[Mailman-Users] SPAM relayed mail through Mailman.
Mark Sapiro
msapiro at value.net
Mon May 16 02:23:32 CEST 2005
Colorado Tech Support wrote:
>Hi, I'm pretty new to this, but I've got a problem.
>
>Last night, a SPAMer was able to relay 250 mail messages through my
>server and I can't figure out how they did it.
>
>Here's my configuration:
>
>Fedora Core 2 - kernel-2.6.10-1.771_FC2
>apache - httpd-2.0.51-2.9
>mailman-2.1.5-10.fc2
>sendmail-8.12.11-4.6
>
>Here's what I know...
>
>My sendmail is configured in a way to only allow relaying from IP
>addresses within my network (the 192.168.blah.blah range).
>I believe this is configured correctly because I get "RELAYING DENIED"
>messages all the time from SPAMers trying to relay through my server.
>
>The only reason I know about the attempt is because I received over 100
>bounced messages to "mailman-ower at mydomain.com" from the target of the
>attack.
>
>The bounced messages all contained the original message (which came from
>mailman-owner at mydomain.com).
How do you know that Mailman was even involved in sending the original
spam? Perhaps the mailman-owner address was just spoofed. Mailman
generally sends messages with Sender:, Errors-To: and envelope sender
of <somelistname>-bounces so that bounces go there, not directly to
mailman-owner.
What do the full headers of one of these bounced messages look like?
>My /etc/log/maillog file shows all 250 sendmails being relayed (here's
>just one):
>maillog:May 14 21:02:52 nameofmyserver sendmail[14830]: j4F32px8014830:
>from=<popcap-route at enki.popcap.com>, size=2408, class=0, nrcpts=1,
>msgid=<courier.4286BBD9.000052C9 at enki.popcap.com>, bodytype=7BIT,
>proto=ESMTP, daemon=MTA, relay=mail.popcap.com [69.25.140.155]
What in here indicates any Mailman involvement?
--
Mark Sapiro <msapiro at value.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
More information about the Mailman-Users
mailing list