Date: Sat, 28 Sep 2002 01:05:53 -0400 (EDT)
From: "David A. Panariti" <davep.freebsd@meduseld.net>
To: freebsd-stable@freebsd.org
Subject: Re: Possible trojan since upgrade
Message-ID: <20020928.010553.730557972.davep@meduseld.net>
In-Reply-To: <001301c266a7$90784d50$1200a8c0@gsicomp.on.ca>
References: <20020928035657.21042.qmail@web21402.mail.yahoo.com> <001301c266a7$90784d50$1200a8c0@gsicomp.on.ca>
Perhaps we should add the following to the default greeting message used by
sendmail (SmtpGreeting in /usr/src/contrib/sendmail/src/main.c):

    Welcome! This is a for profit mail relay server. We charge $250 per
    piece of mail relayed. To accept these terms, please type HELO or
    EHLO. To refuse them, please type QUIT.

davep

>>>>> "Matthew" == Matthew Emmerton <matt@gsicomp.on.ca> writes:

  >> Since I upgraded to a recent Stable CVSUP, I've seen this kind
  >> of message about once a day in the /var/log/maillog file. I
  >> suspect a trojan as the "root" user did not send email at this
  >> time, there is no matching entry indicating that the mail was
  >> sent, queued, or so forth. The system seems to slow after this
  >> entry shows in the logs.
  >>
  >> Don't know for sure whether this came from a CVSUP or somewhere
  >> else... there are only two users on the system.
  >>
  >> Can anyone point me where to look to eliminate whatever is
  >> causing this email connection?

  Matthew> Just because the message comes from 'root@zzzzzz.com'
  Matthew> doesn't mean it originated on your system. See below for
  Matthew> details.

  >> ----------------- from /var/log/maillog
  >>
  >> assume host zzzzzz.com
  >>
  >> -----------This is the entry in question--------
  >> Sep 27 13:44:40 medusa sm-mta[1742]: g8RIiXgt001742: from=<root@zzzzzz.com>,
  >> size=0, class=0, nrcpts=1, proto=ESMTP, daemon=MTA,
  >> relay=[202.80.192.29]
  >> -------------Next entry-------------
  >> Sep 27 13:46:59 medusa sm-mta[1746]: ruleset=check_relay,
  >> arg1=host101-38.pool21758.interbusiness.it, arg2=217.58.38.101,
  >> relay=host101-38.pool21758.interbusiness.it [217.58.38.101],
  >> reject=550 5.7.1 Mail Rejected - see http://relays.osirusoft.com

  Matthew> In short, it looks like you're running a mailserver
  Matthew> configured as an open relay. All these sendmail log
  Matthew> messages that you see are from people relaying mail
  Matthew> through your SMTP server. (This is how spammers spread
  Matthew> their spam to the masses.)

  Matthew> First, shut down sendmail entirely on your box. Edit
  Matthew> /etc/rc.conf and set sendmail_enable="NONE" and reboot.

  Matthew> Second, go to http://www.sendmail.org and read about how
  Matthew> to configure your machine to be a closed relay.

  Matthew> --
  Matthew> Matt Emmerton

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
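A small triage script for maillog lines of the kind quoted in the thread, added here as an example and not part of the thread or of sendmail itself: it separates check_relay rejections (mail sendmail already refused) from envelopes that claim a local sender domain yet arrive from an untrusted peer, which is the pattern Matthew reads as relay abuse. The local domain, the trusted networks and the sample log lines are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample lines, modelled on the /var/log/maillog excerpt in the thread.
SAMPLE_LOG = """\
Sep 27 13:44:40 medusa sm-mta[1742]: g8RIiXgt001742: from=<root@zzzzzz.com>, size=0, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[202.80.192.29]
Sep 27 13:46:59 medusa sm-mta[1746]: ruleset=check_relay, arg1=host101-38.pool21758.interbusiness.it, arg2=217.58.38.101, relay=host101-38.pool21758.interbusiness.it [217.58.38.101], reject=550 5.7.1 Mail Rejected - see http://relays.osirusoft.com
Sep 27 14:02:11 medusa sm-mta[1790]: g8RJ2Bxx001790: from=<root@zzzzzz.com>, size=412, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=root@localhost
"""
LOCAL_DOMAINS = {"zzzzzz.com"}                              # assumed: domains this host mails for
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]     # assumed: LAN allowed to relay

FROM_RE = re.compile(r"from=<(?P<sender>[^>]*)>.*?size=(?P<size>\d+).*?relay=(?P<relay>.+)$")
IP_RE = re.compile(r"\[(\d+(?:\.\d+){3})\]")


def relay_ip(relay_field):
    """Peer address sendmail logs in brackets after relay=, or None for a local submission."""
    m = IP_RE.search(relay_field)
    return ipaddress.ip_address(m.group(1)) if m else None


def is_trusted(ip):
    # Local submissions (no peer IP) and peers inside our own networks may relay.
    return ip is None or any(ip in net for net in TRUSTED_NETS)


def triage(log_text):
    """Return (suspicious envelopes, count of check_relay rejections).
    check_relay rejects are mail sendmail already refused. A from= envelope naming
    one of our own domains but arriving from an untrusted peer is the usual shape
    of a relay probe; size=0 means the session delivered no message body."""
    suspicious, rejects = [], 0
    for line in log_text.splitlines():
        if "ruleset=check_relay" in line and "reject=" in line:
            rejects += 1
            continue
        m = FROM_RE.search(line)
        if not m:
            continue
        ip = relay_ip(m.group("relay"))
        domain = m.group("sender").rpartition("@")[2]
        if domain in LOCAL_DOMAINS and not is_trusted(ip):
            suspicious.append({"ip": str(ip), "sender": m.group("sender"),
                               "aborted": m.group("size") == "0"})
    return suspicious, rejects


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A hit here is a reason to check the relay configuration and the `to=` lines for the same queue id, not proof of relaying on its own.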
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020928.010553.730557972.davep>