[CentOS] Relaying of spam

Sun Feb 5 19:11:13 UTC 2006
Alexander Dalloz <ad+lists at uni-x.org>

On Sun, 05.02.2006 at 19:53, Marcel wrote:

> I'm running Brian's CentOS/BlueQuartz CD, version  3.5 from Nuonce.net. 
> Everything seemed to be running fine for several days until this 
> morning, when I received a zillion "returned mail" notices from the 
> mailer daemon. Within it, it said it was unable to complete sending to 
> the following users for various reasons and blah blah blah. That's fine, 
> but I never initiated the email.
> In my logs, entries like the following show up ('portal' is the name of 
> the box obviously):
> Feb  5 12:11:45 portal sendmail[17135]: k15EXFZf015093: SMTP outgoing 
> connect on portal.xxxxxxx.com
> Feb  5 12:12:51 portal sendmail[17135]: k15EXFZf015093: makeconnection 
> (mobilemail.caii-dc.com. []) failed: Connection timed out 
> with mobilemail.caii-dc.com.
> Feb  5 12:12:51 portal sendmail[17135]: k15EXFZf015093: 
> to=<aldara at caii-dc.com>, 
> ctladdr=<username at portal.xxxxxxxxxxxxxxxxxxxx.com> (502/100), 
> delay=03:39:35, xdelay=00:01:06, mailer=esmtp, pri=3188891, 
> relay=mobilemail.caii-dc.com. [], dsn=4.0.0, 
> stat=Deferred: Connection timed out with mobilemail.caii-dc.com.
> Regardless of the errors, I can't figure out why/where the outbound 
> email is being generated. There are many entries in the log like this, 
> and I assume a lot of it is going through. The user never initiated it. 
> It has to be the server itself?
> Plus, it's using the full name of the server which is 
> portal.domainname.com in the email address. It seems to only use ONE 
> user's name though. AND it's ONLY using 1 user's name from a list of 
> several.

Your log snippet only shows the second half of the show. I guess there
is some kind of insecure web form or forum software running, so connections
are initiated locally. Check the content of your user UID 502. He runs
malicious software.


Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp 
Serendipity 20:07:19 up 63 days, 44 users, load average: 3.91, 4.00,
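Added example, not part of the list thread or of sendmail: a small log triage script that shows what Alexander's advice amounts to in practice. For mail submitted locally through the sendmail binary, the `ctladdr=<user@host> (uid/gid)` field records the invoking account, so grouping outbound delivery lines by that UID makes a single account fanning mail out to many domains stand out. The log lines below are constructed in the same format as the quoted post; hostnames, addresses, queue IDs and the thresholds are made up for illustration.

```python
"""Summarise sendmail outbound-delivery log lines by the local submitting UID.

Added illustration (not code from the CentOS list or from sendmail).  Assumes the
default sendmail syslog line format seen in the quoted post, in particular the
ctladdr=<addr> (uid/gid) field that names the local account that injected the mail.
"""
import re
from collections import defaultdict

# Constructed sample lines modelled on the quoted post; every name is made up.
SAMPLE_LOG = """\
Feb  5 12:12:51 portal sendmail[17135]: k15EXFZf015093: to=<aldara@example.net>, ctladdr=<webuser@portal.example.com> (502/100), delay=03:39:35, xdelay=00:01:06, mailer=esmtp, pri=3188891, relay=mx.example.net. [], dsn=4.0.0, stat=Deferred: Connection timed out with mx.example.net.
Feb  5 12:13:02 portal sendmail[17140]: k15EXFZf015094: to=<bob@example.org>, ctladdr=<webuser@portal.example.com> (502/100), delay=03:40:01, xdelay=00:00:02, mailer=esmtp, pri=3188891, relay=mx.example.org. [192.0.2.10], dsn=2.0.0, stat=Sent (OK)
Feb  5 12:13:05 portal sendmail[17141]: k15EXFZf015095: to=<carol@example.com>, ctladdr=<webuser@portal.example.com> (502/100), delay=03:40:05, xdelay=00:00:01, mailer=esmtp, pri=3188891, relay=mx.example.com. [192.0.2.11], dsn=2.0.0, stat=Sent (OK)
Feb  5 12:15:00 portal sendmail[17150]: k15EXFZf015100: to=<admin@example.com>, ctladdr=<root@portal.example.com> (0/0), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30123, relay=mx.example.com. [192.0.2.11], dsn=2.0.0, stat=Sent (OK)
Feb  5 12:15:30 portal sendmail[17151]: k15EXFZf015101: SMTP outgoing connect on portal.example.com
"""

# One recipient-delivery line: queue id, recipient, submitting account + uid/gid,
# relay host, DSN code and delivery status.  Other sendmail lines do not match.
DELIVERY_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): to=<(?P<to>[^>]*)>, "
    r"ctladdr=<(?P<ctl>[^>]*)> \((?P<uid>\d+)/(?P<gid>\d+)\), "
    r".*?relay=(?P<relay>\S+) \[[^\]]*\], dsn=(?P<dsn>[\d.]+), stat=(?P<stat>.*)$"
)


def parse_deliveries(log_text):
    """Yield one dict per recipient-delivery line, skipping everything else."""
    for line in log_text.splitlines():
        m = DELIVERY_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["uid"] = int(rec["uid"])
            rec["gid"] = int(rec["gid"])
            yield rec


def summarise_by_sender(deliveries):
    """Group deliveries by submitting UID: recipient count, deferred count, domains."""
    summary = {}
    for rec in deliveries:
        entry = summary.setdefault(rec["uid"], {
            "ctladdr": rec["ctl"], "recipients": 0, "deferred": 0, "domains": set()})
        entry["recipients"] += 1
        if rec["stat"].startswith("Deferred"):
            entry["deferred"] += 1
        entry["domains"].add(rec["to"].rsplit("@", 1)[-1].lower())
    return summary


def suspicious_uids(summary, min_recipients=3, min_domains=2):
    """UIDs that fanned mail out to many recipients across several domains.

    That is the shape of the quoted log: one local account, many external
    recipients.  The thresholds are illustrative; tune them to the host's
    normal outbound volume.
    """
    return sorted(uid for uid, e in summary.items()
                  if e["recipients"] >= min_recipients
                  and len(e["domains"]) >= min_domains)


if __name__ == "__main__":
    summary = summarise_by_sender(parse_deliveries(SAMPLE_LOG))
    for uid, e in sorted(summary.items()):
        print(f"uid {uid:>4} {e['ctladdr']:<30} recipients={e['recipients']} "
              f"deferred={e['deferred']} domains={sorted(e['domains'])}")
    print("suspicious UIDs:", suspicious_uids(summary))
```

On a real host the script would read `/var/log/maillog` instead of the embedded sample. Once a UID is singled out, the follow-up is the one the reply suggests: inspect what runs under that account (its processes, cron entries and the web application files it owns) rather than chasing the remote relays that are merely refusing or deferring the mail.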