Jon-Paul Kelly wrote:
I just received around 2000 bounce messages from various servers rejecting messages (supposedly) coming from my email address. This has happened to me before but not on this scale. Any ideas on how to tell if this is just a joe job or if someone has actually used my server as a spam sending platform?

The first thing to do is look at the bounces to see whether your IP address is listed anywhere. If none of them mention your server, either in the original Received headers on the rejected message or in the bounce notice itself, you can be confident that it was just a forged sender.

If it does list your server, you'll need to look more closely. Is it the immediate sender (the one that connected to the server issuing the rejection)? If so, you've got problems. Is it further down in the Received chain? In that case, it could also be forged, and you'll have to keep looking.

You can also look at your mail logs, in case they found a hole in your relay config or something. Though if the system is actually hacked, they could send using their own SMTP engine, bypassing your mail queue, and the messages probably wouldn't be logged.

Hope this helps.

--
Kelson Vibber
SpeedGate Communications <www.speed.net>

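As an added example, not part of the original exchange, here is a Python script that applies the triage above to a batch of bounces: it pulls the rejected message out of each DSN, reads its Received chain newest-first, and reports whether our server never appears (forged sender), appears as the host that connected to the rejecting server (a real problem), or only appears in an older hop (possibly forged, keep looking). The hostname and IP in OUR_HOSTS, the sample bounces and every Received line in them are constructed for the example.

```python
import email
import re
from email import policy

# Assumed, constructed for this example: the hostname and public IP of the
# server whose address appears as the sender of the bounced messages.
OUR_HOSTS = ("mail.example.net", "203.0.113.5")

# "from <sending host> by <receiving host>" is the part of a Received: header
# that names the machine which actually made the SMTP connection.
FROM_CLAUSE_RE = re.compile(r"\bfrom\s+(.*?)\s+by\b", re.S)


def names_our_server(text):
    """True if one of our hostnames/IPs appears as a whole token in text
    (so 203.0.113.5 does not match 203.0.113.50)."""
    return any(re.search(r"(?<![\w.])" + re.escape(h) + r"(?![\w.])", str(text))
               for h in OUR_HOSTS)


def embedded_original(bounce):
    """Return the rejected message carried inside a DSN, or None.
    Most bounces attach it as message/rfc822; some include only its
    headers as text/rfc822-headers."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def classify_bounce(raw):
    """Classify one raw bounce as forged-sender, immediate-sender,
    deeper-in-chain or manual-review."""
    bounce = email.message_from_string(raw, policy=policy.default)
    original = embedded_original(bounce)
    received = original.get_all("Received", []) if original is not None else []
    if not received:
        # Nothing to walk: all we can do is scan the bounce text itself.
        return "manual-review" if names_our_server(raw) else "forged-sender"
    # Every MTA prepends its own Received: line, so received[0] was written by
    # the server that bounced the message and its from-clause names the host
    # that connected to it. Older lines could have been forged by the spammer.
    m = FROM_CLAUSE_RE.search(str(received[0]))
    if m and names_our_server(m.group(1)):
        return "immediate-sender"
    if any(names_our_server(r) for r in received[1:]):
        return "deeper-in-chain"
    return "forged-sender"


def _dsn(received_lines):
    """Build a constructed multipart/report bounce around a spam message whose
    Received: lines are given newest-first, as they appear in the headers."""
    return (
        "From: MAILER-DAEMON@mx.example.org\nTo: jp@example.net\n"
        "Subject: Undelivered Mail Returned to Sender\nMIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="B1"\n\n'
        "--B1\nContent-Type: text/plain\n\n550 spam detected; message rejected.\n"
        "--B1\nContent-Type: message/rfc822\n\n"
        + "\n".join(received_lines) + "\n"
        "From: jp@example.net\nTo: victim@example.org\nSubject: special offer\n\n"
        "Buy now.\n--B1--\n"
    )


# Pure joe job (constructed): the spam never touched our server.
BOUNCE_JOE_JOB = _dsn([
    "Received: from pc-198-51-100-7.example.com (unknown [198.51.100.7])\n"
    "    by mx.example.org with ESMTP id 1A2B3C",
])
# Our server handed the spam straight to the rejecting MX (constructed).
BOUNCE_IMMEDIATE = _dsn([
    "Received: from mail.example.net (mail.example.net [203.0.113.5])\n"
    "    by mx.example.org with ESMTP id 4D5E6F",
    "Received: from [192.0.2.44] (unknown [192.0.2.44])\n"
    "    by mail.example.net with ESMTPA id 7G8H9I",
])
# Our server shows up only in an older hop the spammer could have forged (constructed).
BOUNCE_DEEPER = _dsn([
    "Received: from relay.example.com (relay.example.com [198.51.100.9])\n"
    "    by mx.example.org with ESMTP id 0J1K2L",
    "Received: from mail.example.net (mail.example.net [203.0.113.5])\n"
    "    by relay.example.com with ESMTP id 3M4N5O",
])
# A terse bounce with no copy of the original (constructed).
BOUNCE_NO_COPY = ("From: MAILER-DAEMON@mx.example.org\nTo: jp@example.net\n"
                  "Subject: failure notice\n\nDelivery to victim@example.org failed.\n")

if __name__ == "__main__":
    for name, raw in [("joe job", BOUNCE_JOE_JOB), ("relayed by us", BOUNCE_IMMEDIATE),
                      ("older hop", BOUNCE_DEEPER), ("no copy", BOUNCE_NO_COPY)]:
        print(f"{name}: {classify_bounce(raw)}")
```

To run it over the real pile, read the bounces from an mbox with the standard `mailbox` module and feed each message's `as_string()` to `classify_bounce`. A single "immediate-sender" result is enough to justify the log check Kelson describes, and his caveat still applies: a compromised host can send with its own SMTP engine, so an absence of matching entries in the MTA log does not clear the machine.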