Date:      Wed, 5 Jan 2011 16:59:24 +0100
From:      Matthias Apitz <guru@unixarea.de>
To:        robert@webtent.com
Cc:        FreeBSD <freebsd-questions@freebsd.org>
Subject:   Re: Bot?
Message-ID:  <20110105155924.GA6326@current.Sisis.de>
In-Reply-To: <4D249129.6090008@webtent.net>
References:  <4D249129.6090008@webtent.net>

On Wednesday, January 05, 2011 at 10:41:29AM -0500, Robert Fitzpatrick wrote:

> Keep getting calls from our provider at one location that our FreeBSD 
> 8.0-RELEASE server is sending bursts of >1000 spam messages to >70K 
> recipients. Since the first call a few weeks ago, I have MRTG and Mail 
> Statistics graphs set up and see no spikes in traffic. Their last 
> sighting was over the weekend and graphs show a reduction in traffic 
> during that time as expected, again with no spikes in traffic or 
> messages sent/received by our Postfix/Amavisd-maia MTA. All services on 
> that server including SSH, SMTP and mail queue size all monitored by 
> Nagios and have had no alerts from that server.
> 
> Nonetheless, they claim I must have a bot and the mail is not passing 
> through my own SMTP. And I suspect little traffic is needed for the 
> alleged bursts. They have no envelope info. Can someone advise on what 
> port(s) are available for bot detection and/or prevention? In all my 
> years of running FreeBSD as mail gateways, this is the first time I've 
> had this issue.
> 
> --Robert

Check with tcpdump (on another host connected by a HUB, no switch, to
the box) if you can see that port 25 traffic of the NIC of the host;
that would be my 1st check to catch it...

If someone has lifted up your FreeBSD into a VM running on that bot, you
will not see this inside the FreeBSD, I think.

	matthias
-- 
Matthias Apitz
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e <guru@unixarea.de> - w http://www.unixarea.de/
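
The tcpdump check suggested above can be turned into a per-minute count of outbound SMTP connection attempts seen on the wire. This is an added example, not part of the original e-mail; the interface `em0`, the address `192.0.2.10`, the threshold and the sample capture lines are constructed assumptions.

```shell
#!/bin/sh
# Capture on the monitoring host (em0 and 192.0.2.10 are placeholders):
#   tcpdump -nn -tt -i em0 'src host 192.0.2.10 and tcp dst port 25' > smtp.txt
# then:  smtp_syn_summary 192.0.2.10 3 < smtp.txt

# Constructed sample of `tcpdump -nn -tt` text output, for offline use.
sample_capture() {
cat <<'EOF'
1294243141.000100 IP 192.0.2.10.50001 > 198.51.100.7.25: Flags [S], seq 1001, win 65535, length 0
1294243141.020300 IP 198.51.100.7.25 > 192.0.2.10.50001: Flags [S.], seq 9001, ack 1002, win 65535, length 0
1294243142.500000 IP 192.0.2.10.50002 > 203.0.113.9.25: Flags [S], seq 2001, win 65535, length 0
1294243150.700000 IP 192.0.2.10.50003 > 203.0.113.44.25: Flags [S], seq 3001, win 65535, length 0
1294243155.900000 IP 192.0.2.10.50004 > 198.51.100.7.25: Flags [S], seq 4001, win 65535, length 0
1294243158.000000 IP 192.0.2.10.50005 > 203.0.113.80.80: Flags [S], seq 5001, win 65535, length 0
1294243205.000000 IP 192.0.2.10.50006 > 198.51.100.7.25: Flags [S], seq 6001, win 65535, length 0
EOF
}

# smtp_syn_summary HOST LIMIT
# Reads tcpdump text on stdin and prints one line per minute:
#   <minute start, epoch> <SYNs to port 25> <distinct destinations> <BURST|ok>
# Only pure SYNs (new connection attempts) from HOST to port 25 are counted.
smtp_syn_summary() {
  awk -v host="$1" -v limit="$2" '
    $2 == "IP" && $4 == ">" && /Flags \[S\]/ {
      src = $3; sub(/\.[0-9]+$/, "", src)      # strip source port
      dst = $5; sub(/:$/, "", dst)             # strip trailing colon
      port = dst; sub(/^.*\./, "", port)       # last dotted field is the port
      sub(/\.[0-9]+$/, "", dst)                # leave destination address
      if (src != host || port != "25") next
      m = int($1 / 60) * 60                    # bucket by minute
      count[m]++
      if (!((m, dst) in seen)) { seen[m, dst] = 1; dsts[m]++ }
    }
    END {
      for (m in count)
        printf "%d %d %d %s\n", m, count[m], dsts[m],
               (count[m] > limit ? "BURST" : "ok")
    }' | sort -n
}

sample_capture | smtp_syn_summary 192.0.2.10 3
```

Minutes marked BURST that have no matching deliveries in the Postfix log are the ones to look at, since they indicate port 25 traffic that did not go through the MTA.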


