> From:  Charles Cazabon <[EMAIL PROTECTED]>
> Date:  Wed, 6 Jun 2001 15:19:21 -0600
>
> Chris Garrigues <[EMAIL PROTECTED]> wrote:
> > I've got this in my queue:
> > 
> > 5 Jun 2001 14:44:17 GMT  #48256  5651  <[EMAIL PROTECTED]> 
> >         remote  [EMAIL PROTECTED]
> >   done  remote  [EMAIL PROTECTED]
> >   done  remote  [EMAIL PROTECTED]
> >         remote  [EMAIL PROTECTED]
> >   done  remote  [EMAIL PROTECTED]
> >   done  remote  [EMAIL PROTECTED]
> >         remote  [EMAIL PROTECTED]
> >   done  remote  [EMAIL PROTECTED]
> >         remote  [EMAIL PROTECTED]
> >         remote  [EMAIL PROTECTED]
> >   done  remote  [EMAIL PROTECTED]
> >   done  remote  [EMAIL PROTECTED]
> >         remote  [EMAIL PROTECTED]
> >         remote  [EMAIL PROTECTED]
> > 
> > Neither mail.com nor mindless.com are my domains 
> 
> Okay so far.
> 
> > [root@austin-jump network-scripts]# more /etc/qmail/control/rcpthosts 
> 
> [no mindless.com]
> 
> > my smtp.cdb contains:
> > 
> > 10.:allow,RELAYCLIENT=""
> > :allow
> 
> 
> > Looking at the guts of the message in the queue, I find:
> [...] 
> > Received: (qmail 2993 invoked by uid 104); 5 Jun 2001 14:44:17 -0000
> > Received: from [EMAIL PROTECTED] by austin-jump.vircio.com with
> > qmail-scanner- 0.90 (uvscan: v4.1.20/v4127. . Clean. Processed in 3.91906
> 5
> > secs); 05/06/2001 09 :44:13
> > Received: from pppa16-resaleeasternmab1-3r7830.dialinx.net (HELO
> > oemcomputer???1
> > 02.74.4.25???by?mtiwmhc08.worldnet.att.net??InterMail?v03.02.07.07?118-13
> 4??with
> > ?SMTP?id??20000116195506.ZOOK28505@oemcomputer??from?worldnet.att.net???1
> 2.77.19
> > 4.15???by?mtiwmhc03.worldnet.att.netmindspring??user-3qt5hn.dialup.mindsp
> ring.co
> > m?99.174.150.55???by?smtp6.mindspring.com??8.9.3/8.8.5??with?SMTP?id?OAA0
> 6398??f
> > rom?110140321worldnet.att.net???102.70.21.32???by?mtiwmhc98.worldnet.att.
> net??In
> > terMail?v03.02.07.07?118-134??with?SMTP?id?20090116195452.ZOMX28505@11094
> 0321wor
> [...]
> 
> That's a lot of garbage.  It's either the world's worst attempt at forging
> Received: headers, or perhaps qmail-scanner is broken in this instance?  Any
> other rewriting going on?

No.

> > so it appears that the message arrived from 
> > pppa16-resaleeasternmab1-3r7830.dialinx.net at 4.45.125.13.
> 
> I didn't get that far in the headers; there appeared to be a lot more garbage,
> so I'm not sure I agree with you.

If you look at the line with all the garbage, and remove the stuff in the 
first parenthesis, you get:

Received: from pppa16-resaleeasternmab1-3r7830.dialinx.net () ([4.45.125.13]) 
(envelope-sender <[EMAIL PROTECTED]>)
          by 216.30.106.234 (qmail-ldap-1.03) with SMTP
          for <[EMAIL PROTECTED]>; 5 Jun 2001 14:44:12 -0000

which was written by qmail.  I did a reverse lookup of 
pppa16-resaleeasternmab1-3r7830.dialinx.net myself getting 4.45.125.13 just 
like qmail.

> > I don't know why this wasn't rejected by tcpcontrol.
> 
> You aren't rejecting anything with tcpserver; you're accepting all
> connections.  How it got relayed is another matter.

Er, yeah.  I meant qmail-smtpd.

> To trace this, you need to find the qmail qid in this message, then go through
> your qmail-send logs to find out where this message originated and how.  Based
> on the timestamp you find there for "new msg ...", look in your qmail-smtpd
> logs.  That will tell you exactly where the message originated.

Unfortunately, I blew away my qmail log recently because it filled my /var to 
100%.  :-(  

In hindsight I think this happened because I was relaying SPAM.

> Perhaps you have a CGI script which sends mail, and contains a security hole?

Not on this box.

> Or something else is letting people into your 10. address space?

Maybe.


-- 
Chris Garrigues                 http://www.DeepEddy.Com/~cwg/
virCIO                          http://www.virCIO.Com
4314 Avenue C                   
Austin, TX  78751-3709          +1 512 374 0500

  My email address is an experiment in SPAM elimination.  For an
  explanation of what we're doing, see http://www.DeepEddy.Com/tms.html 

    Nobody ever got fired for buying Microsoft,
      but they could get fired for relying on Microsoft.


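As an added example (not code from this thread), the triage the reply describes: recover the origin IP and envelope recipient from the qmail-ldap Received line, then check whether qmail-smtpd should have accepted it, given rcpthosts and the tcpserver rules quoted above. The rcpthosts contents and the sender/recipient addresses are constructed placeholders, since the page does not show them.

```python
import re

# Constructed sample: the qmail-ldap Received line recovered in the thread,
# with the redacted addresses replaced by placeholder values.
SAMPLE_RECEIVED = (
    "Received: from pppa16-resaleeasternmab1-3r7830.dialinx.net () ([4.45.125.13]) "
    "(envelope-sender <sender@example.invalid>) by 216.30.106.234 (qmail-ldap-1.03) "
    "with SMTP for <someone@mindless.com>; 5 Jun 2001 14:44:12 -0000"
)

# Assumed stand-in for /etc/qmail/control/rcpthosts (the real file is not shown).
RCPTHOSTS = ["vircio.com", "deepeddy.com"]
# The two tcpserver rules quoted on the page.
TCP_RULES = ['10.:allow,RELAYCLIENT=""', ":allow"]

RECEIVED_RE = re.compile(
    r"from (?P<helo>\S+) \((?P<rdns>[^)]*)\) \(\[(?P<ip>[\d.]+)\]\)\s*"
    r"\(envelope-sender <(?P<sender>[^>]*)>\)\s*by (?P<by>\S+) .*?"
    r"for <(?P<rcpt>[^>]+)>"
)

def parse_received(line):
    """Split a qmail-ldap Received line into its named fields."""
    m = RECEIVED_RE.search(line)
    if not m:
        raise ValueError("not a qmail-ldap Received line")
    return m.groupdict()

def relay_client_allowed(ip, rules):
    """True if tcpserver would set RELAYCLIENT for this peer IP.
    Lookup order mirrors tcprules: exact IP, then shorter dotted
    prefixes, then the empty default key."""
    table = dict(r.partition(":")[::2] for r in rules)
    octets = ip.split(".")
    candidates = [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for key in candidates:
        if key in table:
            return "RELAYCLIENT" in table[key]
    return False  # no matching rule: nothing sets RELAYCLIENT

def classify(line, rcpthosts, rules):
    """Explain why qmail-smtpd accepted the message for its recipient."""
    h = parse_received(line)
    domain = h["rcpt"].rsplit("@", 1)[-1].lower()
    if any(domain == d or domain.endswith("." + d) for d in rcpthosts):
        return "local-delivery"
    if relay_client_allowed(h["ip"], rules):
        return "relay-by-client-rule"
    # Foreign domain from a peer that should not get RELAYCLIENT: worth tracing
    return "unexpected-relay"
```

A result of "unexpected-relay" is the case in this thread, and points at the qmail-smtpd logs for that IP and timestamp rather than at the tcpserver rules.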