[Cialug] Hijack This! (Equivalent on Linux?)

Andrew Lietzow cialug@cialug.org
Fri, 28 Jan 2005 11:15:59 -0600


Dave Weis wrote:

>> I've both done a lot on this problem, and not near enough.   Some 
>> idiots in the world have decided to hijack my server as a Relay host 
>> for Spam.   I have only three entries in my /etc/mail/relay-domains 
>> listing, and these entries are NOT the domain from which they 
>> accomplish this spoof.
>
> It's possible that it's a joe job, when someone puts your from address 
> on spam and you get the bounces. 

Thanks Dave and list,
Interesting.  A "Joe Job"?
Here is a header:
---------------------------------------------------------
 From - Fri Jan 28 04:36:16 2005
X-UIDL: 1093565615.40418355
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <MAILER-DAEMON@ns1.microanswers.net>
Received: from mx03.cybersurf.com (mx03.cybersurf.com [209.197.145.106])
    by ns1.microanswers.net (8.12.11/8.12.11) with ESMTP id j0SAXQG5027522
    for <Uwbxbls@theaclgroup.com>; Fri, 28 Jan 2005 04:33:26 -0600
Received: from mail.cyberus.ca ([209.197.145.21])
    by mx03.cybersurf.com with esmtp (Exim 4.30)
    id 1CuTRJ-0007ZJ-Tr
    for Uwbxbls@theaclgroup.com; Fri, 28 Jan 2005 05:33:21 -0500
Received: from exim by mail.cyberus.ca with local (Exim 4.20)
    id 1CuTRI-0002La-Fg
    for Uwbxbls@theaclgroup.com; Fri, 28 Jan 2005 05:33:20 -0500
*From: Lynda.Palmer@ns1.microanswers.net   ---> This is a hijack or "Joe 
Job" -- There is no Lynda.Palmer here... *
*To: Uwbxbls@theaclgroup.com  --->  This is the bounce message from 
someone's server, coming to me, as though "i" sent the message!   *
Subject:
In-Reply-To: <4864f5a23488eea@sugarfreefood.com>
Message-Id: <E1CuTRI-0002La-Fg@mail.cyberus.ca>
Date: Fri, 28 Jan 2005 05:33:20 -0500
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on 
ns1.microanswers.net
X-Spam-Level:
X-Spam-Status: No, hits=-4.7 required=5.0 tests=BAYES_00,NO_REAL_NAME
    autolearn=no version=2.63
Status: O
X-UID: 40418355
Content-Length: 30
X-Keywords:

Your email has been received.
-----------------------------------------

> Looking at network traffic either you aren't sending much or it isn't 
> actually going through your server.
> Check in /var/log/maillog and see if they are going in and out, or 
> forward a bounce message with full headers to the list. 

I have been checking the mail log, trying to identify a STATIC IP 
address, or consistent email address, but all that is coming in are the 
bounces.  But boy are there a lot of those (hundreds every day). 

Isn't there a law against this? :-D

Andrew L.
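Reading the Received: chain in that bounce is what settles the relay-versus-joe-job question, so here is a short script that does it. This is an added example, not code from the post or from the list: it parses the headers quoted above, lists the hops oldest-first, and classifies how ns1.microanswers.net appears in them. The function names (received_chain, host_role, looks_like_joe_job) are my own, and the second sample, RELAYED, is a constructed header using example.net and documentation addresses that shows what the chain would look like if the box really had relayed for an outside client. It needs only Python 3's standard email module.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The headers of the bounce quoted in the post (copied from the message above,
# with the inline annotations removed). The body is the autoresponder's one line.
BOUNCE = """Return-Path: <MAILER-DAEMON@ns1.microanswers.net>
Received: from mx03.cybersurf.com (mx03.cybersurf.com [209.197.145.106])
    by ns1.microanswers.net (8.12.11/8.12.11) with ESMTP id j0SAXQG5027522
    for <Uwbxbls@theaclgroup.com>; Fri, 28 Jan 2005 04:33:26 -0600
Received: from mail.cyberus.ca ([209.197.145.21])
    by mx03.cybersurf.com with esmtp (Exim 4.30)
    id 1CuTRJ-0007ZJ-Tr
    for Uwbxbls@theaclgroup.com; Fri, 28 Jan 2005 05:33:21 -0500
Received: from exim by mail.cyberus.ca with local (Exim 4.20)
    id 1CuTRI-0002La-Fg
    for Uwbxbls@theaclgroup.com; Fri, 28 Jan 2005 05:33:20 -0500
From: Lynda.Palmer@ns1.microanswers.net
To: Uwbxbls@theaclgroup.com
Subject:
In-Reply-To: <4864f5a23488eea@sugarfreefood.com>
Message-Id: <E1CuTRI-0002La-Fg@mail.cyberus.ca>
Date: Fri, 28 Jan 2005 05:33:20 -0500

Your email has been received.
"""

# Constructed counter-example (not from the post): what the chain would look
# like if ns1.microanswers.net really had relayed a message for an outside
# client. Hosts and addresses are documentation placeholders.
RELAYED = """Received: from ns1.microanswers.net (ns1.microanswers.net [192.0.2.10])
    by mx.example.net with ESMTP id ABC123
    for <victim@example.net>; Fri, 28 Jan 2005 04:40:00 -0600
Received: from [198.51.100.7] (unknown [198.51.100.7])
    by ns1.microanswers.net (8.12.11/8.12.11) with SMTP id j0SAe0G5027999
    for <victim@example.net>; Fri, 28 Jan 2005 04:39:58 -0600
From: Lynda.Palmer@ns1.microanswers.net
To: victim@example.net
Subject: test

relayed body
"""

# "from <host> ... by <host>"; the parenthesised client info in between is skipped.
HOP_RE = re.compile(r"^from\s+(\S+).*?\bby\s+(\S+)")


def received_chain(raw):
    """Return the Received: hops oldest-first as (from_host, by_host) tuples.

    Each MTA prepends its own Received: line, so the header nearest the top
    is the newest; reversing get_all() puts the origin first.
    """
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        match = HOP_RE.search(" ".join(hdr.split()))
        if match:
            hops.append((match.group(1), match.group(2)))
    return hops


def host_role(host, hops):
    """'relay' if host handed the message on to another MTA (it appears as a
    'from' host anywhere, or as 'by' before the final hop), 'recipient' if it
    appears only as the last 'by', otherwise 'absent'."""
    host = host.lower()
    for i, (frm, by) in enumerate(hops):
        if frm.lower() == host:
            return "relay"
        if by.lower() == host and i < len(hops) - 1:
            return "relay"
    if hops and hops[-1][1].lower() == host:
        return "recipient"
    return "absent"


def looks_like_joe_job(raw, my_host):
    """True when From: claims my_host but the Received: chain never shows
    my_host sending or relaying the message."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return domain == my_host.lower() and host_role(my_host, received_chain(raw)) != "relay"


if __name__ == "__main__":
    for label, raw in (("bounce from the post", BOUNCE), ("constructed relay", RELAYED)):
        hops = received_chain(raw)
        print(label)
        for frm, by in hops:
            print("  %-22s -> %s" % (frm, by))
        print("  ns1.microanswers.net is:", host_role("ns1.microanswers.net", hops))
        print("  joe job pattern:", looks_like_joe_job(raw, "ns1.microanswers.net"))
```

In the bounce from the post, ns1.microanswers.net shows up only as the final "by", i.e. it received the autoresponse; no hop has it handing mail to anyone, which is the joe-job pattern and also why the maillog shows nothing but inbound bounces. One caveat: only the topmost Received: line (the one your own MTA wrote) is trustworthy, since a spammer can forge everything below it, so the useful question is "did my server send this", not "who did".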