On Fri, 18 May 2001, Caspar Bothmer wrote:

> Roger Walker wrote:
> >
> >         My admin mailbox has been filling up with bounces from aol.com -
> > obvious SPAM that appears to have originated from my qmail system
>
> I am curious about that because recently I got a bounce from aol that
> said that they don't accept mails anymore from mailservers with
> dynamically assigned ip numbers. Therefore: who did say that it was
> spam, aol or you? But that's a bit off topic :-))

        It's SPAM because I saw the content of the message from AOL's
bounces (which are still trickling in). Also because of the illegitimate
way it is being sent and the fact that many of the addresses are invalid.
AOL simply bounced the messages for accounts that didn't exist. As far as
they knew, they were receiving mail from me and to them. I wish they had
bounced back all of the headers, too (because if they did, there appears
to be nothing to go on).

> > Here's my rather simple config for tcpserver:
> >
> > 127.0.0.1:allow,RELAYCLIENT=""
> > 206.75.255.:allow,RELAYCLIENT=""
> > 10.:allow,RELAYCLIENT=""
> > :allow
>
> This seems to be right. Did you compile it? Is your start-script ok? Did
> you restart qmail?

        This has been running for about a half year this way, including
through one reboot due to a power failure.

> So someone from your domain tried to send mail to another host. That is
> normal behaviour of qmail, as described in the "pictures" (
> http://cr.yp.to/qmail/pictures.html ). With this information I am not
> able to help you further for that anonymous could have been anyone.
> There must be more information about anonymous and the way he got his
> mail through your system.

        I've only seen the anonymous address in email generated by cron,
but the crontab looks fine.

> Do you have the headers of the bounced mails? Did they say anything
> about anonymous' ip or the way the mail got through your server? Can you
> send one of those bounced mails' headers? In case I wasn't clear enough,
> just the headers from the mail that was sent by your system to aol, not
> the header of the bounce mail itself.

        I understand completely. I administer mail servers for a major
ISP, so the principles are not a problem. I run qmail on my own servers,
but there could always be something that I'm overlooking in the config. I
know it sure looks as if the message originated locally, but I have my
doubts - I've been checking the system over very carefully for intrusions
and have gone over the log files, but I don't see anything out of the
ordinary to suggest that someone has gotten access to a shell.

> Do you have qmqpd running on your server? Did you install that properly?
> That means: some ip numbers that are allowed and a :deny as last line?
> If not, anybody could send mail through your system.

        I do not run qmqpd. (I'm not sure, at this point, what it is.)
It's certainly not on my system.

        Thanks, all, for your speculations so far...

-- 
Roger Walker                         <http://www.rat-hole.com>
Voice/Fax 1-780-440-2685             <http://www.man-from-linux.com>
"HIS Pain; YOUR Gain"                <http://www.rope.net>
<http://www.rope.net/signature.html>
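Added example (not from the thread, ucspi-tcp or qmail): a small Python model of how tcpserver resolves the rule file quoted above for a given client address, plus a check for the two relay-control mistakes the thread raises: RELAYCLIENT set on the default `:` line (open relay), and a qmqpd rule file that does not end in `:deny`. It models only the IP side of tcprules matching (exact address, then shorter dotted prefixes, then the empty default) and assumes, as the tcpserver documentation describes, that an unmatched client is accepted without any environment variables; the real rules are compiled with `tcprules` into a cdb. The qmqpd and open-relay rule sets are constructed for the example.

```python
"""Model of tcprules lookup to check who gets RELAYCLIENT on an SMTP or QMQP port.

Constructed example for this thread, not code from ucspi-tcp or qmail.
Only the IP-based part of tcprules matching is modelled: exact address
first, then prefixes ending in a dot (longest first), then the default ''.
"""

from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str, Dict[str, str]]  # (address, "allow" or "deny", environment)

# Rule file quoted in the thread: localhost, one /24 and 10/8 may relay,
# everyone else may connect but not relay.
THREAD_SMTP_RULES = """\
127.0.0.1:allow,RELAYCLIENT=""
206.75.255.:allow,RELAYCLIENT=""
10.:allow,RELAYCLIENT=""
:allow
"""

# Constructed misconfiguration: RELAYCLIENT on the default line is an open relay.
OPEN_RELAY_RULES = """\
127.0.0.1:allow,RELAYCLIENT=""
:allow,RELAYCLIENT=""
"""

# Constructed qmqpd rule file missing the ':deny' last line the reply asks about.
QMQP_NO_DENY_RULES = """\
10.:allow
"""


def parse_rules(text: str) -> List[Rule]:
    """Parse `address:allow|deny[,NAME="value",...]` lines; blanks and '#' lines are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        address, _, rest = line.partition(":")
        fields = rest.split(",")
        action = fields[0]
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action in rule {line!r}")
        env: Dict[str, str] = {}
        for assignment in fields[1:]:
            name, _, value = assignment.partition("=")
            env[name] = value.strip('"')  # tcprules also accepts unquoted values
        rules.append((address, action, env))
    return rules


def lookup(rules: List[Rule], client_ip: str) -> Tuple[str, Dict[str, str], Optional[str]]:
    """Return (action, env, matched_address) for client_ip.

    Order: exact IP, then dotted prefixes from longest to shortest, then ''.
    The first rule in file order wins for a given address. With no matching
    rule at all, tcpserver -x accepts the connection (assumed here), so the
    client is allowed but gets no RELAYCLIENT.
    """
    table: Dict[str, Tuple[str, Dict[str, str]]] = {}
    for address, action, env in rules:
        table.setdefault(address, (action, env))
    octets = client_ip.split(".")
    candidates = [client_ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for key in candidates:
        if key in table:
            action, env = table[key]
            return action, dict(env), key
    return "allow", {}, None


def audit(rules: List[Rule], service: str) -> List[str]:
    """Flag relay-control mistakes in an 'smtp' or 'qmqp' rule set."""
    findings: List[str] = []
    default = next(((action, env) for addr, action, env in rules if addr == ""), None)
    if service == "smtp":
        if default and default[0] == "allow" and "RELAYCLIENT" in default[1]:
            findings.append("default rule sets RELAYCLIENT: every client may relay (open relay)")
    elif service == "qmqp":
        # qmqpd has no per-message relay check: any client that may connect may queue mail.
        if default is None or default[0] != "deny":
            findings.append("qmqpd rules must end with ':deny'; otherwise any host may queue mail")
    else:
        raise ValueError(f"unknown service {service!r}")
    return findings


if __name__ == "__main__":
    rules = parse_rules(THREAD_SMTP_RULES)
    for ip in ("127.0.0.1", "206.75.255.9", "10.4.5.6", "206.75.1.9"):
        print(ip, lookup(rules, ip))
    print("smtp audit:", audit(rules, "smtp"))
    print("open relay:", audit(parse_rules(OPEN_RELAY_RULES), "smtp"))
    print("qmqp:", audit(parse_rules(QMQP_NO_DENY_RULES), "qmqp"))
```

Run against the thread's rule file, a client in 206.75.255.0/24 or 10/8 gets RELAYCLIENT and anything else falls through to the plain `:allow` line, which is what the poster intended; the audit is what would have caught the two variants the replies ask about.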