North American Network Operators Group
Re: Has postini been taken over?
Hank Nussbacher wrote:
Hank's issue is that he's got ports 25 and 80 blocked for some part of his network. Those IPs are generating spam reports though they shouldn't be. In the example he forwarded, the spam reached a user of gci.net, for which Postini provides MX services - who then reported the email to Hank as spam from Hank's network.

Postini does not originate or forward spam, they filter mail destined for their customer domains. Some spam gets through their filters, because spammers are smart and adaptively evil. It's really quite simple.
What I can see happening is that Hank's port 25 filtering ACLs are being bypassed somehow ... maybe zombied machines on his network running IP masquerading and spam-sending proxies on unfiltered ports, or tunneling SMTP requests out in some other way.

Or maybe he doesn't source filter addresses and a spammer-controlled machine on his network has two interfaces - one on Hank's network [say a throwaway dialup / broadband account], and another a much fatter pipe. Packets (or rather in this case, junk mail) go out through the fat pipe with Hank's IPs spoofed into the source address.
I would recommend that Hank set up port blocks both inbound and outbound, and also examine MRTG or other data that he may have about that host. If possible, sniffing the traffic inbound and outbound to it would also reveal a whole lot.
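
An added example, not part of the original message: one way to read border flow data for the two scenarios described above. Outbound port 25 traffic from the filtered range means the ACL is not being applied, while port 25 replies arriving with no outbound leg fit the two-interface spoofing case. The record layout, addresses (documentation prefixes) and label names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records: (direction, src_ip, src_port, dst_ip, dst_port, packets).
# "out" = leaving the filtered network, "in" = entering it.
# 192.0.2.0/24 stands in for the range that is supposed to have port 25 blocked.
SAMPLE_FLOWS = [
    ("out", "192.0.2.10", 40001, "198.51.100.5", 25, 12),    # SMTP leaves anyway
    ("in",  "198.51.100.5", 25, "192.0.2.10", 40001, 10),
    ("in",  "203.0.113.7", 25, "192.0.2.20", 40555, 9),      # replies only
    ("in",  "203.0.113.9", 25, "192.0.2.20", 40556, 8),      # replies only
    ("out", "192.0.2.30", 41000, "198.51.100.80", 80, 50),   # ordinary web flow
    ("in",  "198.51.100.80", 80, "192.0.2.30", 41000, 48),
]

def classify_smtp_flows(flows, filtered_net="192.0.2.0/24", smtp_port=25):
    """Return {local_host: [labels]} for hosts whose SMTP traffic needs a look."""
    net = ipaddress.ip_network(filtered_net)
    sent_to = defaultdict(set)       # local host -> mail servers it sent to
    replied_from = defaultdict(set)  # local host -> mail servers replying to it
    for direction, src, sport, dst, dport, _packets in flows:
        if direction == "out" and dport == smtp_port \
                and ipaddress.ip_address(src) in net:
            sent_to[src].add(dst)
        elif direction == "in" and sport == smtp_port \
                and ipaddress.ip_address(dst) in net:
            replied_from[dst].add(src)

    findings = {}
    for host in sorted(set(sent_to) | set(replied_from)):
        labels = []
        if sent_to[host]:
            # Outbound SMTP crossed the border: the port 25 ACL is not
            # covering this host or this path.
            labels.append("smtp_leaving_despite_acl")
        if replied_from[host] - sent_to[host]:
            # Servers answer from port 25, yet no outbound leg was seen:
            # the requests left by another path with this address as source.
            labels.append("smtp_replies_without_outbound_leg")
        findings[host] = labels
    return findings

if __name__ == "__main__":
    for host, labels in classify_smtp_flows(SAMPLE_FLOWS).items():
        print(host, ", ".join(labels))
```

Blocking only destination port 25 would still let the reply-only pattern through, which is why the inbound direction matters as well.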