I got a report from my root server provider of abuse - someone has been sending phishing mail through my server's Postfix (the headers originate from my server's IP). What should I check for? The server itself doesn't seem to be hacked.
It doesn't need to be hacked if it is misconfigured - try http://www.spamhelp.org/shopenrelay/ – symcbean Jun 14 '12 at 15:11
1 Answer
The full headers of the phishing mails can contain some clues. There are a few options:
- Messages came from your server and via Postfix - then you should be able to find corresponding entries in the Postfix log.
- Messages came from your server but not via Postfix - maybe there was some rogue code that implemented its own SMTP sender, or maybe someone relayed IP traffic via your server [think SSH tunnel].
- Messages never passed your box [I doubt that's the case, but it's possible to hijack a route].

pQd
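To tell the options in the answer above apart, take the queue ID from the `Received:` header your server added to a reported mail and look it up in the Postfix log. The following is an added example, not part of the original answer; the log lines are constructed, and the function name `trace` and the sample hosts, users and addresses are assumptions.

```python
import re

# Constructed sample in the usual Postfix syslog format (all hosts, IDs and users are made up).
SAMPLE_LOG = """\
Jun 14 10:01:02 mail postfix/smtpd[1234]: 3F2A81C0D2: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=bob
Jun 14 10:01:02 mail postfix/qmgr[999]: 3F2A81C0D2: from=<bob@example.com>, size=2101, nrcpt=1 (queue active)
Jun 14 10:01:03 mail postfix/smtp[1240]: 3F2A81C0D2: to=<a@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=1.2, status=sent (250 OK)
Jun 14 10:05:40 mail postfix/pickup[1111]: 7B1C22E0A1: uid=33 from=<www-data>
Jun 14 10:05:40 mail postfix/qmgr[999]: 7B1C22E0A1: from=<www-data@mail.example.com>, size=1800, nrcpt=1 (queue active)
Jun 14 10:05:41 mail postfix/smtp[1241]: 7B1C22E0A1: to=<b@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=0.9, status=sent (250 OK)
Jun 14 10:09:12 mail postfix/smtpd[1250]: 9C0D33F1B2: client=unknown[198.51.100.99]
Jun 14 10:09:13 mail postfix/smtp[1251]: 9C0D33F1B2: to=<c@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=1.0, status=sent (250 OK)
"""

# daemon name, queue ID (short hex or long alphanumeric form), remainder of the line
LINE = re.compile(r"postfix/(?P<daemon>\w+)\[\d+\]: (?P<qid>[0-9A-Za-z]{6,}): (?P<rest>.*)")

def trace(log_text, queue_id):
    """Collect what the log says about one queue ID and how it entered Postfix."""
    info = {"entry": "not in log", "recipients": []}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m["qid"] != queue_id:
            continue
        rest = m["rest"]
        if m["daemon"] == "smtpd" and rest.startswith("client="):
            # Arrived over SMTP: with sasl_username a mail account was used;
            # without it the client was let through by the relay rules.
            user = re.search(r"sasl_username=([^,\s]+)", rest)
            info["client"] = re.match(r"client=([^,]+)", rest)[1]
            info["entry"] = f"smtp, authenticated as {user[1]}" if user else "smtp, unauthenticated"
        elif m["daemon"] == "pickup":
            # Handed in locally via sendmail(1), e.g. by a script running as that uid.
            info["entry"] = "local submission by uid " + re.search(r"uid=(\d+)", rest)[1]
        elif rest.startswith("to=<"):
            info["recipients"].append(re.match(r"to=<([^>]*)>", rest)[1])
    return info

if __name__ == "__main__":
    for qid in ("3F2A81C0D2", "7B1C22E0A1", "9C0D33F1B2", "DEADBEEF00"):
        print(qid, trace(SAMPLE_LOG, qid))
```

A queue ID that yields "not in log" (with log rotation ruled out) points to the second or third option in the answer: the mail did not go through Postfix at all.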