Subject: Re: system possibly compromised
To: None <rgfisch@excite.com, netbsd-help@netbsd.org>
From: Richard Rauch <rkr@olib.org>
List: netbsd-help
Date: 02/24/2004 19:46:32
Some random thoughts:

 * Do you have copies of at least the headers of the alleged spam?  It may
   help you to check that.  I don't recall that you said if you had those
   so I am asking.

 * Have you had your system checked for open relays?  You might have a
   relay that you don't know about.

 * The MyDoom virus, as I recall, was doing something that spammers could
   do to "bankshot" spam off of your box: It sent mail to a non-existent
   address at your machine, and lied about the origin of the email.
   By default, Postfix does not check your /etc/passwd (or any other)
   database before accepting the message.  After it has accepted it
   and closed the SMTP connection, it finds that the address doesn't
   exist after all, and tries to bounce the message.

   That's where it goes out to whomever the sender chose.

   I was surprised to see this was the default, but the mechanism
   appears to be ripe for spammers to use as well as viruses.  (Unless
   I have misunderstood something.)  Closing it involves checking your
   local user database before accepting the email.  (Postfix can
   directly read your passwd file.)

   Spam propagated this way will have the form of a bounce message,
   after it leaves your system.


-- 
  "I probably don't know what I'm talking about."  http://www.olib.org/~rkr/
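The fix the mail above describes (checking the local user database before the message is accepted, so that no bounce is ever generated toward a forged sender) corresponds to the following Postfix main.cf settings. This is an added configuration example, not part of the original mail; the parameter names are real Postfix parameters, but the file is a constructed fragment and assumes a standard Unix passwd database and the default alias maps.

```ini
# Added example (not from the original mail): Postfix main.cf fragment
# that rejects mail for unknown local users during the SMTP dialogue,
# instead of accepting it and bouncing it later to a possibly forged sender.

# Where Postfix looks up valid local recipients: the system passwd
# database (via the proxymap service) plus the alias maps.
local_recipient_maps = proxy:unix:passwd.byname $alias_maps

# Reject RCPT TO for addresses not present in the recipient tables.
# Available in Postfix 2.1 and later; on older releases setting
# local_recipient_maps alone is what enables the check.
smtpd_reject_unlisted_recipient = yes

# SMTP reply code used for the rejection (550 = permanent failure, so the
# sending side, not this machine, is responsible for any bounce).
unknown_local_recipient_reject_code = 550
```

After `postfix reload`, an SMTP session that issues `RCPT TO:` for a nonexistent local user should receive a `550` reply immediately, and the mail log should stop showing bounces being generated for such addresses. If the machine also relays for other domains, those domains need their own recipient tables (`relay_recipient_maps`), otherwise the same accept-then-bounce behaviour remains for them.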