I received a message today from my ISP informing me that spam had been reported as being relayed from my system, which seemed pretty darn curious to me. I double checked, and my Postfix main.cf was set to mynetworks_style = host, which theoretically only trusts the host system and rejects all outside systems. A quick Google search turned up Anti-Relay’s relay tester (utilizing Chip Rosenthal’s rlytest script – the Network Abuse Clearinghouse seems to do the same thing), and my system appeared to be fine:

Tested host banner: 220 muffins.randomfoo.net ESMTP Postfix

System appeared to reject relay attempts

Connection closed by foreign host.
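For anyone who wants to see what a relay tester like rlytest actually sends, here is an added example (my own code, not the original post's and not rlytest itself): a small Python client that issues raw MAIL/RCPT commands against an in-process toy SMTP responder that answers the way a correctly configured Postfix does, accepting mail for its own domain and refusing everything else with "554 5.7.1 Relay access denied". The toy server, its replies, and the example.com/example.net probe addresses are constructed for the example; only the banner text and hostname come from the post. Besides a plain third-party recipient it also probes the old percent-hack and source-route forms, since an MTA that resolves those carelessly can relay even when a plain probe is rejected.

```python
import socket
import smtplib
import threading

# Domains the toy server treats as its own; stands in for Postfix's mydestination.
LOCAL_DOMAINS = {"randomfoo.net"}


def final_domain(addr):
    """Approximate the address resolution Postfix performs before its relay
    check: drop a source route (<@a:user@b> -> user@b) and apply the percent
    hack (user%b@a -> user@b). Relay testers probe exactly these old forms."""
    addr = addr.strip().strip("<>")
    if addr.startswith("@") and ":" in addr:
        addr = addr.split(":", 1)[1]
    local, _, domain = addr.rpartition("@")
    while "%" in local:
        local, _, domain = local.rpartition("%")
    return domain.lower()


def _serve_once(conn):
    """Tiny SMTP responder behaving like Postfix with mynetworks_style = host
    as seen from an outside client: mail for LOCAL_DOMAINS is accepted, any
    other RCPT gets 554 Relay access denied. Replies are constructed."""
    with conn, conn.makefile("rb") as lines:
        conn.sendall(b"220 muffins.randomfoo.net ESMTP Postfix\r\n")
        for raw in lines:
            line = raw.decode("ascii", "replace").strip()
            verb = line.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                conn.sendall(b"250 muffins.randomfoo.net\r\n")
            elif verb == "MAIL":
                conn.sendall(b"250 2.1.0 Ok\r\n")
            elif verb == "RCPT":
                rcpt = line.split(":", 1)[1].strip()
                if final_domain(rcpt) in LOCAL_DOMAINS:
                    conn.sendall(b"250 2.1.5 Ok\r\n")
                else:
                    conn.sendall(b"554 5.7.1 %s: Relay access denied\r\n" % rcpt.encode())
            elif verb == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                return
            else:
                conn.sendall(b"502 5.5.2 Error: command not recognized\r\n")


def start_toy_postfix():
    """Listen on an ephemeral loopback port, serve exactly one client, return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        srv.close()
        _serve_once(conn)

    threading.Thread(target=run, daemon=True).start()
    return port


def relay_test(host, port, probes, helo="relaytest.example"):
    """Send one MAIL FROM and one RCPT TO per probe. docmd() sends the raw
    command so smtplib does not normalise the percent/source-route forms away.
    Returns {probe: SMTP reply code}."""
    results = {}
    with smtplib.SMTP(host, port, timeout=5) as s:
        s.helo(helo)
        s.docmd("MAIL", "FROM:<relaytest@example.net>")
        for rcpt in probes:
            code, _ = s.docmd("RCPT", "TO:<%s>" % rcpt)
            results[rcpt] = code
    return results


def relayed_for(results, local_domains):
    """Probes that resolve outside local_domains yet got a 2xx: the host relays."""
    return [r for r, code in results.items()
            if 200 <= code < 300 and final_domain(r) not in local_domains]


PROBES = [
    "postmaster@randomfoo.net",            # local recipient: must be accepted
    "victim@example.com",                  # plain third-party relay
    "victim%example.com@randomfoo.net",    # percent hack
    "@randomfoo.net:victim@example.com",   # source route
]

if __name__ == "__main__":
    port = start_toy_postfix()
    res = relay_test("127.0.0.1", port, PROBES)
    for rcpt, code in res.items():
        print(code, rcpt)
    print("OPEN RELAY" if relayed_for(res, LOCAL_DOMAINS) else "relay attempts rejected")
```

Point relay_test at a real host and port 25 to run the same probes for real; note that a clean result only says the host does not relay for the tester's source address, which is exactly why a clean rlytest result does not by itself rule out mail leaving through an account or process on the box.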

So I’m pretty mystified. There’s certainly some fishy business going on. Decoding the headers does indeed apparently point to my machine. The URL mentioned in the spam is http://www.bestsaleschannel.com/, which doesn’t give any results when digging or tracerouting; however, it does seem to somehow browse on my computer (but again, not dig). Doing a sniffer cap on browsing seems to resolve it to an IP, 208.255.131.202 (which doesn’t rDNS and dies of DNS errors), but provides a link to the registrar, eNom, which, well, gives the same whois info.

Since neither the receiving mail server nor my mail server was an open relay, that seems to suggest a few things: either I’ve been rooted (chkrootkit at least seems clean), or there’s some funky DNS stuff going on (see above), or the IP was simply spoofed. Time to do some sniffing, I suppose.
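The "decoding the headers" step and the "IP was simply spoofed" hypothesis both come down to the same check, so here is one added example for both (my own code, not part of the original post): walk the Received headers from the top and only believe the hops stamped by a server you trust. The bracketed IP in a Received line is what that server actually saw on the TCP connection; the HELO name next to it is whatever the client claimed, and any Received line below the last trusted hop was already inside the message when that server got it, so a spammer can write one that names your host. The two sample messages, the receiving server mx.victim.example, and the documentation-range addresses (192.0.2.10 standing in for muffins, 203.0.113.45 for a stranger) are constructed; the hostname muffins.randomfoo.net is the only thing taken from the post.

```python
import re
from email import message_from_string

# "from <helo> (<rdns> [<ip>])" as Postfix and most MTAs write it. The HELO
# name is chosen by the client; the bracketed IP is what the receiving MTA saw.
_FROM_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[^\]]+)\]\))?",
    re.I)
_BY_RE = re.compile(r"\bby\s+(?P<by>\S+)", re.I)


def received_hops(raw_message):
    """Return one dict per Received header, newest (topmost) first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())          # unfold continuation lines
        m, b = _FROM_RE.search(text), _BY_RE.search(text)
        hops.append({
            "helo": m.group("helo") if m else None,
            "rdns": m.group("rdns") if m else None,
            "ip": m.group("ip") if m else None,
            "by": b.group("by") if b else None,
        })
    return hops


def first_trusted_hop(raw_message, trusted_servers):
    """Walk down from the top while the header was stamped by a server we
    trust. The last such hop holds the first IP we can believe; everything
    below it could have been written by the sender."""
    last = None
    for hop in received_hops(raw_message):
        if hop["by"] not in trusted_servers:
            break
        last = hop
    return last


def verdict(raw_message, trusted_servers, my_ips):
    """'relayed' if the trusted hop saw one of my IPs (the mail really left my
    box), 'forged' if it saw someone else's, 'unknown' if no trusted hop."""
    hop = first_trusted_hop(raw_message, trusted_servers)
    if hop is None or hop["ip"] is None:
        return "unknown"
    return "relayed" if hop["ip"] in my_ips else "forged"


# Constructed sample 1: the complaining server really did get the mail from
# muffins' address, so the relay test result is not the whole story.
REALLY_FROM_ME = """\
Received: from muffins.randomfoo.net (muffins.randomfoo.net [192.0.2.10])
\tby mx.victim.example (Postfix) with ESMTP id A1
Received: from bigmail.example.com (bigmail.example.com [198.51.100.7])
\tby muffins.randomfoo.net (Postfix) with SMTP id B2
Subject: test

body
"""

# Constructed sample 2: the sender said HELO muffins.randomfoo.net and pasted
# in a fake lower Received line, but the complaining server saw 203.0.113.45.
FORGED_HOP = """\
Received: from muffins.randomfoo.net (unknown [203.0.113.45])
\tby mx.victim.example (Postfix) with ESMTP id C3
Received: from bigmail.example.com (bigmail.example.com [198.51.100.7])
\tby muffins.randomfoo.net (Postfix) with SMTP id D4
Subject: test

body
"""

if __name__ == "__main__":
    trusted, mine = {"mx.victim.example"}, {"192.0.2.10"}
    for name, sample in (("sample 1", REALLY_FROM_ME), ("sample 2", FORGED_HOP)):
        print(name, verdict(sample, trusted, mine), first_trusted_hop(sample, trusted))
```

The HELO name and the rDNS/IP disagreeing in sample 2 is the classic tell: a spammer can claim to be muffins in HELO and in forged headers, but cannot make the receiving server's own Received line show an address it did not connect from.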