LinuxQuestions.org
Linux - Security
Old 05-15-2006, 04:52 AM   #1
rotsky
LQ Newbie
 
Registered: Jun 2004
Posts: 3

Rep: Reputation: 0
Sendmail sending dubious messages


I just happened to look at the output from sendmail the other day and found that batches of dubious-looking messages are going out at 8.20am each day, and can't think why this is happening.

The setup is this: we have a home network. The server (SuSE 9.1 fully patched) acts as an email server, but mostly for incoming mail as our client machines connect directly to our ISPs to send mail. However, it runs 'sendmail -q' once an hour, starting at 7.20am and ending at midnight. The 7.20 run always shows no queued mail, as does every other run except the 8.20.

The dubious mails, which look like spam and are going to addresses we don't send mail to, originate from two user accounts - our main accounts, in fact, but there are others. They are being generated on the server, I believe (at 8.20am, the two workstations used as our main machines are switched off. They also run Linux, BTW).

All the machines have local 192.168.0.x static IPs and sit behind a Linksys router which has a permanent Internet IP (Internet access is via Wimax). The router passes incoming HTTP (port 80) and FTP (port 21) requests to the server. (I've since disabled FTP and have set up snort to watch HTTP requests, which should be very few, if any. So we'll see what happens tomorrow).

At first, I suspected procmail recipes that might be bouncing back messages (we had one on each of the suspect accounts that bounced back a message to people using specific & no longer used email addresses). But turning those off had no effect.

Checking the logs, I could not find any incoming messages with the dubious email addresses to which our outgoing messages are being addressed - i.e., I don't think this is a result of messages being bounced by our server, though I need to explore that more.

I figured I'd disable the cronjob that runs 'sendmail -q' so I can take a better look at what's in the outgoing mail queue - won't know until tomorrow about that. In the meantime, does anyone have any clues about what might be happening?
 
Old 05-16-2006, 05:52 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
I'd be interested in seeing any updates on this. I think you're on the right track on how to proceed investigating this, at least in regards to where these emails are originating. From what you've posted, it's unclear as to whether this is something malicious or not (though it does sound highly suspect). It might help if you could post an example of one of the suspicious entries from your maillog. Also have a look through the list of processes in the output of ps aux and see if anything looks abnormal.
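Both posts come down to the same triage step: read the maillog, work out which outgoing messages were injected locally on the server (rather than received over SMTP), and check whether their recipients are anyone the household has ever corresponded with. The script below is an added example and is not code from the thread or from the sendmail project. It assumes the standard sendmail maillog layout (one `from=` line per queue ID at submission time, one `to=` line per recipient at delivery time, `daemon=MTA` on mail received over SMTP and `relay=<user>@localhost` on mail injected through the local sendmail binary). The log lines, hostnames, queue IDs and addresses in `SAMPLE_MAILLOG` are constructed for illustration. Note that the timestamp on the `from=` line is when the message entered the queue; the hourly `sendmail -q` cron job only delivers what is already there, so in the thread's scenario the interesting time window is between the empty 7.20 run and the 8.20 run, not 8.20 itself.

```python
import re
from collections import defaultdict

# Constructed sample maillog (not from the original thread). Two messages are
# injected locally at 08:17 and delivered by the 08:20 queue run; one message
# arrives over SMTP from friend@pal.example; one is a legitimate local reply.
SAMPLE_MAILLOG = """\
May 15 08:17:03 server sendmail[4121]: k4FCH3Ab004121: from=<alice@home.example>, size=812, class=0, nrcpts=1, msgid=<200605150817.k4FCH3Ab004121@server.home.example>, relay=alice@localhost
May 15 08:17:04 server sendmail[4123]: k4FCH4Cd004123: from=<bob@home.example>, size=799, class=0, nrcpts=1, msgid=<200605150817.k4FCH4Cd004123@server.home.example>, relay=bob@localhost
May 15 08:20:01 server sendmail[4200]: k4FCH3Ab004121: to=<buyer17@unknown.example>, ctladdr=alice@home.example (1001/100), delay=00:02:58, xdelay=00:00:01, mailer=esmtp, pri=30812, relay=mx.unknown.example. [198.51.100.7], dsn=2.0.0, stat=Sent
May 15 08:20:02 server sendmail[4200]: k4FCH4Cd004123: to=<deals@elsewhere.example>, ctladdr=bob@home.example (1002/100), delay=00:02:58, xdelay=00:00:01, mailer=esmtp, pri=30799, relay=mx.elsewhere.example. [203.0.113.9], dsn=2.0.0, stat=Sent
May 15 09:02:10 server sendmail[4301]: k4FD2AEf004301: from=<friend@pal.example>, size=2310, class=0, nrcpts=1, msgid=<abc@pal.example>, proto=ESMTP, daemon=MTA, relay=mail.pal.example [192.0.2.44]
May 15 09:02:10 server sendmail[4302]: k4FD2AEf004301: to=<alice@home.example>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=32310, dsn=2.0.0, stat=Sent
May 15 09:15:00 server sendmail[4350]: k4FDF0Gh004350: from=<alice@home.example>, size=500, class=0, nrcpts=1, msgid=<200605150915.k4FDF0Gh004350@server.home.example>, relay=alice@localhost
May 15 09:15:00 server sendmail[4350]: k4FDF0Gh004350: to=<friend@pal.example>, ctladdr=alice@home.example (1001/100), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=30500, relay=mail.pal.example. [192.0.2.44], dsn=2.0.0, stat=Sent
"""

# "<month> <day> <hh:mm:ss> <host> sendmail[<pid>]: <queue id>: <key=value, ...>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[\d+\]: "
    r"(?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$"
)
ADDR_RE = re.compile(r"<?([^<>\s,]+@[^<>\s,]+)>?")


def _kv(rest):
    """Split the 'key=value, key=value' tail of a maillog line into a dict."""
    fields = {}
    for part in rest.split(", "):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def _addr(value):
    """Pull the bare address out of '<a@b>' or 'a@b (uid/gid)'."""
    m = ADDR_RE.search(value or "")
    return m.group(1).lower() if m else None


def parse_maillog(text):
    """Group from=/to= lines by queue ID so each message can be seen as a whole."""
    messages = defaultdict(lambda: {"from": None, "to": [], "time": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = _kv(m.group("rest"))
        rec = messages[m.group("qid")]
        if "from" in fields:
            rec["from"] = fields
            rec["time"] = m.group("ts")  # submission time, not delivery time
        elif "to" in fields:
            rec["to"].append(fields)
    return dict(messages)


def submitted_locally(from_fields):
    """Mail received over SMTP carries daemon=MTA; mail injected with the
    sendmail binary on the server itself shows relay=<user>@localhost."""
    return "daemon" not in from_fields and from_fields.get("relay", "").endswith("@localhost")


def find_unexplained_local_mail(messages):
    """Locally injected messages whose recipients never wrote to us.

    A reply to someone who has mailed us is expected traffic (e.g. a procmail
    auto-response); mail from a local account to a stranger is worth a look."""
    correspondents = {
        _addr(rec["from"]["from"])
        for rec in messages.values()
        if rec["from"] and not submitted_locally(rec["from"])
    }
    findings = []
    for qid, rec in messages.items():
        if not rec["from"] or not submitted_locally(rec["from"]):
            continue
        unknown = [_addr(t["to"]) for t in rec["to"] if _addr(t["to"]) not in correspondents]
        if unknown:
            findings.append({
                "qid": qid,
                "time": rec["time"],
                "sender": _addr(rec["from"]["from"]),
                # ctladdr names the local account (and uid/gid) that injected the mail
                "ctladdr": rec["to"][0].get("ctladdr") if rec["to"] else None,
                "recipients": unknown,
            })
    return findings


if __name__ == "__main__":
    for f in find_unexplained_local_mail(parse_maillog(SAMPLE_MAILLOG)):
        print(f"{f['time']}  {f['qid']}  {f['sender']} -> {', '.join(f['recipients'])}  [{f['ctladdr']}]")
```

On a real box, feed it `/var/log/mail` (or wherever SuSE's syslog puts the mail facility) instead of the sample text. The `ctladdr` uid in each finding tells you which local account ran the injecting process, which is the natural next pivot into that user's crontab, `.forward`/procmail setup and, as suggested above, the `ps aux` output at the time the messages appear in the queue.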