Date: Fri, 05 May 2000 07:52:58 -0400
From: Jim Durham <durham@w2xo.pgh.pa.us>
To: Warner Losh <imp@village.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: I got spammed from my localhost..
Message-ID: <3912B61A.9E0DD9A5@w2xo.pgh.pa.us>
References: <39124044.EAB72303@w2xo.pgh.pa.us> <200005050637.AAA46998@harmony.village.org>

Warner Losh writes:
>
>In message <39124044.EAB72303@w2xo.pgh.pa.us> Jim Durham writes:
>: I found that someone has been relaying through my sendmail all day
>: long. He is appearing as "localhost" which is an allowable address
>: to relay in my access database for sendmail.
>
>Without a header, it is impossible to know if this is a localhost or a
>localhost. There are differences :-). He might have his IP address
>setup to return localhost for queries to it (reverse dns).

I don't have an outgoing header. When I saw the problem, I
shut down sendmail. I brought it back up in about 10 minutes
in -odq mode. Apparently all the mail had cleared. The only
thing that tipped me off were the messages from my Mailer-Daemon
about refused connections. Here is one of those. You will see
it lists the original as from localhost. I hesitate to post
something this long to the list, so I have truncated this.

You will see that the original is listed as from
"localhost 127.0.0.1" in the 2nd case.

Another thing is that /var/log/maillog doesn't seem to show
any *successful* connections, only rejects.

The body of the message was some cell-phone offer. It does have
a "mailto:" on it.

Truthfully, I'm not sure *what* was going on.

>From MAILER-DAEMON Thu May 4 06:02:07 2000
Return-Path: <MAILER-DAEMON>
Received: from localhost (localhost)
        by w2xo.pgh.pa.us (8.9.3/8.9.3) with internal id GAB38613;
        Thu, 4 May 2000 06:02:07 GMT
        (envelope-from MAILER-DAEMON)
Date: Thu, 4 May 2000 06:02:07 GMT
From: Mail Delivery Subsystem <MAILER-DAEMON>
Message-Id: <200005040602.GAB38613@w2xo.pgh.pa.us>
To: postmaster
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
        boundary="GAB38613.957420127/w2xo.pgh.pa.us"
Subject: Postmaster notify: User unknown
Auto-Submitted: auto-generated (postmaster-notification)
Status: RO
X-Status: D
X-Keywords:
X-UID: 50153

This is a MIME-encapsulated message

--GAB38613.957420127/w2xo.pgh.pa.us

The original message was received at Thu, 4 May 2000 06:01:01 GMT
from localhost

   ----- The following addresses had permanent fatal errors -----
<e7QZWNbG6@seojon.co.kr>

   ----- Transcript of session follows -----
... while talking to pnet.seojon.co.kr.:
>>> RCPT To:<e7QZWNbG6@seojon.co.kr>
<<< 550 <e7QZWNbG6@seojon.co.kr>... User unknown
550 <e7QZWNbG6@seojon.co.kr>... User unknown

--GAB38613.957420127/w2xo.pgh.pa.us
Content-Type: message/delivery-status

Reporting-MTA: dns; w2xo.pgh.pa.us
Received-From-MTA: DNS; localhost
Arrival-Date: Thu, 4 May 2000 06:01:01 GMT

Final-Recipient: RFC822; e7QZWNbG6@seojon.co.kr
Action: failed
Status: 5.1.1
Remote-MTA: DNS; pnet.seojon.co.kr
Diagnostic-Code: SMTP; 550 <e7QZWNbG6@seojon.co.kr>... User unknown
Last-Attempt-Date: Thu, 4 May 2000 06:02:00 GMT

--GAB38613.957420127/w2xo.pgh.pa.us
Content-Type: message/rfc822

Return-Path: <MAILER-DAEMON>
Received: from localhost (localhost)
Date: Thu, 4 May 2000 06:01:01 GMT
From: Mail Delivery Subsystem <MAILER-DAEMON>
Message-Id: <200005040601.GAA38613@w2xo.pgh.pa.us>
To: <e7QZWNbG6@seojon.co.kr>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
        boundary="GAA38613.957420061/w2xo.pgh.pa.us"
Content-Transfer-Encoding: 8bit
Subject: Returned mail: User unknown
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message

--GAA38613.957420061/w2xo.pgh.pa.us

The original message was received at Thu, 4 May 2000 05:55:47 GMT
from localhost [127.0.0.1]

-- 
Jim Durham
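
Added example (not part of the original message or of sendmail): a Python check for the point raised in the quoted reply above, that a host name of "localhost" may only be what the peer's reverse DNS returns, so the recorded address is what has to be a loopback address. It classifies the "received ... from" lines of bounce reports like the one posted; the function names and the two lines marked as constructed are assumptions.

```python
import ipaddress
import re

# Origin as sendmail writes it at the end of a line: "from NAME" or
# "from NAME [IP]" (an "IPv6:" tag inside the brackets is tolerated).
ORIGIN_RE = re.compile(
    r"\bfrom\s+(?P<name>[A-Za-z0-9._-]+)"
    r"(?:\s+\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\])?\s*$"
)

def classify_origin(line):
    """Return 'loopback', 'name-only', 'name-mismatch', 'remote' or 'unparsed'."""
    m = ORIGIN_RE.search(line.strip())
    if not m:
        return "unparsed"
    claims_local = m.group("name").lower().rstrip(".") == "localhost"
    if m.group("ip") is None:
        # No address recorded: the name alone cannot be verified.
        return "name-only" if claims_local else "remote"
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return "unparsed"
    if ip.is_loopback:
        return "loopback"
    # A "localhost" name on a non-loopback address came from the peer's
    # reverse DNS, which the peer controls.
    return "name-mismatch" if claims_local else "remote"

def suspicious(lines):
    """Lines whose host name says localhost but whose address does not."""
    return [l for l in lines if classify_origin(l) == "name-mismatch"]

SAMPLE = [
    # Two lines taken from the bounce quoted in the message above.
    "The original message was received at Thu, 4 May 2000 06:01:01 GMT from localhost",
    "The original message was received at Thu, 4 May 2000 05:55:47 GMT from localhost [127.0.0.1]",
    # Constructed lines (documentation addresses, not from the page).
    "The original message was received at Thu, 4 May 2000 05:58:10 GMT from localhost [192.0.2.10]",
    "The original message was received at Thu, 4 May 2000 05:59:30 GMT from mail.example.net [192.0.2.25]",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(f"{classify_origin(line):14} {line}")
```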