My admin mailbox has been filling up with bounces from aol.com -
obvious SPAM that appears to have originated from my qmail system (running
ucspi-tcp-0.88 and daemontools-0.70). Here's my rather simple config for
tcpserver:
127.0.0.1:allow,RELAYCLIENT=""
206.75.255.:allow,RELAYCLIENT=""
10
At 08:55 PM 5/17/01, Roger Walker wrote:
> My admin mailbox has been filling up with bounces from
> aol.com -
>obvious SPAM that appears to have originated from my qmail system
>(running
>ucspi-tcp-0.88 and daemontools-0.70. Here's my rather simple config
>for
>tcpserver:
>
>127.0.0.1:a
A better idea would be for the original poster to post the logs as proof
that there is a relay happening, and if we're lucky some headers and the smtp
logs too.
-- Tim
----- Original Message -----
From: "Todd Finney" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, M
Roger Walker wrote:
>
> My admin mailbox has been filling up with bounces from aol.com -
> obvious SPAM that appears to have originated from my qmail system
I am curious about that because recently I got a bounce from aol that
said that they don't accept mails anymore from mailservers wi
On Thu, 17 May 2001, Todd Finney wrote:
> At 08:55 PM 5/17/01, Roger Walker wrote:
> >tcpserver:
> >
> >127.0.0.1:allow,RELAYCLIENT=""
> >206.75.255.:allow,RELAYCLIENT=""
> >10.:allow,RELAYCLIENT=""
> >:allow
> >
> > The first line is for localhost, the second for my class 'C',
> > the
>
On Fri, 18 May 2001, Caspar Bothmer wrote:
> Roger Walker wrote:
> >
> > My admin mailbox has been filling up with bounces from aol.com -
> > obvious SPAM that appears to have originated from my qmail system
>
> I am curious about that because recently I got a bounce from aol that
> said
On Thu, May 17, 2001 at 10:32:41PM -0600, Roger Walker wrote:
> I understand completely. I administer mail servers for a major
> ISP, so the principles are not a problem. I run qmail on my own servers,
> but there could always be something that I'm overlooking in the config. I
> know it sur
On Thu, May 17, 2001 at 08:47:46PM -0400, Todd Finney wrote:
> At 08:55 PM 5/17/01, Roger Walker wrote:
> >:allow
> Doesn't that last allow line cause an open relay?
NO! The last :allow is needed for other Mailservers delivering mail to your
domains listed in rcpthosts. Unless RELAYCLIENT is set
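One way to see why the trailing `:allow` is not by itself an open relay, as an added example that is not code from this thread, from qmail or from ucspi-tcp: a small Python model of tcpserver's rule lookup (exact IP, then shorter dotted prefixes, then the default) followed by qmail-smtpd's RCPT TO decision, using the rules quoted above and a constructed rcpthosts list (example.com is an assumption). It also shows the real failure mode, a missing rcpthosts file, which qmail-smtpd treats as "accept everything".

```python
RULES = """
127.0.0.1:allow,RELAYCLIENT=""
206.75.255.:allow,RELAYCLIENT=""
10.:allow,RELAYCLIENT=""
:allow
"""
# Constructed rcpthosts; a leading dot matches any subdomain, as in qmail-smtpd.
RCPTHOSTS = ["example.com", ".example.com"]


def parse_rules(text):
    """Parse tcprules-style lines into {address_prefix: (action, env)}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, rest = line.partition(":")
        action, *pairs = rest.split(",")
        env = {k: v.strip('"') for k, _, v in (p.partition("=") for p in pairs)}
        rules[addr] = (action, env)
    return rules


def lookup(rules, ip):
    """tcpserver order: exact IP, then each shorter dotted prefix, then ''."""
    octets = ip.split(".")
    keys = [ip] + [".".join(octets[:n]) + "." for n in range(3, 0, -1)] + [""]
    for key in keys:
        if key in rules:
            return key, rules[key]
    return None, ("deny", {})


def in_rcpthosts(domain, rcpthosts):
    """qmail-smtpd: exact entry, or '.parent' entry matching any subdomain."""
    domain = domain.lower()
    return any(domain.endswith(e) if e.startswith(".") else domain == e
               for e in (x.lower() for x in rcpthosts))


def relay_allowed(rules, rcpthosts, client_ip, rcpt_domain):
    """Model qmail-smtpd's RCPT TO decision; rcpthosts=None means no file."""
    key, (action, env) = lookup(rules, client_ip)
    if action != "allow":
        return False, f"connection refused by rule {key!r}"
    if "RELAYCLIENT" in env:           # relay anywhere: only for trusted nets
        return True, f"RELAYCLIENT from rule {key!r}"
    if rcpthosts is None:              # missing file = accept everything
        return True, "no rcpthosts: open relay"
    if in_rcpthosts(rcpt_domain, rcpthosts):
        return True, "local domain in rcpthosts"
    return False, "553 sorry, that domain isn't in my list of allowed rcpthosts"
```

An unknown host (192.0.2.7) hits the default `:allow` rule, gets no RELAYCLIENT, and can only deliver to domains in rcpthosts; the same host relays freely only if rcpthosts is absent, which is the misconfiguration worth checking before suspecting tcpserver.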
At 04:47 AM 5/18/01, Henning Brauer wrote:
>On Thu, May 17, 2001 at 08:47:46PM -0400, Todd Finney wrote:
> > At 08:55 PM 5/17/01, Roger Walker wrote:
> > >:allow
> > Doesn't that last allow line cause an open relay?
>
>NO! The last :allow is needed for other Mailservers delivering mail to
>your
>
On Fri, May 18, 2001 at 06:53:30AM -0400, Todd Finney wrote:
> At 04:47 AM 5/18/01, Henning Brauer wrote:
> >On Thu, May 17, 2001 at 08:47:46PM -0400, Todd Finney wrote:
> > > At 08:55 PM 5/17/01, Roger Walker wrote:
> > > >:allow
> > > Doesn't that last allow line cause an open relay?
> >NO! The
On 18 May 2001, Mark Delany wrote:
> So you are saying that you've checked the qmail-send logs and there is
> no injection that matches the headers of the bounce? Are you sure?
>
> If you found a match, then the uid trail will tell you who did it.
The log portion I supplied is indicative
On 18 May 2001, John R. Levine wrote:
> Any chance it's coming from formmail.pl or a similar insecure CGI?
> That seems a lot more likely than spam sneaking in via SMTP.
Actually, that thought just occurred to me this morning. I was
talking with the other person who has access to the syst
On Fri, May 18, 2001 at 06:55:59AM -0600, Roger Walker wrote:
> On 18 May 2001, Mark Delany wrote:
>
> > So you are saying that you've checked the qmail-send logs and there is
> > no injection that matches the headers of the bounce? Are you sure?
> >
> > If you found a match, then the uid trail w
This would seem to be the conclusive evidence that the formmail
was the back door to allow the relay, although I'm not immediately sure
how it was done - check the bottom of the message...
The IP is for mail-in.namezero.com, which also happens to be the
MX for spammah.com. I don't
On 18 May 2001, Mark Delany wrote:
> > The log portion I supplied is indicative of all of the stuff
> > related to the aol mail. The PID associated with those messages was not
> > there when I became aware of what was happening, so I can't definitively
> > trace it.
>
> UID != PID
So
On Fri, May 18, 2001 at 08:37:37AM -0600, Roger Walker wrote:
> > UID != PID
>
> Sorry, I was distracted. The UID was for apache, further evidence
> that this was done through a formmail script.
Ok... And what did your apache logs say at the time? They are logging
IP addresses, right?
> H
On 18 May 2001, Mark Delany wrote:
> Ok... And what did your apache logs say at the time? They are logging
> IP addresses, right?
I had to disappear for some other commitments, so I was gone for a
few hours :-)
I've removed the form completely. I'll have to do up another
script