LinuxQuestions.org
Old 06-02-2004, 09:57 AM   #1
Nutska1
LQ Newbie
 
Registered: Aug 2003
Location: Brooklyn
Distribution: RH 9
Posts: 3

Rep: Reputation: 0
Spam in /var/spool/mail/root


Greetings,

My first post so please forgive me if something is wrong with it. While I don't consider myself a NOOB, I must admit that I'm not a seasoned Linux pro either. I have several services up and running including Samba, Squid, VSFTP, SOCKS5 etc. - all on Redhat 9 with updates and no signs of trouble.

However, I recently made some major changes to my /etc/hosts file in which I denied access to my LAN for certain workstations. I received a message immediately after restarting my network stating that I had mail in /var/spool/mail/root. Examining the file I noticed that it was approximately 20mb in size and contained several hundred Spam e-mails.

I ran ethereal several times and haven't noticed anything particularly suspicious and I do not have this unit set up as a mail server of any kind. The only e-mail I use is 'excite' which is web based and only on certain workstations. SpamAssassin is running; as I was planning to set up a mail server in the future.

Any information relating to this matter is very greatly appreciated. I usually browse these groups when I have troubles and very many helpful people have resolved them, but alas I am perplexed.

Thanks.
 
Old 06-02-2004, 10:16 PM   #2
kbcnetau
Member
 
Registered: Dec 2003
Location: South Australia (ex-Devon, UK)
Distribution: SuSE, Slackware, Fedora, Debian, Knoppix
Posts: 141

Rep: Reputation: 15
To whom were the mails addressed? To users that don't exist?

I'm guessing that your system is configured so that unknown addresses go to postmaster and that you have postmaster aliased to root.

Have a look in your aliases file (probably /etc/aliases or /etc/mail/aliases) - you may find a clue as to what is happening.
 
Old 06-04-2004, 01:47 PM   #3
Nutska1
LQ Newbie
 
Registered: Aug 2003
Location: Brooklyn
Distribution: RH 9
Posts: 3

Original Poster
Rep: Reputation: 0
Greetings all;

kbcnetau, thank you very much for the reply and the information was right on target. I guess I am confused as to how I'm getting e-mail sent to the computer in the first place. Are they just taking an IP address and filling it with various names hoping to reach one or two users? I hope not because that sounds completely ludicrous to me.

Is there a way I can completely stop any mail from reaching any user anywhere on my Linux box? The only access I would even prefer to have to /var/spool/mail/ is by root and only to check for errors. Maybe not even for that. I figure that I don't need any type of e-mail services at all, as all the e-mail accounts here are web based requiring only http proxy services.

It wouldn't seem safe to me that junk mailers can simply send hundreds of spam e-mails to my IP address, if that is what they are doing, and instead of being blocked somehow they are merely redirected. I've been looking for a way to stop all e-mail services in my unit, but I can find nothing.

Thanks again for any and all help.
 
Old 06-05-2004, 02:48 AM   #4
kbcnetau
Member
 
Registered: Dec 2003
Location: South Australia (ex-Devon, UK)
Distribution: SuSE, Slackware, Fedora, Debian, Knoppix
Posts: 141

Rep: Reputation: 15
Having looked at rejects on my own mail server logs, what the spammers are doing is taking a domain (rather than an IP address) and are putting just about every conceivable name in front of the @ in hope of hitting a legitimate account. If the MTA on your machine is not set to reject non-existent users, postmaster and thus root ends up getting all the junk.

If you don't need your mail server to handle incoming traffic and your Web mail is coming through on the normal http port (80), you could just block the smtp port (25) on your firewall. This should also cut down your incoming bandwidth...
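
The two checks discussed in the replies above (where postmaster's mail ends up, and whether port 25 is reachable from the network) can be scripted as follows. This is an added example, not part of the original thread; the function names and sample data are constructed for illustration, and the `iptables` line is one form of the port block suggested above.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, sample data is constructed.

# Constructed sample in aliases(5) format, as found in /etc/aliases.
SAMPLE_ALIASES='# Basic system aliases
mailer-daemon: postmaster
postmaster:    root
abuse:         postmaster, root
loop-a:        loop-b
loop-b:        loop-a'

# Constructed sample of `netstat -ltn` output (local address is column 4).
SAMPLE_LISTENERS='tcp  0  0 127.0.0.1:631  0.0.0.0:*  LISTEN
tcp  0  0 0.0.0.0:25     0.0.0.0:*  LISTEN
tcp  0  0 0.0.0.0:3128   0.0.0.0:*  LISTEN'

# Follow NAME through an aliases file ("-" = stdin) to the final recipient.
# Simplifications: names are lowercased, only the first target of a list is
# followed, continuation lines are ignored. Stops if the chain loops.
resolve_alias() {   # usage: resolve_alias NAME FILE
    awk -v start="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        {
            i = index($0, ":"); if (i == 0) next
            key = tolower(substr($0, 1, i - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, i + 1); sub(/,.*/, "", val); gsub(/[ \t]/, "", val)
            map[key] = tolower(val)
        }
        END {
            name = tolower(start)
            while ((name in map) && !(name in seen)) {
                seen[name] = 1
                name = map[name]
            }
            print name
        }' "$2"
}

# Succeeds if stdin (netstat -ltn or ss -ltn lines) shows TCP port 25
# listening on anything other than a loopback address.
smtp_exposed() {
    awk '$4 ~ /:25$/ && $4 !~ /^(127\.|::1:|\[::1\])/ { found = 1 }
         END { exit !found }'
}

echo "postmaster mail lands with: $(printf '%s\n' "$SAMPLE_ALIASES" | resolve_alias postmaster -)"
if printf '%s\n' "$SAMPLE_LISTENERS" | smtp_exposed; then
    echo "port 25 is exposed; as root: iptables -I INPUT -p tcp --dport 25 -j DROP"
fi
```

On a real host, pass `/etc/aliases` as the file argument and pipe `netstat -ltn` into `smtp_exposed`.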
 
Old 06-11-2004, 03:35 PM   #5
Nutska1
LQ Newbie
 
Registered: Aug 2003
Location: Brooklyn
Distribution: RH 9
Posts: 3

Original Poster
Rep: Reputation: 0
Greetings,

Thank you again for the information. I know this follow-up is extremely late, but I wanted to let anyone know who may search this thread that kbcnetau's method worked. I now only have errors reported to local users in my mail folders and no spam at all.

Very much appreciated.
 
  

