Spam problem

E K ekg_ab-FFYn/CNdgSA at public.gmane.org
Thu Jun 14 14:53:49 UTC 2007


--- Madison Kelly <linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org> wrote:

> John Van Ostrand wrote:
> > On Thu, 2007-06-14 at 02:21 -0400, Madison Kelly wrote:
> >> Sadly, it is/was coming from my machine. :<
> >>
> >> I've upgraded the server and blocked about 8 class A networks at my
> >> firewall. It's draconian, but it seems to have stemmed the tide until I
> >> can look at the problem tomorrow (it's 2:30am now...).
> >>
> >> It looks like they've found a way to connect to my machine's sendmail
> >> even though relaying should be denied. Any idea how this could have
> >> happened? At any rate, I will look into that tomorrow. Thanks for your
> >> help!
> >>
> >> a tired Madi
> > 
> > If you are running any web applications you may want to look at
> > fill-in-forms. Also I saw a squirrelmail exploit recently, although I
> > didn't pay much attention to it, just upgraded.
> > 
> > There is also an MSP (mail submission port) that usually requires
> > authentication by default. Make sure you don't have guessable
> > passwords.
> > 
> > It's also possible that it's coming from a machine internal to your
> > network that is using your email server for sending email or for
> > NAT/firewall.
> > 
> > Finally, an open proxy server could be the culprit.
> > 
> > Is your machine the 192.139.81.120? How did you determine it was your
> > system? Does the email show up in logs? Was it just an IP address in the
> > Received header that tipped you off?
> > 
> > --
> > The Toronto Linux Users Group.      Meetings: http://gtalug.org/
> > TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> > How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
> > 
> 
> I've shut down all webmail apps at the moment, and the spam is still
> getting through. My mail server is at 192.139.81.120 and I can tell the
> mail is coming from it because all the headers on the bounced messages
> show that the connection came from me with the email originating from
> IPs in Poland and Russia (primarily).
> 
> Currently I've blocked about 20 class A subnets from the bounces from
> those regions as a short-term measure. I am pretty sure they have found
> a way to connect to sendmail despite the fact that it shouldn't relay
> for anyone except people on the office or server LAN. If the mail was
> coming from one of the internal machines I wouldn't see how the origin
> IPs would all be from those geographic locales, so that doesn't seem to
> be the case.
> 
> I've installed wireshark and will try to figure out more in an hour or
> so when I get into the office (very late night last night).
> 
> I HATE spammer scum. grrrr.
> 
> Madi

But what does the line
Message-ID: <834032768.79579868946668-VRR/Z2xxn2bR7s880joybQ at public.gmane.org>
tell you? Your server is not thhebat.net and the Message-ID says that
the mail originated at thhebat.net. I don't understand how an email
that originated from thhebat.net got received from your server.

Can it be that these guys are using the email address (in the From
line) to send out spam and the bounce-backs come to you? In that case,
probably the only solution, if you are absolutely sure that there
will not be any legitimate email from that class, is to block the IP
class, which you did.

EK

Just a thought.

EK
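The thread turns on one question: do the bounced messages prove the mail passed through Madison's server (a relay or a compromised internal host), or is the server's domain merely forged in the From: line so that bounces land there (backscatter)? The only evidence that settles this is the Received: chain of the bounced original, read hop by hop. The script below is an added illustration, not code from the thread or from either poster: it parses the Received: headers of a bounced message and reports whether some hop was accepted "by" our server and, if so, whether that hop came from the outside, from the office LAN, or from the server itself. The hostname mail.example.org, the LAN range 192.168.1.0/24 and the three sample messages are constructed assumptions; only the address 192.139.81.120 comes from the thread.

```python
"""Classify a bounced message by its Received: chain.

Added example, not code from the mailing-list thread. OUR_HOST, LAN_NETS
and the SAMPLE_* messages are constructed assumptions; 192.139.81.120 is
the server address quoted in the thread.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

OUR_HOST = "mail.example.org"                       # assumed hostname
OUR_IP = "192.139.81.120"                           # address from the thread
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumed office LAN

# A Received: header reads "from <host> (<helo> [<ip>]) by <host> ...".
_RECV_RE = re.compile(r"from\s+(?P<from>\S+)(?P<rest>.*?)\bby\s+(?P<by>[\w.\-]+)", re.S)
_IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_received(headers):
    """Return hops as (from_host, from_ip, by_host), in header order (newest first)."""
    hops = []
    for value in headers:
        m = _RECV_RE.search(" ".join(value.split()))   # unfold multi-line headers
        if not m:
            continue
        ipm = _IP_RE.search(m.group("from") + m.group("rest"))
        hops.append((m.group("from"), ipm.group(1) if ipm else None, m.group("by")))
    return hops


def classify(raw, our_host=OUR_HOST, our_ip=OUR_IP, lan_nets=LAN_NETS):
    """Explain how a bounced original relates to our server.

    external-relay   : our server accepted it from an outside address (open relay)
    internal-host    : our server accepted it from the office LAN (infected PC)
    local-submission : injected on the server itself (web form, local process)
    backscatter      : our domain only appears in From:; no hop went through us
    unrelated        : neither our host nor our domain is involved
    """
    msg = message_from_string(raw)
    hops = parse_received(msg.get_all("Received", []))
    _, sender = parseaddr(msg.get("From", ""))
    our_domain = our_host.split(".", 1)[1]
    from_is_ours = sender.lower().endswith("@" + our_domain)

    for _from_host, from_ip, by_host in hops:
        if by_host.lower() != our_host.lower() and by_host != our_ip:
            continue                      # not our server's hop
        if from_ip is None:
            return "via-us-unknown-source"
        addr = ipaddress.ip_address(from_ip)
        if from_ip == our_ip or addr.is_loopback:
            return "local-submission"
        if any(addr in net for net in lan_nets):
            return "internal-host"
        return "external-relay"
    return "backscatter" if from_is_ours else "unrelated"


# Constructed samples. 203.0.113.0/24 is a documentation range standing in
# for the foreign origin addresses mentioned in the thread.
SAMPLE_RELAY = """\
Received: from mail.example.org ([192.139.81.120]) by mx.remote.example
\t(Postfix) with ESMTP id 1A2B; Thu, 14 Jun 2007 08:00:00 +0000
Received: from unknown (HELO pc) ([203.0.113.5]) by mail.example.org
\twith SMTP; Thu, 14 Jun 2007 07:59:00 +0000
From: victim@example.org
To: someone@remote.example
Subject: constructed sample

body
"""

SAMPLE_INTERNAL = """\
Received: from pc12.office.example.org (pc12 [192.168.1.34])
\tby mail.example.org with ESMTP; Thu, 14 Jun 2007 07:59:00 +0000
From: victim@example.org
To: someone@remote.example

body
"""

SAMPLE_BACKSCATTER = """\
Received: from host.somewhere.example ([203.0.113.9]) by mx.remote.example
\twith ESMTP; Thu, 14 Jun 2007 08:00:00 +0000
From: victim@example.org
To: someone@remote.example

body
"""

if __name__ == "__main__":
    for name, raw in (("relay", SAMPLE_RELAY), ("internal", SAMPLE_INTERNAL),
                      ("backscatter", SAMPLE_BACKSCATTER)):
        print(f"{name:12s} -> {classify(raw)}")
```

The decisive hop is the one whose "by" clause names our own server: its "from" address says where the message entered. A Received: line further up the chain that only shows a remote MX receiving "from" 192.139.81.120 confirms the remote saw our server, but not how the mail got in. If no hop at all is "by" our server and our domain is only in the From: line, the bounces are backscatter from forged senders, which is the case EK raises and which no relay fix will stop.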

