[SLUG] Open mail relay?

From: Aharon (aharon@superfreeway.com)
Date: Tue Jun 05 2001 - 11:54:59 EDT


I am having an interesting morning to say the least. I host a few
dedicated servers running Redhat 7.0.. They are all my servers.

I rarely log in as root. Well last night, I needed to make some httpd
changes. While running around as root I kept getting messages telling me
of new mail arrival.. Which is funny because root shouldn't be getting tons
of mail. I went into pine... Lo and behold, I have about 6000 email
messages. Most are "Invalid user bounces", and spam notifications.
Luckily, my domain hasn't been blacklisted yet.

All my servers are behind a Nokia Checkpoint firewall appliance, the
router is a Cisco 2600 series with IOS firewall as well. I consider my
boxes pretty secure, few to no ports answer. Always up to the minute
exploit patches. Plus, I am the only one that has all the login info for
the servers. I don't run an ISP, they are mine. No customers or users.

Did some extensive checking and searching of the boxes this morning, and
am confident they have not been compromised.

This leads me to believe that someone, a spammer, is relaying through me.
I have telneted to sendmail directly, and cannot get my sendmail to relay
by hand. It always responds with relaying denied. I have also used some
of the web based relay testers, and they all agree that relaying will be
denied.

Can you guys give it a shot?? And try to relay through my mailserver? My
domain is superfreeway.com, you can try mail.superfreeway.com.

Anything else you think I should look for?

I am attaching one of the bounced messages, so you can check out the
headers. You can clearly see the superfreeway.com relayed the mail. The
only thing I can think of is that the spammer is modifying their headers
big time to make it appear as if it is coming from me.

Another thing I have noticed is that all the bounced messages are going to
nobody@superfreeway.com ... The only process which runs as nobody is
httpd. But, this may be standard if sendmail has no idea where to send
the bounce message.

Here is a clip of one of the spam bounces:

<<< 550 cyberdog25 IS NOT ACCEPTING MAIL FROM THIS SENDER
550 <cyberdog25@aol.com>... User unknown
>>> RCPT To:<bluefish146@aol.com>
<<< 550 bluefish146 IS NOT ACCEPTING MAIL FROM THIS SENDER
550 <bluefish146@aol.com>... User unknown
>>> RCPT To:<avoidreflection@aol.com>
<<< 550 MAILBOX NOT FOUND
550 <avoidreflection@aol.com>... User unknown

    [ Part 2: "Delivery Status" ]

Reporting-MTA: dns; rly-xd05.mx.aol.com
Arrival-Date: Thu, 17 May 2001 22:01:19 -0400 (EDT)

Final-Recipient: RFC822; avoidreflection@aol.com
Action: failed
Status: 2.0.0
Remote-MTA: DNS; air-xd01.mail.aol.com
Diagnostic-Code: SMTP; 250 OK
Last-Attempt-Date: Thu, 17 May 2001 22:01:32 -0400 (EDT)

Final-Recipient: RFC822; bluefish146@aol.com
Action: failed
Status: 2.0.0
Remote-MTA: DNS; air-xd01.mail.aol.com
Diagnostic-Code: SMTP; 250 OK
Last-Attempt-Date: Thu, 17 May 2001 22:01:32 -0400 (EDT)

Final-Recipient: RFC822; cyberdog25@aol.com
Action: failed
Status: 2.0.0
Remote-MTA: DNS; air-xd01.mail.aol.com
Diagnostic-Code: SMTP; 250 OK
Last-Attempt-Date: Thu, 17 May 2001 22:01:32 -0400 (EDT)

    [ Part 3: "Included Message" ]

Received: from superfreeway.com ([63.140.74.35]) by rly-xd05.mx.aol.com
(v77_r1.36) with ESMTP; Thu, 17 May 2001 22:01:18 2000
Received: (from nobody@localhost)
        by superfreeway.com (8.11.0/8.11.0) id f4I1uKV18460;
        Thu, 17 May 2001 21:56:20 -0400
Date: Thu, 17 May 2001 21:56:20 -0400
Message-Id: <200105180156.f4I1uKV18460@superfreeway.com>
To: AvoidReflection@aol.com, BarnesStarman@aol.com, Blacbird08@aol.com,
        BlueFish146@aol.com, Cyberdog25@aol.com
From: New_Credit_4u@yahoo.com ()
Subject: Re: New Credit

Below is the result of your feedback form. It was submitted by
 (New_Credit_4u@yahoo.com) on Thursday, May 17, 2001 at 21:56:20

-- 
vgextend /dev/myself /dev/nichole /dev/sarah /dev/misty /dev/julie
"I extend myself over many women - Aharon"

Unix Administrator Tampa, Florida

Websites: http://www.tamparacing.com http://www.ls6.com http://www.lastgen.com
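Added example, not part of Aharon's post: the included message carries "Received: (from nobody@localhost) by superfreeway.com", which Sendmail stamps on a message handed to it locally by a process running as nobody, not on one accepted from an SMTP client, so it points at the web server (the body says "result of your feedback form") rather than at relaying on port 25. The script below unfolds the headers of a bounced message and tells the two cases apart; the relay sample, its hostname, address and queue id are constructed for the demonstration.

```python
import re

# Constructed sample: the "Included Message" headers quoted in the post.
SAMPLE = """Received: from superfreeway.com ([63.140.74.35]) by rly-xd05.mx.aol.com
 (v77_r1.36) with ESMTP; Thu, 17 May 2001 22:01:18 2000
Received: (from nobody@localhost)
        by superfreeway.com (8.11.0/8.11.0) id f4I1uKV18460;
        Thu, 17 May 2001 21:56:20 -0400
From: New_Credit_4u@yahoo.com ()
Subject: Re: New Credit

Below is the result of your feedback form.
"""

# Constructed contrast case (hostname, address and id are made up): what a
# genuine SMTP relay through the same Sendmail would have stamped instead.
RELAY_SAMPLE = """Received: from mail.example.net ([192.0.2.10])
        by superfreeway.com (8.11.0/8.11.0) with ESMTP id f4I2abC12345
        for <root@superfreeway.com>; Thu, 17 May 2001 22:10:00 -0400

body
"""

def unfold_headers(raw):
    """Return [(name, value)] with RFC 822 continuation lines joined."""
    headers = []
    for line in raw.split("\n\n", 1)[0].splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers

# Sendmail local submission: "(from <user>@localhost) by <host> ..."
LOCAL_SUBMIT = re.compile(r"^\(from (\S+)@localhost\)\s+by\s+(\S+)")
# SMTP hop: "from <helo> ([<ip>]) by <host> ..."
SMTP_HOP = re.compile(r"^from (\S+) \(\[?([\d.]+)\]?\)\s+by\s+(\S+)")

def classify_origin(raw, our_host):
    """How did the message enter our_host? Walk Received: lines oldest-first."""
    received = [v for n, v in unfold_headers(raw) if n.lower() == "received"]
    for value in reversed(received):  # last Received: header is the earliest hop
        m = LOCAL_SUBMIT.match(value)
        if m and m.group(2) == our_host:
            return {"origin": "local", "user": m.group(1)}
        m = SMTP_HOP.match(value)
        if m and m.group(3) == our_host:
            return {"origin": "smtp", "client": m.group(2)}
    return {"origin": "unknown"}
```

A "local" result with user nobody means the web server, not Sendmail's relay rules, is the thing to audit.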



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:55:34 EDT