From: David Banning
Date: Mon, 8 Jan 2007 21:24:30 -0500
To: Garrett Cooper, questions@freebsd.org
Subject: Re: stopping my server from spamming
Message-ID: <20070109022428.GA63703@skytracker.ca>
References: <20070106194117.GA8958@skytracker.ca> <45A00376.9040501@u.washington.edu>
In-Reply-To: <45A00376.9040501@u.washington.edu>

I think I located the problem.
I discovered through one of the blacklist hosters when exactly they received the spam and that helped me track it to a virus-infected Windows box.

> Using nmap / tcpdump / snort to find rogue SMTP hosts is the next step I
> would pursue. Remember though, your hosts may not be causing the spam
> and it could instead be spoofing of some kind. For that, you can't do
> anything except talk to the mail providers that blacklisted your domain
> and get things cleared up.

These utilities were the direction of what I was looking for. Thanks for that - I will look at the use of each and how I can trace what is going on for future reference.

> Ultimately, I suggest switching to entirely AUTH based SMTP though to
> prevent this issue from occurring. You can either block port 25 from
> being routed or use net/smtptrapd (see ).

Done. Thanks Garrett
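
Added example, not part of the original message or thread: one way to apply the tcpdump suggestion quoted above is to count, per LAN host, the distinct outside servers it opens SMTP connections to, and flag any host that is not an approved mail server. The function name, the threshold, the addresses and the sample capture are all constructed for illustration, and the line format is assumed to be the text output of `tcpdump -n`.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the text format printed by `tcpdump -n tcp` (assumed).
# 192.168.1.10 plays the site's real mail server; 192.0.2.x, 198.51.100.x and
# 203.0.113.x are documentation address ranges standing in for outside servers.
SAMPLE = """\
21:24:30.000001 IP 192.168.1.10.40112 > 192.0.2.25.25: Flags [S], seq 1, win 65535, length 0
21:24:30.100001 IP 192.168.1.23.1042 > 198.51.100.7.25: Flags [S], seq 2, win 65535, length 0
21:24:30.200001 IP 192.168.1.23.1043 > 203.0.113.9.25: Flags [S], seq 3, win 65535, length 0
21:24:30.300001 IP 203.0.113.9.25 > 192.168.1.23.1043: Flags [S.], seq 4, ack 4, win 65535, length 0
21:24:30.400001 IP 192.168.1.23.1044 > 192.0.2.80.25: Flags [S], seq 5, win 65535, length 0
21:24:30.500001 IP 192.168.1.42.50500 > 192.168.1.10.25: Flags [S], seq 6, win 65535, length 0
21:24:30.600001 IP 192.168.1.42.50501 > 192.0.2.80.80: Flags [S], seq 7, win 65535, length 0
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def rogue_smtp_hosts(lines, lan, allowed_senders, threshold=3):
    """Return {lan_ip: distinct outside SMTP servers contacted} for LAN hosts
    that are not approved senders and reached at least `threshold` servers."""
    net = ipaddress.ip_network(lan)
    dests = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP/IPv4 line in the expected format
        # Count connection attempts only: a bare SYN ("S") to port 25.
        if m["flags"] != "S" or m["dport"] != "25":
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src not in net or m["src"] in allowed_senders:
            continue  # outside host, or the legitimate mail server
        if dst in net:
            continue  # a client submitting mail to the local server
        dests[m["src"]].add(m["dst"])
    return {ip: len(d) for ip, d in dests.items() if len(d) >= threshold}


if __name__ == "__main__":
    print(rogue_smtp_hosts(SAMPLE.splitlines(), "192.168.1.0/24", {"192.168.1.10"}))
```
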