Koozali.org: home of the SME Server

Need help with some weird e-mail ????

Texasboy

Need help with some weird e-mail ????
« on: September 21, 2005, 03:06:56 AM »
I have recently started receiving some e-mails to my root account stating that I can't deliver messages to a lot of e-mail accounts. The mail that is not being delivered is not coming from my users. I have checked to make sure the users haven't been sending them in the day to day business of the office. I ran virus scanners on everyone's PC in the office to make sure it wasn't some virus doing it. I then ran a mail relay checker against my SME box to make sure I wasn't open for spam and SME passed with flying colors. I am still getting messages to my root account stating that these mail messages have not been delivered to strange and random e-mail addresses that no one in the office knows about. Can someone tell me how to track down why I am sending this stuff out and to verify if I am actually sending all this mess in the first place? Thanks for the help.

Thanks
Texasboy


JonB
Need help with some weird e-mail ????
« Reply #1 on: September 21, 2005, 03:58:13 AM »
Texasboy,

What is the content of the emails? If it is bounce notifications, i.e. fred@domain is not a user on this server, then the chances are that some spammer is spoofing your email address.

If the content is actually spam then you either have a compromised email account that spammers are sending through or it is a machine on your network.

I made the unfortunate mistake once to set up a demo on my server and created a username and password of demo, demo. It didn't take the spammers long to access the account via SMTP-Auth and start sending spam through the account. Luckily I caught it after a couple of hours. If you have SMTP-Auth enabled on your server then check the CVM logs to see what accounts are logging on. Generally user@localhost entries are webmail.

I have also worked on a couple of PCs that were affected with a spam sending trojan. None of my AV scans would detect it. I only picked it up by looking at the processes running and stopping any that I was unsure of, until the spam stopped sending. Whatever you do, don't rely on Nortons to pick up trojans.

Jon
...

Texasboy

Need help with some weird e-mail ????
« Reply #2 on: September 21, 2005, 07:14:41 AM »
Jon, the mail I am getting is a bounce. I looked at my e-mail setup and web mail is disabled and e-mail access should only be for the local network. I looked at my current cvm log and this is what I see

2005-09-20 08:03:17.046747500 Starting.

not sure what that means ??

I have checked the mail logs for sender statistics and this is what I see

One line per sender. Information on each line:
* mess is the number of messages sent by this sender.
* bytes is the number of bytes sent by this sender.
* sbytes is the number of bytes successfully received from this sender.
* rbytes is the number of bytes from this sender, weighted by recipient.
* recips is the number of recipients (success plus failure).
* tries is the number of delivery attempts (success, failure, deferral).
* xdelay is the total xdelay incurred by this sender.

mess     bytes    sbytes    rbytes  recips  tries      xdelay  sender

1782  28797202         0  28797202    1782   2117  548.249743  101/<#@[]>
1786  28635392  28635392  28635392    1786   1786  629.536753  400/<#@[]>
1786  28398782  28398782  28398782    1786   1786  677.719553  406/<#@[]>

looks like it might be on a PC

texasboy
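An added example, not code from the thread or from SME Server: it parses a sender summary in the layout quoted above and flags the rows a defender would look at first. It assumes that `<#@[]>` is qmail's envelope sender for the bounces it generates; the alice@example.org row and the threshold are constructed.

```python
from dataclasses import dataclass
# Constructed sample in the layout of the sender summary quoted above (legend:
# mess bytes sbytes rbytes recips tries xdelay sender); alice@ row is invented.
SAMPLE = """\
mess     bytes    sbytes    rbytes  recips  tries      xdelay  sender

1782  28797202         0  28797202    1782   2117  548.249743  101/<#@[]>
1786  28635392  28635392  28635392    1786   1786  629.536753  400/<#@[]>
1786  28398782  28398782  28398782    1786   1786  677.719553  406/<#@[]>
   3      4096      4096      4096       3      3    1.200000  alice@example.org
"""
# Assumption: qmail gives the bounces it generates the envelope sender #@[]
# (sent on the wire as <>), so rows for these senders count bounce messages.
BOUNCE_SENDERS = ("<#@[]>", "<>")

@dataclass
class SenderRow:
    mess: int
    bytes: int
    sbytes: int
    rbytes: int
    recips: int
    tries: int
    xdelay: float
    sender: str

    def is_bounce_sender(self) -> bool:
        # Drop the numeric "NNN/" prefix seen in the quoted table.
        return self.sender.split("/")[-1] in BOUNCE_SENDERS

def parse_senders(text):
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or not f[0].isdigit():
            continue  # header, blank or malformed line
        rows.append(SenderRow(*map(int, f[:6]), float(f[6]), f[7]))
    return rows

def triage(rows, bounce_threshold=100):
    """(sender, reason) pairs worth a closer look. Hundreds of messages from a
    bounce sender mean this host bounces mail in bulk (backscatter to forged
    senders, or local spam that remote sites reject); tries > recips = retries."""
    findings = []
    for r in rows:
        if r.is_bounce_sender() and r.mess >= bounce_threshold:
            findings.append((r.sender, f"{r.mess} bounce messages generated"))
        if r.tries > r.recips:
            findings.append((r.sender, f"{r.tries - r.recips} retried deliveries"))
    return findings
```

Run `triage(parse_senders(SAMPLE))`: the three `<#@[]>` rows are flagged for bulk bounce generation and the first one additionally for 335 retried deliveries, while the ordinary sender is not reported.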

Texasboy

Need help with some weird e-mail ????
« Reply #3 on: September 21, 2005, 07:18:42 AM »
Jon thanks for the help  :-D