Today I had a TOS Violation on my Linode VPS for sending spam e-mails. Odd, I thought, as I only have 1 mail user. So I stopped Postfix and examined the logs, and it was pretty obvious that it was sending lots of spam e-mails. Odd though that the connections were coming from 127.0.0.1… which pointed to it being a script or something like that… but I only have 3 websites on here, all low-traffic, and I’m fairly confident there are no security issues there. I checked through the Apache access logs, but nothing seemed odd there. I then did a “netstat -a” and discovered there were hundreds and hundreds of connections to a particular port. Running “netstat -pant” showed these connections were to Squid – which is where the problem lay. Basically, a couple of weeks ago I installed Squid (a proxy server) to play around with. I configured it so I could use it as an HTTP proxy. Unfortunately I left a gaping hole where anyone could’ve used the proxy for anything. Unfortunately for me, it allowed spammers to send mail via my otherwise secure Postfix installation… but of course Postfix didn’t require SASL Authentication because the connections were from 127.0.0.1 – its own network. Anyway, it seems to be fixed now (I removed Squid altogether as I have no real use for it), but this highlights the importance of configuring stuff properly so that all possible security holes are sealed shut!
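To show why the proxy, not Postfix, was the hole, here is an added example (not from the original post) that models Squid's first-match http_access evaluation and runs it against a constructed wide-open config and against the stock squid.conf style ACLs that refuse CONNECT to non-SSL ports and to 127.0.0.0/8; the 192.0.2.0/24 "localnet" range and the sample client addresses are assumptions.

```python
import ipaddress

# Constructed squid.conf fragments (assumption: Squid 2.x/3.x-era acl syntax, simplified).
WEAK_CONF = """
acl all src 0.0.0.0/0
http_access allow all   # anyone may proxy anything, including CONNECT to 127.0.0.1:25
"""
FIXED_CONF = """
acl all src 0.0.0.0/0
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.0.2.0/24   # assumption: the admin's own client network
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access deny all
"""

def request_allowed(conf, req):
    """Apply Squid's first-match http_access semantics to a request (src, dst, port, method)."""
    acls, rules = {}, []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts[:1] == ["acl"]:
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[:1] == ["http_access"]:
            rules.append((parts[1], parts[2:]))

    def matches(term):  # a leading '!' negates a single acl term
        kind, values = acls[term.lstrip("!")]
        if kind in ("src", "dst"):
            hit = any(ipaddress.ip_address(req[kind]) in ipaddress.ip_network(v, strict=False) for v in values)
        elif kind == "port":  # single ports or lo-hi ranges
            hit = any(int(v.partition("-")[0]) <= req["port"] <= int(v.partition("-")[2] or v) for v in values)
        else:  # method
            hit = req["method"] in values
        return hit != term.startswith("!")

    for verb, terms in rules:
        if all(matches(t) for t in terms):
            return verb == "allow"
    return rules[-1][0] != "allow" if rules else False  # no match: opposite of the last rule

# The abuse pattern from the post: an outside client tunnelling to the local SMTP port.
SPAM_RELAY = {"src": "203.0.113.45", "dst": "127.0.0.1", "port": 25, "method": "CONNECT"}
LEGIT_USE = {"src": "192.0.2.10", "dst": "198.51.100.7", "port": 80, "method": "GET"}
```

With the weak config `request_allowed(WEAK_CONF, SPAM_RELAY)` is True, so Postfix sees the spammer arrive from 127.0.0.1 and, trusting mynetworks, relays without SASL; with the fixed config the same request is refused by `deny !Safe_ports` before it ever reaches the mail server.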
Oct 9 2009