Quoting Greg Ward <gward@???>:
> Not clear. The forged notifications were completely
> different-looking, so I would assume different scanners. Either
> that or we have one piece of stupidware that's highly configurable,
> whose clueless admins take the time and trouble to craft notification
> messages. I'm inclined to believe in multiple pieces of stupidware.
Hmmm.. Could have it been your server which qualified an address of
<postmaster> to <postmaster@???>? Multiple pieces of stupidware
using an unqualified address is probably more probable than qualifying
such an address with the recipient domain. Still a wrongly configured
software though.
If that's the scenario, does your ACL works against it or the
domain qualification happends before?