For a couple of months, I have been receiving mail abuse reports via the AOL feedback loop that I cannot comprehend. They look like this (only relevant headers):
Return-Path:
Received: from rly-me06.mx.aol.com (rly-me06.mail.aol.com [172.20.83.40])
by air-me10.mail.aol.com (v119.9) with ESMTP id
MAILINME102-9be46e123c31c7; Fri, 07 Sep 2007 06:11:28 -0400
Received: from www-3.de-punkt.de (142.128-254.74.4.62.in-addr.arpa [62.4.74.142])
by rly-me06.mx.aol.com (v119.9) with ESMTP id MAILRELAYINME062-9be46e123c31c7;
Fri, 07 Sep 2007 06:11:16 -0400
Received: (qmail 19457 invoked by uid 17658); Sat, 08 Sep 2007 16:06:15 +0200 (CEST)
Message-Id: <20070908160615.19457.qmail@servergf.www-3.de-punkt.de>
X-AOL-IP: 62.4.74.142
X-AOL-SCOLL-AUTHENTICATION: listenair ; SPF_helo :
X-AOL-SCOLL-AUTHENTICATION: listenair ; SPF_822_from :
I have checked the host in question (it is one of our hosting servers) for the most obvious stuff like rootkits, weird PHP backdoors and processes that do not belong there - all to no avail. As the abuse reports did not cease (like they sometimes do) automatically, I have taken some more measures to ensure no mails leave the system without me noticing:
- The postfix server on the machine only delivers mail via a smarthost that is separately monitored.
- PHP is advised to only relay mail via postfix (sendmail wrapper).
- All outgoing SMTP connections that do not go to the predefined smarthost are being logged and dropped:
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
LOG tcp -- anywhere !mail-3.de-punkt.de
state NEW tcp dpt:smtp LOG level warning
DROP tcp -- anywhere !mail-3.de-punkt.de
state NEW tcp dpt:smtp
LOG tcp -- anywhere anywhere
state NEW tcp dpt:submission LOG level warning
I cannot see any log entries, however there are still abuse reports (also for rather recently sent mails).
Anyone got an idea where to look? I am not sure if there’s a way to actually forge the headers since the Received-Path looks pretty authentic.
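As an added example (not part of the original post), a small Python script that walks the Received chain quoted above, oldest hop first, records which hops were SMTP deliveries and which one is qmail's local injection under a uid, and flags any hop whose timestamp runs backwards against the previous one. The sample headers are constructed from the ones in the report.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the relevant headers from the abuse report above.
SAMPLE = """Received: from rly-me06.mx.aol.com (rly-me06.mail.aol.com [172.20.83.40])
 by air-me10.mail.aol.com (v119.9) with ESMTP id
 MAILINME102-9be46e123c31c7; Fri, 07 Sep 2007 06:11:28 -0400
Received: from www-3.de-punkt.de (142.128-254.74.4.62.in-addr.arpa [62.4.74.142])
 by rly-me06.mx.aol.com (v119.9) with ESMTP id MAILRELAYINME062-9be46e123c31c7;
 Fri, 07 Sep 2007 06:11:16 -0400
Received: (qmail 19457 invoked by uid 17658); Sat, 08 Sep 2007 16:06:15 +0200 (CEST)
Message-Id: <20070908160615.19457.qmail@servergf.www-3.de-punkt.de>

"""

# "from HELO (rDNS [ip]) by HOST" as written by the AOL relays above.
SMTP_HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)")
# qmail writes this form when a message is injected locally (not received over SMTP).
LOCAL_HOP = re.compile(r"\(qmail\s+\d+\s+invoked\s+by\s+uid\s+(?P<uid>\d+)\)")

def parse_hops(raw):
    """Return the Received hops in chronological order (oldest first)."""
    msg = message_from_string(raw)
    hops = []
    # Every MTA prepends its own Received header, so the last one is the first hop.
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        hop = {"raw": value, "time": parsedate_to_datetime(value.rsplit(";", 1)[1])}
        m = SMTP_HOP.search(value)
        if m:
            hop.update(m.groupdict())  # SMTP hop: HELO name, reverse DNS, peer IP, receiver
        m = LOCAL_HOP.search(value)
        if m:
            hop["uid"] = m.group("uid")  # the local account the message was injected under
        hops.append(hop)
    return hops

def find_anomalies(hops):
    """Flag hops stamped earlier than the hop before them (clock skew or an inserted line)."""
    findings = []
    for prev, cur in zip(hops, hops[1:]):
        delta = (cur["time"] - prev["time"]).total_seconds()
        if delta < 0:
            findings.append(f"{cur.get('by', '?')} stamped {-delta:.0f}s before the preceding hop")
    return findings

if __name__ == "__main__":
    hops = parse_hops(SAMPLE)
    for h in hops:
        print(h["time"].isoformat(), "uid=" + h.get("uid", "-"), h.get("ip", "-"), h.get("by", "local"))
    print(find_anomalies(hops))
```

On the sample, the local qmail hop is stamped more than a day after the AOL relay that received it, which is the kind of discrepancy worth comparing against the server's own clock and mail logs.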