From: Jerry Bell
To: freebsd-questions@freebsd.org
Subject: Re: Bot?
Date: Wed, 05 Jan 2011 10:47:36 -0500
Message-ID: <4D249298.9080706@nrdx.com>
In-Reply-To: <4D249129.6090008@webtent.net>

It's unlikely that the bot would relay outbound spam through your MTA - that would be inconvenient, slow and raise some suspicion.

If the provider is right, you most likely have a bit of code running on the server that is directly connecting to external mail servers. There could be reasons you aren't seeing a spike, such as you're only looking at traffic processed by the MTA, or it simply doesn't show as a material increase on a graph of traffic on the network interface if the server is busy.

Jerry

On 1/5/2011 10:41 AM, Robert Fitzpatrick wrote:
> Keep getting calls from our provider at one location that our FreeBSD
> 8.0-RELEASE server is sending bursts of >1000 spam messages to >70K
> recipients. Since the first call a few weeks ago, I have MRTG and Mail
> Statistics graphs set up and see no spikes in traffic. Their last
> sighting was over the weekend and graphs show a reduction in traffic
> during that time as expected, again with no spikes in traffic or
> messages sent/received by our Postfix/Amavisd-maia MTA. All services
> on that server, including SSH, SMTP and mail queue size, are monitored
> by Nagios, and we have had no alerts from that server.
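A defender-side check for the situation Jerry describes, added here as an example and not part of the thread: on FreeBSD, `sockstat -4 -c -P tcp` lists connected TCP sockets with their owning user and process, so any outbound connection to port 25 that is not owned by the MTA's user is worth a look. The script embeds a constructed sockstat-style sample so it runs offline, and assumes the MTA runs as user `postfix` (an assumption; adjust to your setup).

```shell
#!/bin/sh
# Added example, not code from the thread. Flags outbound SMTP (port 25)
# connections whose owning user is not the MTA user. On a live FreeBSD host
# the input would come from:  sockstat -4 -c -P tcp
# Here a constructed sample in sockstat(1) column layout is embedded instead.

# Assumption: Postfix runs as user "postfix" (placeholder; change as needed).
MTA_USER="${MTA_USER:-postfix}"

# Constructed sample (documentation IPs only), same columns as sockstat:
# USER COMMAND PID FD PROTO "LOCAL ADDRESS" "FOREIGN ADDRESS"
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
postfix  smtp       1201  6  tcp4   192.0.2.10:51234      198.51.100.25:25
www      perl       2345  3  tcp4   192.0.2.10:51240      203.0.113.7:25
www      perl       2345  4  tcp4   192.0.2.10:51241      203.0.113.8:25
root     sshd       800   3  tcp4   192.0.2.10:22         198.51.100.9:50322
nobody   httpd      900   5  tcp4   192.0.2.10:80         198.51.100.9:50330'

# Read sockstat output on stdin; print "USER COMMAND PID FOREIGN" for each
# connection whose remote port is 25 and whose user is not the MTA user.
# The port is taken as the last ':'-separated field, so IPv6 peers
# (tcp6 rows) are handled the same way as IPv4 ones.
suspicious_smtp() {
    mta="$1"
    awk -v mta="$mta" '
        NR == 1 { next }                      # skip the header line
        {
            n = split($NF, peer, ":")         # FOREIGN ADDRESS -> addr:port
            if (n >= 2 && peer[n] == "25" && $1 != mta)
                print $1, $2, $3, $NF
        }'
}

# Number of suspicious rows in the embedded sample (used by the checks below).
count_suspicious() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | suspicious_smtp "$MTA_USER" | wc -l | tr -d ' '
}

# Stand-alone run: list non-MTA processes talking to remote port 25.
printf '%s\n' "$SAMPLE_SOCKSTAT" | suspicious_smtp "$MTA_USER"
```

On the live host, pipe real output in with `sockstat -4 -c -P tcp | suspicious_smtp postfix` (add `-6` to cover IPv6). Because a compromised host may not report honestly about itself, a packet capture of outbound port 25 taken upstream of the server is the stronger confirmation.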