Yousef Raffah wrote:
On Sat, 2006-03-25 at 11:35 +0100, mouss wrote:
Yousef Raffah wrote:
Hello Everyone,

I've been under a spam storm for the last two days and most of the
messages I get are similar to the one below, a message for
[EMAIL PROTECTED]. I really don't understand how I'm receiving
such messages! Can someone help me prevent these messages?
You'll need to check your postfix logs.

Return-Path: <>
Received: from 10.0.0.4 by ocs.savola.com with ESMTP id
50091021143204306; Fri, 24 Mar 2006 15:45:06 +0300
Received: from kansai.savoladns.com ([10.0.0.3]) by Savola_Proxy2 with
InterScan Messaging Security Suite; Fri, 24 Mar 2006 16:07:03 +0300
X-Envelope-From: <[EMAIL PROTECTED]>
X-Envelope-To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
<[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
X-Quarantine-Id: <ieTYZkD94JBN>
Received: from 54156D58 (localhost [127.0.0.1]) by kansai.savoladns.com
(Postfix) with SMTP id 2AE131020D; Fri, 24 Mar 2006 15:56:34 +0300 (AST)
So your postfix received it from localhost with helo=54156D58 (not very standard....).

X-Apparently-To: [EMAIL PROTECTED] via dress.prima.com; Fri, 24 Mar
2006 07:55:04 -0500
Received: from skin  (HELO pencil.prima.com) by small.prima.com with
This is not generated by postfix. Is prima.com your system? If so, what is this "skin"? If not yours, configure your small.prima.com to reject the forged HELO (skin is HELOing as pencil.prima.com).

If small.prima.com isn't yours, then you have a problem on kansai.savoladns.com: it got the mail from localhost. Vulnerable CGI/web form? Open proxy?

I guess you pointed it out correctly, I had a proxy server running for
test purposes and I guess it allowed passing the messages "somehow" to
the mailserver as I can see in the proxy logs something like:

1143268316.235 112970 209.172.32.52 TCP_MISS/200 39 CONNECT
206.16.192.227:25 - DIRECT/206.16.192.227 -

Anyhow, the problem is solved now as I have shut down the proxy server.
Thanks for all your help :)


When using a proxy, always make sure it only accepts connections from as few hosts as possible. Also give them private IPs so that you can configure your postfix not to trust them (so they are not in mynetworks). This is not enough, but it reduces the risks.
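The proxy log line quoted earlier in the thread is exactly the kind of record an administrator would want to spot before a relay is abused: a CONNECT tunnel to port 25 opened by an outside address. The script below is an added example, not part of the thread or of squid or postfix. It parses squid-style native access.log lines, assumes (as a placeholder for this example) that only hosts on 10.0.0.0/8 are supposed to use the proxy, and reports every CONNECT to a mail port that came from anywhere else. The first sample line is the one quoted in the thread; the others are constructed with RFC 5737 documentation addresses.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Squid native access.log layout, one request per line, in the order squid writes the fields:
#   <unix time> <elapsed ms> <client ip> <result/status> <bytes> <method> <url> <ident> <hierarchy/peer> [<mime type>]
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)(?:\s+(?P<mime>\S+))?\s*$"
)

# Ports an SMTP tunnel through the proxy would aim at (25 is what the log in the thread shows).
MAIL_PORTS = {25, 465, 587}

# Assumption for this example: only hosts on 10.0.0.0/8 are supposed to use the proxy.
DEFAULT_TRUSTED_NETS = (ipaddress.ip_network("10.0.0.0/8"),)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in squid native format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def connect_target(url):
    """Split the host:port target of a CONNECT request; None if it does not look like one."""
    host, sep, port = url.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return host, int(port)


def is_trusted(client, trusted_nets=DEFAULT_TRUSTED_NETS):
    """True when the client address belongs to a network allowed to use the proxy."""
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:
        return False
    return any(ip in net for net in trusted_nets)


def find_smtp_tunnels(lines, trusted_nets=DEFAULT_TRUSTED_NETS):
    """Flag CONNECT tunnels to mail ports opened by clients outside the trusted networks."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        target = connect_target(rec["url"])
        if target is None or target[1] not in MAIL_PORTS:
            continue
        if is_trusted(rec["client"], trusted_nets):
            continue  # internal host reaching a mail port: allowed, not a sign of abuse by itself
        when = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
        findings.append({
            "time": when.isoformat(),
            "client": rec["client"],
            "host": target[0],
            "port": target[1],
            "result": rec["result"],
        })
    return findings


# Sample input: the first line is the one quoted in the thread; the rest are constructed
# (RFC 5737 documentation addresses) to show what is and is not flagged.
SAMPLE_LOG = [
    "1143268316.235 112970 209.172.32.52 TCP_MISS/200 39 CONNECT 206.16.192.227:25 - DIRECT/206.16.192.227 -",
    "1143268320.001 250 10.0.0.15 TCP_MISS/200 1024 CONNECT www.example.com:443 - DIRECT/192.0.2.10 -",
    "1143268321.500 30 198.51.100.7 TCP_MISS/200 39 CONNECT mail.example.net:587 - DIRECT/192.0.2.25 -",
    "1143268322.000 15 10.0.0.4 TCP_MISS/200 39 CONNECT 192.0.2.25:25 - DIRECT/192.0.2.25 -",
    "1143268323.000 10 203.0.113.9 TCP_HIT/200 512 GET http://www.example.org/ - NONE/- text/html",
]

if __name__ == "__main__":
    for f in find_smtp_tunnels(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} -> {f['host']}:{f['port']} ({f['result']})")
```

Run against the sample, it reports the thread's own line (an outside client tunnelling to port 25) and the constructed tunnel to port 587, while the internal client's CONNECT to port 25, the HTTPS tunnel and the plain GET are ignored. The same check is cheap to run from cron over the live log; a hit means the proxy's access controls let an outside host reach SMTP, which is precisely what mouss's advice about restricting proxy clients and keeping the proxy out of mynetworks is meant to prevent.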
