On Thu, 2011-04-07 at 17:22 +1200, Nathan Ward wrote:
On 7/04/2011, at 5:19 PM, Steve Holdoway wrote:
To answer a few privately asked questions...
sendmail (which has greylisting, Spamhaus RBL, greet pause running) sees the traffic as coming from a 192.168.x.x address, which negates all the access controls in place.
However, wireshark sees the SMTP traffic as coming from the external IP addresses...
(I'm saying what I see as I don't want to use the wrong terminology... I'm only a sysadmin!)
We're talking to Telstra, and it looks like the simplest solution will be to move addresses. Which will work - until next time! Would be nice to be better prepared though.
SMTP uses TCP which means address spoofing like you describe can't work. Perhaps the mail is coming from an internal host, to the mail server in your office, and then is being sent from your mail server out to spam recipients - ie. you are sending the spam because of a virus or something. This would explain the connections outside your office.
-- Nathan Ward

This was my first thought, and I've thought further. I know it's external as if I drop the port forwarding from the firewall, the problem disappears.

Said mail server is a KVM VPS, and the IP address seen by sendmail is that of the physical host, so I now think it's some artefact of the bridging used (all physical and virtual servers are on the same subnet). I think I need to read more on this. Any pointers, keywords I should look out for?
Cheers,
Steve
--
Steve Holdoway BSc(Hons) MNZCS
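An added check, not part of the thread and not anyone's production tooling, that illustrates the symptom Steve describes: it parses sendmail-style `relay=` log lines, flags RFC 1918 relay addresses that are not a known LAN submitter (the signature of a NAT gateway or hypervisor bridge standing in for the real client), and correlates the MTA's view against the source addresses a packet capture saw on port 25. The log lines, the wire connection list and the KNOWN_INTERNAL_SENDERS set are constructed; `rbl_query_name` only builds the reversed-octet lookup name for the real zen.spamhaus.org zone and performs no DNS query.

```python
"""Spot SMTP sessions the MTA attributed to a private (RFC 1918) relay although the
wire shows a public client. When NAT or bridging rewrites the source, greylisting
and RBL checks keyed on the peer address are silently sidestepped."""
import ipaddress
import re

# Constructed sample lines in sendmail's 'from=' log format (not from the thread).
SENDMAIL_LOG = """\
Apr  7 17:20:01 mx sendmail[1234]: p37520abc: from=<a@example.net>, size=2048, nrcpts=1, relay=[192.168.0.2]
Apr  7 17:20:05 mx sendmail[1240]: p37520abd: from=<b@example.org>, size=1500, nrcpts=1, relay=mail.example.org [203.0.113.10]
Apr  7 17:20:09 mx sendmail[1250]: p37520abe: from=<c@example.com>, size=900, nrcpts=1, relay=[192.168.0.2]
Apr  7 17:20:12 mx sendmail[1260]: p37520abf: from=<d@example.com>, size=700, nrcpts=1, relay=[192.168.0.40]
"""

# Constructed list of (source IP, destination port) for TCP connections observed
# on the wire in the same window, i.e. what a capture on the mail server shows.
WIRE_CONNECTIONS = [
    ("198.51.100.7", 25),
    ("203.0.113.10", 25),
    ("198.51.100.9", 25),
    ("192.168.0.40", 25),
]

# Assumed set of LAN hosts that legitimately submit mail through this server.
KNOWN_INTERNAL_SENDERS = {"192.168.0.40"}

# sendmail logs either 'relay=[ip]' or 'relay=hostname [ip]'.
LOG_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=.*relay=(?:\S+ )?\[(?P<ip>[0-9A-Fa-f.:]+)\]"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True for IPv4 addresses in the three RFC 1918 private ranges only."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def parse_relays(log_text):
    """Return [(queue_id, relay_ip), ...] for every 'from=' line with a relay address."""
    out = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            out.append((m.group("qid"), m.group("ip")))
    return out


def unexplained_private_relays(relays, known_internal=KNOWN_INTERNAL_SENDERS):
    """Private relay addresses that are not a known LAN submitter. A NAT gateway or
    the hypervisor's bridge address appearing here means external clients are being
    logged (and access-controlled) as if they were internal."""
    return sorted({ip for _, ip in relays if is_rfc1918(ip) and ip not in known_internal})


def wire_vs_mta(relays, wire_connections):
    """Public source addresses that connected to port 25 on the wire but never appear
    as a relay in the MTA log: the MTA is seeing somebody else's address for them."""
    logged = {ip for _, ip in relays}
    wire_public = {ip for ip, port in wire_connections if port == 25 and not is_rfc1918(ip)}
    return sorted(wire_public - logged)


def rbl_query_name(ip, zone="zen.spamhaus.org"):
    """DNSBL lookup name for an IPv4 address (octets reversed, zone appended).
    For an RFC 1918 address no public list can ever answer, so the RBL check
    degrades to 'not listed' and admits the connection."""
    octets = ip.split(".")
    return ".".join(reversed(octets)) + "." + zone


if __name__ == "__main__":
    relays = parse_relays(SENDMAIL_LOG)
    print("unexplained private relays:", unexplained_private_relays(relays))
    print("public clients hidden from the MTA:", wire_vs_mta(relays, WIRE_CONNECTIONS))
    for ip in unexplained_private_relays(relays):
        print("RBL query that will never match:", rbl_query_name(ip))
```

Run against real sendmail logs and a capture taken on the mail server itself, the two functions give you the same two views Steve compared by hand: if `unexplained_private_relays` keeps returning one address (the firewall or the VPS host) and `wire_vs_mta` keeps returning public clients, the access controls are being evaluated against the wrong peer and moving addresses will not fix the underlying rewrite.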