Linode Forum https://forum.linode.com/

Does this email suggest a vulnerability in my mail server? https://forum.linode.com/viewtopic.php?f=11&t=2330

Author: mabrams [ Fri Jun 16, 2006 3:44 am ]
Post subject: Does this email suggest a vulnerability in my mail server?
-------------Full text of email------------
Return-Path: <DPmkV@mailserver.com>
X-Original-To: realuser@mailserver.com
Delivered-To: realuser@mailserver.com
Received: from billgates (unknown [59.44.75.105])
        by mail.mailserver.com (Postfix) with SMTP id 842104C55
        for <realuser@mailserver.com>; Fri, 16 Jun 2006 03:12:31 -0400 (EDT)
Message-Id: <20060616071231.842104C55@mail.mailserver.com>
Date: Fri, 16 Jun 2006 03:12:31 -0400 (EDT)
From: DPmkV@mailserver.com
To: undisclosed-recipients:;
Status:
---------------End email ------------------

mail.log:
Jun 16 03:12:27 www postfix/smtpd[17493]: connect from unknown[59.44.75.105]
Jun 16 03:12:32 www postfix/smtpd[17493]: 842104C55: client=unknown[59.44.75.105]
Jun 16 03:12:34 www postfix/cleanup[17496]: 842104C55: message-id=<20060616071231.842104C55@mail.mailserver.com>
Jun 16 03:12:34 www postfix/qmgr[24375]: 842104C55: from=<DPmkV@mailserver.com>, size=340, nrcpt=1 (queue active)
Jun 16 03:12:34 www postfix/local[17497]: 842104C55: to=<realuser@mailserver.com>, relay=local, delay=3, status=sent (delivered to command: procmail -a "$EXTENSION")
Jun 16 03:12:34 www postfix/qmgr[24375]: 842104C55: removed
Jun 16 03:12:35 www postfix/smtpd[17493]: disconnect from unknown[59.44.75.105]

We use postfix and pop-before-smtp. User DPmkV is not a valid user on mailserver.com. User DPmkV should, therefore, not be able to send from mailserver.com. User realuser is a valid user on mailserver.com. If this went through some other mailserver, realuser would necessarily receive it.

I cannot tell if there is a threat at hand or if the From: and Return-Path: are simply spoofed. Any ideas? Obviously if we've got a hole, I want to close it.

TIA

Author: mkincaid [ Fri Jun 16, 2006 7:42 am ]
This looks to me like SPAM. This person took advantage of the fact that you must deliver mail to local users or they would never receive any mail. By connecting to your server directly and addressing the user, they didn't have to worry about finding a server open to relaying. So I don't think it's a hole. IMO it wouldn't be worth the overhead to do additional checking such as cross-checking valid From: addresses against real users. It would solve the problem until the spammer started sending mail with From: and To: as the same address. It's also possible that this is the realuser who wanted to send an email to themselves, had no relay server available to them, and was too lazy to type their name in the From: box.
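One way to turn mkincaid's reading of the session (and the headers and mail.log lines in mabrams's post) into a check you can run over a Postfix log: pick out queue IDs whose envelope sender is in the local domain but whose connecting client is neither in the trusted networks nor SASL-authenticated, and pull the cheap signals out of the Received: header (no reverse DNS, HELO instead of EHLO). This is an added example, not code from either poster. The log lines and the Received: line are constructed copies of the ones quoted in the thread plus two benign sessions for contrast; LOCAL_DOMAINS and MY_NETWORKS are assumptions standing in for the site's real Postfix settings.

```python
"""
Flag SMTP sessions that claimed a sender in the local domain but came from an
outside, unauthenticated client: the direct-to-MX, forged-local-sender pattern
discussed in the thread.

Added example, not code from the forum thread. Sample data below is
constructed to mirror the post; LOCAL_DOMAINS and MY_NETWORKS are assumptions.
"""
import ipaddress
import re

LOCAL_DOMAINS = {"mailserver.com"}                   # assumption
MY_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"),  # assumption: Postfix mynetworks
               ipaddress.ip_network("10.0.0.0/8")]

# Postfix logs the connecting client once per queue ID ("client=host[ip]");
# a SASL-authenticated submission additionally carries "sasl_username=".
CLIENT_RE = re.compile(r"(?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]")
FROM_RE = re.compile(r"(?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")

# The Received: line Postfix adds: "from HELO (rdns [ip]) by us (Postfix) with SMTP|ESMTP".
RECEIVED_RE = re.compile(
    r"Received: from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[^\]]+)\]\)"
    r" by (?P<by>\S+) \(Postfix\) with (?P<proto>E?SMTP)")

# Constructed sample: the thread's session plus two benign ones for contrast.
SAMPLE_LOG = """\
Jun 16 03:12:27 www postfix/smtpd[17493]: connect from unknown[59.44.75.105]
Jun 16 03:12:32 www postfix/smtpd[17493]: 842104C55: client=unknown[59.44.75.105]
Jun 16 03:12:34 www postfix/cleanup[17496]: 842104C55: message-id=<20060616071231.842104C55@mail.mailserver.com>
Jun 16 03:12:34 www postfix/qmgr[24375]: 842104C55: from=<DPmkV@mailserver.com>, size=340, nrcpt=1 (queue active)
Jun 16 03:12:34 www postfix/local[17497]: 842104C55: to=<realuser@mailserver.com>, relay=local, delay=3, status=sent (delivered to command: procmail -a "$EXTENSION")
Jun 16 03:12:34 www postfix/qmgr[24375]: 842104C55: removed
Jun 16 03:12:35 www postfix/smtpd[17493]: disconnect from unknown[59.44.75.105]
Jun 16 09:00:01 www postfix/smtpd[17500]: A1B2C3D4E5: client=localhost[127.0.0.1]
Jun 16 09:00:01 www postfix/qmgr[24375]: A1B2C3D4E5: from=<realuser@mailserver.com>, size=512, nrcpt=1 (queue active)
Jun 16 09:05:10 www postfix/smtpd[17502]: B2C3D4E5F6: client=mx.example.org[192.0.2.10]
Jun 16 09:05:10 www postfix/qmgr[24375]: B2C3D4E5F6: from=<alice@example.org>, size=700, nrcpt=1 (queue active)
"""

SAMPLE_RECEIVED = ("Received: from billgates (unknown [59.44.75.105]) "
                   "by mail.mailserver.com (Postfix) with SMTP id 842104C55")


def parse_sessions(log_text):
    """Group the client= and from= facts of each queue ID into one record."""
    sessions = {}
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            rec = sessions.setdefault(m["qid"], {})
            rec["host"], rec["ip"] = m["host"], m["ip"]
            rec["authenticated"] = "sasl_username=" in line
            continue
        m = FROM_RE.search(line)
        if m:
            sessions.setdefault(m["qid"], {})["sender"] = m["sender"]
    return sessions


def is_trusted(ip):
    """True if the client IP falls inside the networks we let relay."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MY_NETWORKS)


def find_forged_local_senders(log_text):
    """Queue IDs whose envelope sender is local but whose client is neither
    trusted nor authenticated. Returns (qid, sender, ip, rdns) tuples."""
    hits = []
    for qid, rec in parse_sessions(log_text).items():
        sender = rec.get("sender", "")
        domain = sender.rpartition("@")[2].lower()
        if domain not in LOCAL_DOMAINS or "ip" not in rec:
            continue
        if rec["authenticated"] or is_trusted(rec["ip"]):
            continue
        hits.append((qid, sender, rec["ip"], rec["host"]))
    return hits


def received_indicators(header):
    """Cheap signals from the Received: line: no reverse DNS, and a bare
    HELO (Postfix writes 'with SMTP' for HELO, 'with ESMTP' for EHLO)."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    return {
        "helo": m["helo"],
        "ip": m["ip"],
        "no_rdns": m["rdns"] == "unknown",
        "helo_only": m["proto"] == "SMTP",
    }


if __name__ == "__main__":
    for hit in find_forged_local_senders(SAMPLE_LOG):
        print("forged local sender:", hit)
    print(received_indicators(SAMPLE_RECEIVED))
```

Two caveats before wiring this into anything that rejects mail. First, the check only says the sender address was never verified; in the thread's session the message was delivered locally (relay=local), not relayed onward, so it is not evidence of an open relay. Second, pop-before-smtp authorises an IP that recently logged into POP3 without leaving a sasl_username= in the client= line, so a legitimate user submitting mail from a roaming address would be flagged exactly like the spammer; that false-positive cost is the overhead mkincaid is weighing against the benefit.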

All times are UTC-04:00