Re: update to Small amount of spam still routed through server and another problem with spam

From: Noel Jones (njonesmegan.vbhcs.org)
Date: Mon Apr 26 2010 - 15:59:32 CDT


On 4/26/2010 4:05 PM, Josh Cason wrote:
> After working on some other issues, I came back to this spam problem. I
> once again do not have the -v. The spam I was looking at came in last
> Wednesday (I have disabled the -v for a few weeks now until I can get back to
> it) and one difference I noticed is it does not have a hold header on
> it. It does not have an IP number listed with it. It does not have a
> machine listed with it. A typical valid e-mail customer will show up
> with their machine name, their IP number, and then the message is put on
> hold. This is all without the -v option.
>
> Why the difference?
>
> Has anybody seen any spam like that without the -v option?
>
> Thanks,
>
> Josh
>
>

I'm quite certain that no one here has the slightest idea what
you're talking about.

Really Wild Guess: Your web server is being exploited and
sending out spam. Turn off your web server software until you
fix the problem.

Here are some random ideas that may or may not relate to
whatever your question might be:

- postfix verbose logging (maybe that's what you mean by -v
above??) does not affect the message headers.

- You should not be using postfix verbose logging.

- No one here knows what a "hold header" is.

- If you are attempting to describe an email without a
Received: header, postfix adds Received: headers to all mail
unless you remove them with header_checks. Don't do that.

- Mail submitted on the machine via the sendmail(1) command
will have a userid rather than an IP in the Received: header.

If you need more than wild guesses and random thoughts, you
need to provide more information. Start here:
http://www.postfix.org/DEBUG_README.html#mail

If you have questions about message headers, you need to show
the headers.

   -- Noel Jones
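To make the last two points concrete (Postfix stamps SMTP mail with the client's name and IP, while mail injected locally through sendmail(1) is stamped with a userid, and a message with no Received: header at all means something stripped it), here is an added example that is not from the thread or from Postfix: a small Python classifier that reads the oldest Received: header of a message and reports how it entered the MTA. The header shapes follow Postfix's documented format; the hostnames, IDs and sample messages are constructed.

```python
import re
from email import message_from_string

# Postfix Received: header shapes. Remote SMTP: "from HELO (rdns [ip])".
# Local sendmail(1)/pickup: "by host (Postfix, from userid N)".
REMOTE_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?:IPv6:)?(?P<ip>[^\]]+)\]\)",
    re.IGNORECASE)
LOCAL_RE = re.compile(
    r"^by\s+(?P<host>\S+)\s+\(Postfix,\s+from\s+userid\s+(?P<uid>\d+)\)",
    re.IGNORECASE)

def classify_received(value):
    """Classify one Received: header value by how Postfix accepted the mail."""
    value = " ".join(value.split())  # unfold continuation lines
    m = REMOTE_RE.match(value)
    if m:
        return {"kind": "smtp", "ip": m.group("ip"), "helo": m.group("helo")}
    m = LOCAL_RE.match(value)
    if m:
        return {"kind": "local", "uid": int(m.group("uid")), "host": m.group("host")}
    return {"kind": "unknown"}

def entry_point(raw):
    """Where the message first entered Postfix: the last Received: header is
    the oldest, since each hop prepends its own. No header at all is suspect
    unless header_checks deliberately removes them."""
    received = message_from_string(raw).get_all("Received") or []
    if not received:
        return {"kind": "no-received"}
    return classify_received(received[-1])

# Constructed samples (hostnames, IPs, queue IDs are placeholders).
SMTP_MSG = """Received: from mail.example.com (mail.example.com [192.0.2.10])
\tby mx.example.org (Postfix) with ESMTP id 4F2A1C0123
\tfor <user@example.org>; Mon, 26 Apr 2010 15:59:32 -0500 (CDT)
Subject: constructed sample

hello
"""
# userid 33 is www-data on Debian-derived systems: mail injected by the
# web server process, the case Noel's "wild guess" describes.
LOCAL_MSG = """Received: by mx.example.org (Postfix, from userid 33)
\tid 7B3D2C0456; Mon, 26 Apr 2010 16:02:11 -0500 (CDT)
Subject: constructed sample

hello
"""
STRIPPED_MSG = "Subject: constructed sample\n\nhello\n"
```

Run it over a spool of messages and count the "local" hits by uid; a web-server uid dominating that count points at the web application rather than at SMTP clients.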