
new exploit ?


wulfman

Dec 25, 2013, 8:29:45 PM
Today as I opened my mail I was flooded with "Undelivered Mail Returned to Sender" emails, about 3000 of them.
I read a post here from someone a few years ago about an exploit that sounds like what I am getting now.

http://forum.spamcop.net/forums/index.php?showtopic=10734

Now I ran an open relay check on my server and it passed clean.

Here is a returned email from a random server:

_____________________________________________________________________________

Return-Path: <wulfman[at]wulfman.com>
Received: from localhost (wulfman [127.0.0.1])
by wulfman.com (Postfix) with ESMTP id C6A991FA41
for <25-131-807-2043[at]phone.com>; Wed, 25 Dec 2013 10:13:33 -0800 (PST)
X-Virus-Scanned: by amavisd-new-2.5.4 (20080312) (Debian) at wulfman.com
Received: from wulfman.com ([127.0.0.1])
by localhost (wulfman.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id TIvQt3AJHznZ for <25-131-807-2043[at]phone.com>;
Wed, 25 Dec 2013 10:13:32 -0800 (PST)
Received: from wulfman.com (NS29.NAXZA.com [61.19.251.188])
by wulfman.com (Postfix) with ESMTPA id D18F11FA3F
for <25-131-807-2043[at]phone.com>; Wed, 25 Dec 2013 10:13:31 -0800 (PST)
Date: Thu, 26 Dec 2013 1:13:29 +0700
From: "=?utf-8?Q?Dina_Knisely?=" <wulfman[at]wulfman.com>
Organization: gcxn
X-Priority: 3 (Normal)
Message-ID: <1370481270.20131226011329[at]wulfman.com>
To: 25-131-807-2043[at]phone.com
Subject: =?utf-8?Q?=D1=B5=C3=AE=E1=BA=A1=E1=B8=A0=C5=97=E1=BA=A1?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

http://palmedic.org/engineercharitypetersc....php?uid5520731
________________________________________________________________________________


As you can see, NS29.NAXZA.com [61.19.251.188] is not my IP address.

I added the fix that was in the older post, but I do not think it has taken care of the problem.
I cannot find this problem anywhere. After looking in the mail logs, my server is being hit hard with these
bounce attempts with the forged headers.

I am using the latest version of Postfix from Debian, which is not the latest from Postfix:

postfix mail_version = 2.9.6

I just upgraded 3 days ago via an apt-get update and upgrade.

Maybe somebody can help me out on this one, or has just started seeing this behavior on their server today.
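An added example, not from any post in this thread: a small Python script (standard library only; the header regex is my own heuristic, not Postfix code) that walks the Received: chain of the returned message quoted above in transit order, so the hop at which the message entered the server, the connecting address, and the protocol keyword it was accepted with (plain ESMTP versus the SMTP AUTH keyword ESMTPA from RFC 3848) can be read off rather than eyeballed. The sample is a constructed copy of the quoted headers with [at] restored to @.

```python
import re
from email import message_from_string

# Constructed sample: the Received chain of the returned message quoted in the
# thread, with "[at]" restored to "@" and the body dropped.
SAMPLE = """\
Return-Path: <wulfman@wulfman.com>
Received: from localhost (wulfman [127.0.0.1])
    by wulfman.com (Postfix) with ESMTP id C6A991FA41
    for <25-131-807-2043@phone.com>; Wed, 25 Dec 2013 10:13:33 -0800 (PST)
Received: from wulfman.com ([127.0.0.1])
    by localhost (wulfman.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id TIvQt3AJHznZ for <25-131-807-2043@phone.com>;
    Wed, 25 Dec 2013 10:13:32 -0800 (PST)
Received: from wulfman.com (NS29.NAXZA.com [61.19.251.188])
    by wulfman.com (Postfix) with ESMTPA id D18F11FA3F
    for <25-131-807-2043@phone.com>; Wed, 25 Dec 2013 10:13:31 -0800 (PST)
From: "Dina Knisely" <wulfman@wulfman.com>
To: 25-131-807-2043@phone.com

"""

# "from HELO (peer-info) by HOST ... with PROTO"; the keyword ends in "A"
# (ESMTPA, ESMTPSA) when the client used SMTP AUTH (RFC 3848). Heuristic regex.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s*(?:\((?P<peer>[^)]*)\))?\s*"
                    r"by\s+(?P<by>\S+).*?with\s+(?P<proto>[A-Z0-9]+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(raw):
    """Return hops earliest-first (Received headers are prepended, so reverse)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP_RE.search(value)
        if not m:
            continue  # unrecognised clause layout: skip rather than guess
        ip = IP_RE.search(m.group("peer") or "")
        proto = m.group("proto")
        hops.append({"helo": m.group("helo"), "ip": ip.group(1) if ip else None,
                     "by": m.group("by"), "proto": proto,
                     "authenticated": proto.endswith("A")})
    return hops

def entry_hop(hops):
    """First hop whose connecting address is not loopback: where the mail entered."""
    for hop in hops:
        if hop["ip"] and not hop["ip"].startswith("127."):
            return hop
    return None
```

Run `entry_hop(parse_received(SAMPLE))` to see the external hop; note that its HELO name equals the receiving host, which Postfix's own HELO restrictions and the mail log entry for queue ID D18F11FA3F are the places to check next.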

Benny Pedersen

Dec 26, 2013, 2:05:12 AM
wulfman wrote on 2013-12-26 02:29:
> Today as i opened my mail i was flooded with Undelivered Mail
> Returned to Sender emails about 3000 of them.

Why do you accept forged senders?

For more help, show postconf -n.

Viktor Dukhovni

Dec 26, 2013, 2:08:06 AM
On Thu, Dec 26, 2013 at 08:05:12AM +0100, Benny Pedersen wrote:

> >Today as i opened my mail i was flooded with Undelivered Mail
> >Returned to Sender emails about 3000 of them.
>
> why do you accept forged senders ?

He doesn't. This is a joe-job, which is certainly not a new
phenomenon.

--
Viktor.

Benny Pedersen

Dec 26, 2013, 2:20:23 AM
In the example posted:

Return-Path: <wulfman[at]wulfman.com>

He posts here with:

From: wulfman <wulfman[at]wulfman.com>

So is it not a forged sender accepted by his mailserver?

Viktor Dukhovni

Dec 26, 2013, 2:55:34 AM
On Thu, Dec 26, 2013 at 08:20:23AM +0100, Benny Pedersen wrote:

> >He doesn't. This is a joe-job. Which is certainly not a new
> >phenomenon.
>
> in the example posted
>
> Return-Path: <wulfman[at]wulfman.com>

Read between the lines. He posted the headers of the returned
message, not the encapsulating bounce.

--
Viktor.
