[unisog] I need help.

Joseph Brennan brennan at columbia.edu
Fri Jul 19 12:34:49 GMT 2002


> I'm not sure how big something has to get before it is "really big", but I 
> have been able to identify that one of the major methods of porn-spam 
> distribution is via CacheFlow Server proxies (which are enabled by 
> default).
> 
> After discovering our Cacheflow server was sending out 20,000 porn spam 
> messages per day (of course we closed it immediately), I started reviewing 
> our maillogs.
> 
> I've been able to determine that the easiest way to identify these 
> messages is to search for the string "CacheFlowServer" 
> in your maillogs.  Of course we keep our logging turned up, so if you 
> don't find any results, try grepping for the same string in both your 
> /var/spool/mqueue and /var/mail directories.


I see it in Received headers where the hostname should be.  Note the
faked HELO name right after the "from", also.

Received: from hotmail.com (CacheFlowServer@[61.127.197.4])
Received: from mx1.mail.yahoo.com (CacheFlowServer@[210.181.4.174])
Received: from mx1.mail.yahoo.com (CacheFlowServer@[211.35.78.36])
Received: from mx1.mail.yahoo.com (CacheFlowServer@[211.234.92.5])
Received: from hotmail.com (CacheFlowServer@[200.30.47.70])
Received: from yahoo.com (CacheFlowServer@[210.217.42.101])
Received: from hotmail.com (CacheFlowServer@[63.73.1.180])

What is this?  Does any legitimate mail have this?  The above is from
mail identified as junk using other tests.  Some was porn sites, some
was dubious drugs.  

It would be easy to scan for it in mail.

Joseph Brennan                           postmaster at columbia.edu
Academic Technologies Group, Academic Information Systems (AcIS)
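The scan the message suggests, written out as an added example (this is not code from the post or from the unisog list). It assumes the sendmail-style Received layout shown above, `from <HELO> (<ident>@[<ip>])`, where the "CacheFlowServer" string turns up in the ident slot and the name after "from" is whatever the client claimed in HELO. The sample lines are constructed: three mirror the quoted headers, two are made-up benign hops for contrast.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample input: the first three lines mirror the Received headers
# quoted in the message; the last two are made-up benign hops for contrast.
SAMPLE_LOG = """\
Received: from hotmail.com (CacheFlowServer@[61.127.197.4])
Received: from mx1.mail.yahoo.com (CacheFlowServer@[210.181.4.174])
Received: from yahoo.com (CacheFlowServer@[210.217.42.101])
Received: from mail.example.edu (smtp@[192.0.2.10])
Received: from relay.example.org ([198.51.100.7])
"""

# Assumed layout: sendmail-style hop with no reverse DNS,
#   from <HELO> (<ident>@[<ip>])
# The ident part is optional because some hops are logged without it.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<ident>[^@\s()]+)@)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
)

MARKER = "CacheFlowServer"


class Hop(NamedTuple):
    helo: str              # name the client gave in HELO/EHLO (trivially forgeable)
    ident: Optional[str]   # ident/user string as logged by the receiving MTA
    ip: str                # address the connection actually came from


def parse_received(line: str) -> Optional[Hop]:
    """Parse one Received header line; None if it is not in the assumed layout."""
    m = RECEIVED_RE.match(line.strip())
    if not m:
        return None
    return Hop(m.group("helo"), m.group("ident"), m.group("ip"))


def is_cacheflow_hop(hop: Hop) -> bool:
    """True when the ident slot carries the marker string from the message."""
    return hop.ident == MARKER


def scan(text: str) -> list:
    """Return the hops whose ident field carries the marker."""
    hits = []
    for line in text.splitlines():
        hop = parse_received(line)
        if hop is not None and is_cacheflow_hop(hop):
            hits.append(hop)
    return hits


def helo_counts(hops) -> dict:
    """Tally the HELO names used by flagged hops.  Big mail providers' names
    showing up on unrelated IPs is the faked-HELO pattern the message notes."""
    counts = {}
    for hop in hops:
        counts[hop.helo] = counts.get(hop.helo, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = scan(SAMPLE_LOG)
    for hop in flagged:
        print(f"{hop.ip:<16} helo={hop.helo}")
    print(helo_counts(flagged))
```

Run it against a real maillog by feeding the file contents to `scan()` instead of `SAMPLE_LOG`. The script only reports the HELO name; checking whether the connecting IP actually belongs to the domain it claimed needs a DNS lookup and is deliberately left out so the scan runs offline on logs.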