Been blacklisted >_< Was: Re:Is this spam coming from inside my network?
Madison Kelly
linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org
Mon Feb 13 23:09:37 UTC 2006
Madison Kelly wrote:
> Jason Shein wrote:
>> On Monday 13 February 2006 14:04, Madison Kelly wrote:
>>> How could I check to see if I am an open relay?
>>
>> These will work.
>>
>> http://members.iinet.net.au/~remmie/relay/
>> http://www.globedom.com/cgi-bin/relay
>
> Thanks for the links! My server passed (not open).
>
> Since then I've been digging through my logs and found this in
> '/var/log/messages'
>
> Feb 12 05:01:01 srv01 crond(pam_unix)[2456]: session opened for user
> root by (uid=0)
> Feb 12 05:01:01 srv01 crond(pam_unix)[2456]: session closed for user root
>
> Which is just seconds before the first spam from my 'apache' user was
> sent. From '/var/log/maillog':
>
> Feb 12 05:01:15 srv01 sendmail[2445]: k186LxI0005105:
> to=<mdenika-5SK1gwG8BQs at public.gmane.org>, ctladdr=<apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org> (48/48),
> delay=4+03:39:16, xdelay=00:02:00, mailer=esmtp, pri=11822817,
> relay=qaol.com. [38.119.83.27], dsn=4.0.0, stat=Deferred: Connection
> timed out with qaol.com.
>
> So it looks like something connected for less than a second and then
> somehow started the flood. I've tried upgrading to Apache 2.0.54 and I
> (re)set the user password for 'apache' but the mail is still being sent.
> Needless to say, I am starting to get desperate!
>
> Madison
For what it's worth, the site in all the spam being sent from my domain
points to 'http://dy-yellow.com'. Anyone else been hit by them?
Arsehats.
Madison
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Madison Kelly (Digimer)
TLE-BU; The Linux Experience, Back Up
Main Project Page: http://tle-bu.org
Community Forum: http://forum.tle-bu.org
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
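The log correlation described in the message above, as an added example that is not part of the original post: it takes the quoted sendmail line, subtracts the delay= value from the log timestamp to get the time the message entered the queue, and checks both times against the crond session times. The year 2006 (from the message date), the 60-second window and the function names are assumptions, and the ctladdr match stops at the first character outside [A-Za-z0-9_.] because the archive has obfuscated the address.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the log lines quoted in the thread, unwrapped to
# one line each, with the archive's address obfuscation left as it appears.
MESSAGES = (
    "Feb 12 05:01:01 srv01 crond(pam_unix)[2456]: session opened for user root by (uid=0)\n"
    "Feb 12 05:01:01 srv01 crond(pam_unix)[2456]: session closed for user root\n"
)
MAILLOG = (
    "Feb 12 05:01:15 srv01 sendmail[2445]: k186LxI0005105: "
    "to=<mdenika-5SK1gwG8BQs at public.gmane.org>, "
    "ctladdr=<apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org> (48/48), "
    "delay=4+03:39:16, xdelay=00:02:00, mailer=esmtp, pri=11822817, "
    "relay=qaol.com. [38.119.83.27], dsn=4.0.0, "
    "stat=Deferred: Connection timed out with qaol.com.\n"
)

STAMP = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) ")
CTLADDR = re.compile(r"ctladdr=<([A-Za-z0-9_.]+)")  # local part only (assumption)
DELAY = re.compile(r"\bdelay=(?:(\d+)\+)?(\d+):(\d\d):(\d\d)")  # \b skips xdelay=

def stamp(line, year):
    """Syslog timestamps carry no year, so the caller supplies it."""
    m = STAMP.match(line)
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S") if m else None

def cron_sessions(text, year):
    """Times at which crond opened a PAM session."""
    return [stamp(l, year) for l in text.splitlines()
            if "crond(" in l and "session opened" in l and stamp(l, year)]

def queued_mail(text, year, user="apache"):
    """Yield (queue_id, attempt_time, queued_at) for mail whose ctladdr is `user`."""
    for line in text.splitlines():
        ctl, delay, when = CTLADDR.search(line), DELAY.search(line), stamp(line, year)
        if not (ctl and delay and when) or ctl.group(1) != user:
            continue
        d, h, m, s = (int(x or 0) for x in delay.groups())
        age = timedelta(days=d, hours=h, minutes=m, seconds=s)
        yield line.split()[5].rstrip(":"), when, when - age

def near(ts, sessions, window=timedelta(seconds=60)):
    """True if ts falls within `window` of any cron session start."""
    return any(abs(ts - s) <= window for s in sessions)

if __name__ == "__main__":
    cron = cron_sessions(MESSAGES, 2006)
    for qid, attempt, queued in queued_mail(MAILLOG, 2006):
        print(qid, "attempt", attempt, "near cron:", near(attempt, cron))
        print(qid, "queued ", queued, "near cron:", near(queued, cron))
```

On the quoted line, the delivery attempt at 05:01:15 falls within the window of the 05:01:01 cron session, while the computed queue time is 2006-02-08 01:21:59, so the web server and mail logs around that earlier time are the ones to review.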