Dear J.P. Trosclair,

Thank you for your prompt reply and your help. Before I can locate an instance where a spam passed through, how can I locate that?
Below are my tests; there is no open relay. (My real domain has been replaced with mydomain.com, as well as a dummy IP address.)

*Mail relay testing*

Connecting to mail.mydomain.com for anonymous test ...
<<< 220 mail.mydomain.com ESMTP Postfix
>>> HELO www.abuse.net
<<< 250 mail.mydomain.com

Relay test 1
>>> RSET
<<< 250 2.0.0 Ok
>>> MAIL FROM:<spamt...@abuse.net>
<<< 250 2.1.0 Ok
>>> RCPT TO:<securityt...@abuse.net>
<<< 554 5.7.1 <securityt...@abuse.net>: Relay access denied

Relay test 2
>>> RSET
<<< 250 2.0.0 Ok
>>> MAIL FROM:<spamtest>
<<< 250 2.1.0 Ok
>>> RCPT TO:<securityt...@abuse.net>
<<< 554 5.7.1 <securityt...@abuse.net>: Relay access denied

Relay test 3
>>> RSET
<<< 250 2.0.0 Ok
>>> MAIL FROM:<>
<<< 250 2.1.0 Ok
>>> RCPT TO:<securityt...@abuse.net>
<<< 554 5.7.1 <securityt...@abuse.net>: Relay access denied

Relay test 4
>>> RSET
<<< 250 2.0.0 Ok
>>> MAIL FROM:<spamt...@mydomain.com>
<<< 250 2.1.0 Ok
>>> RCPT TO:<securityt...@abuse.net>
<<< 554 5.7.1 <securityt...@abuse.net>: Relay access denied

Relay test 5
>>> RSET
<<< 250 2.0.0 Ok
>>> MAIL FROM:<spamt...@[123.123.123.11]>
<<< 250 2.1.0 Ok
>>> RCPT TO:<securityt...@abuse.net>
<<< 554 5.7.1 <securityt...@abuse.net>: Relay access denied

Relay test 6
>>> RSET
<<< 250 2.0.0 Ok
>>> MAIL FROM:<spamt...@mydomain.com>
<<< 250 2.1.0 Ok
>>> RCPT TO:<securitytest%abuse....@mydomain.com>
<<< 554 5.7.1 <securitytest%abuse....@mydomain.com>: Relay access denied

Relay test 7
>>> RSET
<<< 250 2.0.0 Ok
>>> MAIL FROM:<spamt...@mydomain.com>
<<< 250 2.1.0 Ok
>>> RCPT TO:<securitytest%abuse....@[123.123.123.11]>
<<< 554 5.7.1 <securitytest%abuse....@[123.123.123.11]>: Relay access denied

Relay test 8
>>> RSET
<<< 250 2.0.0 Ok
>>> MAIL FROM:<spamt...@mydomain.com>
<<< 250 2.1.0 Ok
>>> RCPT TO:<"securityt...@abuse.net">
<<< 554 5.7.1 <securityt...@abuse.net>: Relay access denied

Relay test 9
>>> RSET
<<< 250 2.0.0 Ok
>>> MAIL FROM:<spamt...@mydomain.com>
<<< 250 2.1.0 Ok
>>> RCPT TO:<"securitytest%abuse.net">
<<< 554 5.7.1 <securitytest%abuse.net>: Relay access denied

Relay test 10
>>> RSET
<<< 250 2.0.0 Ok
>>> MAIL FROM:<spamt...@mydomain.com>
<<< 250 2.1.0 Ok
>>> RCPT TO:<securityt...@abuse.net@mydomain.com>
<<< 554 5.7.1 <securityt...@abuse.net@mydomain.com>: Relay access denied

Relay test 11
>>> RSET
<<< 250 2.0.0 Ok
>>> MAIL FROM:<spamt...@mydomain.com>
<<< 250 2.1.0 Ok
>>> RCPT TO:<"securityt...@abuse.net"@mydomain.com>
<<< 554 5.7.1 <securityt...@abuse.net@mydomain.com>: Relay access denied

Relay test 12
>>> RSET
<<< 250 2.0.0 Ok
>>> MAIL FROM:<spamt...@mydomain.com>
<<< 250 2.1.0 Ok
>>> RCPT TO:<securityt...@abuse.net@[123.123.123.11]>
<<< 554 5.7.1 <securityt...@abuse.net@[123.123.123.11]>: Relay access denied

Relay test 13
>>> RSET
<<< 250 2.0.0 Ok
>>> MAIL FROM:<spamt...@mydomain.com>
<<< 250 2.1.0 Ok
>>> RCPT TO:<@mydomain.com:securityt...@abuse.net>
<<< 554 5.7.1 <securityt...@abuse.net>: Relay access denied

Relay test 14
>>> RSET
<<< 250 2.0.0 Ok
>>> MAIL FROM:<spamt...@mydomain.com>
<<< 250 2.1.0 Ok
>>> RCPT TO:<@[123.123.123.11]:securityt...@abuse.net>
<<< 554 5.7.1 <securityt...@abuse.net>: Relay access denied

Relay test 15
>>> RSET
<<< 250 2.0.0 Ok
>>> MAIL FROM:<spamt...@mydomain.com>
<<< 250 2.1.0 Ok
>>> RCPT TO:<abuse.net!securitytest>
<<< 554 5.7.1 <abuse.net!securitytest>: Relay access denied

Relay test 16
>>> RSET
<<< 250 2.0.0 Ok
>>> MAIL FROM:<spamt...@mydomain.com>
<<< 250 2.1.0 Ok
>>> RCPT TO:<abuse.net!securityt...@mydomain.com>
<<< 554 5.7.1 <abuse.net!securityt...@mydomain.com>: Relay access denied

Relay test 17
>>> RSET
<<< 250 2.0.0 Ok
>>> MAIL FROM:<spamt...@mydomain.com>
<<< 250 2.1.0 Ok
>>> RCPT TO:<abuse.net!securityt...@[123.123.123.11]>
<<< 554 5.7.1 <abuse.net!securityt...@[123.123.123.11]>: Relay access denied

Relay test result
All tests performed, no relays accepted.

Thank you

On Fri, Jan 2, 2009 at 11:56 PM, J.P. Trosclair <jptroscl...@judelawfirm.com> wrote:
> William Kisman wrote:
>
>> What are the possibilities that the spammer could use my mail server to
>> spam?
>>
>
> First check if your server is an open relay using this service:
> http://www.abuse.net/relay.html
>
> Also if you think that a sasl user/pass has been compromised, change the
> password. You can look through the mail log for an instance where a spam
> passed through and get the id:
>
> Jan 2 07:05:04 mail1 postfix/smtp[26253]: 0B2DC6A009B: <-- This is the id
>
> Once you get the id, you can grep that specific id to get all of the log
> entries related to it, at which point you can see where the connection came
> from and if it was authenticated:
>
> Jan 2 01:05:03 mail1 postfix/smtpd[25860]: 0B2DC6A009B: client=
> mail1.xxx.com[x.x.x.x], sasl_method=LOGIN, sasl_username=johndoe
>
> If the connection was authenticated and you know it should not have been
> and the message should have been rejected, then a password has possibly been
> compromised.
>
> J.P.

-- 
Best regards,
William Kisman
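The log procedure J.P. describes (find the queue id, grep for it, check whether the smtpd line carries a sasl_username) can be automated over a whole log file. The following is an added example, not code from the thread: it groups standard Postfix syslog entries by queue id, records the originating client and SASL account per message, and counts messages per authenticated account so a single credential sending unusual volume stands out. The log lines, queue ids, hosts and addresses are constructed placeholders.

```python
import re
from collections import defaultdict

# One Postfix syslog entry: "<timestamp> <host> postfix/<daemon>[<pid>]: <queue id>: <details>"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(?P<daemon>[\w-]+)\[\d+\]: "
                     r"(?P<qid>[0-9A-Za-z]{6,}): (?P<rest>.*)$")
CLIENT_RE = re.compile(r"client=(?P<client>[^,\s]+)")
SASL_RE = re.compile(r"sasl_username=(?P<user>[^,\s]+)")
TO_RE = re.compile(r"to=<(?P<to>[^>]*)>")

# Constructed sample log (placeholder queue ids, hosts and documentation IPs), not real data.
SAMPLE_LOG = """\
Jan  2 01:05:02 mail1 postfix/smtpd[25860]: connect from mail1.example.com[192.0.2.10]
Jan  2 01:05:03 mail1 postfix/smtpd[25860]: AAAA0000001: client=mail1.example.com[192.0.2.10], sasl_method=LOGIN, sasl_username=johndoe
Jan  2 01:05:04 mail1 postfix/smtp[26253]: AAAA0000001: to=<r1@example.net>, relay=mx.example.net[198.51.100.5]:25, status=sent (250 Ok)
Jan  2 01:05:04 mail1 postfix/smtp[26253]: AAAA0000001: to=<r2@example.net>, relay=mx.example.net[198.51.100.5]:25, status=sent (250 Ok)
Jan  2 01:06:00 mail1 postfix/smtpd[25860]: AAAA0000002: client=mail1.example.com[192.0.2.10], sasl_method=LOGIN, sasl_username=johndoe
Jan  2 01:06:01 mail1 postfix/smtp[26253]: AAAA0000002: to=<r3@example.org>, relay=mx.example.org[198.51.100.9]:25, status=sent (250 Ok)
Jan  2 01:07:00 mail1 postfix/smtpd[25862]: AAAA0000003: client=unknown[203.0.113.7]
Jan  2 01:07:01 mail1 postfix/local[26300]: AAAA0000003: to=<alice@mydomain.com>, relay=local, status=sent (delivered to mailbox)
Jan  2 01:08:00 mail1 postfix/smtpd[25862]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <x@abuse.net>: Relay access denied; from=<y@mydomain.com> to=<x@abuse.net> proto=ESMTP helo=<www.abuse.net>
""".splitlines()


def group_by_queue_id(lines):
    """Group entries by queue id: the equivalent of `grep <id> mail.log` for every id at once."""
    by_qid = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["qid"] != "NOQUEUE":  # NOQUEUE entries are rejections; nothing was queued
            by_qid[m["qid"]].append((m["daemon"], m["rest"]))
    return dict(by_qid)


def summarize(lines):
    """Per queue id: originating client, SASL account (None if unauthenticated), recipients."""
    summary = {}
    for qid, entries in group_by_queue_id(lines).items():
        info = {"client": None, "sasl_username": None, "recipients": []}
        for daemon, rest in entries:
            if daemon == "smtpd":  # the inbound connection: who submitted the message
                c, u = CLIENT_RE.search(rest), SASL_RE.search(rest)
                info["client"] = c["client"] if c else info["client"]
                info["sasl_username"] = u["user"] if u else info["sasl_username"]
            elif daemon in ("smtp", "local", "virtual", "lmtp"):  # the delivery attempts
                t = TO_RE.search(rest)
                if t:
                    info["recipients"].append(t["to"])
        summary[qid] = info
    return summary


def messages_per_sasl_user(lines):
    """Count queued messages per authenticated account; an account sending far more than
    usual is the compromised credential J.P. says to change."""
    counts = defaultdict(int)
    for info in summarize(lines).values():
        if info["sasl_username"]:
            counts[info["sasl_username"]] += 1
    return dict(counts)
```

On a real server, feed it `open("/var/log/mail.log")` instead of SAMPLE_LOG and look for accounts whose count, or whose client IP, does not match the user's normal behaviour.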