From: Robert Fitzpatrick
Organization: WebTent Networking, Inc.
Date: Wed, 05 Jan 2011 10:41:29 -0500
To: FreeBSD
Subject: Bot?

Keep getting calls from our provider at one location that our FreeBSD 8.0-RELEASE server is sending bursts of >1000 spam messages to >70K recipients.
Since the first call a few weeks ago, I have MRTG and Mail Statistics graphs set up and see no spikes in traffic. Their last sighting was over the weekend and graphs show a reduction in traffic during that time as expected, again with no spikes in traffic or messages sent/received by our Postfix/Amavisd-maia MTA. All services on that server, including SSH, SMTP and mail queue size, are all monitored by Nagios and have had no alerts from that server.

Nonetheless, they claim I must have a bot and the mail is not passing through my own SMTP. And I suspect little traffic is needed for the alleged bursts. They have no envelope info. Can someone advise on what port(s) are available for bot detection and/or prevention? In all my years of running FreeBSD as mail gateways, this is the first time I've had this issue.

--Robert
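
One way to test the provider's claim that mail is leaving the host without passing through the local MTA, as an added example that is not part of the original message: filter `sockstat -4 -c` output for connections to remote port 25 that are not owned by the MTA's user. The sample rows are constructed, and the MTA user name `postfix` is an assumption.

```shell
#!/bin/sh
# Added example: flag outbound SMTP connections not owned by the local MTA.
# Input is text in the column layout of FreeBSD `sockstat -4 -c`:
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS

# Assumption: the legitimate MTA runs as user "postfix"; adjust as needed.
MTA_USERS="postfix"

# Constructed sample rows, not captured from the server in the message.
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
postfix  smtp       2101  14 tcp4   192.0.2.10:50112      198.51.100.25:25
www      perl       4410  5  tcp4   192.0.2.10:50230      203.0.113.7:25
www      perl       4410  6  tcp4   192.0.2.10:50231      203.0.113.9:25
root     sshd       910   4  tcp4   192.0.2.10:22         192.0.2.50:61022
www      httpd      3300  9  tcp4   192.0.2.10:80         203.0.113.80:40025
EOF
}

# Print "user command pid count" for every non-MTA process that holds a
# connection whose foreign port is exactly 25.
find_rogue_smtp() {
    awk -v mta="$MTA_USERS" '
        BEGIN { n = split(mta, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 && $1 == "USER" { next }      # skip the header row
        NF < 7 { next }                        # skip malformed rows
        {
            port = $7; sub(/^.*:/, "", port)   # text after the last colon
            if (port == "25" && !($1 in ok)) hits[$1 " " $2 " " $3]++
        }
        END { for (k in hits) print k, hits[k] }
    ' | sort
}

# On the live host: sockstat -4 -c | find_rogue_smtp
sample_sockstat | find_rogue_smtp
```

Because the reported bursts are short, a single run can miss them; running the check at a short interval and keeping the output gives a record to compare against the provider's timestamps.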