Chris Garrigues <[EMAIL PROTECTED]> wrote:
> I've got this in my queue:
> 
> 5 Jun 2001 14:44:17 GMT  #48256  5651  <[EMAIL PROTECTED]> 
>         remote  [EMAIL PROTECTED]
>   done  remote  [EMAIL PROTECTED]
>   done  remote  [EMAIL PROTECTED]
>         remote  [EMAIL PROTECTED]
>   done  remote  [EMAIL PROTECTED]
>   done  remote  [EMAIL PROTECTED]
>         remote  [EMAIL PROTECTED]
>   done  remote  [EMAIL PROTECTED]
>         remote  [EMAIL PROTECTED]
>         remote  [EMAIL PROTECTED]
>   done  remote  [EMAIL PROTECTED]
>   done  remote  [EMAIL PROTECTED]
>         remote  [EMAIL PROTECTED]
>         remote  [EMAIL PROTECTED]
> 
> Neither mail.com nor mindless.com are my domains 

Okay so far.

> [root@austin-jump network-scripts]# more /etc/qmail/control/rcpthosts 

[no mindless.com]

> my smtp.cdb contains:
> 
> 10.:allow,RELAYCLIENT=""
> :allow


> Looking at the guts of the message in the queue, I find:
[...] 
> Received: (qmail 2993 invoked by uid 104); 5 Jun 2001 14:44:17 -0000
> Received: from [EMAIL PROTECTED] by austin-jump.vircio.com with
> qmail-scanner- 0.90 (uvscan: v4.1.20/v4127. . Clean. Processed in 3.919065
> secs); 05/06/2001 09 :44:13
> Received: from pppa16-resaleeasternmab1-3r7830.dialinx.net (HELO
> oemcomputer???1
> 02.74.4.25???by?mtiwmhc08.worldnet.att.net??InterMail?v03.02.07.07?118-134??with
> ?SMTP?id??20000116195506.ZOOK28505@oemcomputer??from?worldnet.att.net???12.77.19
> 4.15???by?mtiwmhc03.worldnet.att.netmindspring??user-3qt5hn.dialup.mindspring.co
> m?99.174.150.55???by?smtp6.mindspring.com??8.9.3/8.8.5??with?SMTP?id?OAA06398??f
> rom?110140321worldnet.att.net???102.70.21.32???by?mtiwmhc98.worldnet.att.net??In
> terMail?v03.02.07.07?118-134??with?SMTP?id?20090116195452.ZOMX28505@110940321wor
[...]

That's a lot of garbage.  It's either the world's worst attempt at forging
Received: headers, or perhaps qmail-scanner is broken in this instance?  Any
other rewriting going on?


> so it appears that the message arrived from 
> pppa16-resaleeasternmab1-3r7830.dialinx.net at 4.45.125.13.

I didn't get that far in the headers; there appeared to be a lot more garbage,
so I'm not sure I agree with you.

> I don't know why this wasn't rejected by tcpcontrol.

You aren't rejecting anything with tcpserver; you're accepting all
connections.  How it got relayed is another matter.

To trace this, you need to find the qmail qid in this message, then go through
your qmail-send logs to find out where this message originated and how.  Based
on the timestamp you find there for "new msg ...", look in your qmail-smtpd
logs.  That will tell you exactly where the message originated.

Perhaps you have a CGI script which sends mail, and contains a security hole?
Or something else is letting people into your 10. address space?

Charles
-- 
-----------------------------------------------------------------------
Charles Cazabon                            <[EMAIL PROTECTED]>
GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
-----------------------------------------------------------------------
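As an added example, not part of this thread, here is a small POSIX shell script that carries out the tracing procedure Charles describes: it finds the "new msg" line for a queue id in the qmail-send log, takes its timestamp, and lists which tcpserver-logged SMTP sessions were open at that instant. The log lines, the 10.0.0.x addresses and the pids are constructed; the format assumes multilog output passed through tai64nlocal.

```shell
#!/bin/sh
# Trace a queued message back to the SMTP session that submitted it.
# Constructed sample of a qmail-send log (multilog current | tai64nlocal).
SEND_LOG='2001-06-05 09:44:10.100000000 starting delivery 41: msg 48250 to remote someone@example.org
2001-06-05 09:44:17.500000000 new msg 48256
2001-06-05 09:44:17.510000000 info msg 48256: bytes 5651 from <sender@example.net> qp 2993 uid 104
2001-06-05 09:44:18.000000000 starting delivery 42: msg 48256 to remote user@mail.com'

# Constructed sample of a qmail-smtpd log written by tcpserver -v.
SMTPD_LOG='2001-06-05 09:44:12.000000000 tcpserver: status: 1/40
2001-06-05 09:44:12.100000000 tcpserver: pid 2990 from 10.0.0.77
2001-06-05 09:44:12.100000000 tcpserver: ok 2990 austin-jump.vircio.com:10.0.0.1:25 :10.0.0.77::4021
2001-06-05 09:44:17.600000000 tcpserver: end 2990 status 0'

# new_msg_time QID: full timestamp of the "new msg QID" line (empty if absent).
new_msg_time() {
    printf '%s\n' "$SEND_LOG" |
        awk -v qid="$1" '$3 == "new" && $4 == "msg" && $5 == qid { print $1, $2; exit }'
}

# msg_info QID: the "info msg" line, giving envelope sender, qmail-queue pid and uid.
msg_info() {
    printf '%s\n' "$SEND_LOG" | awk -v pat="info msg $1:" 'index($0, pat) { print; exit }'
}

# sessions_open_at "YYYY-MM-DD HH:MM:SS.NNNNNNNNN": tcpserver sessions that had
# started at or before that instant and had not yet ended (string comparison
# works because the timestamps are fixed-width). Prints "pid ip" per session.
sessions_open_at() {
    printf '%s\n' "$SMTPD_LOG" | awk -v t="$1" '
        $3 == "tcpserver:" && $4 == "pid" { start[$5] = $1 " " $2; ip[$5] = $7 }
        $3 == "tcpserver:" && $4 == "end" { stop[$5] = $1 " " $2 }
        END {
            for (p in start)
                if (start[p] <= t && (!(p in stop) || stop[p] >= t))
                    print p, ip[p]
        }'
}

# trace_msg QID: tie the queue id to the SMTP session(s) that could have queued it.
trace_msg() {
    t=$(new_msg_time "$1")
    [ -n "$t" ] || { echo "no 'new msg $1' line in qmail-send log" >&2; return 1; }
    echo "queued at: $t"
    msg_info "$1"
    echo "SMTP sessions open at that moment (pid ip):"
    sessions_open_at "$t"
}

trace_msg 48256
```

With real logs, replace the two constructed variables with `tai64nlocal < /var/log/qmail/current` and the qmail-smtpd equivalent (paths are an assumption), then compare the reported client IP against the RELAYCLIENT rules in smtp.cdb.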
