I'd take a look at this URL:
http://www.unixwiz.net/techtips/postfix-HELO.html
I had the same problem and now I'm rejecting a ton of these (approximately
50% of inbound mail is associated like this).
Tom
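For readers without that page: the HELO checks it describes, together with the sender check that most directly addresses Eric's symptom, look like this in Postfix. This is an added example, not configuration from the thread or from the unixwiz page: mydomain.com, gateway.mydomain.com and 203.0.113.10 are assumed placeholders for the local domain and the gateway's own name and public address, and the restriction names are the current ones (Postfix 2.3 and later; on older releases the two HELO checks are spelled reject_invalid_hostname and reject_non_fqdn_hostname).

```conf
# /etc/postfix/main.cf (fragment). Added example; mydomain.com,
# gateway.mydomain.com and 203.0.113.10 are assumed placeholders.
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access hash:/etc/postfix/helo_access,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname

# Outside clients may not use an envelope sender in our own domain.
# permit_mynetworks (and permit_sasl_authenticated, if you relay for
# authenticated users) must come first so our own outbound mail passes.
smtpd_sender_restrictions =
    permit_mynetworks,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain

# Grant's two suggestions below: require a reverse DNS entry for the
# connecting client, and consult a DNS blocklist. The milder reverse
# check is used here; reject_unknown_client_hostname also demands that
# the PTR name resolve back to the IP and rejects more legitimate mail.
smtpd_client_restrictions =
    permit_mynetworks,
    reject_unknown_reverse_client_hostname,
    reject_rbl_client zen.spamhaus.org

# /etc/postfix/helo_access: an outside host that HELOs with our name is lying.
mydomain.com            REJECT forged HELO
gateway.mydomain.com    REJECT forged HELO
203.0.113.10            REJECT forged HELO

# /etc/postfix/sender_access: looked up by full address, then domain, then
# parent domains, so this one line covers every user@mydomain.com.
mydomain.com            REJECT sender domain not accepted from outside
```

Build the lookup tables with postmap /etc/postfix/helo_access /etc/postfix/sender_access and run postfix reload. The sender check is the one that needs thought: it also rejects legitimate mail that arrives from outside carrying your users' envelope sender, for instance a user submitting through an ISP relay or a forwarder that preserves the original sender, the same class of breakage Grant warns about below for tying the sender domain to the reverse lookup; exempt such hosts with a check_client_access table placed ahead of it. It only sees the envelope sender, so a forged From: header on an otherwise clean envelope still gets through and has to be caught on the message headers instead.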
From: "Sturgis, Grant"
Date: Wed, 21 Jul 2004 11:45:36 -0600
To: ,
Subject: RE: [suse-security] Email Spoofing
Eric,
It is possible to send multiple emails with one "connect / disconnect"
session even to different recipients and from different "MAIL FROM"
addresses. Only the original connect and the final quit will be logged.
Two ways to minimize the spoofing problem:
1. Enforce reverse DNS lookups on the connecting IP address.
2. RBL subscriptions, for what those are worth.
Another option (not necessarily recommended) is to force the "from" domain
to match the reverse lookup completed on the connecting IP address. This
will break many email attempts from legitimate sources because the SMTP
servers don't necessarily belong to the sending domain (MX gateway services,
for instance).
Is that the question you are asking?
HTH,
Grant
-----Original Message-----
From: Eric Kahklen [mailto:eric@kahklen.com]
Sent: Wednesday, July 21, 2004 11:08 AM
To: suse-security@suse.com
Subject: [suse-security] Email Spoofing
We are using Suse 9.0 Professional. I am getting email that is claiming
to be from my domain, and the Postfix logs confirm it is from an outside
IP. After searching the logs, I figured out where the connection
initiated, and then the regular SMTP traffic proceeded with the spoofed
email address (user@mydomain.com) to my real user's email address
(realusers@mydomain.com). The unique identifiers helped me correlate
the traffic. There were two other email sessions that, based on their
unique identifier, did not have the full SMTP process. For example, this
is all that is entered in the logs for the unique process. I usually
see a connect and disconnect process before and after this, and the
random character user does not exist! BTW, this is a mail gateway for
Exchange.
Any ideas??
Jul 20 11:54:59 gateway postfix/smtp[10247]: 649E6AD30:
to=, relay=10.0.0.5[10.0.0.5], delay=14, status=sent
(250 2.6.0 Queued mail for delivery)
Jul 20 11:55:10 gateway postfix/smtp[10247]: 8BFB2AD43:
to=, relay=10.0.0.5[10.0.0.5], delay=25, status=sent
(250 2.6.0 Queued mail for delivery)
Thanks,
Eric
--
______________________________________________________________________
Eric Kahklen, MS
530 4th Ave. W.
Seattle, WA
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
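Grant's point that one connect/disconnect can carry several messages, and Eric's use of the queue id to tie log lines together, can be turned into a small log check. The script below is an added example, not code from the thread: it reconstructs SMTP sessions from Postfix syslog lines, counts the messages accepted in each, and flags messages whose envelope sender claims the local domain while the client IP is outside the internal networks. The sample log is constructed (documentation addresses 203.0.113.7 and 198.51.100.9, the thread's 10.0.0.5 relay, mydomain.com as the local domain) and modelled on the lines Eric posted; real logs will have more line types, which the parser simply skips.

```python
import ipaddress
import re

# Constructed sample log in Postfix syslog format, modelled on the thread's
# lines (not taken from the original post): one outside client sends two
# messages in a single connect/disconnect session, both with MAIL FROM in our
# own domain; a third message arrives from the internal Exchange relay.
SAMPLE_LOG = """\
Jul 20 11:54:40 gateway postfix/smtpd[10231]: connect from unknown[203.0.113.7]
Jul 20 11:54:45 gateway postfix/smtpd[10231]: 649E6AD30: client=unknown[203.0.113.7]
Jul 20 11:54:45 gateway postfix/qmgr[1201]: 649E6AD30: from=<user@mydomain.com>, size=2048, nrcpt=1 (queue active)
Jul 20 11:54:56 gateway postfix/smtpd[10231]: 8BFB2AD43: client=unknown[203.0.113.7]
Jul 20 11:54:56 gateway postfix/qmgr[1201]: 8BFB2AD43: from=<user@mydomain.com>, size=2101, nrcpt=1 (queue active)
Jul 20 11:54:59 gateway postfix/smtp[10247]: 649E6AD30: to=<realusers@mydomain.com>, relay=10.0.0.5[10.0.0.5], delay=14, status=sent (250 2.6.0 Queued mail for delivery)
Jul 20 11:55:10 gateway postfix/smtp[10247]: 8BFB2AD43: to=<realusers@mydomain.com>, relay=10.0.0.5[10.0.0.5], delay=25, status=sent (250 2.6.0 Queued mail for delivery)
Jul 20 11:55:11 gateway postfix/smtpd[10231]: disconnect from unknown[203.0.113.7]
Jul 20 11:56:02 gateway postfix/smtpd[10260]: connect from exchange.mydomain.com[10.0.0.5]
Jul 20 11:56:03 gateway postfix/smtpd[10260]: C01D2AD50: client=exchange.mydomain.com[10.0.0.5]
Jul 20 11:56:03 gateway postfix/qmgr[1201]: C01D2AD50: from=<user@mydomain.com>, size=900, nrcpt=1 (queue active)
Jul 20 11:56:04 gateway postfix/smtp[10247]: C01D2AD50: to=<someone@example.net>, relay=mail.example.net[198.51.100.9], delay=1, status=sent (250 OK)
Jul 20 11:56:05 gateway postfix/smtpd[10260]: disconnect from exchange.mydomain.com[10.0.0.5]
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ postfix/(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONN_RE = re.compile(r"^(?P<what>connect|disconnect) from (?P<host>\S+)\[(?P<ip>[^\]]+)\]")
CLIENT_RE = re.compile(r"^(?P<qid>[0-9A-F]+): client=(?P<host>\S+)\[(?P<ip>[^\]]+)\]")
FROM_RE = re.compile(r"^(?P<qid>[0-9A-F]+): from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"^(?P<qid>[0-9A-F]+): to=<(?P<addr>[^>]*)>.*status=(?P<status>\w+)")


def parse_log(text):
    """Rebuild SMTP sessions (keyed by smtpd pid: one smtpd process serves one
    connection at a time) and the messages accepted in each; the queue id ties
    the smtpd 'client=' line to the qmgr 'from=' and smtp 'to=' lines."""
    open_sessions = {}   # smtpd pid -> session currently in progress
    sessions, messages = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, prog, pid, msg = m.group("ts", "prog", "pid", "msg")
        if prog == "smtpd":
            c = CONN_RE.match(msg)
            if c and c.group("what") == "connect":
                sess = {"pid": pid, "host": c.group("host"), "ip": c.group("ip"),
                        "connect": ts, "disconnect": None, "queue_ids": []}
                open_sessions[pid] = sess
                sessions.append(sess)
                continue
            if c:  # disconnect; tolerate one whose connect predates the log
                sess = open_sessions.pop(pid, None)
                if sess:
                    sess["disconnect"] = ts
                continue
            c = CLIENT_RE.match(msg)
            if c:
                sess = open_sessions.get(pid)  # None if the log began mid-session
                messages[c.group("qid")] = {"host": c.group("host"), "ip": c.group("ip"),
                                            "sender": None, "recipients": [], "session": sess}
                if sess:
                    sess["queue_ids"].append(c.group("qid"))
                continue
        f = FROM_RE.match(msg)
        if f and f.group("qid") in messages:
            messages[f.group("qid")]["sender"] = f.group("addr")
            continue
        t = TO_RE.match(msg)
        if t and t.group("qid") in messages:
            messages[t.group("qid")]["recipients"].append((t.group("addr"), t.group("status")))
    return sessions, messages


def find_spoofed(messages, local_domains, internal_nets):
    """Queue ids whose envelope sender is in one of our domains but whose
    connecting client is outside our networks: the pattern in the thread."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    local = {d.lower() for d in local_domains}
    flagged = []
    for qid, info in messages.items():
        domain = (info["sender"] or "").rpartition("@")[2].lower()
        if domain not in local:
            continue
        try:
            ip = ipaddress.ip_address(info["ip"])
        except ValueError:  # unparsable client address: treat as untrusted
            flagged.append(qid)
            continue
        if not any(ip in n for n in nets):
            flagged.append(qid)
    return sorted(flagged)


if __name__ == "__main__":
    sessions, messages = parse_log(SAMPLE_LOG)
    for s in sessions:
        print(f"smtpd[{s['pid']}] {s['host']}[{s['ip']}] {s['connect']} .. {s['disconnect']}: "
              f"{len(s['queue_ids'])} message(s) {s['queue_ids']}")
    for qid in find_spoofed(messages, ["mydomain.com"], ["10.0.0.0/8"]):
        m = messages[qid]
        print(f"SPOOFED? {qid} from=<{m['sender']}> client={m['host']}[{m['ip']}] "
              f"to={[r for r, _ in m['recipients']]}")
```

Run it against a real mail log with python3 script.py < /dev/null replaced by reading the file into parse_log; the two outside messages are reported under one session and both are flagged, while the same sender from 10.0.0.5 is not. Keying sessions on the smtpd pid is safe because each connection is bracketed by its own connect and disconnect lines, so later reuse of the pid starts a new session. Like the Postfix sender checks, this only sees the envelope sender; a spoofed From: header on a message with some other envelope sender never appears in these logs.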