Democratic Underground
This topic is archived.
The DU Lounge

NashVegas, Fri Jun-11-04 06:57 AM
Original message
Anyone Here an Email IT/server Guru?
Edited on Fri Jun-11-04 07:31 AM by Crisco
Situation:

Someone has been trying to hack our server at work to send out spam. It's configured in such a way that the only way we can send email from our work address is to be on a company computer w/assigned IP.

Someone, however, has been trying to spoof, and once or twice a day I get a bounce that goes like this:

This is the Postfix program at host smtp03.(our.isp)

I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the message returned below.

The Postfix program

<michael@XXXX.com>: host mail.XXXX.com said: 550 5.1.1
<michael@XXXX.com>... User unknown (in reply to RCPT TO command)

XXXX = our domain. There is no "michael" account.

Reporting-MTA: dns; smtp03.(our isp)
Arrival-Date: Fri, 11 Jun 2004 04:49:49 -0500 (CDT)

Final-Recipient: rfc822; michael@XXXX.com
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host mail.xxxx.com said: 550 5.1.1
<michael@XXXX.com>... User unknown (in reply to RCPT TO command)

Subject:
Date: Sat, 12 Jun 2004 15:36:35 +0600
From: "Lesley Nash" <myaddy@XXXX.com>
To: "Crisco" <myaddy@XXXX.com>

(spam message below)

Any ideas?

ET Awful, Fri Jun-11-04 07:17 AM
Response to Original message
1. Sounds more like Trojan or virus activity to me . . . .
than anything else.

The only other possibility I can think of is that you have an open relay that hasn't been entirely blocked either on your firewall or on your mail server.

What you need to do is block outgoing mail from coming in through the firewall and being relayed.

NashVegas, Fri Jun-11-04 07:28 AM
Response to Reply #1
2. There was a UCE in it
Edited on Fri Jun-11-04 07:30 AM by Crisco
for an insurance company.

Side note: for the second time, I've had an outgoing message refused because our ISP is on the SPEWS list. I wouldn't be at all surprised if the people listed in the complaint are the same folks trying to use us as a relay.

ET Awful, Fri Jun-11-04 07:32 AM
Response to Reply #2
3. That doesn't necessarily disprove the Trojan theory. . .
Edited on Fri Jun-11-04 07:33 AM by ET Awful
Some of the newer trojans are infecting private PC's, using them as relays and in turn using corporate mail server relays.

"Four-fifths of spam now emanates from computers contaminated with Trojan horse infections, according to a study by network management firm Sandvine out this week. Trojans and worms with backdoor components such as Migmaf and SoBig have turned infected Windows PCs into drones in vast networks of compromised zombie PCs.

Sandvine reckons junk mails created and routed by "spam Trojans" are clogging ISP mail servers, forcing unplanned network upgrades and stoking antagonism between large and small ISPs.

Using its own technology, Sandvine was able to identify subscribers bypassing their home mail servers and contacting many mail servers within a short period of time - a sure sign of spam Trojan activity - over sustained periods. It also looked at SMTP error messages returned, which helps to clarify the total volume of spam within the service provider network. "After comparing those data points with the total volume of legitimate messages passing through the service provider's mail system, we are able to arrive at our percentage of 80 per cent," explained Sandvine spokesman Mark De Wolf." . . . .

http://www.bankinfosecurity.com/?q=node/view/1286


I would double and triple check your firewall and server to make absolutely certain that no open relay exists.
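Replies #1 and #3 both come down to "make sure nothing can relay through you." The check below is an added example, not code from this thread and not Postfix's own code: a small Python model of what a Postfix-style server decides at RCPT TO under `smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination`, with a relay recipient table for the domains it relays for. It shows the open-relay misconfiguration (a `mynetworks` that trusts the whole Internet) next to the safe setting, and the accept-then-bounce case that produces a bounce like the one in the original post: the relay accepts mail for a non-existent user in a relay domain and only finds out later that the MX says "550 User unknown". The networks, host names and user list are constructed for the example; the thread's XXXX.com is written as xxxx.com.

```python
import ipaddress

# Constructed policy modelled on Postfix's main.cf parameters of the same
# names. This is an illustration of the decision, not Postfix itself.
SAFE_POLICY = {
    "mynetworks": ["127.0.0.0/8", "203.0.113.0/24"],   # hypothetical company LAN
    "mydestination": {"smtp03.example-isp.net"},       # hypothetical ISP relay host
    "relay_domains": {"xxxx.com"},                     # the customer domain in the thread
    # Valid mailboxes at the relayed domain (constructed); note there is no "michael".
    "relay_recipient_maps": {"crisco@xxxx.com", "postmaster@xxxx.com"},
}

# The open-relay misconfiguration: "trusted" clients are the entire Internet.
OPEN_RELAY_POLICY = dict(SAFE_POLICY, mynetworks=["0.0.0.0/0"])

# Not an open relay, but relays for xxxx.com without knowing its valid users,
# so unknown recipients are accepted now and bounced later (backscatter).
BACKSCATTER_POLICY = dict(SAFE_POLICY, relay_recipient_maps=None)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def _in_networks(ip, nets):
    a = ipaddress.ip_address(ip)
    return any(a in ipaddress.ip_network(n, strict=False) for n in nets)


def rcpt_to(policy, client_ip, rcpt):
    """Return (smtp_code, text) for RCPT TO:<rcpt> sent by client_ip."""
    rcpt = rcpt.lower()
    # permit_mynetworks: our own clients may send to anyone.
    if _in_networks(client_ip, policy["mynetworks"]):
        return 250, "2.1.5 Ok"
    dom = _domain(rcpt)
    # Mail for ourselves is always accepted.
    if dom in policy["mydestination"]:
        return 250, "2.1.5 Ok"
    # Mail for a domain we relay for: accept only if we know the mailbox exists.
    if dom in policy["relay_domains"]:
        table = policy["relay_recipient_maps"]
        if table is not None and rcpt not in table:
            # Rejecting here, during the SMTP session, means the sending
            # host carries the error and we never generate a bounce.
            return 550, (f"5.1.1 <{rcpt}>: Recipient address rejected: "
                         "User unknown in relay recipient table")
        return 250, "2.1.5 Ok"
    # reject_unauth_destination: not ours, not relayed for, stranger asking.
    return 554, f"5.7.1 <{rcpt}>: Relay access denied"


def is_open_relay(policy, probe_ip="198.51.100.7"):
    """The classic probe: an outside client asks us to deliver to an outside mailbox."""
    code, _ = rcpt_to(policy, probe_ip, "victim@elsewhere.example")
    return code == 250


if __name__ == "__main__":
    outsider = "198.51.100.7"
    for name, pol in [("safe", SAFE_POLICY), ("open relay", OPEN_RELAY_POLICY),
                      ("backscatter", BACKSCATTER_POLICY)]:
        print(name, "| open relay:", is_open_relay(pol),
              "| RCPT michael@xxxx.com from outside:",
              rcpt_to(pol, outsider, "michael@xxxx.com"))
```

The point of the third policy is that the bounce in the original post is not itself proof of an open relay: `is_open_relay(BACKSCATTER_POLICY)` is false, yet that server still accepts `michael@xxxx.com` from a stranger and has to bounce it to whatever forged envelope sender the spammer chose.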

NashVegas, Fri Jun-11-04 07:35 AM
Response to Reply #3
4. Thanks

Liberal Classic, Fri Jun-11-04 07:48 AM
Response to Original message
5. Infected computer with a valid IP address?
There are numerous malicious programs that can hijack a machine without the user even being aware. They use a dictionary to pick random user names and recipients, so you never know if it is going to come from a valid user or not. Or you could have a spammer for a customer.

Postfix does stamp the numerical IP address in the header along with the host name. You should be able to track down which customer by which address.

It is unlikely that they are trying to hack your server. Spammers work under the principle of the least work for the most reward. True computer cracking is difficult work. Spammers like easy things, like poorly maintained email servers they can rape or poorly written CGI scripts they can abuse.

Commie Pinko Dirtbag, Fri Jun-11-04 08:00 AM
Response to Original message
6. The final destination of this spam was michael, one of your own customers
...that's why your Postfix accepted it.

But since the account doesn't exist (anymore?) Postfix sent a bounce to the (forged) envelope sender -- you.

About the origin, the best information you have is the first Received: header that lists an untrusted address.
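Reply #5 says Postfix stamps the numeric IP in the header, and reply #6 says the origin is the first Received: header that lists an untrusted address. The script below is an added Python example of that walk (not code from the thread): it reads the Received: headers newest-first, believes a stamp only if it was added by a relay we control, and returns the first hop whose sending IP is not one of ours, together with the timestamp from that stamp for an abuse report. The relay names and IPs and the three sample header sets are constructed for the example; the bounce quoted in the original post did not include its Received: headers.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Relays whose Received: stamps we trust (constructed for this example).
# In the thread these would be the ISP relay smtp03 and the company MX.
TRUSTED_HOSTS = {
    "smtp03.example-isp.net": "192.0.2.3",
    "mail.xxxx.com": "203.0.113.25",
}
TRUSTED_IPS = set(TRUSTED_HOSTS.values())

# Postfix stamps look like: "from HELO (rdns [ip]) by HOST (Postfix) with ...; date"
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\)]*)\s*\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>[\w.-]+)"
)


def parse_hop(value):
    """Parse one Received: header value; None if it is not in the expected form."""
    flat = " ".join(value.split())           # unfold the header
    m = HOP_RE.search(flat)
    if not m:
        return None
    stamped = None
    if ";" in flat:                          # the timestamp follows the last ';'
        try:
            stamped = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            stamped = None
    return {"helo": m["helo"], "rdns": m["rdns"], "ip": m["ip"],
            "by": m["by"], "date": stamped}


def find_origin(raw_message):
    """Return the first untrusted hop as a dict, or None if it cannot be attributed.

    Received: headers are read top-down, i.e. newest first. A stamp is only
    believed if one of our own relays added it; as soon as we reach a stamp
    from a host we do not control we stop, because the sender could have
    forged everything below that point.
    """
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        hop = parse_hop(value)
        if hop is None or hop["by"] not in TRUSTED_HOSTS:
            return None                      # cannot attribute any further
        if hop["ip"] not in TRUSTED_IPS:
            return hop                       # the address to report or block
    return None


# Constructed sample 1: an outside host handed the spam straight to the ISP
# relay and included a forged stamp claiming it came from the company MX.
SAMPLE_DIRECT = (
    "Received: from dsl-pool-23.example.net (unknown [198.51.100.23])\n"
    "\tby smtp03.example-isp.net (Postfix) with SMTP id 7F1C3A2\n"
    "\tfor <michael@xxxx.com>; Fri, 11 Jun 2004 04:49:49 -0500 (CDT)\n"
    "Received: from mail.xxxx.com ([203.0.113.25])\n"
    "\tby dsl-pool-23.example.net with ESMTP; Sat, 12 Jun 2004 15:36:35 +0600\n"
    "From: \"Lesley Nash\" <myaddy@xxxx.com>\n"
    "To: \"Crisco\" <myaddy@xxxx.com>\n"
    "Subject: \n"
    "\n"
    "(spam body)\n"
)

# Constructed sample 2: the message went through the company MX first, so the
# walk must skip that trusted hop and read one stamp further down.
SAMPLE_VIA_MX = (
    "Received: from mail.xxxx.com (mail.xxxx.com [203.0.113.25])\n"
    "\tby smtp03.example-isp.net (Postfix) with ESMTP id 9C0D1E2;\n"
    "\tFri, 11 Jun 2004 04:49:49 -0500 (CDT)\n"
    "Received: from pc-77.example.org (unknown [198.51.100.77])\n"
    "\tby mail.xxxx.com (Postfix) with SMTP id 4B5C6D7;\n"
    "\tFri, 11 Jun 2004 04:49:40 -0500 (CDT)\n"
    "From: \"Lesley Nash\" <myaddy@xxxx.com>\n"
    "To: \"Crisco\" <myaddy@xxxx.com>\n"
    "Subject: \n"
    "\n"
    "(spam body)\n"
)

# Constructed sample 3: the top stamp was not added by us, so nothing is believed.
SAMPLE_UNTRUSTED = (
    "Received: from mail.xxxx.com ([203.0.113.25]) by relay.elsewhere.example\n"
    "\twith ESMTP; Sat, 12 Jun 2004 15:36:35 +0600\n"
    "From: \"Lesley Nash\" <myaddy@xxxx.com>\n"
    "\n"
    "(spam body)\n"
)

if __name__ == "__main__":
    for name, sample in [("direct", SAMPLE_DIRECT), ("via MX", SAMPLE_VIA_MX),
                         ("untrusted top stamp", SAMPLE_UNTRUSTED)]:
        hop = find_origin(sample)
        print(name, "->", hop["ip"] if hop else "cannot attribute",
              hop["date"].isoformat() if hop and hop["date"] else "")
```

The forged stamp in the first sample is exactly why the walk stops at the first stamp that was not made by our own relay: the "from mail.xxxx.com" line below it was written by the spammer, and reading it would point the finger at the company's own server.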

Commie Pinko Dirtbag, Fri Jun-11-04 08:23 AM
Response to Original message
7. Another suggestion
Implement e-mail scanning on your mail server. Configure it to send notifications to an admin account whenever a virus is coming out of a customer's machine. Then you have a choice of actions -- I'd block the address and immediately contact the customer, maybe offering a repair job.

I also work for an ISP, and that's what we do. We use this tool (http://odeiavir.sourceforge.net), which is in the process of being updated to include Exim support (unfortunately, it only works with Qmail and Exim right now). The author is a really cool guy. :evilgrin:

There's Amavis, but it uses Perl, and Perl is a tool of the Devil.

NashVegas, Fri Jun-11-04 09:02 AM
Response to Reply #7
8. We Have That
We've been using Symantec, but that's going to be replaced in the near future ... can't recall the name ... mojo? flofo?

The null emails with our domain on them that are showing up in these are all people who were with the company but left some 7-8 years ago. Someone (obviously) got their hands on an old list.