Newbie seeing lots of fake SMTP traffic and would appreciate advice.
July 19, 2005 at 2:35 am #362364
LuserKid
I’m a new admin who is trying to get up to speed with maintaining an Apple mail server. The server is running Tiger 10.4.2 and over the weekend the mail slowed down tremendously. In troubleshooting the problem I noticed there was a much higher amount of SMTP traffic than normal. Many, many logged items like the following:
Jul 18 17:06:29 mailserver postfix/qmgr[13606]: 7873B194D4F: from= [email protected] , size=3640, nrcpt=1 (queue active)
Jul 18 17:06:29 mailserver postfix/qmgr[13606]: 7873B194D4F: [email protected], relay=none, delay=55260, status=deferred (delivery temporarily suspended: transport is unavailable)
Jul 18 17:06:29 mailserver postfix/qmgr[13606]: 7874E1C71A1: [email protected], size=4040, nrcpt=1 (queue active)
Jul 18 17:06:29 mailserver postfix/qmgr[13606]: 7874E1C71A1: [email protected], relay=none, delay=26908, status=deferred (delivery temporarily suspended: transport is unavailable)
Jul 18 17:06:29 mailserver postfix/qmgr[13606]: 787541966A8: [email protected], size=3652, nrcpt=1 (queue active)
Jul 18 17:06:29 mailserver postfix/qmgr[13606]: 787541966A8: [email protected], relay=none, delay=55528, status=deferred (delivery temporarily suspended: transport is unavailable)
Jul 18 17:06:29 mailserver postfix/qmgr[13606]: 787551CEB71: [email protected], size=4035, nrcpt=1 (queue active)
Jul 18 17:06:29 mailserver postfix/qmgr[13606]: 787551CEB71: [email protected], relay=none, delay=20212, status=deferred (delivery temporarily suspended: transport is unavailable)

The “from” addresses all show the messages to be from the address “[email protected]” (where “mailserver.mydomain.org” is the correct FQDN of our mail server). But the www user isn’t supposed to be able to post mail. None of the recipient addresses are real (I’m getting lots of “no such user” errors back to our server), and there are hundreds in the log from just a couple of hours today, so I think there’s a worm somewhere just making them up.
The mail wasn’t actually going out in these log records because I had disabled outgoing SMTP since I was concerned that a machine on our network had a worm.
But when I tested all the segments of the LAN by removing them one by one, none contained the machine that was putting up these fake messages onto the server. Only when the internet connection was brought down did the fake messages stop. So I’m surmising that someone else is posting them on our server.
I’ve got SMTP authentication turned on, so I don’t understand how the “www” user is authorized to send mail on the system. Can the sending address be spoofed even to the SMTP log? If so, how can I figure out where all this garbage is coming from? Is tcpdump my only option at this point? Is there something obvious I’m missing?
Thanks for your patience in watching a newbie come to grips with the basics. Any help you vets can offer would be very appreciated.
Andy
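A small triage script, added here as an example and not part of the original post or of Postfix itself, shows one way to get a handle on the kind of queue log the poster is looking at: it groups postfix/qmgr lines by queue ID, aggregates them per envelope sender, and flags senders that are local system accounts (which should never originate mail) or that have many messages piling up in the queue. The log lines it parses are constructed to mirror the excerpt above; every address, hostname and queue ID in them is made up, and the SYSTEM_ACCOUNTS list and the min_messages threshold are assumptions to be tuned for your own server.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the qmgr lines in the post. Addresses, host
# names and queue IDs are placeholders, not copied from any real server.
SAMPLE_LOG = """\
Jul 18 17:06:29 mailserver postfix/qmgr[13606]: 7873B194D4F: from=<www@mailserver.example.org>, size=3640, nrcpt=1 (queue active)
Jul 18 17:06:29 mailserver postfix/qmgr[13606]: 7873B194D4F: to=<qzt18@example.net>, relay=none, delay=55260, status=deferred (delivery temporarily suspended: transport is unavailable)
Jul 18 17:06:29 mailserver postfix/qmgr[13606]: 7874E1C71A1: from=<www@mailserver.example.org>, size=4040, nrcpt=1 (queue active)
Jul 18 17:06:29 mailserver postfix/qmgr[13606]: 7874E1C71A1: to=<mkr7@example.com>, relay=none, delay=26908, status=deferred (delivery temporarily suspended: transport is unavailable)
Jul 18 17:06:29 mailserver postfix/qmgr[13606]: 787541966A8: from=<www@mailserver.example.org>, size=3652, nrcpt=1 (queue active)
Jul 18 17:06:29 mailserver postfix/qmgr[13606]: 787541966A8: to=<pv55@example.net>, relay=none, delay=55528, status=deferred (delivery temporarily suspended: transport is unavailable)
Jul 18 17:06:29 mailserver postfix/qmgr[13606]: 787551CEB71: from=<www@mailserver.example.org>, size=4035, nrcpt=1 (queue active)
Jul 18 17:06:29 mailserver postfix/qmgr[13606]: 787551CEB71: to=<ab3@example.org>, relay=none, delay=20212, status=deferred (delivery temporarily suspended: transport is unavailable)
Jul 18 17:07:02 mailserver postfix/qmgr[13606]: 9A01B1A2C3D: from=<andy@mydomain.example>, size=1201, nrcpt=1 (queue active)
Jul 18 17:07:02 mailserver postfix/qmgr[13606]: 9A01B1A2C3D: to=<bob@mydomain.example>, relay=none, delay=3, status=deferred (delivery temporarily suspended: transport is unavailable)
"""

# Common prefix of a qmgr line: syslog timestamp, host, process, queue ID.
PREFIX = (r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ '
          r'postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): ')
FROM_RE = re.compile(PREFIX + r'from=<(?P<sender>[^>]*)>, size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)')
TO_RE = re.compile(PREFIX + r'to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+), '
                   r'delay=(?P<delay>\d+), status=(?P<status>\w+) \((?P<reason>.*)\)$')

# Local accounts that should never be the envelope sender of outbound mail
# on this box (assumed list; extend for your own server).
SYSTEM_ACCOUNTS = {'www', '_www', 'nobody', 'daemon'}


def parse_qmgr(text):
    """Group qmgr lines by queue ID: sender and size from the from= line,
    one entry per recipient attempt from the to= lines."""
    msgs = {}
    for line in text.splitlines():
        m = FROM_RE.match(line)
        if m:
            entry = msgs.setdefault(m['qid'], {'sender': None, 'size': 0, 'rcpts': []})
            entry['sender'] = m['sender']
            entry['size'] = int(m['size'])
            continue
        m = TO_RE.match(line)
        if m:
            entry = msgs.setdefault(m['qid'], {'sender': None, 'size': 0, 'rcpts': []})
            entry['rcpts'].append({'rcpt': m['rcpt'], 'relay': m['relay'],
                                   'delay': int(m['delay']),  # seconds in queue
                                   'status': m['status'], 'reason': m['reason']})
    return msgs


def summarize_by_sender(msgs):
    """Per envelope sender: message count, deferred recipient count, the
    longest time any of its messages has sat in the queue, and the set of
    recipient domains it is trying to reach."""
    out = defaultdict(lambda: {'messages': 0, 'deferred': 0, 'max_delay': 0,
                               'rcpt_domains': set()})
    for entry in msgs.values():
        s = out[entry['sender'] or '<>']
        s['messages'] += 1
        for r in entry['rcpts']:
            if r['status'] == 'deferred':
                s['deferred'] += 1
            s['max_delay'] = max(s['max_delay'], r['delay'])
            s['rcpt_domains'].add(r['rcpt'].rpartition('@')[2])
    return dict(out)


def suspicious_senders(summary, min_messages=3):
    """Return {sender: reason} for senders worth a closer look: a local
    system account as envelope sender, or a burst of queued messages."""
    flagged = {}
    for sender, s in summary.items():
        local = sender.partition('@')[0]
        why = []
        if local in SYSTEM_ACCOUNTS:
            why.append('system account %r as sender' % local)
        if s['messages'] >= min_messages:
            why.append('%d messages queued, %d deferred, oldest %ds'
                       % (s['messages'], s['deferred'], s['max_delay']))
        if why:
            flagged[sender] = '; '.join(why)
    return flagged


if __name__ == '__main__':
    report = suspicious_senders(summarize_by_sender(parse_qmgr(SAMPLE_LOG)))
    for sender, reason in sorted(report.items()):
        print('%-32s %s' % (sender, reason))
```

Run against a real log with `python3 triage.py < /var/log/mail.log` after swapping SAMPLE_LOG for `sys.stdin.read()`. The `delay` value is the number of seconds the message has been in the queue, so the largest delay per sender tells you roughly when the flood started. The qmgr lines alone cannot say where a message was injected; for that, search the same log for the queue ID and look at the line that first created it: Postfix logs network submissions under postfix/smtpd with a `client=host[ip]` field, and messages handed in locally through the sendmail command under postfix/pickup with the uid of the submitting process. Which of those two you see for the www-sender messages is the distinguishing fact between a remote client abusing the server and a process running as www on the server itself.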