[CentOS] Relaying of spam

Sun Feb 5 19:03:57 UTC 2006
Thomas E Dukes <edukes at alltel.net>

I've been getting them too, but a different message.  Mine are originating
from Korea, kornet.net

> -----Original Message-----
> From: centos-bounces at centos.org 
> [mailto:centos-bounces at centos.org] On Behalf Of Marcel
> Sent: Sunday, February 05, 2006 1:53 PM
> To: centos at centos.org
> Subject: [CentOS] Relaying of spam
> 
> Hi, sorry if this isn't the right place to post, but I'm 
> having some trouble figuring out a spamming issue. If anyone 
> here can help, that'd be amazing.
> 
> I'm running Brian's CentOS/BlueQuartz CD, version  3.5 from 
> Nuonce.net. 
> Everything seemed to be running fine for several days until 
> this morning, when I received a zillion "returned mail" 
> notices from the mailer daemon. Within it, it said it was 
> unable to complete sending to the following users for various 
> reasons and blah blah blah. That's fine, but I never 
> initiated the email.
> 
> In my logs, entries like the following show up ('portal' is 
> the name of the box, obviously):
> 
> Feb  5 12:11:45 portal sendmail[17135]: k15EXFZf015093: SMTP 
> outgoing connect on portal.xxxxxxx.com
> Feb  5 12:12:51 portal sendmail[17135]: k15EXFZf015093: 
> makeconnection (mobilemail.caii-dc.com. [209.135.227.253]) failed: 
> Connection timed out with mobilemail.caii-dc.com.
> Feb  5 12:12:51 portal sendmail[17135]: k15EXFZf015093: 
> to=<aldara at caii-dc.com>,
> ctladdr=<username at portal.xxxxxxxxxxxxxxxxxxxx.com> (502/100), 
> delay=03:39:35, xdelay=00:01:06, mailer=esmtp, pri=3188891, 
> relay=mobilemail.caii-dc.com. [209.135.227.253], dsn=4.0.0,
> stat=Deferred: Connection timed out with mobilemail.caii-dc.com.
> 
> Irregardless of the errors, I can't figure out why/where the 
> outbound email is being generated. There are many entries in 
> the log like this, and I assume a lot of it is going through. 
> The user never initiated it. 
> It has to be the server itself?
> 
> Plus, it's using the full name of the server which is 
> portal.domainname.com in the email address. It seems to only 
> use ONE user's name though. AND it's ONLY using 1 user's name 
> from a list of several.
> 
> The user account gets some spam every now and then with the 
> following header info, then these returned emails. These 
> emails are from the local server using an account that doesn't exist:
> 
> ===============================
> Subject:
> The hottest issue we've seen this year
> From:
> ThePickOfTheYear2696 at domainname.com
> Date:
> Sun, 5 Feb 2006 08:52:47 -0600
> To:
> ThePickOfTheYear2696 at portal.domainname.com
> ===============================
> 
> Since the "pickoftheyear" account doesn't exist....
> 
>  Are there any suggestions from the group? I'm a newb at 
> running a mail server, just trying to figure out what's going 
> on. The site in question did have a couple formmail scripts 
> that I deleted.
> 
>  I am interested in running chkrootkit but is there a 
> specific package required for CentOS/BQ? Or just download and compile?
> 
> Thanks.
> 
> M
>
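An added example, not part of the original posts: the delivery records quoted above carry a `ctladdr=<...> (502/100)` field, which is sendmail's controlling user with its uid/gid, so tallying outbound (`mailer=esmtp`) attempts by that field shows which local account the mail is being submitted under. The function name, hosts and addresses below are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines, modelled on the sendmail records quoted in the thread.
SAMPLE_LOG = """\
Feb  5 12:12:51 portal sendmail[17135]: k15EXFZf015093: to=<a@dest1.example>, ctladdr=<siteuser@portal.example.com> (502/100), delay=03:39:35, xdelay=00:01:06, mailer=esmtp, pri=3188891, relay=mx.dest1.example. [192.0.2.10], dsn=4.0.0, stat=Deferred: Connection timed out with mx.dest1.example.
Feb  5 12:13:02 portal sendmail[17140]: k15EXGZf015094: to=<b@dest2.example>, ctladdr=<siteuser@portal.example.com> (502/100), delay=00:00:04, xdelay=00:00:03, mailer=esmtp, pri=120345, relay=mx.dest2.example. [192.0.2.20], dsn=2.0.0, stat=Sent (OK)
Feb  5 12:13:10 portal sendmail[17150]: k15EXHZf015095: to=<c@dest3.example>, ctladdr=<admin@portal.example.com> (500/100), delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=30500, relay=mx.dest3.example. [192.0.2.30], dsn=2.0.0, stat=Sent (OK)
Feb  5 12:13:11 portal sendmail[17151]: k15EXIZf015096: SMTP outgoing connect on portal.example.com
Feb  5 12:13:12 portal sendmail[17152]: k15EXJZf015097: to=<siteuser@portal.example.com>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=31000, dsn=2.0.0, stat=Sent
"""

RECORD = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<body>to=.*)$")
CTLADDR = re.compile(r"ctladdr=<?(?P<addr>[^>\s,]+)>? \((?P<uid>\d+)/(?P<gid>\d+)\)")
MAILER = re.compile(r"mailer=(\w+)")
STAT = re.compile(r"stat=(\w+)")


def outbound_by_account(log_text):
    """Tally remote (esmtp) delivery attempts per (uid, ctladdr) pair."""
    summary = defaultdict(lambda: {"qids": set(), "stat": Counter()})
    for line in log_text.splitlines():
        rec = RECORD.search(line)
        if not rec:
            continue  # not a delivery record, e.g. "SMTP outgoing connect"
        body = rec.group("body")
        ctl, mailer, stat = CTLADDR.search(body), MAILER.search(body), STAT.search(body)
        if not (ctl and mailer and stat):
            continue  # no ctladdr means no local account to attribute to
        if mailer.group(1) != "esmtp":
            continue  # local-mailbox deliveries are not outbound mail
        key = (int(ctl.group("uid")), ctl.group("addr"))
        summary[key]["qids"].add(rec.group("qid"))     # distinct queued messages
        summary[key]["stat"][stat.group(1)] += 1       # Sent / Deferred / ...
    return summary


if __name__ == "__main__":
    ranked = sorted(outbound_by_account(SAMPLE_LOG).items(),
                    key=lambda kv: -sum(kv[1]["stat"].values()))
    for (uid, addr), info in ranked:
        print(f"uid={uid} {addr}: {len(info['qids'])} messages, {dict(info['stat'])}")
```

Run it against the real maillog by passing the file's contents in place of `SAMPLE_LOG`; the uid at the top of the ranking is the account to look up in `/etc/passwd`.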