Spam though perfect centos (postfix) install ?


linickx
14th February 2007, 18:11
Hi,

I followed the "perfect install" guide for CentOS (4.4 with ISPConfig 2.2.7). I recently received a SPAM, and it appears to have come through my server ???


Delivered-To: root AT vps.linickx DOTy co DOTy uk
Received: from 70A0802596.wbb.net.cable.rogers.com (70A0802596.wbb.net.cable.rogers.com [74.210.9.137])
by vps.linickx.co.uk (Postfix) with SMTP id 67251BE390A
for <support AT oakfarmpreschool DOTy com>; Tue, 13 Feb 2007 17:28:40 +0000 (GMT)
To: support AT oakfarmpreschool DOTy com
Message-Id: <20070213172840.67251BE390A@vps.linickx DOTy co DOTyuk>
Date: Tue, 13 Feb 2007 17:28:40 +0000 (GMT)
From: support AT oakfarmpreschool DOTy com

but (a) this address shouldn't exist

###################################
#
# ISPConfig virtusertable Configuration File
# Version 1.0
#
###################################
admin AT www.oakfarmpreschool DOTy com user28_oakfarm
user28_oakfarm AT www.oakfarmpreschool DOTy com user28_oakfarm
admin AT oakfarmpreschool DOTy com user28_oakfarm
user28_oakfarm AToakfarmpreschool DOTy com user28_oakfarm

and (b) my understanding of Next we configure SMTP-AUTH and TLS: (http://www.howtoforge.com/perfect_setup_centos_4.4_p5) is that this email should get authenticated as it's from a domain I'm hosting ?

Can anyone shed any light on the matter ? If it helps support@ does exist under other domains hosted on the same box.

Many Thanks
Nick

falko
15th February 2007, 20:13
The mail was sent from Received: from 70A0802596.wbb.net.cable.rogers.com (70A0802596.wbb.net.cable.rogers.com [74.210.9.137]) to your server, not through your server.
If you send to a domain hosted on the server, you don't need authentication. Also take a look here: http://www.howtoforge.com/forums/showpost.php?p=16205&postcount=34

linickx
16th February 2007, 17:34
Hi Falko,

Thanks for the response; what confuses me is that "support AT oakfarmpreschool DOTy com" shouldn't exist (see above virtusertable), any thoughts ?

cheers,
Nick

till
16th February 2007, 18:01
Thanks for the response; what confuses me is that "support AT oakfarmpreschool DOTy com" shouldn't exist (see above virtusertable), any thoughts ?

The email address "support AT oakfarmpreschool DOTy com" is the sender address, it is not necessary that this address exists. Spammers are often using nonexistent fake addresses as sender.

linickx
16th February 2007, 19:08
The email address "support AT oakfarmpreschool DOTy com" is the sender address

yeah that makes sense, but wasn't it also the to.....


SMTP id 67251BE390A
for <support AT oakfarmpreschool DOTy com>; Tue, 13 Feb 2007 17:28:40 +0000 (GMT)
To: support AT oakfarmpreschool DOTy com
Message-Id: <20070213172840

that's why I'm thinking it should have been rejected (as support isn't on the oakfarm domain) rather than delivered to root. no ? :confused:

falko
17th February 2007, 18:34
that's why I'm thinking it should have been rejected (as support isn't on the oakfarm domain) rather than delivered to root. no ? :confused:

What's in /etc/aliases? Is support a system user on your server?

linickx
17th February 2007, 19:40
Ah, yes, that explains it, I've never used that file b4 :D

Is it safe to comment stuff out without affecting the running of ISPConfig ? (and associated services ) ... the man pages suggest it's a sendmail file, so I think I'm ok as I'm using postfix.

Thanks ! :)

till
17th February 2007, 19:49
The file /etc/aliases is used by postfix too.

linickx
17th February 2007, 20:01
I want to comment out this rubbish at the bottom, as they're common spam victims.

newsadm: news
newsadmin: news
usenet: news
ftpadm: ftp
ftpadmin: ftp
ftp-adm: ftp
ftp-admin: ftp
www: webmaster
webmaster: root
noc: root
security: root
hostmaster: root
info: postmaster
marketing: postmaster
sales: postmaster
support: postmaster

Do you think that will cause any problems with the ISPConfig Magic ?

till
18th February 2007, 11:55
These entries are not from ISPConfig, so you can remove them safely and then run the command "newaliases".
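
The situation worked out in this thread, as an added example that is not part of the original posts: it resolves alias chains in /etc/aliases format and lists local parts that are missing from the virtusertable yet still end up in root's mailbox. The sample alias text is constructed from entries quoted above, the function names are hypothetical, and it assumes the hosted domain is delivered locally so that /etc/aliases applies to it.

```python
ALIASES_SAMPLE = """\
# constructed sample, using entries quoted in the thread
postmaster: root
webmaster: root
www: webmaster
info: postmaster
support: postmaster
# support2: root   (commented out, ignored)
"""

# Local parts the thread's virtusertable defines for the domain.
VIRTUAL_LOCALPARTS = {"admin", "user28_oakfarm"}


def parse_aliases(text):
    """Parse aliases(5) text into {name: [targets]}."""
    table, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                              # blank line or comment
        if raw[0].isspace() and current:          # continuation of previous entry
            table[current] += [t.strip() for t in raw.split(",") if t.strip()]
            continue
        name, _, rhs = raw.partition(":")
        current = name.strip().lower()
        table[current] = [t.strip() for t in rhs.split(",") if t.strip()]
    return table


def final_targets(name, table, seen=None):
    """Follow alias chains until reaching names that are not aliases themselves."""
    seen = seen if seen is not None else set()
    if name in seen:                              # loop guard / already expanded
        return set()
    seen.add(name)
    if name not in table:
        return {name}
    out = set()
    for target in table[name]:
        out |= final_targets(target.lower(), table, seen)
    return out


def surprise_recipients(table, known, mailbox="root"):
    """Aliases absent from the virtual table that still deliver to `mailbox`."""
    return sorted(a for a in table
                  if a not in known and mailbox in final_targets(a, table))


if __name__ == "__main__":
    for alias in surprise_recipients(parse_aliases(ALIASES_SAMPLE), VIRTUAL_LOCALPARTS):
        print(f"{alias}@<hosted domain> is accepted and delivered to root")
```
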

linickx
18th February 2007, 13:12
that's great, thanks for your help ! :)