On 7/04/2011, at 5:19 PM, Steve Holdoway wrote:
To answer a few privately asked questions...
sendmail (which has greylisting, Spamhaus RBL, greet pause running) sees the traffic as coming from a 192.168.x.x address, which negates all the access controls in place.
However, Wireshark sees the SMTP traffic as coming from the external IP addresses...
(I'm saying what I see as I don't want to use the wrong terminology... I'm only a sysadmin!)
We're talking to Telstra, and it looks like the simplest solution will be to move addresses. Which will work - until next time! Would be nice to be better prepared though.

SMTP uses TCP which means address spoofing like you describe can't work. Perhaps the mail is coming from an internal host, to the mail server in your office, and then is being sent from your mail server out to spam recipients - i.e. you are sending the spam because of a virus or something. This would explain the connections outside your office.

--
Nathan Ward
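
One way to test the internal-host explanation above, as an added example that is not part of the original thread: tally the messages and recipients that sendmail accepted per connecting relay address and list the RFC 1918 sources, busiest first. The log lines are constructed samples in sendmail's `from=` log format, and the function names and addresses are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in sendmail's log format (not taken from the thread).
SAMPLE_LOG = """\
Apr  7 17:01:02 mx sendmail[2101]: p3751Aa1: from=<a@example.org>, size=2110, class=0, nrcpts=1, msgid=<1@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [203.0.113.25]
Apr  7 17:01:05 mx sendmail[2102]: p3751Bb2: from=<x1@example.net>, size=900, class=0, nrcpts=50, msgid=<2@pc40>, proto=SMTP, daemon=MTA, relay=[192.168.1.40]
Apr  7 17:01:06 mx sendmail[2103]: p3751Cc3: from=<x2@example.net>, size=910, class=0, nrcpts=48, msgid=<3@pc40>, proto=SMTP, daemon=MTA, relay=[192.168.1.40]
Apr  7 17:01:07 mx sendmail[2104]: p3751Cc3: to=<v@example.com>, delay=00:00:01, mailer=esmtp, relay=mx.example.com. [198.51.100.9], dsn=2.0.0, stat=Sent
Apr  7 17:01:09 mx sendmail[2105]: p3751Dd4: from=<b@example.com>, size=3300, class=0, nrcpts=1, msgid=<4@example.com>, proto=ESMTP, daemon=MTA, relay=out.example.com [198.51.100.7]
Apr  7 17:01:11 mx sendmail[2106]: p3751Ee5: from=<x3@example.net>, size=905, class=0, nrcpts=50, msgid=<5@pc40>, proto=SMTP, daemon=MTA, relay=[192.168.1.40]
Apr  7 17:02:30 mx sendmail[2107]: p3752Ff6: from=<staff@example.org>, size=1800, class=0, nrcpts=1, msgid=<6@pc12>, proto=ESMTP, daemon=MTA, relay=pc12.lan [192.168.1.12]
"""

# Only inbound "from=" records; "to=" delivery records also carry relay= and are skipped.
FROM_RE = re.compile(
    r"from=<[^>]*>.*?\bnrcpts=(\d+),.*\brelay=(?:\S+ )?\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]"
)

# Explicit RFC 1918 ranges: ipaddress.is_private also covers documentation
# and other special-purpose ranges, which is broader than wanted here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def tally_relays(log_text):
    """Return (messages, recipients) Counters keyed by connecting relay address."""
    msgs, rcpts = Counter(), Counter()
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # bracketed text that is not a valid address
        msgs[ip] += 1
        rcpts[ip] += int(m.group(1))
    return msgs, rcpts


def internal_senders(log_text):
    """List (address, messages, recipients) for RFC 1918 relays, most recipients first."""
    msgs, rcpts = tally_relays(log_text)
    rows = [(str(ip), msgs[ip], rcpts[ip]) for ip in msgs
            if any(ip in net for net in RFC1918)]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for addr, n_msgs, n_rcpts in internal_senders(SAMPLE_LOG):
        print(f"{addr}: {n_msgs} messages, {n_rcpts} recipients")
```

A private address carrying most of the recipient volume is the host to inspect first.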