I'm running the following:
RH 9
SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp)
running using procmail/postfix

I also have amavisd running too.

I am concerned that someone might be using my mail server to send
spam. I have received a couple of emails with the headers quoted
below. My mail server SHOULD be using AUTH only, no anonymous and no
POP before SMTP. What concerns me is that there is only one Received
line in each of the messages below, and that it received it from
localhost. Everything is intact below, except I've inserted <my domain
here> substituting my actual domain name. 

Also, the 2nd email header looks like it might be from a form mailer.
I'm hosting many domains, and I'm looking for suspect scripts. I'm
using Red Hat Linux, and Postfix as my MTA. Thanks to anyone who can
give me advice, pointers, etc...

[BEGIN HEADERS]

Received: from localhost [127.0.0.1]
 by <my domain name here>
 with SpamAssassin (2.61 1.212.2.1-2003-12-09-exp);
 Sun, 09 May 2004 07:22:54 -0400
From: "Artroom Submissions" <[EMAIL PROTECTED]>
To: webmaster@<my domain name here>
Subject: Your listing in Yahoo - Ref:- 
Date: Sun, 09 May 2004 11:25:11 -0100
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp)
on  <my domain name here>
X-Spam-Level: ******
X-Spam-Status: Yes, hits=6.3 required=5.0 tests=BIZ_TLD,HTML_70_80,
HTML_IMAGE_ONLY_02,HTML_MESSAGE,MIME_HTML_NO_CHARSET,MIME_HTML_ONLY,
MIME_HTML_ONLY_MULTI,NO_DNS_FOR_FROM,RCVD_IN_RFCI autolearn=no
version=2.61
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----------=_409E148E.EE4E3E72"




 From [EMAIL PROTECTED] Mon May 10 20:30:10 2004
Received: from localhost [127.0.0.1] by <my domain name here>
        with SpamAssassin (2.61 1.212.2.1-2003-12-09-exp);
        Mon, 10 May 2004 17:06:34 -0400
From: "Todd Goddard" <[EMAIL PROTECTED]>
To: patel@<my domain name here>, patterson@<my domain name here>,
        paul@<my domain name here>, pennington@<my domain name here>,
        perry@<my domain name here>, petersen@<my domain name here>
Subject: dont miss out!  wharves
Date: Mon, 10 May 2004 21:01:00 -0100
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp)
on
        <my domain name here>
X-Spam-Level: **************
X-Spam-Status: Yes, hits=14.1 required=5.0 tests=DNS_FROM_RFCI_DSN,
        FORGED_MUA_OUTLOOK,FORGED_OUTLOOK_TAGS,HTML_20_30,
        HTML_FONTCOLOR_UNKNOWN,HTML_MESSAGE,MIME_HTML_MOSTLY,
        NORMAL_HTTP_TO_IP,RCVD_IN_DSBL,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS,
        SORTED_RECIPS autolearn=spam version=2.61
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----------=_409FEEDA.BFF85045"

[END OF HEADERS]


-- 
Bryce Fischer <[EMAIL PROTECTED]>
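
An added example, not part of the original post: a triage script for messages like the two above, where the only visible Received line is the one written "with SpamAssassin". It assumes SpamAssassin's report mode has attached the original message as a message/rfc822 part (the multipart/mixed Content-Type above is consistent with that), pulls the Received chain out of that attachment, and reports the oldest non-loopback hop. The function names and the sample message are constructed for illustration.

```python
import email
import re

# Constructed sample (not from the post): a SpamAssassin report wrapper with
# the original message attached as message/rfc822. Hosts/IPs are placeholders.
SAMPLE = """\
Received: from localhost [127.0.0.1] by mail.example.org
\twith SpamAssassin (2.61); Mon, 10 May 2004 17:06:34 -0400
Subject: sample
Content-Type: multipart/mixed; boundary="SA_SAMPLE"

--SA_SAMPLE
Content-Type: text/plain

Spam detection software has identified this mail as spam.
--SA_SAMPLE
Content-Type: message/rfc822

Received: from mail.example.org (localhost [127.0.0.1])
\tby mail.example.org (Postfix) with ESMTP; Mon, 10 May 2004 17:06:30 -0400
Received: from client.example.net (unknown [192.0.2.55])
\tby mail.example.org (Postfix) with SMTP; Mon, 10 May 2004 17:06:28 -0400
Subject: sample

body
--SA_SAMPLE--
"""

def chain_of(msg):
    # Unfold each Received header onto one line, newest hop first.
    return [" ".join(h.split()) for h in msg.get_all("Received", [])]

def original_received(raw):
    """Return the Received chain of the message SpamAssassin wrapped."""
    msg = email.message_from_string(raw)
    outer = chain_of(msg)
    if not (len(outer) == 1 and "with SpamAssassin" in outer[0]):
        return outer  # not a wrapper: the outer headers are the real chain
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return chain_of(part.get_payload(0))  # the attached original
    return []  # wrapper without an attached original: nothing to trace

def first_external_ip(received):
    """Oldest hop first (IPv4 only); None means every hop was loopback."""
    for hop in reversed(received):
        for ip in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop):
            if not ip.startswith("127."):  # 127.0.0.0/8 is loopback
                return ip
    return None
```

A `None` result from `first_external_ip` means the message never arrived over the network, which points at something on the host itself, such as a web form script, rather than at the SMTP listener.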
