Koozali.org: home of the SME Server

Who is this user on my server????

jgates
Who is this user on my server????
« on: March 29, 2007, 06:31:24 AM »
Hi everyone,

I am still using 6.01 and have spamassassin and clamscan running. Everything has been fine for a while but I am getting the MailerDaemon "delivery failure" notices.

In the pasted example below it is sent from my server (domain = marinesurveysnewcastle.com.au) by the user

amercedozanu@marinesurveysnewcastle.com.au

This is no one on my server.

These messages turn up every few minutes. The user is always amerce followed by a combination of letters.

Any ideas...I've looked at backscatter, I have RBLs configured through qmailfront SMTP or whatever it is.....Also, the domains this mail is being sent to are real...or rather they all have websites!!!

Regards,

JG

Text of mail is

Hi. This is the qmail-send program at me.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<hedrick@openexpo.com>:
Sorry, no mailbox here by that name. (#5.1.1)

<mckinley@openexpo.com>:
Sorry, no mailbox here by that name. (#5.1.1)

<rayford@openexpo.com>:
Sorry, no mailbox here by that name. (#5.1.1)

<tidwell@openexpo.com>:
Sorry, no mailbox here by that name. (#5.1.1)

<hoskinsn@openexpo.com>:
Sorry, no mailbox here by that name. (#5.1.1)

<wray@openexpo.com>:
Sorry, no mailbox here by that name. (#5.1.1)

<fink@openexpo.com>:
Sorry, no mailbox here by that name. (#5.1.1)

<goldstein@openexpo.com>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <amercedozanu@marinesurveysnewcastle.com.au>
Received: (qmail 2267 invoked by uid 503); 29 Mar 2007 03:18:16 -0000
Received: from unknown (HELO marinesurveysnewcastle.com.au) (124.114.107.12)
  by ns23619.ovh.net with SMTP; 29 Mar 2007 03:18:16 -0000
Message-ID: <f5eb01c771e8$0a3a4210$de313875@amercedozanu>
From: "Darren Thomas" <amercedozanu@marinesurveysnewcastle.com.au>
To: "Eldridge" <hedrick@openexpo.com>
Cc: "Maribeth Powell" <mckinley@openexpo.com>,
   "Tracey" <wray@openexpo.com>,
   "Kenna" <fink@openexpo.com>,
   "Agripina" <rayford@openexpo.com>,
   "Doretta" <tidwell@openexpo.com>,
   "Elease Greene" <hoskinsn@openexpo.com>,
   "Valda" <goldstein@openexpo.com>
Subject: Heck of a time
Date: Thu, 29 Mar 2007 09:53:02 +0700
MIME-Version: 1.0
Content-Type: multipart/related;
   type="multipart/alternative";
   boundary="----=_NextPart_6E7_A8AE_CEDC1AD9.97A5D6A0"
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700

This is a multi-part message in MIME format.

------=_NextPart_6E7_A8AE_CEDC1AD9.97A5D6A0
Content-Type: multipart/alternative;
   boundary="----=_NextPart_5AB_FE22_A9EE2837.97708F7B"

------=_NextPart_5AB_FE22_A9EE2837.97708F7B
Content-Type: text/plain;
   charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
...

cactus
Who is this user on my server????
« Reply #1 on: March 29, 2007, 11:23:45 AM »
Have you checked your PCs in your domain for viruses? It could be that some infected PC in your domain is trying to send e-mail using your mail server.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

jgates
Who is this user on my server????
« Reply #2 on: March 29, 2007, 01:00:24 PM »
Hi Cactus,

Yes I've done that....and doh!!! Checked the box that says "don't deliver mail to addresses not in this domain" and run an open relay test.

Seems to have stopped the problem but I will monitor the smtpfront-qmail logs for a while.

Cheers
...

CharlieBrady
Re: Who is this user on my server????
« Reply #3 on: April 17, 2007, 10:58:45 PM »
Quote from: "jgates"

...
Return-Path: <amercedozanu@marinesurveysnewcastle.com.au>
Received: (qmail 2267 invoked by uid 503); 29 Mar 2007 03:18:16 -0000
Received: from unknown (HELO marinesurveysnewcastle.com.au) (124.114.107.12)
  by ns23619.ovh.net with SMTP; 29 Mar 2007 03:18:16 -0000


Those lines are enough for you to determine where the email came from. What user has uid 503 on your system? A program running as that user injected the mail. Do you have an application running as uid 503 on your system? If so, I'd suspect that it allows mail relaying.

Don't trust the second Received line. It's forged. The Return-Path is also forged.

> I am still using 6.01

So it wouldn't surprise anyone if your system was compromised, would it?
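The reasoning in the reply above (only the topmost Received header was written by the bouncing server; a "(qmail N invoked by uid U)" hop means a local process injected the mail, and every hop below it travelled inside the message and can say anything) can be turned into a small triage script. This is an added example, not code from the thread or from SME Server; the sample header block is a constructed excerpt modelled on the bounce quoted above, and the `own_domain` parameter is an assumption used only to flag hops that claim to be the local domain.

```python
"""Triage a qmail bounce: work out where the bounced message was injected."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the header block quoted in the thread.
SAMPLE_HEADERS = """\
Return-Path: <amercedozanu@marinesurveysnewcastle.com.au>
Received: (qmail 2267 invoked by uid 503); 29 Mar 2007 03:18:16 -0000
Received: from unknown (HELO marinesurveysnewcastle.com.au) (124.114.107.12)
  by ns23619.ovh.net with SMTP; 29 Mar 2007 03:18:16 -0000
From: "Darren Thomas" <amercedozanu@marinesurveysnewcastle.com.au>
Subject: Heck of a time
"""

# qmail writes this form when a local program hands mail to qmail-queue.
LOCAL_INJECT_RE = re.compile(r"\(qmail (?P<pid>\d+) invoked by uid (?P<uid>\d+)\)")
# qmail-smtpd writes this form for mail accepted over the network.
SMTP_HOP_RE = re.compile(
    r"from (?P<host>\S+)(?: \(HELO (?P<helo>[^)]*)\))? \((?P<ip>[\d.]+)\)"
)


@dataclass
class Hop:
    raw: str
    kind: str                 # "local", "smtp" or "unknown"
    uid: Optional[int] = None
    ip: Optional[str] = None
    helo: Optional[str] = None
    trusted: bool = False     # True only for the hop our own MTA wrote


def unfold(headers: str) -> List[str]:
    """Join RFC 822 continuation lines (leading whitespace) onto the previous header."""
    out: List[str] = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        elif line.strip():
            out.append(line)
    return out


def received_chain(headers: str) -> List[Hop]:
    """Return the Received hops top-down.

    The topmost hop is the one the bouncing MTA added when it accepted the
    message; everything below it arrived inside the message body and was
    written by whoever injected it, so it is never treated as trusted.
    """
    hops: List[Hop] = []
    for h in unfold(headers):
        if not h.lower().startswith("received:"):
            continue
        body = h.split(":", 1)[1].strip()
        m = LOCAL_INJECT_RE.search(body)
        if m:
            hops.append(Hop(body, "local", uid=int(m.group("uid"))))
            continue
        m = SMTP_HOP_RE.search(body)
        if m:
            hops.append(Hop(body, "smtp", ip=m.group("ip"), helo=m.group("helo")))
        else:
            hops.append(Hop(body, "unknown"))
    if hops:
        hops[0].trusted = True
    return hops


def injection_point(headers: str) -> str:
    """One-line verdict on how the message entered the bouncing MTA."""
    hops = received_chain(headers)
    if not hops:
        return "no Received headers"
    top = hops[0]
    if top.kind == "local":
        return f"injected locally by uid {top.uid}"
    if top.kind == "smtp":
        return f"received over SMTP from {top.ip}"
    return "unrecognised topmost hop"


def suspicious_hops(headers: str, own_domain: str) -> List[str]:
    """Untrusted hops that claim to be our own domain in HELO: a classic forgery."""
    return [
        h.raw for h in received_chain(headers)
        if not h.trusted and h.helo and h.helo.lower() == own_domain.lower()
    ]


if __name__ == "__main__":
    print(injection_point(SAMPLE_HEADERS))
    for raw in suspicious_hops(SAMPLE_HEADERS, "marinesurveysnewcastle.com.au"):
        print("forged-looking hop:", raw)
```

On the sample this reports a local injection by uid 503, which is the lead to chase on the server itself (which account has that uid, and which program runs as it), and flags the hop claiming HELO marinesurveysnewcastle.com.au as untrusted. The same script works on any qmail bounce; if the topmost hop had been an SMTP hop instead, the IP in it would be the thing to compare against the smtpfront-qmail logs.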