Spam problem

Madison Kelly linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org
Thu Jun 14 13:52:36 UTC 2007


John Van Ostrand wrote:
> On Thu, 2007-06-14 at 02:21 -0400, Madison Kelly wrote:
>> Sadly, it is/was coming from my machine. :<
>>
>> I've upgraded the server and blocked about 8 class A networks at my 
>> firewall. It's draconian, but it seems to have stemmed the tide until I 
>> can look at the problem tomorrow (it's 2:30am now...).
>>
>> It looks like they've found a way to connect to my machine's sendmail 
>> even though relaying should be denied. Any idea how this could have 
>> happened? At any rate, I will look into that tomorrow. Thanks for your help!
>>
>> a tired Madi
> 
> If you are running any web applications you may want to look at
> fill-in-forms. Also I saw a squirrelmail exploit recently, although I
> didn't pay much attention to it, just upgraded.
> 
> There is also an MSP (mail submission port) that usually requires
> authentication by default. Make sure you don't have guessable
> passwords.
> 
> It's also possible that it's coming from a machine internal to your
> network that is using your email server for sending email or for
> NAT/firewall.
> 
> Finally, an open proxy server could be the culprit.
> 
> Is your machine the 192.139.81.120? How did you determine it was your
> system? Does the email show up in logs? Was it just an IP address in the
> received header that tipped you off?
> 

I've shut down all webmail apps at the moment, and the spam is still 
getting through. My mail server is at 192.139.81.120 and I can tell the 
mail is coming from it because all the headers on the bounced messages 
show that the connection came from me with the email originating from 
IPs in Poland and Russia (primarily).

Currently I've blocked about 20 class A subnets from the bounces from 
those regions as a short-term measure. I am pretty sure they have found 
a way to connect to sendmail despite the fact that it shouldn't relay 
for anyone except people on the office or server LAN. If the mail was 
coming from one of the internal machines I wouldn't see how the origin 
IPs would all be from those geographic locales, so that doesn't seem to be 
the case.

I've installed wireshark and will try to figure out more in an hour or 
so when I get into the office (very late night last night).

I HATE spammer scum. grrrr.

Madi
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
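The way Madi attributes the spam above, from the Received headers of the bounces, can be scripted. The example below is added here and is not code from the thread: it walks the Received chain of a bounced message, keeps only the hops where the local server (192.139.81.120, the address given in the thread) is the "by" host, and reports any client it accepted from outside the networks it is supposed to relay for. The hostnames, the 198.51.100.23 client and the 10.0.0.0/24 office LAN are assumed sample values.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample modelled on the bounces the message describes: the
# local sendmail host (192.139.81.120, the address given in the thread)
# accepted a message from an outside client and relayed it onward.  All
# other names and addresses are made-up documentation values.
SAMPLE_BOUNCE = """Received: from mail.example.net (mail.example.net [192.139.81.120])
\tby mx.example.org with ESMTP id ABC123
\tfor <victim@example.org>; Thu, 14 Jun 2007 08:01:02 -0400
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mail.example.net (8.13.8/8.13.8) with SMTP id l5E4x0C0
\tfor <victim@example.org>; Thu, 14 Jun 2007 08:00:59 -0400
Subject: constructed sample

body
"""

# Assumptions: the hostname our server writes into its own "by" clause, and
# the networks it is meant to relay for (the office/server LAN in the thread).
OUR_HOSTNAMES = {"mail.example.net"}
ALLOWED_RELAY_NETS = [ipaddress.ip_network("10.0.0.0/24")]

_FROM_RE = re.compile(r"^from\s+(\S+)\s+\(([^)]*)\)")
_BY_RE = re.compile(r"\bby\s+(\S+)")
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(header):
    """Return (client_ip, by_host) from one folded Received header, or None."""
    text = " ".join(header.split())          # unfold continuation lines
    from_m, by_m = _FROM_RE.search(text), _BY_RE.search(text)
    if not (from_m and by_m):
        return None
    ip_m = _IP_RE.search(from_m.group(2))    # literal address in the comment
    return (ip_m.group(1) if ip_m else None, by_m.group(1))

def relayed_from_outside(raw, our_hostnames, allowed_nets):
    """Client IPs our server accepted that are outside its allowed relay networks."""
    suspects = []
    for header in message_from_string(raw).get_all("Received", []):
        parsed = parse_received(header)
        if not parsed or parsed[0] is None or parsed[1] not in our_hostnames:
            continue
        client = ipaddress.ip_address(parsed[0])
        if not any(client in net for net in allowed_nets):
            suspects.append(str(client))
    return suspects

if __name__ == "__main__":
    print(relayed_from_outside(SAMPLE_BOUNCE, OUR_HOSTNAMES, ALLOWED_RELAY_NETS))
```

Run over a batch of bounces, the list of client IPs tells you whether the mail was injected from outside (an open relay or abused submission port) or from an address on the LAN, which is exactly the distinction the thread is trying to make.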