[CentOS] Relaying of spam

Sun Feb 5 19:11:13 UTC 2006
Alexander Dalloz <ad+lists at uni-x.org>

On Sun, 05.02.2006 at 19:53, Marcel wrote:

> I'm running Brian's CentOS/BlueQuartz CD, version  3.5 from Nuonce.net. 
> Everything seemed to be running fine for several days until this 
> morning, when I received a zillion "returned mail" notices from the 
> mailer daemon. Within it, it said it was unable to complete sending to 
> the following users for various reasons and blah blah blah. That's fine, 
> but I never initiated the email.
> 
> In my logs, entries like the following show up ('portal' is the name of 
> the box obviously):
> 
> Feb  5 12:11:45 portal sendmail[17135]: k15EXFZf015093: SMTP outgoing 
> connect on portal.xxxxxxx.com
> Feb  5 12:12:51 portal sendmail[17135]: k15EXFZf015093: makeconnection 
> (mobilemail.caii-dc.com. [209.135.227.253]) failed: Connection timed out 
> with mobilemail.caii-dc.com.
> Feb  5 12:12:51 portal sendmail[17135]: k15EXFZf015093: 
> to=<aldara at caii-dc.com>, 
> ctladdr=<username at portal.xxxxxxxxxxxxxxxxxxxx.com> (502/100), 
> delay=03:39:35, xdelay=00:01:06, mailer=esmtp, pri=3188891, 
> relay=mobilemail.caii-dc.com. [209.135.227.253], dsn=4.0.0, 
> stat=Deferred: Connection timed out with mobilemail.caii-dc.com.
> 
> Regardless of the errors, I can't figure out why/where the outbound 
> email is being generated. There are many entries in the log like this, 
> and I assume a lot of it is going through. The user never initiated it. 
> It has to be the server itself?
> 
> Plus, it's using the full name of the server which is 
> portal.domainname.com in the email address. It seems to only use ONE 
> user's name though. AND it's ONLY using 1 user's name from a list of 
> several.

Your log snippet only shows the second half of the show. I guess there
is some kind of insecure web form or forum software running, so the
connections are initiated locally. Check the content of your user UID 502.
He runs malicious software.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp 
Serendipity 20:07:19 up 63 days, 44 users, load average: 3.91, 4.00,
3.50 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://lists.centos.org/pipermail/centos/attachments/20060205/acfdc8c3/attachment-0005.sig>
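The reply above points at the ctladdr field: sendmail records the local controlling user (name and uid/gid) for every delivery, so the maillog itself can confirm which account is injecting the mail before anyone starts hunting for the process. The script below is an added example, not code from the original post or from the BlueQuartz project. It summarises a sendmail log by ctladdr and lists the recipients sent on behalf of one uid. The hostname portal.example.com, the second user (uid 500) and the extra recipients are assumptions; the sample lines are constructed to match the format Marcel quoted (a real log writes "@" where the list archive shows " at ").

```sh
#!/bin/sh
# Added example (not from the original post): find which local account is
# injecting outbound mail by grouping sendmail deliveries on ctladdr.
# Assumptions: hostname portal.example.com, a hypothetical uid-500 user,
# and three constructed spam recipients under uid 502.

# Constructed sample log in the format quoted on the list.
SAMPLE_LOG='Feb  5 12:12:51 portal sendmail[17135]: k15EXFZf015093: to=<aldara@caii-dc.com>, ctladdr=<username@portal.example.com> (502/100), delay=03:39:35, xdelay=00:01:06, mailer=esmtp, pri=3188891, relay=mobilemail.caii-dc.com. [209.135.227.253], dsn=4.0.0, stat=Deferred: Connection timed out with mobilemail.caii-dc.com.
Feb  5 12:13:02 portal sendmail[17140]: k15EXFZg015094: to=<bob@example.net>, ctladdr=<username@portal.example.com> (502/100), delay=03:39:40, xdelay=00:00:03, mailer=esmtp, pri=3188891, relay=mx.example.net. [192.0.2.10], dsn=2.0.0, stat=Sent
Feb  5 12:13:09 portal sendmail[17141]: k15EXFZh015095: to=<carol@example.org>, ctladdr=<username@portal.example.com> (502/100), delay=03:39:45, xdelay=00:00:02, mailer=esmtp, pri=3188891, relay=mx.example.org. [192.0.2.20], dsn=2.0.0, stat=Sent
Feb  5 12:20:00 portal sendmail[17150]: k15EXGAa015100: to=<root@portal.example.com>, ctladdr=<otheruser@portal.example.com> (500/100), delay=00:00:01, xdelay=00:00:01, mailer=local, pri=30000, dsn=2.0.0, stat=Sent'

# Deliveries per controlling user, busiest first.
# Reads a sendmail log on stdin, prints "count uid address" per user.
ctladdr_summary() {
    sed -n 's/.*ctladdr=<\([^>]*\)> (\([0-9]*\)\/[0-9]*).*/\2 \1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2, $3 }'
}

# Distinct recipients delivered on behalf of one uid (argument 1).
# A spam run shows many unrelated external recipients under one account.
recipients_for_uid() {
    grep "ctladdr=<[^>]*> ($1/" |
        sed -n 's/.*to=<\([^>]*\)>.*/\1/p' |
        sort -u
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | ctladdr_summary
printf '%s\n' "$SAMPLE_LOG" | recipients_for_uid 502
```

On the real box run `ctladdr_summary < /var/log/maillog`. Once the uid is confirmed, grep the same log for the queue id (`k15EXFZf015093` in the quoted line) to get the matching `from=` entry, which is the first half of the story the reply mentions: it records how the message was submitted. Then look at what that account is running and has written recently, for example `ps -u 502 -o pid,ppid,lstart,cmd`, `crontab -u username -l` and `find / -user 502 -type f -mtime -7`, paying particular attention to anything under the web document root of that user's site.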