On Fri, Jul 30, 2010 at 05:54:34PM -0400, Lisa L wrote:
> I'll paste below the contents of the files John sent. To me, it appears to be a Viagra ad coming from a host in Spain, with a link to a website in Russia. What we're trying to determine is whether (1) Tux has been compromised by crackers and is being exploited as a spam relay, (2) we are receiving this message in error because Tux' mail server has been configured to relay Board messages, and the error was intended for the spammer, or (3) something went awry with Google's Gmail servers. Note, 204.225.221.10 is Tux' IP.
Based on the headers in that message, it looks like it's partly (2) -- the spammer is sending to board-members [ at ] oclug [ dot ] on [ dot ] ca, and Tux is just expanding the alias and relaying the mail onwards. However, you're not receiving the rejection messages in error, exactly, because as far as Google cares, you're contributing to the spam problem by not blocking the original instead of passing it on. Servers that relay mail are responsible for the mail they emit, even if they didn't originate it.
I'd suggest that someone needs to upgrade the spam filtering on Tux... if the header added is correct, you're running SpamAssassin 3.1.7, which is pretty much an antique as far as spam filtering goes -- it's almost 4 years old. Version 3.3.1 has been out since March 2010. I'm guessing that Tux is running something outdated (etch, or perhaps sarge), as stock Debian Lenny has 3.2.5, with 3.3.1 being available from backports.
It might be possible for me to set up free hosted antispam for OCLUG through my employer, if you're interested. It would remove the need to have someone maintain cutting-edge-current inbound spam filtering on Tux. I can find out on Tuesday if this is possible (unless David is still reading linux@... and would like to respond).
Cheers, Dave
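
The header check described in the reply above, as an added example that is not part of the original message: it reads the Received chain to tell alias expansion (case 2) from mail that started on the relay itself, and pulls the SpamAssassin version from X-Spam-Checker-Version. The sample message, host names, addresses and function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample (not the message from the thread); hosts and IPs are
# documentation placeholders. The newest Received header comes first.
SAMPLE = """\
Received: from tux.example.org (tux.example.org [192.0.2.10])
\tby mx.provider.example with ESMTP id A1
\tfor <member@provider.example>; Fri, 30 Jul 2010 10:00:05 -0400
Received: from unknown (host.example.net [198.51.100.7])
\tby tux.example.org with ESMTP id B2
\tfor <board-members@lug.example>; Fri, 30 Jul 2010 10:00:01 -0400
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on tux.example.org
From: sender@host.example.net
To: board-members@lug.example
Subject: constructed sample

body
"""

HOP = re.compile(r"from\s+(\S+).*?\[([\d.]+)\].*?by\s+(\S+)(?:.*?for\s+<([^>]+)>)?", re.S)

def hops(raw):
    """Return Received hops oldest-first as (from_host, from_ip, by_host, rcpt)."""
    msg = message_from_string(raw)
    found = [HOP.search(h) for h in msg.get_all("Received", [])]
    return [m.groups() for m in reversed(found) if m]

def classify(raw, relay_host, local_aliases):
    """Decide whether relay_host merely expanded a local alias for outside mail."""
    chain = hops(raw)
    inbound = [h for h in chain if h[2] == relay_host]   # hops our relay stamped
    outbound = [h for h in chain if h[0] == relay_host]  # hops that received from it
    if not inbound:
        return "originated-on-relay"    # no outside hop: inspect the host itself
    if inbound[0][3] in local_aliases and outbound:
        return "alias-expansion"        # case (2): accepted for alias, forwarded on
    return "relayed-for-non-local"      # accepted for a foreign address: check relay rules

def spamassassin_version(raw):
    """Version from the X-Spam-Checker-Version header, or None if absent."""
    header = message_from_string(raw).get("X-Spam-Checker-Version", "")
    m = re.search(r"SpamAssassin (\d+(?:\.\d+)+)", header)
    return m.group(1) if m else None
```

Only the Received line stamped by your own server is trustworthy; anything older in the chain can be forged by the sender.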