From: Robert Bonomi
Date: Mon, 16 Aug 2010 13:21:54 -0500 (CDT)
To: freebsd-questions@freebsd.org, norgaard@locolomo.org
Subject: Re: Open Mail Relay
Message-ID: <201008161821.o7GILsQ8004033@mail.r-bonomi.com>

> From: Erik Norgaard
> Date: Sun, 15 Aug 2010 22:15:57 +0200
> To: freebsd-questions@freebsd.org
> Subject: Re: Open Mail Relay
>
> On 15/08/10 13.57, peter@vfemail.net wrote:
>
> > Assume, as Mr. Bonomi suggests, that some bad guy has installed some type of additional mailer on the machine or another machine that's allowed to relay mail. How would I go about locating that other mailer?
>
> If the messages are indeed relayed through your server then you can see
> it in the logs and in the Received header field which host is sending
> the mail to your server.

*IF* it is just a case of the 'intended to be used' mail server is mis-configured, and allowing relaying, that is correct.
*IF*, OTOH, the machine has been broken-into/compromised/"owned", then the 'bad guys' are fully capable of installing their _own_ mail-sending software --software that does *NOT* record anything in the normal log files. This kind of software is 'maliciously built' to leave *no* tracks with regard to incoming _or_ outgoing connections from/to other hosts.

> If somebody forges mail to appear to come from your domain, but not
> relayed through your server there is really not much you can do. Only
> the recipient server can reject the mails.
>
> Some servers support spf and you can help other servers know that mail
> from your domain must originate from your server by adding a txt entry
> in your dns.
>
> BR, Erik
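The check Erik describes (reading the Received chain of a sample message to see which host handed it to your relay, or that it never went through your relay at all), as an added Python example that is not from this thread; the relay name mx.example.org, the other host names and addresses, and both sample messages are constructed.

```python
import email
import re

# Constructed sample: a message that really passed through our relay. The hop
# our relay (mx.example.org) stamped records who handed it in: ws17 at 10.1.2.17.
RELAYED = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.recipient.example (Postfix) with ESMTP id 1A2B3C; Sun, 15 Aug 2010 22:15:57 +0200
Received: from ws17 (ws17.internal.example.org [10.1.2.17])
\tby mx.example.org (Postfix) with ESMTP id 4D5E6F; Sun, 15 Aug 2010 22:15:50 +0200
From: someone@example.org

body
"""

# Constructed sample: forged to look like ours, but no hop was stamped by our relay.
FORGED = """\
Received: from mx.example.org (unknown [198.51.100.7])
\tby mail.recipient.example (Postfix) with ESMTP id 7G8H9I; Sun, 15 Aug 2010 22:16:01 +0200
From: someone@example.org

body
"""

# "from <helo-name> (<reverse-dns> [<ip>]) ... by <receiving-host>"
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?:[^\[\)]*)\[(?P<ip>[0-9a-f.:]+)\])?"
    r".*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE,
)

def received_hops(raw):
    """Parse the Received headers, newest first, into (helo, ip, by) tuples."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(re.sub(r"\s+", " ", value))  # unfold continuation lines
        if m:
            hops.append((m["helo"].lower(), m["ip"], m["by"].lower().rstrip(";")))
    return hops

def find_submitter(raw, our_relays):
    """(helo, ip) of the host that handed the message to one of our relays, or None
    when no hop was stamped by our server (forged to look like ours, not relayed).
    Only the hop our own server wrote is trustworthy: hops below it are supplied by
    the sender, and the HELO name is client-chosen; the bracketed IP is what we saw."""
    ours = {h.lower() for h in our_relays}
    for helo, ip, by in received_hops(raw):
        if by in ours:
            return helo, ip
    return None
```

The IP returned for the relayed case is the one to look up in your own mail logs; a host that submits mail through your relay shows up there even if its own mailer writes nothing locally.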