Robert
Thanks for the ideas. I'll try out your recommendations. Like I said, as soon as I blocked the troublesome IPs the problem went away. Thus, it cannot be a local script. Furthermore, we are not even running Apache. We are running Tomcat with custom developed Java apps. I also ran tcpdump on localhost to see if there was traffic being received on localhost. Guess what? While the spamming was taking place there was no SMTP traffic passing through on localhost port 25.

Hi, double check that no webserver script is injecting mail via localhost etc,
for other case

dig -x 113.167.239.162

; <<>> DiG 9.7.0-P1 <<>> -x 113.167.239.162
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53155
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;162.239.167.113.in-addr.arpa. IN PTR

;; ANSWER SECTION:
162.239.167.113.in-addr.arpa. 86400 IN PTR localhost.

that's not very rare in the internet
you may solve i.e it with

smtpd_client_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    ...
    check_reverse_client_hostname_access hash:/etc/postfix/reverse_client_hostname_access
    ...

/etc/postfix/reverse_client_hostname_access

localhost REJECT your ptr record points to localhost fix it

Best Regards
MfG Robert Schetterer
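
The check behind the reject rule quoted above, as an added example that is not part of the original thread: it reads `dig -x` answer lines and reports non-loopback addresses whose PTR record claims to be localhost. The function names are hypothetical, and the sample input is constructed from the dig answer in the thread plus two constructed records.

```python
import ipaddress
import re

# Constructed sample: the answer line from the dig output in the thread,
# plus two constructed records (an RFC 5737 documentation address and a
# genuine loopback address) to show what is NOT flagged.
SAMPLE_DIG = """\
;; QUESTION SECTION:
;162.239.167.113.in-addr.arpa. IN PTR

;; ANSWER SECTION:
162.239.167.113.in-addr.arpa. 86400 IN PTR localhost.
10.2.0.192.in-addr.arpa. 3600 IN PTR mail.example.org.
1.0.0.127.in-addr.arpa. 86400 IN PTR localhost.
"""

# One PTR resource record as printed by dig: owner, TTL, class, type, target.
PTR_RR = re.compile(
    r"^(?P<owner>(?:\d{1,3}\.){4})in-addr\.arpa\.\s+\d+\s+IN\s+PTR\s+(?P<target>\S+)$",
    re.IGNORECASE,
)

def arpa_to_ip(owner_octets):
    """'162.239.167.113.' -> IPv4Address('113.167.239.162')."""
    octets = owner_octets.rstrip(".").split(".")
    return ipaddress.IPv4Address(".".join(reversed(octets)))

def is_localhost_name(name):
    """True for 'localhost' and for any name under the 'localhost' label."""
    n = name.rstrip(".").lower()
    return n == "localhost" or n.endswith(".localhost")

def find_spoofed_localhost_ptrs(dig_text):
    """Return [(ip, ptr_target)] for non-loopback IPs whose PTR says localhost."""
    hits = []
    for line in dig_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # dig comments and question section
            continue
        m = PTR_RR.match(line)
        if not m:
            continue
        ip = arpa_to_ip(m.group("owner"))
        if is_localhost_name(m.group("target")) and not ip.is_loopback:
            hits.append((str(ip), m.group("target")))
    return hits

if __name__ == "__main__":
    for ip, target in find_spoofed_localhost_ptrs(SAMPLE_DIG):
        print(f"{ip} has PTR {target} but is not a loopback address")
```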