
[cobalt-security] RAQ 3 SPAM - How can they do this and how to prevent it again

Hi Yah,

This header is from a spam mail that arrived in my email this afternoon. I
opened it up to check the header and noticed it had come through one of our
Cobalt RaQ3s and had a customer's domain as a recipient. The RaQ has Telnet
disabled, it has POP-before-SMTP, and there are no SMTP servers running and no
relaying allowed.

The server's been checked for old versions of FormMail and other similar
scripts, so how can the spammer still manage to filter stuff through this?

Return-Path: <1029843@xxxxxxxxxxx>
Delivered-To: me@xxxxxxxxxxxx (my private address omitted)
X-Envelope-To: me@xxxxxxxxxxxx
Received: (qmail 90355 invoked by alias); 9 Nov 2001 04:32:52 -0000
Received: from unknown (HELO ns.our-raq3.com) (xxx.xxx.xxx.xxx)
  by debbie.paradise.net.nz with SMTP; 9 Nov 2001 04:32:52 -0000
Received: from femail19.sdc1.sfba.home.com (femail19.sdc1.sfba.home.com
	by ns.our-raq3.com (8.9.3/8.9.3) with ESMTP id VAA03451
	for <postmaster@xxxxxxxxxxxxxxxxxxxxxxxx>; Thu, 8 Nov 2001 21:32:46 -0700
From: 1029843@xxxxxxxxxxx
Received: from [] by femail19.sdc1.sfba.home.com
          (InterMail vM. 201-229-121-120-20010223) with SMTP
          Thu, 8 Nov 2001 20:32:40 -0800
Date: Thu, 08 Nov 01 19:49:57 EST
To: Friend@xxxxxxxxxx
Subject: AD: Tired Of Foul Language?
Message-ID: <>

Now, after checking the customer's hosting space and GUI: there are no CGIs
or PHP scripts running, no form-to-email, no mailing lists, their Telnet is
disabled and they have no relaying. The only things they do have are two
aliases, the catch-all activated, and a forward to his ISP mail account, which
happens to be an AOL address.

The customer is on a different IP from the ns's IP

Any words of wisdom or guidance would be gratefully received.


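One way to read a Received: chain like the one above and tell a local alias or forward apart from open relaying, as an added example (this is not the poster's code and not anything shipped with the Cobalt RaQ): a Python script that unfolds the headers, parses each Received: hop into from/HELO/by/for fields, puts the hops into transit order, and then checks whether ns.our-raq3.com accepted the message for a specific recipient and, in the very next hop, HELO'd out as itself to another server. The header block is embedded as constructed sample input, copied from the post with its masked values; the hostname ns.our-raq3.com is taken from that header. The interpretation in `find_forwarding_hop` (accept-for-local-mailbox followed by re-send equals alias/.forward, not relay) is an assumption of this example, not something the thread confirms.

```python
import re

# Constructed sample: the header block quoted in the post above, copied with the
# same masked (xxx) values so the script runs offline. No new data is introduced.
SAMPLE_HEADERS = """\
Return-Path: <1029843@xxxxxxxxxxx>
Delivered-To: me@xxxxxxxxxxxx
X-Envelope-To: me@xxxxxxxxxxxx
Received: (qmail 90355 invoked by alias); 9 Nov 2001 04:32:52 -0000
Received: from unknown (HELO ns.our-raq3.com) (xxx.xxx.xxx.xxx)
  by debbie.paradise.net.nz with SMTP; 9 Nov 2001 04:32:52 -0000
Received: from femail19.sdc1.sfba.home.com (femail19.sdc1.sfba.home.com
\tby ns.our-raq3.com (8.9.3/8.9.3) with ESMTP id VAA03451
\tfor <postmaster@xxxxxxxxxxxxxxxxxxxxxxxx>; Thu, 8 Nov 2001 21:32:46 -0700
From: 1029843@xxxxxxxxxxx
Received: from [] by femail19.sdc1.sfba.home.com
          (InterMail vM. 201-229-121-120-20010223) with SMTP
          Thu, 8 Nov 2001 20:32:40 -0800
Date: Thu, 08 Nov 01 19:49:57 EST
To: Friend@xxxxxxxxxx
Subject: AD: Tired Of Foul Language?
Message-ID: <>
"""

# A host/token in a Received: clause: stop at whitespace, ';' or parentheses.
TOKEN = r"([^\s;()]+)"


def unfold_headers(raw):
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        elif line.strip():
            out.append(line.rstrip())
    return out


def parse_received(raw):
    """Return the Received: hops in transit order (oldest first).

    Each hop records the claimed sender ('from'), the HELO name if the receiving
    MTA logged one, the MTA that added the line ('by') and the envelope
    recipient it accepted the message for ('for'); missing fields are None."""
    hops = []
    for line in unfold_headers(raw):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "received":
            continue
        value = value.strip()
        hop = {"raw": value}
        for key, pattern in (
            ("from", r"\bfrom\s+" + TOKEN),
            ("helo", r"\(HELO\s+" + TOKEN + r"\)"),
            ("by", r"\bby\s+" + TOKEN),
            ("for", r"\bfor\s+<([^>]+)>"),
        ):
            m = re.search(pattern, value)
            hop[key] = m.group(1) if m else None
        hops.append(hop)
    hops.reverse()  # each MTA prepends its line, so the last header is the first hop
    return hops


def find_forwarding_hop(hops, our_host):
    """Distinguish a local alias/.forward re-injection from open relaying.

    Assumption used here: an open relay shows our host accepting mail 'for' an
    address it does not host, while a forward shows our host accepting mail for
    a named local recipient and then, in the next hop, connecting out as itself
    to deliver it elsewhere. Returns a summary dict for that hop, else None."""
    for i in range(len(hops) - 1):
        hop, nxt = hops[i], hops[i + 1]
        if hop["by"] != our_host or hop["for"] is None:
            continue  # we need to know whom our host accepted the mail for
        if our_host not in (nxt["helo"], nxt["from"]):
            continue  # our host did not send it on
        return {"accepted_for": hop["for"],
                "received_from": hop["from"],
                "handed_to": nxt["by"]}
    return None


if __name__ == "__main__":
    chain = parse_received(SAMPLE_HEADERS)
    for n, hop in enumerate(chain, 1):
        print(f"hop {n}: from={hop['from']} helo={hop['helo']} "
              f"by={hop['by']} for={hop['for']}")
    print(find_forwarding_hop(chain, "ns.our-raq3.com"))
```

On the sample the RaQ's own Received: line says it accepted the message "for <postmaster@...>" in the customer's domain and the next line shows it HELO'ing as ns.our-raq3.com to debbie.paradise.net.nz. That is consistent with the catch-all alias plus forward the post describes (sendmail delivering to a local mailbox whose alias points off-site) rather than with a relay test, which is the check to run before spending time on open-relay hunting; what the catch-all and forward should be set to is a separate decision.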