Spam problem

Slackrat slackrat4Q-MOdoAOVCFFcswetKESUqMA at public.gmane.org
Thu Jun 14 14:48:40 UTC 2007


Madison Kelly <linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org> writes:

> John Van Ostrand wrote:
>> On Thu, 2007-06-14 at 02:21 -0400, Madison Kelly wrote:
>>> Sadly, it is/was coming from my machine. :<
>>>
>>> I've upgraded the server and blocked about 8 class A networks at my
>>> firewall. It's draconian, but it seems to have stemmed the tide
>>> until I can look at the problem tomorrow (it's 2:30am now...).
>>>
>>> It looks like they've found a way to connect to my machine's
>>> sendmail even though relaying should be denied. Any idea how this
>>> could have happened? At any rate, I will look into that
>>> tomorrow. Thanks for your help!
>>>
>>> a tired Madi
>>
>> If you are running any web applications you may want to look at
>> fill-in-forms. Also I saw a squirrelmail exploit recently, although I
>> didn't pay much attention to it, just upgraded.
>>
>> There is also an MSP (mail submission port) that usually requires
>> authentication by default. Make sure you don't have guessable
>> passwords.
>>
>> It's also possible that it's coming from a machine internal to your
>> network that is using your email server for sending email or for
>> NAT/firewall.
>>
>> Finally, an open proxy server could be the culprit.
>>
>> Is your machine the 192.139.81.120? How did you determine it was your
>> system? Does the email show up in logs? Was it just an IP address in the
>> received header that tipped you off?
>>
>
> I've shut down all webmail apps at the moment, and the spam is still
> getting through. My mail server is at 192.139.81.120 and I can tell
> the mail is coming from it because all the headers on the bounced
> messages show that the connection came from me with the email
> originating from IPs in Poland and Russia (primarily).
>
> Currently I've blocked about 20 class A subnets from the bounces from
> those regions as a short-term measure. I am pretty sure they have
> found a way to connect to sendmail despite the fact that it shouldn't
> relay for anyone except people on the office or server LAN. If the
> mail was coming from one of the internal machines I wouldn't see how
> the origin IPs would all be from those geographic locales so that
> doesn't seem to be the case.
>
> I've installed wireshark and will try to figure out more in an hour or
> so when I get into the office (very late night last night).
>
> I HATE spammer scum. grrrr.
>

You have an open DNS


http://www.dnsstuff.com/tools/dnsreport.ch?%26domain%3Dalteeve.com

-- 
SlackRat aka bill henderson
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
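The triage John suggests (is the client an internal machine or an outside
host, and did it come in on port 25 or on the authenticated submission
port) can be done straight from the sendmail log. The script below is an
added example written for this page, not code posted by anyone in the
thread. It assumes default sendmail logging: one "from=" line per accepted
message carrying "daemon=MTA" (port 25) or "daemon=MSA" (port 587),
"relay=[ip]" or "relay=host [ip]" for the connecting client, and "to="
lines with "mailer=esmtp" for delivery to a remote host. The log excerpt,
queue IDs, addresses and the trusted CIDR list are all constructed.

```shell
#!/bin/sh
# Added example, not from the thread: list every message sendmail accepted
# from a client outside the trusted networks, with the daemon that took it,
# the envelope sender, the recipient count, and how many deliveries went to
# remote hosts (mailer=esmtp). A non-zero last column on a daemon=MTA line is
# relaying in the strict sense; a daemon=MSA line from an outside client was
# accepted on the submission port, which normally means someone authenticated.
#
# Assumptions (not verified against the poster's server): default sendmail
# log format, syslog prefix ending in "sendmail[pid]: <queueid>:", and the
# daemon names MTA/MSA from the stock DAEMON_OPTIONS lines.

# Constructed log excerpt; IPs are documentation ranges, not real hosts.
SAMPLE_LOG='Jun 14 02:10:11 mail sendmail[4101]: l5E6ABcd004101: from=<sales@example.net>, size=1842, class=0, nrcpts=1, msgid=<a@example.net>, proto=ESMTP, daemon=MTA, relay=[192.168.1.20]
Jun 14 02:10:15 mail sendmail[4105]: l5E6AFef004105: from=<promo@example.org>, size=21337, class=0, nrcpts=48, msgid=<b@example.org>, proto=ESMTP, daemon=MTA, relay=[203.0.113.45]
Jun 14 02:10:18 mail sendmail[4107]: l5E6AIgh004107: from=<user@example.com>, size=900, class=0, nrcpts=1, msgid=<c@example.com>, proto=ESMTP, daemon=MSA, relay=client.example.org [198.51.100.77]
Jun 14 02:10:19 mail sendmail[4108]: l5E6AIgh004107: to=<user2@example.com>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=30900, dsn=2.0.0, stat=Sent
Jun 14 02:10:20 mail sendmail[4109]: l5E6AFef004105: to=<victim1@example.com>, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=51337, relay=mx.example.com. [192.0.2.10], dsn=2.0.0, stat=Sent
Jun 14 02:10:21 mail sendmail[4109]: l5E6AFef004105: to=<victim2@example.edu>, delay=00:00:03, xdelay=00:00:01, mailer=esmtp, pri=51337, relay=mx.example.edu. [192.0.2.20], dsn=2.0.0, stat=Sent
Jun 14 02:10:30 mail sendmail[4110]: l5E6AUij004110: from=<promo@example.org>, size=21337, class=0, nrcpts=50, msgid=<d@example.org>, proto=ESMTP, daemon=MTA, relay=[203.0.113.45]'

# Usage: flag_external_relays "<cidr> <cidr> ..." < /var/log/maillog
# Output, one line per flagged message, sorted by queue ID:
#   <queueid> <daemon> <client-ip> <envelope-from> <nrcpts> <remote-deliveries>
flag_external_relays() {
    awk -v trusted="$1" '
    function ip2n(ip,   o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # Compare the network prefixes by dropping the host bits on both sides.
    function in_cidr(ip, cidr,   p, hostbits) {
        split(cidr, p, "/")
        hostbits = 2 ^ (32 - p[2])
        return int(ip2n(ip) / hostbits) == int(ip2n(p[1]) / hostbits)
    }
    function is_trusted(ip,   n, t, i) {
        n = split(trusted, t, " ")
        for (i = 1; i <= n; i++) if (in_cidr(ip, t[i])) return 1
        return 0
    }
    # Queue ID sits between "sendmail[pid]: " and the next ": ".
    function queue_id(line) {
        if (match(line, /\]: [A-Za-z0-9]+: /)) return substr(line, RSTART + 3, RLENGTH - 5)
        return ""
    }
    # "from=" lines describe the inbound connection; "to=" lines also carry a
    # relay= field but it names the next hop, so only the client is read here.
    /: from=</ {
        daemon = ""; ip = ""; from = ""; nrcpts = ""
        if (match($0, /daemon=[A-Za-z0-9_-]+/)) daemon = substr($0, RSTART + 7, RLENGTH - 7)
        if (match($0, /nrcpts=[0-9]+/))          nrcpts = substr($0, RSTART + 7, RLENGTH - 7)
        if (match($0, /from=<[^>]*>/))           from   = substr($0, RSTART + 6, RLENGTH - 7)
        if (match($0, /relay=[^,]*\[[0-9.]+\]/)) {
            ip = substr($0, RSTART, RLENGTH); sub(/^.*\[/, "", ip); sub(/\]$/, "", ip)
        }
        # Local submissions (relay=user@localhost) have no bracketed IP and are skipped.
        if (ip != "" && !is_trusted(ip))
            client[queue_id($0)] = daemon " " ip " " from " " nrcpts
    }
    # Count deliveries to remote hosts for each queue ID; mailer=local is a
    # local mailbox and does not count as relaying.
    /: to=</ && /mailer=esmtp/ && /stat=Sent/ { remote[queue_id($0)]++ }
    END {
        for (q in client) print q, client[q], (q in remote ? remote[q] : 0)
    }' | LC_ALL=C sort
}

printf '%s\n' "$SAMPLE_LOG" | flag_external_relays "192.168.1.0/24 10.0.0.0/8"
```

Run it against the real log with the office and server LAN ranges in place
of the constructed CIDRs. Lines with a non-zero last column and daemon=MTA
are the relaying John is describing; a daemon=MSA line from an outside
address means the submission port accepted it, so find out which account
authenticated for that queue ID and change its password before anything
else.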