From owner-freebsd-questions@FreeBSD.ORG Tue Sep 19 22:57:56 2006
From: "Derrick Ryalls" <ryallsd@gmail.com>
To: freeBSD <freebsd-questions@freebsd.org>
Date: Tue, 19 Sep 2006 15:57:54 -0700
Subject: Mail server relaying spam, but how?
List-Id: User questions

The problem is over and the machines in question have been rebuilt from scratch, but I am still curious as to how it could have happened. Many weeks ago I noticed that my mail server was dealing with about 4x the amount of mail it normally does.

After much digging I was able to trace it back to my brother's machine (different network, different location), who happens to be my secondary DNS. I mention the DNS part since most of the spam being sent to my system was addressed to domains I host. In any case, the machine sending me all the spam was not his mail server, but his router. Since his actual mail server lives within his network, all port 25 traffic should have been diverted to his internal machine, so it doesn't seem likely to have been a normal open relay issue. His router had qmail installed on it, and was running FreeBSD 4.5, but aside from the huge amount of mail coming out of it I didn't see any abnormal activity on the machine.

So the question becomes, how does a router with port 25/993 directed to the internal network start relaying gobs of spam, and why is all (?) mail directed at my domains in particular? I didn't see any new accounts on the machine, nor any strange processes. As soon as I shut down all of qmail's processes the problem went away. Any thoughts on this?
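The check a reader would want to run against a box in this state is a relay probe: open an SMTP session, offer a recipient in a domain the server hosts and then one in a foreign domain, and see which RCPT TO the server accepts. The script below is an added example, not code from the original post, from qmail or from FreeBSD. It stops before DATA, so nothing is queued. The FakeSMTPServer class is a constructed stand-in for the MTA under test so the example runs offline; the host names and addresses are made up. When probing a router that forwards port 25 inward, aim relay_probe at the router's own addresses and interfaces as well as the forwarded port, since a daemon on the router itself answers on whatever the forwarding rule does not cover.

```python
"""Relay probe: does an MTA accept mail for domains it does not host?

Added example, not from the original mailing-list post.  Speaks plain SMTP
(HELO/MAIL/RCPT/RSET/QUIT) and stops before DATA, so nothing is queued.
FakeSMTPServer is a constructed stand-in so the example runs offline.
"""
import socket
import threading


def _read_reply(f):
    """Read one SMTP reply (possibly multi-line) and return (code, text)."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":   # "250-..." continues, "250 ..." ends
            break
    return int(lines[-1][:3]), "\n".join(lines)


def _send(sock, f, cmd):
    sock.sendall((cmd + "\r\n").encode("ascii"))
    return _read_reply(f)


def relay_probe(host, port, mail_from, rcpt_to, helo="probe.invalid", timeout=5):
    """Return (accepted, reply_text): would this server queue mail for rcpt_to?"""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        code, text = _read_reply(f)                      # greeting
        if code != 220:
            return False, text
        for cmd in (f"HELO {helo}", f"MAIL FROM:<{mail_from}>"):
            code, text = _send(sock, f, cmd)
            if code != 250:
                return False, text
        code, text = _send(sock, f, f"RCPT TO:<{rcpt_to}>")
        _send(sock, f, "RSET")                           # abandon the transaction
        sock.sendall(b"QUIT\r\n")
        return code in (250, 251), text


def classify_relay(host, port, hosted_domain):
    """Probe twice: a hosted recipient must be accepted, a foreign one refused."""
    sender = "probe@probe.invalid"                       # made-up probe sender
    hosted_ok, hosted_reply = relay_probe(host, port, sender, f"postmaster@{hosted_domain}")
    foreign_ok, foreign_reply = relay_probe(host, port, sender, "someone@elsewhere.invalid")
    return {
        "accepts_hosted": hosted_ok,
        "relays_foreign": foreign_ok,                    # True means open relay
        "hosted_reply": hosted_reply,
        "foreign_reply": foreign_reply,
    }


class FakeSMTPServer:
    """Constructed test MTA: accepts RCPT for local_domains, or for anything if open_relay."""

    def __init__(self, local_domains, open_relay=False):
        self.local_domains = {d.lower() for d in local_domains}
        self.open_relay = open_relay
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return                                   # listener closed
            threading.Thread(target=self._session, args=(conn,), daemon=True).start()

    def _session(self, conn):
        with conn:
            try:
                f = conn.makefile("rb")
                conn.sendall(b"220 fake.invalid ESMTP\r\n")
                for raw in f:
                    line = raw.decode("ascii", "replace").rstrip("\r\n")
                    verb = line.split(" ", 1)[0].upper()
                    if verb == "QUIT":
                        conn.sendall(b"221 bye\r\n")
                        return
                    if verb == "RCPT":
                        addr = line.split(":", 1)[1].strip().strip("<>")
                        domain = addr.rsplit("@", 1)[-1].lower()
                        if self.open_relay or domain in self.local_domains:
                            conn.sendall(b"250 OK\r\n")
                        else:
                            conn.sendall(b"554 5.7.1 relay access denied\r\n")
                    elif verb in ("HELO", "EHLO", "MAIL", "RSET", "NOOP"):
                        conn.sendall(b"250 OK\r\n")
                    else:
                        conn.sendall(b"502 command not implemented\r\n")
            except OSError:
                pass

    def close(self):
        try:
            self.sock.shutdown(socket.SHUT_RDWR)         # wake the accept() loop
        except OSError:
            pass
        self.sock.close()


if __name__ == "__main__":
    srv = FakeSMTPServer(local_domains=["example.org"])
    print(classify_relay("127.0.0.1", srv.port, "example.org"))
    srv.close()
```

A result of accepts_hosted=True, relays_foreign=False is what a correctly configured MTA returns; relays_foreign=True is an open relay. Run it against each address the router answers on, not just the one the port-forward covers, and compare the HELO greeting you get back with the banner of the internal mail server to confirm which daemon is actually answering.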