammer using my Postfix server as a relay to send
out spam. This was puzzling because I had all requisite anti-relay host
settings applied. Further, it was particularly alarming that Postfix seemed to
be receiving the spam messages from localhost as indicated:

connect from localhost.localdomain[127.0.0.1]

Are you sure of that? I assume that Postfix is getting the peer IP address from
the socket, _not_ doing a lookup of the HELO name offered by the SMTP client,
as that would be useless and confusing.

Do you have any web server/PHP stuff on the same machine that might have been
exploited instead? That would make the SMTP connection actually come from
127.0.0.1.




Borja.
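
The point under discussion, which part of a `connect from name[address]` line identifies the client, can be checked mechanically: Postfix's smtpd logs the TCP peer address in the brackets, and the name in front of it comes from DNS. The following is an added example, not code from either participant in this thread; the sample log lines, the host name `mx` and the verdict labels are constructed for illustration.

```python
import ipaddress
import re

# smtpd logs the client as name[address]. The bracketed address is the TCP
# peer address; the name comes from DNS and is not proof of origin.
CONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: connect from (?P<name>[^\[\s]+)\[(?P<addr>[^\]]+)\]")

LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample lines (PIDs and host "mx" are made up; 192.0.2.10 is a
# documentation address). The third line exists only to exercise the
# name/address mismatch branch.
SAMPLE_LOG = """\
Feb 26 09:12:01 mx postfix/smtpd[2101]: connect from localhost.localdomain[127.0.0.1]
Feb 26 09:12:07 mx postfix/smtpd[2104]: connect from unknown[192.0.2.10]
Feb 26 09:12:09 mx postfix/smtpd[2107]: connect from localhost[192.0.2.10]
Feb 26 09:12:15 mx postfix/smtpd[2110]: connect from localhost[::1]
Feb 26 09:12:20 mx postfix/qmgr[1999]: 3F2A1: removed
"""

def classify(line):
    """Return (name, addr, verdict) for a connect line, or None otherwise."""
    m = CONNECT_RE.search(line)
    if not m:
        return None
    name, addr = m.group("name"), m.group("addr")
    try:
        loopback = ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return name, addr, "unparsed-address"
    if loopback:
        # Connection was opened on this host: look at local web apps, cron
        # jobs and local accounts rather than at relay restrictions.
        verdict = "local-origin"
    elif name.lower() in LOCAL_NAMES:
        # Local-looking name on a remote socket address: trust the address.
        verdict = "remote-with-local-name"
    else:
        verdict = "remote"
    return name, addr, verdict

def summarize(log_text):
    """Classify every smtpd connect line in a block of log text."""
    return [r for r in map(classify, log_text.splitlines()) if r]

if __name__ == "__main__":
    for name, addr, verdict in summarize(SAMPLE_LOG):
        print(f"{addr:<15} {name:<22} {verdict}")
```
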

