Date: Fri, 27 Sep 2002 21:32:02 -0700 (PDT)
From: Don Lewis <dl-freebsd@catspoiler.org>
To: provencial1@yahoo.com
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: Possible trojan since upgrade
Message-ID: <200209280432.g8S4W2vU002581@gw.catspoiler.org>
In-Reply-To: <20020928035657.21042.qmail@web21402.mail.yahoo.com>
On 27 Sep, Heywood Jblome wrote:
> Since I upgraded to a recent Stable CVSUP, I've seen
> this kind of message about once a day in the
> /var/log/maillog file. I suspect a trojan as the
> "root" user did not send email at this time, there is
> no matching entry indicating that the mail was sent,
> queued, or so forth. The system seems to slow after
> this entry shows in the logs.

It looks more like some spammer has discovered that the host at IP
address 217.58.38.101 is an unsecured proxy and is either attempting to
spam you or to use your host as a spam relay. According to the second
log entry, this attempt is being rejected because 217.58.38.101 is
listed in the relays.osirusoft.com database. Complain to
<abuse@interbusiness.it>, but don't get your hopes up.

The first entry appears to be unrelated because it is a different
sendmail process ID, and the source IP address, 202.80.192.29, is
different. In this case, it looks like a spammer may be attempting to
get past any filters and relay his junk email through your host by
using <root@zzzzzz.com> as the return address. Grep the log file for
more entries from sendmail pid 1742 to see if this spammer is
succeeding or if his attempts are being rejected.

If spammers are exploiting your mail server it is likely to feel the
impact. Be very sure that your server is not vulnerable to being used
to relay third party email, since this is sure to attract spammers.
One way of testing it is to telnet to relay-test.mail-abuse.org from
the host in question.

> Don't know for sure whether this came from a CVSUP or
> somewhere else... there are only two users on the
> system.
>
> Can anyone point me where to look to eliminate
> whatever is causing this email connection?
>
> -----------------
> from /var/log/maillog
>
> assume host zzzzzz.com
>
> -----------This is the entry in question--------
> Sep 27 13:44:40 medusa sm-mta[1742]: g8RIiXgt001742:
> from=<root@zzzzzz.com>, size=0, class=0, nrcpts=1,
> proto=ESMTP, daemon=MTA, relay=[202.80.192.29]
> -------------Next entry-------------
> Sep 27 13:46:59 medusa sm-mta[1746]:
> ruleset=check_relay, arg1=host101-38.pool21758.interbusiness.it,
> arg2=217.58.38.101,
> relay=host101-38.pool21758.interbusiness.it
> [217.58.38.101], reject=550 5.7.1 Mail Rejected - see
> http://relays.osirusoft.com
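As an added example (not part of this thread and not sendmail's own code), a Python parser for sm-mta log lines of the kind quoted above: it ties entries together by process ID, as the suggested grep for pid 1742 does, and picks out check_relay (DNSBL) and check_rcpt (relaying denied) rejections so you can see whether an attempt got through. The sample input is constructed from the two quoted entries plus one invented "Relaying denied" line; victim@example.net is an assumed address.

```python
import re

# Constructed sample modelled on the sm-mta lines quoted in the thread; the
# second line (a check_rcpt "Relaying denied" reject for pid 1742) is invented
# to show how lines from one sendmail process are tied together.
SAMPLE_LOG = """\
Sep 27 13:44:40 medusa sm-mta[1742]: g8RIiXgt001742: from=<root@zzzzzz.com>, size=0, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[202.80.192.29]
Sep 27 13:44:41 medusa sm-mta[1742]: g8RIiXgt001742: ruleset=check_rcpt, arg1=<victim@example.net>, relay=[202.80.192.29], reject=550 5.7.1 <victim@example.net>... Relaying denied
Sep 27 13:46:59 medusa sm-mta[1746]: ruleset=check_relay, arg1=host101-38.pool21758.interbusiness.it, arg2=217.58.38.101, relay=host101-38.pool21758.interbusiness.it [217.58.38.101], reject=550 5.7.1 Mail Rejected - see http://relays.osirusoft.com
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<rest>.*)$")
QID_RE = re.compile(r"^(?P<qid>[A-Za-z0-9]{14}): (?P<rest>.*)$")
# key=value pairs; a value runs to the next ", key=" so that spaces inside
# reject= and relay= values survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")
IP_RE = re.compile(r"\[([\d.]+)\]")

def parse_line(line):
    """Return a dict for one sendmail log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = {"ts": m["ts"], "pid": int(m["pid"]), "qid": None}
    rest = m["rest"]
    q = QID_RE.match(rest)  # queue ID is only present once a message exists
    if q:
        entry["qid"], rest = q["qid"], q["rest"]
    entry.update(dict(FIELD_RE.findall(rest)))
    ip = IP_RE.search(entry.get("relay", ""))
    entry["relay_ip"] = ip.group(1) if ip else None
    return entry

def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def entries_for_pid(entries, pid):
    """Everything one sm-mta process logged: the 'grep for pid 1742' step."""
    return [e for e in entries if e["pid"] == pid]

def relay_rejects(entries):
    """Rejections from check_relay (DNSBL hit) or check_rcpt (relaying denied)."""
    return [e for e in entries
            if "reject" in e and e.get("ruleset") in ("check_relay", "check_rcpt")]
```

Feed it a real /var/log/maillog and a pid whose every line carries a reject= field is an attempt that was turned away; a pid with a from= line and no reject was accepted.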