[PLUG] Spam confession

Aaron Burt aaron at bavariati.org
Sat May 21 05:51:53 UTC 2005


Bless me Tux for I have sinned.

I left my SMTP relay open for nearly a day.  And a spammer used it!

The relay is now closed, and has passed the MAPS scan.  I understand
what I have done and how it came to happen, and I shall nevermore use
SSH to forward port 25 without the proper precautions.
          _______________________________________

Postfix is very good about not being an open relay, and I'd carefully
set things up with saslauthd so that users had to authenticate to the
server before they could relay mail through it.  The only way someone
can relay mail through the box without authentication is if they're on
the box's internal (127.0.0.1) network.  This allows daemons to send
alert mails and suchlike.

I was moving the mail server from one IP address (and site) to
another.  I wanted to change the address in DNS beforehand so there'd
be time for the change to propagate without a service interruption.

I set up a system at the new address, then had it forward incoming
port 25 traffic to the old address via an SSH port forward.  All worked
nicely.  But I forgot something: SSH forwards to the internal
(127.0.0.1) network.  Yes, the one that Postfix accepts mail from
without authentication.  So by forwarding port 25 to the internal
network on the mail server, the box at the new address looked like a
perfectly ordinary open relay!

And one of the many, many spammers who troll for open relays found it.

So beware of the unintended consequences of port forwards.

Our Kernel, which Art in Ring 0...
  Aaron

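The mechanism in the post, as an added example that is not the author's code: a toy model of Postfix's relay decision (permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination) behind a minimal SMTP responder, plus a MAPS-style open-relay probe run against it. A local forward of the kind described, for instance `ssh -g -L 25:127.0.0.1:25 oldhost`, makes sshd on the old host open the connection to 127.0.0.1:25, so smtpd sees the client as loopback. The probe connects to 127.0.0.1 directly here to reproduce that view. The hostnames, networks, domains and the AUTH credentials are constructed for the demo, and the "accept any password" AUTH handling is a simplification, not how saslauthd behaves.

```python
"""Added example, not code from the original post: a toy model of Postfix's
relay decision and a MAPS-style open-relay probe run against it, showing how a
forward that lands on 127.0.0.1 turns an authenticated relay into an open one.
All hosts, networks and credentials below are constructed for the demo."""
import ipaddress
import socket
import socketserver
import threading


def relay_decision(client_ip, authenticated, rcpt_domain, mynetworks, relay_domains):
    """Model of 'permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination'. True means the RCPT is accepted for relaying."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in mynetworks):
        return True  # permit_mynetworks: trusted client, no AUTH required
    if authenticated:
        return True  # permit_sasl_authenticated
    return rcpt_domain in relay_domains  # otherwise only our own domains


class ToySmtpd(socketserver.StreamRequestHandler):
    """Just enough SMTP to answer EHLO/AUTH/MAIL/RCPT/QUIT with the policy above."""
    mynetworks = ["127.0.0.0/8"]      # the post's setup: loopback is trusted
    relay_domains = {"example.com"}   # domains we accept mail for from anyone

    def handle(self):
        client_ip = self.client_address[0]  # what smtpd sees: the TCP peer
        authed = False
        self.wfile.write(b"220 mx.example.com ESMTP\r\n")
        for raw in self.rfile:
            line = raw.decode("ascii", "replace").strip()
            verb = line.split(" ", 1)[0].split(":", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                self.wfile.write(b"250-mx.example.com\r\n250 AUTH PLAIN\r\n")
            elif verb == "AUTH":
                authed = True  # toy server: any credentials succeed
                self.wfile.write(b"235 2.7.0 Authentication successful\r\n")
            elif verb == "MAIL":
                self.wfile.write(b"250 2.1.0 Ok\r\n")
            elif verb == "RCPT":
                domain = line.rsplit("@", 1)[-1].rstrip(">")
                ok = relay_decision(client_ip, authed, domain, self.mynetworks, self.relay_domains)
                self.wfile.write(b"250 2.1.5 Ok\r\n" if ok else b"554 5.7.1 Relay access denied\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            else:
                self.wfile.write(b"502 5.5.2 Command not recognized\r\n")


def start_server(mynetworks):
    """Run the toy smtpd on an ephemeral loopback port; returns (server, port)."""
    handler = type("Smtpd", (ToySmtpd,), {"mynetworks": mynetworks})
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def read_reply(f):
    """Return the code of one SMTP reply; continuation lines use 'NNN-'."""
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        if line[3:4] != b"-":
            return int(line[:3])


def probe_open_relay(host, port, authenticate=False):
    """MAPS-style check: an outside sender to an outside recipient.
    True means the server would relay the message."""
    with socket.create_connection((host, port), timeout=5) as s:
        f = s.makefile("rb")

        def cmd(text):
            s.sendall(text.encode("ascii") + b"\r\n")
            return read_reply(f)

        read_reply(f)  # banner
        cmd("EHLO probe.example.org")
        if authenticate:
            cmd("AUTH PLAIN AHRlc3QAdGVzdA==")  # toy credentials: base64 of \0test\0test
        cmd("MAIL FROM:<probe@example.org>")
        code = cmd("RCPT TO:<victim@example.net>")  # neither domain is ours
        cmd("QUIT")
        return code == 250


def demo():
    """Returns (relays_via_loopback, relays_once_loopback_untrusted, relays_with_auth)."""
    # 1. The post's situation: the forwarded connection arrives from 127.0.0.1,
    #    which is in mynetworks, so an anonymous outsider is relayed.
    srv, port = start_server(["127.0.0.0/8"])
    via_forward = probe_open_relay("127.0.0.1", port)
    srv.shutdown(); srv.server_close()
    # 2. Loopback no longer trusted: the same probe is refused, but a
    #    client that authenticates is still relayed.
    srv, port = start_server([])
    anonymous = probe_open_relay("127.0.0.1", port)
    authed = probe_open_relay("127.0.0.1", port, authenticate=True)
    srv.shutdown(); srv.server_close()
    return via_forward, anonymous, authed


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

Case 2 stands in for whatever precaution stops the forwarded traffic from looking local. In real Postfix that is either forwarding to the old host's public address instead of 127.0.0.1 (which only helps if mynetworks is really just loopback; the default mynetworks_style = subnet would trust the host's own subnet as well) or tightening mynetworks on the smtpd side. Tightening mynetworks does not break local daemons that submit through /usr/sbin/sendmail, because those go through the pickup service rather than smtpd; it only affects processes that open a TCP connection to port 25.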