- 05-14-2006 #1
- Join Date
- May 2006
I seem to be sending spam
Going through my logs this morning I found that sendmail has been sending out what looks like spam at 8.20 each morning. Sendmail runs once an hour starting at 7.20. The spam is being sent out by two users only.
Here's the set-up. We're a home network connected to the Internet with a WRT54G router connected to a Wimax service. We have a permanent IP. The router is configured to forward HTTP (port 80) and FTP (port 21) to our server, but no other ports. All the machines on the network have 192.168.0.x addresses. The server is running SuSE 9.1, fully patched.
I checked the passwd file on the server and it has an entry that looks like this:
Is that normal?
'ps -A' doesn't show anything I wouldn't expect.
Any idea where I start looking for problems? I can then Google once I know what to start looking for. (I've spent a few hours googling so far, but I'm searching in the dark, so I need some pointers to refine my search).
I've changed the root password, but can't think what else to do for the moment. Any help would be appreciated.
- 05-14-2006 #2
- Join Date
- May 2006
I forgot to mention - the machines on the network used by the two user accounts sending these messages are: a) both running Linux (not Windows); and b) switched off at 8:20 when these messages are sent (and will have been switched off all night). So I reckon that these messages are originating from these users' accounts on the server itself.
- 05-16-2006 #3
That's a really big problem. OK, here's what to do first.
1) Do a tcpdump. Analyze every packet coming in and out of your network.
2) Put your server on the DMZ if your router has a DMZ. Do not put your servers on the LAN; they might get easily infected, like what happened now.
3) Change your sendmail to qmail or postfix; I prefer these for security reasons like this.
Hope this helps.
- 05-17-2006 #4
At about quarter past 8 in the morning, unplug the LAN cable from the sendmail server that runs to the outside world, let the mail get queued up, and take a look through it. It won't go anywhere if there is no link to the outside world and sendmail will keep it queued.
You might find that the email is utterly benign, and that you're just getting wound up about nothing. But if it's not, you'll be able to trace the email down with the email logs, and the copies of the messages - you'll know exactly which machine generated it, and you'll be able to investigate that machine.
If you don't put a stop to it, you might find that your IP gets logged as a spam-sender, and you'll end up with problems sending email in the future.

Linux user #126863 - see http://linuxcounter.net/
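The log-side half of the procedure in the post above (working out from sendmail's own log which local accounts originated the mail and at what minute), as an added example that is not part of the thread and not written by any of its participants. It assumes sendmail's standard syslog record format, in which each message produces one `from=` record and one or more `to=` records joined by a queue ID, and in which `relay=user@localhost` on the `from=` record marks mail injected by a process on the server itself rather than handed over by a client on the network. The log lines are constructed sample data, not real logs from anyone's server.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in sendmail's syslog format (not real log data from the
# thread). One 07:20 root-to-root cron message (local delivery only), three 08:20
# messages to outside addresses injected from local accounts, and one 09:20 message
# submitted over SMTP by a LAN client, which the relay field distinguishes.
SAMPLE_MAILLOG = """\
May 14 07:20:02 server sendmail[4101]: k4E6K2gN004101: from=root, size=312, class=0, nrcpts=1, msgid=<200605140620.k4E6K2gN004101@server.example>, relay=root@localhost
May 14 07:20:02 server sendmail[4103]: k4E6K2gN004101: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30312, dsn=2.0.0, stat=Sent
May 14 08:20:05 server sendmail[4220]: k4E7K5aa004220: from=alice, size=2048, class=0, nrcpts=3, msgid=<200605140720.k4E7K5aa004220@server.example>, relay=alice@localhost
May 14 08:20:07 server sendmail[4222]: k4E7K5aa004220: to=<x1@example.net>,<x2@example.net>,<x3@example.net>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=150000, relay=mx.example.net. [192.0.2.10], dsn=2.0.0, stat=Sent
May 14 08:20:06 server sendmail[4225]: k4E7K6bb004225: from=bob, size=2048, class=0, nrcpts=2, msgid=<200605140720.k4E7K6bb004225@server.example>, relay=bob@localhost
May 14 08:20:08 server sendmail[4227]: k4E7K6bb004225: to=<y1@example.org>,<y2@example.org>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=120000, relay=mx.example.org. [192.0.2.20], dsn=2.0.0, stat=Sent
May 14 08:20:09 server sendmail[4230]: k4E7K9cc004230: from=alice, size=2048, class=0, nrcpts=1, msgid=<200605140720.k4E7K9cc004230@server.example>, relay=alice@localhost
May 14 08:20:10 server sendmail[4232]: k4E7K9cc004230: to=<z1@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=90000, relay=mx.example.net. [192.0.2.10], dsn=2.0.0, stat=Sent
May 14 09:20:03 server sendmail[4310]: k4E8K3dd004310: from=<carol@server.example>, size=900, class=0, nrcpts=1, msgid=<200605140820.k4E8K3dd004310@server.example>, relay=laptop.lan [192.168.0.12]
May 14 09:20:04 server sendmail[4312]: k4E8K3dd004310: to=<friend@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30900, relay=mx.example.com. [192.0.2.30], dsn=2.0.0, stat=Sent
"""

# "from=" record: timestamp (kept to the minute), queue ID, envelope sender and the
# relay that submitted the message.
FROM_RE = re.compile(
    r"^\w{3}\s+\d+ (?P<time>\d\d:\d\d):\d\d \S+ sendmail\[\d+\]: "
    r"(?P<qid>\S+): from=(?P<sender>[^,]+), (?:.*?relay=(?P<relay>.+))?$"
)
# "to=" record: queue ID, recipient list and the mailer used for delivery
# ("local" stays on the box, anything else such as "esmtp" leaves it).
TO_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sendmail\[\d+\]: "
    r"(?P<qid>\S+): to=(?P<rcpts>.+?), delay=.*?mailer=(?P<mailer>\w+),"
)


def parse_maillog(text):
    """Join from= and to= records by queue ID into one dict per message."""
    msgs = defaultdict(lambda: {"sender": None, "time": None, "relay": None, "deliveries": []})
    for line in text.splitlines():
        m = FROM_RE.match(line)
        if m:
            rec = msgs[m["qid"]]
            rec["sender"], rec["time"], rec["relay"] = m["sender"], m["time"], m["relay"]
            continue
        m = TO_RE.match(line)
        if m:
            rcpts = [r for r in m["rcpts"].split(",") if r.strip()]
            msgs[m["qid"]]["deliveries"].append({"mailer": m["mailer"], "recipients": len(rcpts)})
    return dict(msgs)


def left_the_box(rec):
    """True if any delivery attempt for this message used a non-local mailer."""
    return any(d["mailer"] != "local" for d in rec["deliveries"])


def outbound_by_sender_and_minute(msgs):
    """Count outbound messages per (envelope sender, HH:MM); purely local mail is ignored."""
    counts = Counter()
    for rec in msgs.values():
        if rec["sender"] is not None and left_the_box(rec):
            counts[(rec["sender"], rec["time"])] += 1
    return counts


def locally_injected_external_mail(msgs):
    """Senders whose outbound mail was submitted from localhost, i.e. generated by a
    process on the server itself (cron job, script, compromised account) rather
    than by a client machine on the LAN talking SMTP to the server."""
    return sorted(
        {rec["sender"] for rec in msgs.values()
         if rec["relay"] and rec["relay"].endswith("@localhost") and left_the_box(rec)}
    )


if __name__ == "__main__":
    parsed = parse_maillog(SAMPLE_MAILLOG)
    for (sender, minute), n in sorted(outbound_by_sender_and_minute(parsed).items()):
        print(f"{minute}  {sender:<24} {n} outbound message(s)")
    print("injected from local accounts:", ", ".join(locally_injected_external_mail(parsed)))
```

Run it against a real `/var/log/mail` (or `maillog`) by replacing `SAMPLE_MAILLOG` with the file's contents; the `relay=` value on the `from=` record is the field that separates "a process on the server sent this" from "a machine on the network sent this", which is exactly the distinction the thread is trying to make before pulling the cable and reading the queue.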