[lug] Sendmail 8.12.2 & outgoing spam

D. Stimits stimits at idcomm.com
Tue Jan 15 13:31:36 MST 2002


FYI, it's fairly common for me to turn in a spammer, and have it turn
out they forged the header.

D. Stimits, stimits at idcomm.com

Sean Reifschneider wrote:
> 
> On Mon, Jan 14, 2002 at 02:50:53PM -0700, Shannon Johnston wrote:
> >My server is spamming others. I want to find the source of the problem
> >but I don't know what I'm looking for. Please help!!!
> 
> The first thing you need to do is find out if it's actually coming from
> your server.  I've found that the reports people send in about a domain
> being used for spamming are unreliable (at best).  We have one domain which
> not infrequently gets used in the from address sent out by spammers.  So,
> while the messages *NEVER* touch our box, we get a lot of angry reports to
> our upstream ISP, etc...
> 
> You need to look at the Received lines of the messages that people are
> forwarding back to you.  If you are getting abbreviated copies of the
> messages, or no copy of the message being sent out at all, you need to
> scold the reporters...
> 
> Take the received lines from your message, they are in reverse order of
> delivery (first mail server that is hit is the last to occur in the
> headers):
> 
>    Received: (qmail 10460 invoked by uid 500); 14 Jan 2002 21:01:14 -0000
>    Received: (qmail 10455 invoked by uid 10); 14 Jan 2002 21:01:14 -0000
>    Received: (qmail 4926 invoked by alias); 14 Jan 2002 21:01:11 -0000
>    Received: (qmail 4921 invoked by uid 0); 14 Jan 2002 21:01:11 -0000
> 
> These are all local deliveries as the mail funnels down to my mailbox
> (across a couple of machines via UUCP).
> 
>    Received: from fr.pythoneers.org (HELO community.tummy.com) (216.17.150.13)
>      by tummy.com with SMTP; 14 Jan 2002 21:01:09 -0000
> 
> Ok, here my mail server ("by tummy.com") received the mail from the mailing
> list server (216.17.150.13, community.tummy.com).  The "from
> fr.pythoneers.org" means that the reverse DNS for the IP that sent the mail
> resolves to that name.  The "HELO community.tummy.com" means that the mail
> server identified itself as that name to my mail server.
> 
>    Received: from localhost (HELO community.tummy.com) (mailman at 127.0.0.1)
>      by localhost with SMTP; 14 Jan 2002 21:01:02 -0000
> 
> This line is because of the mailing list software, which sends the mail
> via SMTP to the localhost.
> 
>    Received: from engineer.lanxtra.com (HELO localhost.localdomain)
>      (63.214.33.10) by community.tummy.com with SMTP; 14 Jan 2002 21:00:30 -0000
> 
> This is where your machine sent the mail to the mailing list server.  You
> can see that it's configured to identify itself as "localhost.localdomain",
> while its reverse DNS is "engineer.lanxtra.com"...  You probably want to
> fix that.
> 
> Looking at the above, I can see that the mail came from the
> community.tummy.com box, so if someone were reporting this as a spam, I'd
> know that someone had found a way to send mail from that server.
> 
> I'd then start digging through the mail server logs looking for instances
> of this mail or similar mails (it shouldn't be hard to find if someone is
> using you to spam).  Look at where that mail is coming from, see if it's
> coming in via SMTP from another host which is allowed to relay for some
> reason, or from a web-based form, or what have you...
> 
> Hopefully, this gives you some hints on tracking down where mail is actually
> occurring.
> 
> Remember, the from line of an e-mail address is incredibly easy to forge.
> 
> Sean
> --
>  This mountain is PURE SNOW!  Do you know what the street value of this
>  mountain is!?!                -- Better Off Dead
> Sean Reifschneider, Inimitably Superfluous <jafo at tummy.com>
> tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
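Sean's walk through the Received chain, as an added Python example that is not part of the original post or of the list archive: it unfolds the header block, parses each hop (qmail's local "invoked by" lines and the SMTP "from rdns (HELO name) (ip) by host" lines), restores chronological order, flags hops whose HELO name differs from their reverse DNS, and reports the hop at which the mail entered a set of hosts you operate. The sample header block is constructed from the quoted headers; the "mailman at 127.0.0.1" spelling is the archive's munging of "@", and the regex accepts both forms. The set of trusted hosts is an assumption you supply; the names and addresses used here are the ones in the quoted message.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample (not a real report): the Received chain quoted above,
# newest hop first as in a real message, plus two non-Received headers to
# show that they are skipped.
SAMPLE_HEADERS = """\
Received: (qmail 10460 invoked by uid 500); 14 Jan 2002 21:01:14 -0000
Received: (qmail 10455 invoked by uid 10); 14 Jan 2002 21:01:14 -0000
Received: (qmail 4926 invoked by alias); 14 Jan 2002 21:01:11 -0000
Received: (qmail 4921 invoked by uid 0); 14 Jan 2002 21:01:11 -0000
Received: from fr.pythoneers.org (HELO community.tummy.com) (216.17.150.13)
  by tummy.com with SMTP; 14 Jan 2002 21:01:09 -0000
Received: from localhost (HELO community.tummy.com) (mailman at 127.0.0.1)
  by localhost with SMTP; 14 Jan 2002 21:01:02 -0000
Received: from engineer.lanxtra.com (HELO localhost.localdomain)
  (63.214.33.10) by community.tummy.com with SMTP; 14 Jan 2002 21:00:30 -0000
From: nobody@example.invalid
Subject: constructed sample
"""


@dataclass
class Hop:
    raw: str
    by: Optional[str]      # host that wrote this Received line
    rdns: Optional[str]    # reverse DNS of the peer, as seen by that host
    helo: Optional[str]    # name the peer claimed in HELO (sender-controlled)
    ip: Optional[str]      # peer address; None for a local, non-SMTP hop
    timestamp: str
    local: bool            # qmail "invoked by uid/alias" local delivery


# "(user at 1.2.3.4)" is the archive's munged form of "(user@1.2.3.4)".
SMTP_RE = re.compile(
    r"from (?P<rdns>\S+) \(HELO (?P<helo>\S+)\) "
    r"\((?:\S+(?: at |@))?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) "
    r"by (?P<by>\S+)"
)
LOCAL_RE = re.compile(r"\(qmail \d+ invoked by [^)]+\)")


def unfold(headers: str) -> List[str]:
    """Join continuation lines (leading whitespace) onto the previous header line."""
    out: List[str] = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out


def parse_received(headers: str) -> List[Hop]:
    """Return the Received hops in header order (last hop first)."""
    hops: List[Hop] = []
    for line in unfold(headers):
        if not line.lower().startswith("received:"):
            continue
        body = line[len("received:"):].strip()
        ts = body.rsplit(";", 1)[1].strip() if ";" in body else ""
        m = SMTP_RE.search(body)
        if m:
            hops.append(Hop(body, m["by"], m["rdns"], m["helo"], m["ip"], ts, False))
        elif LOCAL_RE.search(body):
            hops.append(Hop(body, None, None, None, None, ts, True))
        else:  # unrecognised format: keep the line so the chain stays complete
            hops.append(Hop(body, None, None, None, None, ts, False))
    return hops


def chronological(hops: List[Hop]) -> List[Hop]:
    """Headers are written newest-first; reverse to get the delivery order."""
    return list(reversed(hops))


def helo_mismatches(hops: List[Hop]) -> List[Hop]:
    """SMTP hops whose HELO differs from reverse DNS (a misconfiguration or a lie,
    not by itself proof of either). Loopback submissions are ignored."""
    return [h for h in hops
            if h.ip and h.ip != "127.0.0.1" and h.helo and h.rdns and h.helo != h.rdns]


def injection_point(hops: List[Hop], trusted_hosts: Set[str]) -> Optional[Hop]:
    """Walk newest-first through lines written by hosts you operate (assumed set).
    The first such line whose peer is not one of yours is where the mail entered
    your infrastructure; everything below it was written by someone else and
    can be forged, so it is not evidence."""
    trusted = {t.lower() for t in trusted_hosts}
    for h in hops:
        if h.local or h.by is None:
            continue
        if h.by.lower() not in trusted:
            break  # not written by us: nothing further down can be relied on
        if h.ip not in trusted and (h.rdns or "").lower() not in trusted:
            return h
    return None


if __name__ == "__main__":
    ours = {"tummy.com", "community.tummy.com", "localhost",
            "216.17.150.13", "127.0.0.1"}  # assumed: hosts the reader operates
    hops = parse_received(SAMPLE_HEADERS)
    for h in chronological(hops):
        print(("local " if h.local else f"{h.ip} -> {h.by} ") + h.timestamp)
    entry = injection_point(hops, ours)
    print("entered at:", entry.ip, "rdns", entry.rdns, "helo", entry.helo)
```

With all of tummy.com's machines in the trusted set the chain bottoms out at 63.214.33.10 (reverse DNS engineer.lanxtra.com, HELO localhost.localdomain) delivering to community.tummy.com, which is the hop Sean points at. With only tummy.com trusted, the last attributable peer is 216.17.150.13, and nothing below it can be taken at face value; that is the same reason the From line alone is worthless as evidence.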