From: Josh Cason on
First I hope I'm posting a reply back. I'll try to explain better.
Since I cannot find the log I need to post.

The spam comes from any place. Mostly just foreign IP numbers. Yea we
could block the IP numbers but they change. We also use postini and to
my surprise it even shows up through them. This problem does not last
more than 2 weeks if that. For instance on postini it came in for
about two weeks. Not every day. Then I assume postini or whoever fixes
or kicks the spammer off-line. I went with a month and a half one time
with no extra junk. Then it returned. All I see is a person connecting
up. Dropping a message via an IP number. With or without spoofed
address. Then it goes through the system and is sent back out to like
30 recipients. These messages are pretty harmless either. Sometimes
not even a link. Just a stupid message. Example last night I had
somebody go over 20 (that is our number) and we are okay since it was
blocked. Then what we get back is from other email servers saying
connection timed out or user does not exist, etc, etc. I figured
either my main.cf file is allowing an open relay that my testing is not
picking up or I'm already doing everything I can to fight this type of
spam. Yes we even put in more firewall rules and that helped too. I
did find one other person having this issue with postini in general.
The answer they got was to turn on autocreate and add all valid users
to the postini database. The problem is this costs money for each user
address and I cannot believe this is the only answer. I admit I might
have configured something incorrectly even though it worked for more
than a year.

On the other problem. We still get email that is to/from the same
person and it is not from our system. I found a page that said if you
added something it will check to see the to/from is not from your IP
number and kills the message. But I cannot find that info. Even though
the IP number can be spoofed. Most of what I see is not. When you look
at the message. Just the to/from address matches up. The IP does not.

Thanks,

Josh


From: Ansgar Wiechers on
First and foremost, please read the fine Postfix Debugging HOWTO [1]. It
will provide guidance in troubleshooting your problem.

On 2010-03-24 Josh Cason wrote:
> First I hope I'm posting a reply back. I'll try to explain better.
> Since I cannot find the log I need to post.

What operating system are you using? In case of Linux it's probably
/var/log/mail.log or something like that. You'll find the exact name and
location in your syslog configuration.

Once you have located the file: please do *not* post the entire log
file, but extract the relevant entries (e.g. grep for the queue ID of a
suspicious transaction).

> The spam comes from any place. Mostly just foreign IP numbers. Yea we
> could block the IP numbers but they change. We also use postini and to
> my surprise it even shows up through them. This problem does not last
> more than 2 weeks if that. For instance on postini it came in for
> about two weeks. Not every day. Then I assume postini or whoever fixes
> or kicks the spammer off-line. I went with a month and a half one time
> with no extra junk. Then it returned. All I see is a person connecting
> up. Dropping a message via an IP number. With or without spoofed
> address. Then it goes through the system and is sent back out to like
> 30 recipients.

If an arbitrary external host can submit a message that is relayed to
external recipients, then you do have an open relay. Which would be a
Bad Thing(tm). However, given your vague description and non-existent
evidence, it could be anything else just as well.

Please do post the output of "postconf -n" and relevant log excerpts.

> On the other problem. We still get email that is to/from the same
> person and it is not from our system. I found a page that said if you
> added something it will check to see the to/from is not from your IP
> number and kills the message. But I cannot find that info. Even though
> the IP number can be spoofed. Most of what I see is not. When you look
> at the message. Just the to/from address matches up. The IP does not.

I think what you want can be done with a policy daemon or a proxy
filter. I seem to recall a discussion about this very topic not too long
ago, but was unable to find it when sifting through the list archive.

[1] http://www.postfix.org/DEBUG_README.html

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
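Added example, not from the thread and not Postfix's own code: a minimal Postfix policy daemon that implements the check Ansgar points at, rejecting mail whose envelope sender is in one of your own domains when the connecting client is neither in mynetworks nor SASL-authenticated. The domain and network values are constructed placeholders, and it assumes you hook it up with `check_policy_service` in `smtpd_sender_restrictions` after `permit_mynetworks` and `permit_sasl_authenticated`.

```python
import ipaddress
import sys

# Constructed site values for this example; substitute your own domains and
# the networks listed in your main.cf mynetworks.
LOCAL_DOMAINS = {"example.com"}
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]


def parse_request(blob: str) -> dict:
    """Parse one Postfix policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in blob.splitlines():
        if not line:          # blank line terminates the request
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def sender_domain(addr: str) -> str:
    """Domain part of an envelope address, lower-cased; '' for the null sender."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def decide(attrs: dict, local_domains=LOCAL_DOMAINS, mynetworks=MYNETWORKS) -> str:
    """Return the policy action: REJECT a local sender domain from an outside client."""
    if attrs.get("sasl_username"):               # authenticated submission is fine
        return "DUNNO"
    try:
        client = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:                           # no usable client address: don't judge
        return "DUNNO"
    if any(client in net for net in mynetworks):  # our own hosts may use our domains
        return "DUNNO"
    if sender_domain(attrs.get("sender", "")) in local_domains:
        return "REJECT Forged sender: local domain from external client"
    return "DUNNO"                               # let the remaining restrictions decide


def serve(inp=sys.stdin, out=sys.stdout):
    """Answer requests on stdin/stdout, as a Postfix spawn(8) service would run it."""
    buf = []
    for line in inp:
        if line.strip():
            buf.append(line.rstrip("\n"))
            continue
        if buf:
            out.write("action=%s\n\n" % decide(parse_request("\n".join(buf))))
            out.flush()
            buf = []
```

The check covers the envelope sender only; a forged header From: with an unrelated envelope sender needs a header_checks rule or a content filter, which is the "proxy filter" alternative Ansgar mentions.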