From: Jim Durham
Organization: dis-
Date: Fri, 05 May 2000 07:52:58 -0400
To: Warner Losh
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: I got spammed from my localhost..
Message-ID: <3912B61A.9E0DD9A5@w2xo.pgh.pa.us>
References: <39124044.EAB72303@w2xo.pgh.pa.us> <200005050637.AAA46998@harmony.village.org>

Warner Losh writes:
>
>In message <39124044.EAB72303@w2xo.pgh.pa.us> Jim Durham writes:
>: I found that someone has been relaying through my sendmail all day
>: long. He is appearing as "localhost" which is an allowable address
>: to relay in my access database for sendmail.
>
>Without a header, it is impossible to know if this is a localhost or a
>localhost. There are differences :-). He might have his IP address
>set up to return localhost for queries to it (reverse DNS).

I don't have an outgoing header. When I saw the problem, I shut down
sendmail. I brought it back up in about 10 minutes in -odq mode.
Apparently all the mail had cleared. The only thing that tipped me off
was the messages from my Mailer-Daemon about refused connections.
Here is one of those. You will see it lists the original as from
localhost. I hesitate to post something this long to the list, so I
have truncated this.

You will see that the original is listed as from "localhost 127.0.0.1"
in the 2nd case. Another thing is that /var/log/maillog doesn't seem to
show any *successful* connections, only rejects. The body of the message
was some cell-phone offer. It does have a "mailto:" on it. Truthfully,
I'm not sure *what* was going on.

>From MAILER-DAEMON Thu May 4 06:02:07 2000
Return-Path:
Received: from localhost (localhost)
	by w2xo.pgh.pa.us (8.9.3/8.9.3) with internal id GAB38613;
	Thu, 4 May 2000 06:02:07 GMT
	(envelope-from MAILER-DAEMON)
Date: Thu, 4 May 2000 06:02:07 GMT
From: Mail Delivery Subsystem
Message-Id: <200005040602.GAB38613@w2xo.pgh.pa.us>
To: postmaster
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
	boundary="GAB38613.957420127/w2xo.pgh.pa.us"
Subject: Postmaster notify: User unknown
Auto-Submitted: auto-generated (postmaster-notification)
Status: RO
X-Status: D
X-Keywords:
X-UID: 50153

This is a MIME-encapsulated message

--GAB38613.957420127/w2xo.pgh.pa.us

The original message was received at Thu, 4 May 2000 06:01:01 GMT
from localhost

   ----- The following addresses had permanent fatal errors -----

   ----- Transcript of session follows -----
... while talking to pnet.seojon.co.kr.:
>>> RCPT To:
<<< 550 ... User unknown
550 ... User unknown

--GAB38613.957420127/w2xo.pgh.pa.us
Content-Type: message/delivery-status

Reporting-MTA: dns; w2xo.pgh.pa.us
Received-From-MTA: DNS; localhost
Arrival-Date: Thu, 4 May 2000 06:01:01 GMT

Final-Recipient: RFC822; e7QZWNbG6@seojon.co.kr
Action: failed
Status: 5.1.1
Remote-MTA: DNS; pnet.seojon.co.kr
Diagnostic-Code: SMTP; 550 ... User unknown
Last-Attempt-Date: Thu, 4 May 2000 06:02:00 GMT

--GAB38613.957420127/w2xo.pgh.pa.us
Content-Type: message/rfc822

Return-Path:
Received: from localhost (localhost)
Date: Thu, 4 May 2000 06:01:01 GMT
From: Mail Delivery Subsystem
Message-Id: <200005040601.GAA38613@w2xo.pgh.pa.us>
To:
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
	boundary="GAA38613.957420061/w2xo.pgh.pa.us"
Content-Transfer-Encoding: 8bit
Subject: Returned mail: User unknown
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message

--GAA38613.957420061/w2xo.pgh.pa.us

The original message was received at Thu, 4 May 2000 05:55:47 GMT
from localhost [127.0.0.1]

--
Jim Durham
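Following up on Warner's reverse-DNS point, here is an added example (Python, written for this page; not code from the thread or from sendmail) that shows why an access rule keyed on the name "localhost" is weaker than one keyed on 127.0.0.1, and pulls the bracketed peer address out of a Received line of the kind the bounce above carries. The access-map model, the rule tables and the sample Received lines are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample Received lines in the two shapes seen in the bounce:
# one gives only the reverse-DNS name, the other also shows the peer address.
RECEIVED_NAME_ONLY = "Received: from localhost (localhost) by w2xo.pgh.pa.us (8.9.3/8.9.3)"
RECEIVED_WITH_ADDR = "Received: from localhost [127.0.0.1] by w2xo.pgh.pa.us (8.9.3/8.9.3)"

_ADDR_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def peer_address(received_line):
    """Return the bracketed address literal from a Received line, or None.

    Only the bracketed literal reflects the socket the MTA accepted; the
    bare name in front of it comes from the peer's PTR record, which the
    peer's operator controls.
    """
    match = _ADDR_RE.search(received_line)
    return match.group(1) if match else None


def relay_decision(peer_ip, peer_name, name_rules, addr_rules):
    """Simplified model (hypothetical, not sendmail's code) of an access
    map evaluated two ways: keyed by reverse-DNS name and keyed by
    address. Returns (allowed_by_name, allowed_by_address)."""
    by_name = name_rules.get(peer_name.lower()) == "RELAY"
    by_addr = addr_rules.get(str(ipaddress.ip_address(peer_ip))) == "RELAY"
    return by_name, by_addr


# A name-keyed rule like the one described in the post, and its
# address-keyed counterpart that relays only for the loopback interface.
NAME_RULES = {"localhost": "RELAY"}
ADDR_RULES = {"127.0.0.1": "RELAY"}

if __name__ == "__main__":
    # Genuine loopback connection: both forms relay.
    print(relay_decision("127.0.0.1", "localhost", NAME_RULES, ADDR_RULES))
    # Remote host (constructed TEST-NET address) whose PTR record claims
    # "localhost": the name-keyed rule relays, the address-keyed one does not.
    print(relay_decision("203.0.113.7", "localhost", NAME_RULES, ADDR_RULES))
    print(peer_address(RECEIVED_WITH_ADDR), peer_address(RECEIVED_NAME_ONLY))
```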