Hi, sorry if this isn't the right place to post, but I'm having some trouble figuring out a spamming issue. If anyone here can help, that'd be amazing.
I'm running Brian's CentOS/BlueQuartz CD, version 3.5 from Nuonce.net. Everything seemed to be running fine for several days until this morning, when I received a zillion "returned mail" notices from the mailer daemon. Within it, it said it was unable to complete sending to the following users for various reasons and blah blah blah. That's fine, but I never initiated the email.
In my logs, entries like the following show up ('portal' is the name of the box obviously):
Feb 5 12:11:45 portal sendmail[17135]: k15EXFZf015093: SMTP outgoing connect on portal.xxxxxxx.com
Feb 5 12:12:51 portal sendmail[17135]: k15EXFZf015093: makeconnection (mobilemail.caii-dc.com. [209.135.227.253]) failed: Connection timed out with mobilemail.caii-dc.com.
Feb 5 12:12:51 portal sendmail[17135]: k15EXFZf015093: to=aldara@caii-dc.com, ctladdr=username@portal.xxxxxxxxxxxxxxxxxxxx.com (502/100), delay=03:39:35, xdelay=00:01:06, mailer=esmtp, pri=3188891, relay=mobilemail.caii-dc.com. [209.135.227.253], dsn=4.0.0, stat=Deferred: Connection timed out with mobilemail.caii-dc.com.
Regardless of the errors, I can't figure out why/where the outbound email is being generated. There are many entries in the log like this, and I assume a lot of it is going through. The user never initiated it. It has to be the server itself?
Plus, it's using the full name of the server which is portal.domainname.com in the email address. It seems to only use ONE user's name though. AND it's ONLY using 1 user's name from a list of several.
The user account gets some spam every now and then with the following header info, then these returned emails. These emails are from the local server using an account that doesn't exist:
===============================
Subject: The hottest issue we've seen this year
From: ThePickOfTheYear2696@domainname.com
Date: Sun, 5 Feb 2006 08:52:47 -0600
To: ThePickOfTheYear2696@portal.domainname.com
===============================
Since the "pickoftheyear" account doesn't exist....
Are there any suggestions from the group? I'm a newb at running a mail server, just trying to figure out what's going on. The site in question did have a couple of formmail scripts that I deleted.
I am interested in running chkrootkit but is there a specific package required for CentOS/BQ? Or just download and compile?
Thanks.
M
I've been getting them too, but with a different message. Mine are originating from Korea, kornet.net.
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Marcel Sent: Sunday, February 05, 2006 1:53 PM To: centos@centos.org Subject: [CentOS] Relaying of spam
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Sun, 05.02.2006 at 19:53, Marcel wrote:
I'm running Brian's CentOS/BlueQuartz CD, version 3.5 from Nuonce.net. Everything seemed to be running fine for several days until this morning, when I received a zillion "returned mail" notices from the mailer daemon. Within it, it said it was unable to complete sending to the following users for various reasons and blah blah blah. That's fine, but I never initiated the email.
In my logs, entries like the following show up ('portal' is the name of the box obviously):
Feb 5 12:11:45 portal sendmail[17135]: k15EXFZf015093: SMTP outgoing connect on portal.xxxxxxx.com
Feb 5 12:12:51 portal sendmail[17135]: k15EXFZf015093: makeconnection (mobilemail.caii-dc.com. [209.135.227.253]) failed: Connection timed out with mobilemail.caii-dc.com.
Feb 5 12:12:51 portal sendmail[17135]: k15EXFZf015093: to=aldara@caii-dc.com, ctladdr=username@portal.xxxxxxxxxxxxxxxxxxxx.com (502/100), delay=03:39:35, xdelay=00:01:06, mailer=esmtp, pri=3188891, relay=mobilemail.caii-dc.com. [209.135.227.253], dsn=4.0.0, stat=Deferred: Connection timed out with mobilemail.caii-dc.com.
Regardless of the errors, I can't figure out why/where the outbound email is being generated. There are many entries in the log like this, and I assume a lot of it is going through. The user never initiated it. It has to be the server itself?
Plus, it's using the full name of the server which is portal.domainname.com in the email address. It seems to only use ONE user's name though. AND it's ONLY using 1 user's name from a list of several.
Your log snippet only shows the second half of the show. I guess some kind of insecure web form/forum software is running, so connections are initiated locally. Check the content of your user UID 502. He runs malicious software.
Alexander
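As an added example (not code from the thread), a small Python script that groups sendmail log entries by queue id so the "from=" line Alexander refers to can be matched up with the "to=" lines shown in the post; it flags queues submitted via the local relay and queues whose origin line falls outside the excerpt, and counts delivery attempts per controlling UID. The log lines are constructed in the format of the post, with example.com/example.net names and documentation IPs in place of the real ones.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the entries in the post: the first line is
# the "from=" half of queue id k15EXFZf015093 that the posted snippet lacks.
SAMPLE_LOG = """\
Feb  5 08:33:15 portal sendmail[15093]: k15EXFZf015093: from=username@portal.example.com, size=3188, class=0, nrcpts=40, msgid=<constructed@portal.example.com>, relay=username@localhost
Feb  5 12:11:45 portal sendmail[17135]: k15EXFZf015093: SMTP outgoing connect on portal.example.com
Feb  5 12:12:51 portal sendmail[17135]: k15EXFZf015093: to=aldara@example.net, ctladdr=username@portal.example.com (502/100), delay=03:39:35, xdelay=00:01:06, mailer=esmtp, pri=3188891, relay=mobilemail.example.net. [192.0.2.10], dsn=4.0.0, stat=Deferred: Connection timed out with mobilemail.example.net.
Feb  5 12:13:02 portal sendmail[17140]: k15GABcd017140: to=bob@example.org, ctladdr=username@portal.example.com (502/100), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=120000, relay=mx.example.org. [192.0.2.20], dsn=2.0.0, stat=Sent
"""

LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)")
CTL_RE = re.compile(r"ctladdr=(?P<addr>\S+) \((?P<uid>\d+)/(?P<gid>\d+)\)")
FIELD_RE = re.compile(r"(\w+)=([^,]+)")  # key=value pairs, comma separated

def parse_queue(log_text):
    """Group entries by queue id: envelope sender/relay from the from= line,
    one delivery record per to= line (recipient, controlling UID, status)."""
    queues = defaultdict(lambda: {"from": None, "relay": None, "deliveries": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        q, rest = queues[m["qid"]], m["rest"]
        fields = dict(FIELD_RE.findall(rest))
        if rest.startswith("from="):
            q["from"], q["relay"] = fields.get("from"), fields.get("relay")
        elif rest.startswith("to="):
            ctl = CTL_RE.search(rest)
            q["deliveries"].append({"to": fields["to"], "uid": ctl["uid"] if ctl else None,
                                    "stat": fields.get("stat", "")})
    return dict(queues)

def local_origin_queues(queues):
    """Queues whose from= line shows relay=user@localhost: mail generated on the
    box itself (a local process or script), not received over SMTP."""
    return sorted(q for q, v in queues.items() if v["relay"] and v["relay"].endswith("@localhost"))

def queues_missing_origin(queues):
    """Queues with delivery attempts but no from= line in this excerpt: the
    'first half' is earlier in the log, under the same queue id."""
    return sorted(q for q, v in queues.items() if v["deliveries"] and v["from"] is None)

def deliveries_per_uid(queues):
    """Delivery attempts per controlling UID (the 502 in '(502/100)')."""
    counts = defaultdict(int)
    for v in queues.values():
        for d in v["deliveries"]:
            counts[d["uid"]] += 1
    return dict(counts)
```

Run it over the real maillog and grep the queue ids it reports as locally submitted; the matching from= line names the account and, via the ctladdr UID, the process owner that generated the mail.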
On Sunday 05 February 2006 1:53 pm, Marcel wrote:
Are there any suggestions from the group? I'm a newb at running a mail server, just trying to figure out what's going on. The site in question did have a couple of formmail scripts that I deleted.
I am interested in running chkrootkit but is there a specific package required for CentOS/BQ? Or just download and compile?
Chkrootkit RPMs http://dag.wieers.com/packages/chkrootkit/
Also, check out http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/s1-serv...
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/s1-serv...
Is there a reason to point to documentation that is 2+ years old?
http://centos.org/docs/4/html/rhel-sg-en-4/s1-server-mail.html
How about this link. It's far less likely to need a walker and yell about kids on its lawn.
-- "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety" Benjamin Franklin 1775
On Sunday 05 February 2006 4:39 pm, Jim Perrin wrote:
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/s1-server-mail.html
Is there a reason to point to documentation that is 2+ years old?
http://centos.org/docs/4/html/rhel-sg-en-4/s1-server-mail.html
How about this link. It's far less likely to need a walker and yell about kids on its lawn.
The dramatic differences between the content on those links prove your point well.
:-D
The dramatic differences between the content on those links prove your point well.
I'm certain that the updated font brings the point out more clearly.... and there's a new comma. ... THOSE ARE MAJOR CHANGES!!!!!11111
/you win this round... :-P
-- "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety" Benjamin Franklin 1775
On Sunday 05 February 2006 10:43 pm, Jim Perrin wrote:
The dramatic differences between the content on those links prove your point well.
I'm certain that the updated font brings the point out more clearly.... and there's a new comma. ... THOSE ARE MAJOR CHANGES!!!!!11111
/you win this round... :-P
Hey, if we were Windows guys we would be talking about NT 4 (10 yrs old) docs vs Win2k (6 yrs old) docs.
:-)
On Mon, 2006-02-06 at 06:42 -0500, ryan wrote:
On Sunday 05 February 2006 10:43 pm, Jim Perrin wrote:
The dramatic differences between the content on those links prove your point well.
I'm certain that the updated font brings the point out more clearly.... and there's a new comma. ... THOSE ARE MAJOR CHANGES!!!!!11111
/you win this round... :-P
Hey, if we were Windows guys we would be talking about NT 4 (10 yrs old) docs vs Win2k (6 yrs old) docs.
:-)
I have to agree with Jim in principle though ... He is pointing to the documentation for CentOS-4 (for use on CentOS-4) and you are pointing to the docs for RH-9.
While in this case the pages are the same, they are quite different in other areas.
We have full applicable docs here for everything we release :)