My admin mailbox has been filling up with bounces from aol.com -
obvious SPAM that appears to have originated from my qmail system (running
ucspi-tcp-0.88 and daemontools-0.70). Here's my rather simple config for
tcpserver:
127.0.0.1:allow,RELAYCLIENT=""
206.75.255.:allow,RELAYCLIENT=""
10.:allow,RELAYCLIENT=""
:allow
The first line is for localhost, the second for my class 'C', the
third for private network stuff behind a firewall and through a VPN. I
presume the last is to allow anyone to connect so they can send to my
hosted domains.
My qmail logs simply show a message generated by
<[EMAIL PROTECTED]> and being sent to an aol.com account. Then another
one. Then the third one and subsequent ones go out to varying numbers of
aol.com accounts. Total about 550.
This is something that definitely went through my system, but I am
at a loss to explain it. I retested for relaying and was unable to do
so. I considered the possibility of someone actually accessing the system
and sending directly from the system via a shell, but that is extremely
unlikely. Access is limited to two people. There is very restricted login
via telnet using a one time password token, only from a specific set of
trusted hosts, etc. etc.
If anyone has any ideas or would like to mull over any
configurations I have, please ask. I am rather nervous about continuing
with ucspi-tcp and daemontools with this having happened. If it's a simple
configuration error that allowed it, I'd appreciate being educated. If
everything is correct, then I am concerned that someone has found a way to
relay despite the settings.
If I get hit again, I'll be reverting to the stock qmail config
using inetd.conf and hosts.allow...
Thanks for any help or pointers.
--
Roger Walker <http://www.rat-hole.com>
Voice/Fax 1-780-440-2685 <http://www.man-from-linux.com>
"HIS Pain; YOUR Gain" <http://www.rope.net>
<http://www.rope.net/signature.html>
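A quick way to check what the posted tcpserver rules actually grant is to emulate the tcprules lookup for a given peer address and then ask what qmail-smtpd would accept at RCPT TO under the resulting environment. The script below is an added example, written for this page; it is not code from the original post, from ucspi-tcp or from qmail. It models the documented IP part of the tcprules lookup order only (full peer IP, then shorter dotted prefixes, then the empty key of the bare ":allow" line) and leaves out =host rules and TCPREMOTEINFO keys. The sample peer addresses (203.0.113.5 is a TEST-NET address), the hosted-domain list (example.org) and the second rules file used to show a RELAYCLIENT unset are all constructed for illustration.

```python
"""Emulate the tcprules lookup that tcpserver performs for a qmail-smtpd peer.

Added example, not part of the original post and not the ucspi-tcp or qmail
code. It models the IP part of the documented tcprules lookup order: the
full peer IP first, then shorter dotted prefixes (a.b.c., a.b., a.), then
the empty key (the bare ":allow" line). =host rules and TCPREMOTEINFO keys
are deliberately omitted. Sample peers and the hosted-domain list are
constructed for illustration (assumptions, not facts from the post).
"""
from typing import Dict, List, Optional, Tuple

# The rules file from the post, verbatim.
RULES_TEXT = """\
127.0.0.1:allow,RELAYCLIENT=""
206.75.255.:allow,RELAYCLIENT=""
10.:allow,RELAYCLIENT=""
:allow
"""

Env = Dict[str, Optional[str]]      # VAR -> value, or None meaning "unset VAR"
Rule = Tuple[str, Env]              # (action, environment)


def parse_tcprules(text: str) -> Dict[str, Rule]:
    """Parse 'address:action,VAR="value",VAR2=bare,VAR3' lines into a dict."""
    rules: Dict[str, Rule] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(":")
        fields = rest.split(",")
        action = fields[0].strip()
        env: Env = {}
        for field in fields[1:]:
            if not field:
                continue
            name, has_value, value = field.partition("=")
            if has_value:
                # tcprules accepts VAR="quoted" as well as VAR=bare.
                if len(value) >= 2 and value[0] == value[-1] == '"':
                    value = value[1:-1]
                env[name] = value
            else:
                env[name] = None        # a bare VAR removes VAR from the environment
        rules[key] = (action, env)
    return rules


def lookup_keys(ip: str) -> List[str]:
    """Keys tcpserver tries, most specific first: 10.3.4.5, 10.3.4., 10.3., 10., ''."""
    octets = ip.split(".")
    keys = [ip]
    for n in range(len(octets) - 1, 0, -1):
        keys.append(".".join(octets[:n]) + ".")
    keys.append("")
    return keys


def decide(rules: Dict[str, Rule], ip: str) -> Tuple[str, str, Env]:
    """Return (matched key, action, environment) for a peer IP."""
    for key in lookup_keys(ip):
        if key in rules:
            action, env = rules[key]
            return key, action, env
    return "<none>", "allow", {}        # tcpserver allows when no rule matches


def can_relay(rules: Dict[str, Rule], ip: str) -> bool:
    """True only if the connection is allowed AND RELAYCLIENT ends up set."""
    _, action, env = decide(rules, ip)
    return action == "allow" and env.get("RELAYCLIENT") is not None


def smtpd_accepts_rcpt(env: Env, rcpt: str, rcpthosts: List[str]) -> bool:
    """Model qmail-smtpd's RCPT TO check: with RELAYCLIENT set anything is
    accepted; otherwise the recipient domain must be in control/rcpthosts,
    where a leading-dot entry matches subdomains (the bare domain is listed
    separately)."""
    if env.get("RELAYCLIENT") is not None:
        return True
    domain = rcpt.rpartition("@")[2].lower()
    for entry in rcpthosts:
        entry = entry.lower()
        if entry.startswith("."):
            if domain.endswith(entry):
                return True
        elif domain == entry:
            return True
    return False


def relay_report(rules_text: str, peers: List[str]) -> Dict[str, Tuple[str, bool]]:
    """Map each peer IP to (matched rule key, can_relay)."""
    rules = parse_tcprules(rules_text)
    return {ip: (decide(rules, ip)[0], can_relay(rules, ip)) for ip in peers}


if __name__ == "__main__":
    # Constructed peers: one from each trusted network plus an outside host.
    sample_peers = ["127.0.0.1", "206.75.255.42", "10.8.0.12", "203.0.113.5"]
    for ip, (key, relay) in relay_report(RULES_TEXT, sample_peers).items():
        print(f"{ip:>15}  matched={key!r:<14} relay={relay}")
```

Run as is, the report shows the three listed networks get RELAYCLIENT and an outside address hits the empty key with no RELAYCLIENT, so qmail-smtpd would refuse an aol.com recipient from it; that is the check to repeat against your real rules file before concluding that tcpserver let a relay through.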