Hi, sorry if this isn't the right place to post, but I'm having some trouble figuring out a spamming issue. If anyone here can help, that'd be amazing.

I'm running Brian's CentOS/BlueQuartz CD, version 3.5 from Nuonce.net. Everything seemed to be running fine for several days until this morning, when I received a zillion "returned mail" notices from the mailer daemon. Within it, it said it was unable to complete sending to the following users for various reasons and blah blah blah. That's fine, but I never initiated the email.

In my logs, entries like the following show up ('portal' is the name of the box obviously):

Feb 5 12:11:45 portal sendmail[17135]: k15EXFZf015093: SMTP outgoing connect on portal.xxxxxxx.com
Feb 5 12:12:51 portal sendmail[17135]: k15EXFZf015093: makeconnection (mobilemail.caii-dc.com. [209.135.227.253]) failed: Connection timed out with mobilemail.caii-dc.com.
Feb 5 12:12:51 portal sendmail[17135]: k15EXFZf015093: to=<aldara at caii-dc.com>, ctladdr=<username at portal.xxxxxxxxxxxxxxxxxxxx.com> (502/100), delay=03:39:35, xdelay=00:01:06, mailer=esmtp, pri=3188891, relay=mobilemail.caii-dc.com. [209.135.227.253], dsn=4.0.0, stat=Deferred: Connection timed out with mobilemail.caii-dc.com.

Regardless of the errors, I can't figure out why/where the outbound email is being generated. There are many entries in the log like this, and I assume a lot of it is going through. The user never initiated it. It has to be the server itself?

Plus, it's using the full name of the server, which is portal.domainname.com, in the email address. It seems to only use ONE user's name though. AND it's ONLY using 1 user's name from a list of several.

The user account gets some spam every now and then with the following header info, then these returned emails. These emails are from the local server using an account that doesn't exist:

==============================
Subject: The hottest issue we've seen this year
From: ThePickOfTheYear2696 at domainname.com
Date: Sun, 5 Feb 2006 08:52:47 -0600
To: ThePickOfTheYear2696 at portal.domainname.com
==============================

Since the "pickoftheyear" account doesn't exist.... Are there any suggestions from the group? I'm a newb at running a mail server, just trying to figure out what's going on. The site in question did have a couple formmail scripts that I deleted.

I am interested in running chkrootkit but is there a specific package required for CentOS/BQ? Or just download and compile?

Thanks.

M
I've been getting them too, but a different message. Mine are originating from Korea, kornet.net.

> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Marcel
> Sent: Sunday, February 05, 2006 1:53 PM
> To: centos at centos.org
> Subject: [CentOS] Relaying of spam
>
> [...]
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
On Sun, 05.02.2006 at 19:53, Marcel wrote:

> I'm running Brian's CentOS/BlueQuartz CD, version 3.5 from Nuonce.net.
> [...]
> In my logs, entries like the following show up ('portal' is the name of the box obviously):
>
> Feb 5 12:11:45 portal sendmail[17135]: k15EXFZf015093: SMTP outgoing connect on portal.xxxxxxx.com
> Feb 5 12:12:51 portal sendmail[17135]: k15EXFZf015093: makeconnection (mobilemail.caii-dc.com. [209.135.227.253]) failed: Connection timed out with mobilemail.caii-dc.com.
> Feb 5 12:12:51 portal sendmail[17135]: k15EXFZf015093: to=<aldara at caii-dc.com>, ctladdr=<username at portal.xxxxxxxxxxxxxxxxxxxx.com> (502/100), delay=03:39:35, xdelay=00:01:06, mailer=esmtp, pri=3188891, relay=mobilemail.caii-dc.com. [209.135.227.253], dsn=4.0.0, stat=Deferred: Connection timed out with mobilemail.caii-dc.com.
>
> Regardless of the errors, I can't figure out why/where the outbound email is being generated. There are many entries in the log like this, and I assume a lot of it is going through. The user never initiated it. It has to be the server itself?
>
> Plus, it's using the full name of the server, which is portal.domainname.com, in the email address. It seems to only use ONE user's name though. AND it's ONLY using 1 user's name from a list of several.

Your log snippet only shows the second half of the show. I guess some kind of insecure web form/forum software is running, so the connections are initiated locally. Check the content of your user UID 502. He runs malicious software.
Alexander

-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 20:07:19 up 63 days, 44 users, load average: 3.91, 4.00, 3.50
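One way to get from a maillog to the answer the reply above is pointing at (which local UID is behind the outbound mail, and what handed it to sendmail), as an added example that is not from the thread or from the BlueQuartz distribution: it groups the sendmail `to=` delivery records by the controlling user in the `(uid/gid)` after `ctladdr=` and joins each queue id to its `from=` record, where sendmail logs a locally submitted message as `relay=user@localhost`. The sample log lines are constructed; the masked hostnames from the thread are replaced by portal.example.com and the second and third queue records are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample maillog (not from the thread); hostnames are placeholders.
SAMPLE_LOG = """\
Feb  5 08:33:16 portal sendmail[15093]: k15EXFZf015093: from=<username@portal.example.com>, size=1870, class=0, nrcpts=2, msgid=<200602051433.k15EXFZf015093@portal.example.com>, relay=apache@localhost
Feb  5 12:12:51 portal sendmail[17135]: k15EXFZf015093: to=<aldara@caii-dc.com>, ctladdr=<username@portal.example.com> (502/100), delay=03:39:35, xdelay=00:01:06, mailer=esmtp, pri=3188891, relay=mobilemail.caii-dc.com. [209.135.227.253], dsn=4.0.0, stat=Deferred: Connection timed out with mobilemail.caii-dc.com.
Feb  5 12:12:52 portal sendmail[17135]: k15EXFZf015093: to=<someone@example.net>, ctladdr=<username@portal.example.com> (502/100), delay=03:39:36, xdelay=00:00:01, mailer=esmtp, pri=3188891, relay=mx.example.net. [192.0.2.25], dsn=2.0.0, stat=Sent (OK)
Feb  5 12:15:03 portal sendmail[17201]: k15GF3Qa017201: from=<root@portal.example.com>, size=512, class=0, nrcpts=1, msgid=<200602051815.k15GF3Qa017201@portal.example.com>, relay=root@localhost
Feb  5 12:15:04 portal sendmail[17203]: k15GF3Qa017201: to=<admin@example.org>, ctladdr=<root@portal.example.com> (0/0), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30512, relay=mail.example.org. [198.51.100.9], dsn=2.0.0, stat=Sent (OK)
"""

# from= record: relay= names who handed the message to sendmail
# (user@localhost for local submission through the sendmail binary).
FROM_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>.*relay=(?P<relay>\S+)$")
# to= record: ctladdr carries the controlling local user as (uid/gid).
TO_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>, "
    r"ctladdr=<(?P<ctl>[^>]*)> \((?P<uid>\d+)/\d+\).*?"
    r"mailer=(?P<mailer>\w+),.*?dsn=(?P<dsn>[\d.]+), stat=(?P<stat>\w+)"
)

def summarise(log_text):
    """Aggregate outbound delivery attempts per controlling UID."""
    submitter = {}  # queue id -> relay= value of its from= record
    per_uid = defaultdict(lambda: {"ctladdr": set(), "submitters": Counter(),
                                   "recipients": set(), "status": Counter()})
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            submitter[m["qid"]] = m["relay"]
            continue
        m = TO_RE.search(line)
        if not m or m["mailer"] == "local":
            continue  # only mail leaving the box is of interest here
        rec = per_uid[int(m["uid"])]
        rec["ctladdr"].add(m["ctl"])
        rec["submitters"][submitter.get(m["qid"], "unknown")] += 1
        rec["recipients"].add(m["rcpt"])
        rec["status"][m["stat"]] += 1
    return per_uid

def top_sender(per_uid):
    """UID behind the most outbound delivery attempts."""
    return max(per_uid, key=lambda u: sum(per_uid[u]["status"].values()))

if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG)
    print({u: dict(r["status"]) for u, r in stats.items()}, "suspect uid:", top_sender(stats))
```

On the sample, UID 502's mail was submitted by `apache@localhost`, which is the web server rather than the user, and is the kind of evidence that points at a web script rather than a stolen mailbox.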
On Sunday 05 February 2006 1:53 pm, Marcel wrote:

> Are there any suggestions from the group? I'm a newb at running a mail server, just trying to figure out what's going on. The site in question did have a couple formmail scripts that I deleted.
>
> I am interested in running chkrootkit but is there a specific package required for CentOS/BQ? Or just download and compile?

Chkrootkit RPMs: http://dag.wieers.com/packages/chkrootkit/

Also, check out http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/s1-server-mail.html