At work, I noticed one of our client’s mail server relaying SPAM. This was pretty odd as I just upgraded their system to the latest version of Postfix two weeks ago. I poked around a bit to find out how the mail was being relayed, and it ended up that Apache, which was running on the same box, was acting as a mail proxy. Here’s one of the lines that was showing up in the server logs:
xx.xx.xx.xx - - [26/Jan/2004:14:54:31 -0700] "POST http://xx.xx.xx.xx:25/ HTTP/1.1" 200 989 "-" "-"
It seems that when mod_proxy is configured on an Apache server, it can be used to proxy connections to any IP address and on any port that the user specifies in a POST request. In our case, someone was POSTing to the web server to open a connection to the same server on port 25 to send out SPAM. Since the connection was through the proxy, the mail server saw the connection as coming from localhost, and of course allowed the mail to be sent.
Anyway, I’ve never seen this happen before, and it seems like a lot of work to go through just for a spammer to gain a single mail relay. If you ever notice this on a server that you administrate, the solution we used was to install mod_security and block all requests that contain the text “:25/”.
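As an added example (not from the original post), here is a small Python checker that walks Apache access-log lines like the one above and flags forward-proxy-style requests whose destination port is 25: a request-target in absolute-URI form (POST http://host:25/) or CONNECT host:port form is the signature of mod_proxy being used as an open proxy, and a 200 status means the relay succeeded. The sample log lines and the extra SMTP ports in SUSPECT_PORTS are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Apache combined log: client, ident, user, [time], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Port 25 is the one abused in the post; 465/587 are constructed additions
# (submission ports a web server should never be forwarding traffic to).
SUSPECT_PORTS = {25, 465, 587}

def proxy_target(request_target):
    """Return (host, port) when the request-target looks like a forward-proxy
    request: an absolute URI (http://host:port/...) or a CONNECT host:port.
    Ordinary origin-form targets such as /index.html return None."""
    if request_target.startswith("/"):
        return None
    if "://" in request_target:
        try:
            parts = urlsplit(request_target)
            if parts.hostname is None:
                return None
            port = parts.port or (443 if parts.scheme == "https" else 80)
        except ValueError:  # malformed port in the URI
            return None
        return parts.hostname, port
    host, sep, port = request_target.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return None

def find_proxy_abuse(log_lines):
    """Return (client, time, host, port) for each proxied request aimed at a
    suspect port. Status is deliberately not filtered: a 200 on such a line,
    as in the post, means the SMTP session went through."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        target = proxy_target(m.group("target"))
        if target and target[1] in SUSPECT_PORTS:
            hits.append((m.group("client"), m.group("time"), target[0], target[1]))
    return hits

# Constructed sample lines modelled on the one in the post (documentation IPs).
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Jan/2004:14:54:31 -0700] "POST http://192.0.2.10:25/ HTTP/1.1" 200 989 "-" "-"',
    '203.0.113.7 - - [26/Jan/2004:14:54:40 -0700] "CONNECT 192.0.2.10:25 HTTP/1.0" 200 0 "-" "-"',
    '198.51.100.3 - - [26/Jan/2004:14:55:02 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [26/Jan/2004:14:55:09 -0700] "GET http://example.com/ HTTP/1.1" 200 3000 "-" "-"',
]

if __name__ == "__main__":
    for client, when, host, port in find_proxy_abuse(SAMPLE_LOG):
        print(f"{when} {client} proxied to {host}:{port}")
```

Any hit here means the proxy is forwarding to a mail port and the real fix is to stop Apache acting as a forward proxy at all (ProxyRequests Off unless you truly need it), with the mod_security filter from the post as a backstop.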