-   Linux - Security (
-   -   Sendmail sending dubious messages (

rotsky 05-15-2006 04:52 AM

Sendmail sending dubious messages
I just happened to look at the output from sendmail the other day and found that batches of dubious-looking messages are going out at 8.20am each day, and can't think why this is happening.

The setup is this: we have a home network. The server (SuSE 9.1 fully patched) acts as an email server, but mostly for incoming mail as our client machines connect directly to our ISPs to send mail. However, it runs 'sendmail -q' once an hour, starting at 7.20am and ending at midnight. The 7.20 run always shows no queued mail, as does every other run except the 8.20.

The dubious mails, which look like spam and are going to addresses we don't send mail to, originate from two user accounts - our main accounts, in fact, but there are others. They are being generated on the server, I believe (at 8.20am, the two workstations used as our main machines are switched off. They also run Linux, BTW).

All the machines have local 192.168.0.x static IPs and sit behind a Linksys router which has a permanent Internet IP (Internet access is via Wimax). The router passes incoming HTTP (port 80) and FTP (port 21) requests to the server. (I've since disabled FTP and have set up snort to watch HTTP requests, which should be very few, if any. So we'll see what happens tomorrow).

At first, I suspected procmail recipes that might be bouncing back messages (we had one on each of the suspect accounts that bounced back a message to people using specific & no longer used email addresses). But turning those off had no effect.

Checking the logs, I could not find any incoming messages with the dubious email addresses to which our outgoing messages are being addressed - ie, I don't think this is a result of messages being bounced by our server, though I need to explore that more.

I figured I'd disable the cronjob that runs 'sendmail -q' so I can take a better look at what's in the outgoing mail queue - won't know until tomorrow about that. In the meantime, does anyone have any clues about what might be happening?

Capt_Caveman 05-16-2006 05:52 PM

I'd be interested in seeing any updates on this. I think you're on the right track on how to proceed investigating this, at least in regards to where these emails are originating. From what you've posted, it's unclear as to whether this is something malicious or not (though it does sound highly suspect). It might help if you could post an example of one of the suspicious entries from your maillog. Also have a look through the list of processes in the output of ps aux and see if anything looks abnormal.

All times are GMT -5. The time now is 08:26 AM.