Date: Mon, 16 Aug 2010 13:21:54 -0500 (CDT)
From: Robert Bonomi <bonomi@mail.r-bonomi.com>
To: freebsd-questions@freebsd.org, norgaard@locolomo.org
Subject: Re: Open Mail Relay
Message-ID: <201008161821.o7GILsQ8004033@mail.r-bonomi.com>
> From owner-freebsd-questions@freebsd.org Sun Aug 15 15:15:43 2010
> Date: Sun, 15 Aug 2010 22:15:57 +0200
> From: Erik Norgaard <norgaard@locolomo.org>
> To: freebsd-questions@freebsd.org
> Subject: Re: Open Mail Relay
>
> On 15/08/10 13.57, peter@vfemail.net wrote:
>
> > Assume, as Mr. Bonomi suggests, that some bad guy has installed some
> > type of additional mailer on the machine or another machine that's
> > allowed to relay mail. How would I go about locating that other mailer?
>
> If the messages are indeed relayed through your server then you can see
> it in the logs and in the Received header field which host is sending
> the mail to your server.

*IF* it is just a case of the 'intended to be used' mail server being
mis-configured, and allowing relaying, that is correct.

*IF*, OTOH, the machine has been broken-into/compromised/"owned", then the
'bad guys' are fully capable of installing their _own_ mail-sending software
-- software that does *NOT* record anything in the normal log files. This
kind of software is 'maliciously built' to leave *no* tracks with regard to
incoming _or_ outgoing connections from/to other hosts.

> If somebody forges mail to appear to come from your domain, but not
> relayed through your server there is really not much you can do. Only
> the recipient server can reject the mails.
>
> Some servers support spf and you can help other servers know that mail
> from your domain must originate from your server by adding a txt entry
> in your dns.
>
> BR, Erik
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
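The Received-chain walk Erik describes, as an added example that is not part of the thread: it parses a constructed message and reports which host handed the mail to your own server, assuming your server's hostname is mail.example.org (all hostnames and addresses below are made up).

```python
import re
from email import message_from_string

# Constructed sample message (not from the thread). Received headers are
# prepended by each hop, so the top one is the hop closest to the recipient.
SAMPLE_MSG = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.recipient.example (Postfix) with ESMTP id 123ABC
\tfor <user@recipient.example>; Sun, 15 Aug 2010 22:15:57 +0200
Received: from laptop.attacker.example (unknown [198.51.100.7])
\tby mail.example.org (Sendmail) with ESMTP id o7FKFv00;
\tSun, 15 Aug 2010 22:15:55 +0200
Received: from [10.0.0.5] (localhost [127.0.0.1])
\tby laptop.attacker.example with SMTP;
\tSun, 15 Aug 2010 22:15:50 +0200
From: someone@example.org
To: user@recipient.example
Subject: test

body
"""

# "from <host> ... by <host>" is the common shape of a Received clause.
RECEIVED_RE = re.compile(r"^from\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+)", re.S)


def parse_received(raw):
    """Return (from_host, by_host) hops in transit order, earliest hop first."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        flat = " ".join(hdr.split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append((m.group("frm"), m.group("by")))
    return list(reversed(hops))


def relay_source(raw, our_host):
    """Host that handed the message to our_host, or None if no hop was
    received by our_host (the mail did not transit our server at all).
    Only the hop your own server stamped, and later ones, are trustworthy:
    anything earlier in the chain was written by the sender."""
    for frm, by in parse_received(raw):
        if by.lower() == our_host.lower():
            return frm
    return None
```

With the sample above, relay_source(SAMPLE_MSG, "mail.example.org") names laptop.attacker.example as the host that used your server to relay; the hop beneath it is sender-supplied and should not be taken at face value.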