On Feb 26, 2013, at 11:32 AM, Jamie wrote:

> Hi
>
> Earlier today I noticed a spammer using my Postfix server as a relay to send
> out spam. This was puzzling because I had all requisite anti relay host
> settings applied. Further, it was particularly alarming that Postfix seemed
> to be receiving the spam messages from localhost as indicated:
>
> connect from localhost.localdomain[127.0.0.1]

Are you sure of that? I assume that Postfix is getting the peer IP address from the socket, _not_ doing a lookup of the HELO name offered by the SMTP client, as that would be useless and confusing.

Do you have any web server/PHP stuff on the same machine that might have been exploited instead? That would make the SMTP connection actually come from 127.0.0.1.

Borja.
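
Added example, not part of the original messages: a log triage sketch for the question raised in the reply, listing the queue IDs that Postfix accepted from a loopback peer or from a local submission (which goes slightly beyond the SMTP case in the thread), with envelope sender and recipient count. The log lines are constructed samples in Postfix's usual syslog format, and the function name `local_origin_mail` is an assumption of this example.

```python
import ipaddress
import re

# Constructed sample lines in Postfix's syslog format (not taken from the thread).
SAMPLE_LOG = """\
Feb 26 09:14:01 mx postfix/smtpd[4121]: connect from localhost.localdomain[127.0.0.1]
Feb 26 09:14:01 mx postfix/smtpd[4121]: 3F2A1C0E11: client=localhost.localdomain[127.0.0.1]
Feb 26 09:14:02 mx postfix/qmgr[980]: 3F2A1C0E11: from=<www-data@mx.example.org>, size=2210, nrcpt=48 (queue active)
Feb 26 09:14:05 mx postfix/smtpd[4130]: 7B9D2C0E12: client=mail.example.net[192.0.2.25]
Feb 26 09:14:05 mx postfix/qmgr[980]: 7B9D2C0E12: from=<alice@example.net>, size=1834, nrcpt=1 (queue active)
Feb 26 09:14:09 mx postfix/pickup[977]: 9C41EC0E13: uid=33 from=<www-data>
Feb 26 09:14:09 mx postfix/qmgr[980]: 9C41EC0E13: from=<www-data@mx.example.org>, size=1990, nrcpt=50 (queue active)
"""

# smtpd logs the peer address taken from the socket in brackets; the name before it is a lookup result.
CLIENT = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-Za-z]+): client=([^\[\s]+)\[([^\]]+)\]")
PICKUP = re.compile(r"postfix/pickup\[\d+\]: ([0-9A-Za-z]+): uid=(\d+)")
QMGR = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-Za-z]+): from=<([^>]*)>, size=\d+, nrcpt=(\d+)")

def local_origin_mail(log_text):
    """Return {queue_id: {origin, sender, nrcpt}} for mail that entered from this host."""
    origin, result = {}, {}
    for line in log_text.splitlines():
        if m := CLIENT.search(line):
            qid, _name, addr = m.groups()
            try:
                if ipaddress.ip_address(addr).is_loopback:  # 127.0.0.0/8 or ::1
                    origin[qid] = f"smtp from {addr}"
            except ValueError:
                pass  # Postfix logs "unknown" when it has no usable address
        elif m := PICKUP.search(line):
            origin[m.group(1)] = f"local submission by uid {m.group(2)}"
        elif m := QMGR.search(line):
            qid, sender, nrcpt = m.groups()
            if qid in origin:
                result[qid] = {"origin": origin[qid], "sender": sender, "nrcpt": int(nrcpt)}
    return result

if __name__ == "__main__":
    for qid, info in local_origin_mail(SAMPLE_LOG).items():
        print(qid, info["origin"], info["sender"], f"nrcpt={info['nrcpt']}")
```

Queue IDs flagged this way can then be matched against web server access logs for the same timestamps to find the script that submitted the mail.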