Red Squirrel ([H]F Junkie, joined Nov 29, 2009, 9,211 messages)
I was going through my spam folder and noticed something interesting. Some of them are actually spoofing my INTERNAL domain. That domain is not valid on the internet and is not part of the email addresses being sent to. How are they doing this? I also saw some where the spoofed email is a mix of the internal server name and other email account names, basically randomized based on info on the server. Interestingly, a lot of these seem to also have two From emails and not just one; one of them will be the host name of my online mail server.
The way my setup works is that I have an online mail server, and my internal mail server uses fetchmail to get the mail from the online one. So all my mail resides locally on my network and is accessed via imap. When I send mail it just relays to the online mail server.
The local mail server is a very old server that is running Fedora Core 9, so it probably has tons of exploits, but that server is sitting behind a firewall on my internal network and has no services port forwarded to it. Is there somehow a way it could still have been compromised, through a specially formatted email or something? I do have plans to decommission this server but still have services to migrate off it, such as mail; I just have not gotten around to it. I'm kinda curious to rename the server just to see if I start getting spam spoofing the new name too.
I checked the mail logs for some of these emails, but there's not really much details, just basic stuff, showing that it got delivered etc.
Should I be worried about this? One thing I can think of is that the server hostname is on the internet in the form of forum posts etc where I may have previously posted logs or other info when seeking help for something else. Spam bots could theoretically pick that up, but how would they associate it with me?