Koozali.org: home of the SME Server
Legacy Forums => General Discussion (Legacy) => Topic started by: Texasboy on September 21, 2005, 03:06:56 AM
-
I have recently started receiving some e-mails to my root account stating that I can't deliver messages to a lot of e-mail accounts. The mail that is not being delivered is not coming from my users. I have checked to make sure the users haven't been sending them in the day-to-day business of the office. I ran virus scanners on everyone's PC in the office to make sure it wasn't some virus doing it. I then ran a mail relay checker against my SME box to make sure I wasn't open for spam, and SME passed with flying colors. I am still getting messages to my root account stating that these mail messages have not been delivered to strange and random e-mail addresses that no one in the office knows about. Can someone tell me how to track down why I am sending this stuff out, and how to verify if I am actually sending all this mess in the first place? Thanks for the help.
Thanks
Texasboy
:pint:
-
Texasboy,
What is the content of the emails? If it is bounce notifications, i.e. "fred@domain is not a user on this server", then the chances are that some spammer is spoofing your email address.
If the content is actually spam, then you either have a compromised email account that spammers are sending through, or it is a machine on your network.
I made the unfortunate mistake once to set up a demo on my server and created a username and password of demo, demo. It didn't take the spammers long to access the account via SMTP-Auth and start sending spam through the account. Luckily I caught it after a couple of hours. If you have SMTP-Auth enabled on your server then check the CVM logs to see what accounts are logging on. Generally user@localhost entries are webmail.
I have also worked on a couple of PCs that were infected with a spam-sending trojan. None of my AV scans would detect it. I only picked it up by looking at the processes running and stopping any that I was unsure of, until the spam stopped sending. Whatever you do, don't rely on Nortons to pick up trojans.
Jon
-
Jon, the mail I am getting is a bounce. I looked at my e-mail setup: webmail is disabled and e-mail access should only be for the local network. I looked at my current cvm log and this is what I see:
2005-09-20 08:03:17.046747500 Starting.
Not sure what that means?
I have checked the mail logs for sender statistics and this is what I see:
One line per sender. Information on each line:
* mess is the number of messages sent by this sender.
* bytes is the number of bytes sent by this sender.
* sbytes is the number of bytes successfully received from this sender.
* rbytes is the number of bytes from this sender, weighted by recipient.
* recips is the number of recipients (success plus failure).
* tries is the number of delivery attempts (success, failure, deferral).
* xdelay is the total xdelay incurred by this sender.
mess bytes sbytes rbytes recips tries xdelay sender
1782 28797202 0 28797202 1782 2117 548.249743 101/<#@[]>
1786 28635392 28635392 28635392 1786 1786 629.536753 400/<#@[]>
1786 28398782 28398782 28398782 1786 1786 677.719553 406/<#@[]>
Looks like it might be on a PC.
texasboy
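An added example, not from the thread or the SME Server project: a small parser for the per-sender statistics table quoted above, computing the derived values the field descriptions imply (retried attempts, bytes not successfully received) and flagging high-volume traffic from the empty envelope sender. It assumes qmail's `<#@[]>` notation stands for the null (bounce) sender, and the 100-message threshold is a constructed choice.

```python
"""Parse a qmailanalog-style per-sender statistics table and flag bounce traffic.

Added example, not code from the forum thread. SAMPLE_STATS is the table
quoted in the thread; the 'uid/' prefix on the sender column is kept as-is,
since the page does not explain it.
"""
from dataclasses import dataclass

NULL_SENDER = "<#@[]>"  # qmail's notation for the empty envelope sender (bounces)

SAMPLE_STATS = """\
mess bytes sbytes rbytes recips tries xdelay sender
1782 28797202 0 28797202 1782 2117 548.249743 101/<#@[]>
1786 28635392 28635392 28635392 1786 1786 629.536753 400/<#@[]>
1786 28398782 28398782 28398782 1786 1786 677.719553 406/<#@[]>
"""


@dataclass
class SenderStats:
    mess: int      # messages sent by this sender
    bytes: int     # bytes sent by this sender
    sbytes: int    # bytes successfully received from this sender
    rbytes: int    # bytes weighted by recipient
    recips: int    # recipients (success plus failure)
    tries: int     # delivery attempts (success, failure, deferral)
    xdelay: float  # total xdelay incurred by this sender
    sender: str

    @property
    def retries(self) -> int:
        # Each recipient is counted once in recips but every attempt in tries,
        # so the difference is the number of deferred/retried deliveries.
        return self.tries - self.recips

    @property
    def unreceived_bytes(self) -> int:
        return self.bytes - self.sbytes

    @property
    def is_bounce_sender(self) -> bool:
        return self.sender.endswith(NULL_SENDER)


def parse_sender_stats(text: str) -> list[SenderStats]:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "mess":
            continue  # skip the header line and anything that is not a data row
        rows.append(SenderStats(*map(int, parts[:6]), float(parts[6]), parts[7]))
    return rows


def flag_bounce_senders(rows, min_messages=100):
    """Return rows for the null sender whose message count is at or above the threshold."""
    return [r for r in rows if r.is_bounce_sender and r.mess >= min_messages]
```

A sudden jump in null-sender volume in this table is the server-side view of the bounce flood described in the thread, whether the bounces are being generated locally or arriving from outside.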
-
Jon thanks for the help :-D