Hi, I use SIMS on OS 9 as a backup mailserver from time to time - when my main sendmail box is down, for example.

I run it with all the anti-spam measures in place, including the RBL option and a strictly limited set of relay-permitted IP addresses.

Despite this, it appears that the server was used to send spam in the last 24 hours, often associated with the email virus that I'm sure you're all seeing examples of - often there's a ".pif" associated with the message that I presume carries the payload.

I started getting bouncebacks from adminbots referring to these messages, and examined the SIMS logs, only to find, much to my surprise, that somehow the messages were indeed being relayed despite my no-relay settings.

Here's a header from one such returned message:

---snip---
Received: from JOE (mail.c2mcorp.com [216.201.140.226]) by rly-xd03.mx.aol.com (v95.1) with ESMTP id MAILRELAYINXD37-1153f4293115d; Tue, 19 Aug 2003 17:13:55 -0400
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Re: Re: My details
Date: Tue, 19 Aug 2003 16:13:48 --0500
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_NextPart_000_24C4EE05"
X-AOL-IP: 216.201.140.226
X-AOL-SCOLL-SCORE: 0:XXX:XX
X-AOL-SCOLL-URL_COUNT: 0
Message-ID: <[EMAIL PROTECTED]>
---snip---


I added the spammer IP to my local blacklist and then just shut down the server, as I didn't need it anymore. The logs were set to "problems only", and I did see some reject messages associated with the IP and "JOE" - the logs also normally record incoming and outbound messages with from and to addresses, which were NOT recorded in these instances.

My sendmail logs do not record any such activity, however, so I'm reasonably sure that if anything DID get through it was on the SIMS box. The sendmail install is secure in that it's a restricted relay - but then again, that's what I thought about the SIMS install too.

I'm baffled. Is there a security hole in older SIMS that I just don't know about?

It's also of concern that the messages appear, to the other mail admins, to be associated with my address and domain ([EMAIL PROTECTED]). Anybody have some words of wisdom?
--
Mike Whybark - [EMAIL PROTECTED]
http://mike.whybark.com/
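The quoted header is the evidence the question rests on. As an added example (not from the original post and not part of SIMS), the Python below parses the Received: chain of that header, lists each hop's HELO name, reverse DNS, IP and receiving host in delivery order, and reports whether a given host name or address appears anywhere in the chain, which is the check a mail admin would run on a bounce to see which machines actually handled it. The mail addresses and the host name checked in the usage note are placeholders.

```python
import email
import re

# Constructed from the header quoted in the post; addresses are placeholders.
RAW_MESSAGE = (
    "Received: from JOE (mail.c2mcorp.com [216.201.140.226]) by "
    "rly-xd03.mx.aol.com (v95.1) with ESMTP id MAILRELAYINXD37-1153f4293115d;"
    " Tue, 19 Aug 2003 17:13:55 -0400\n"
    "From: <sender@example.invalid>\n"
    "To: <recipient@example.invalid>\n"
    "Subject: Re: Re: My details\n"
    "X-AOL-IP: 216.201.140.226\n"
    "Message-ID: <placeholder@example.invalid>\n"
    "\n"
    "(body omitted)\n"
)

# One hop of the form: from HELO (rdns [ip]) by RECEIVER ...
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)"
)


def parse_hop(value):
    """Parse one Received: header into its parts, or None if unrecognised."""
    m = HOP_RE.search(" ".join(value.split()))
    return m.groupdict() if m else None


def relay_chain(raw):
    """Hops in delivery order (earliest MTA first). Each MTA prepends its own
    Received: line, so only the topmost one was written by the final receiver;
    everything below it could have been forged by whoever injected the mail."""
    msg = email.message_from_string(raw)
    hops = [parse_hop(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h]


def origin(raw):
    """(helo, rdns, ip) of the host that injected the message into the chain."""
    first = relay_chain(raw)[0]
    return first["helo"], first["rdns"], first["ip"]


def handled_by(raw, host):
    """True if host (name or IP) appears as sender or receiver in any hop."""
    host = host.lower()
    for hop in relay_chain(raw):
        if host in {hop["by"].lower(), (hop["rdns"] or "").lower(), hop["ip"] or ""}:
            return True
    return False
```

Calling `handled_by(RAW_MESSAGE, "sims.example.invalid")` with your own relay's name or address in place of the placeholder tells you whether that relay wrote any hop of the chain; `origin(RAW_MESSAGE)` gives the HELO name, reverse DNS and IP of the host that first handed the message on.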

