Virus mail
I have a Linux Red Hat 9.0 & 8.0 server running with sendmail, but I have been receiving complaints from different persons saying that they receive mails as below.
But I do not allow my machine to relay any mails, nor is the address a valid address of my server, though the IP belongs to me. Can anyone tell me if these mails are really originated from my server, and if so, how do I block them? Thanking you, sanjib gupta

Received: from sidroy3.net ([202.141.148.23]) by mx.isti.cnr.it (PMDF V6.2-X27 #30838) with SMTP id <01LBA2SC3Z3EAMI7SJ@mx.isti.cnr.it |
If the ip address is yours, they are coming from an infected machine inside your network...
All the other details can be easily faked.. |
Surely originating from you
hi,
if the other servers are saying the originating point is you, then it is definitely you..... Try installing messagewall or amavisd with spamassassin with the help of this pdf from @ your server www.spenneberg.com, and try to scan your PCs inside your LAN with the online virus scanners from symantec or trendmicro. Prashant |
As far as blocking them is concerned,
make an iptables rule that redirects all outgoing port 25 traffic off to your SMTP server to control the traffic, e.g.:

    iptables -t nat -I PREROUTING -i eth~ -p tcp --dport 25 -j REDIRECT
    service iptables save

This will send it to 127.0.0.1 port 25. (Your SMTP server should be listening on 127.0.0.1 (localhost).) |
HI,
I have also experienced the same thing! My IP was in the DSBL.org because they say I was an open relay. I have trendmicro scanning incoming and outgoing mails plus Norton 2004 on all workstations. But still some people complain that my server is sending SPAM. I made body checks in mail post dropping emails with attachments ending in .com, .exe, .bat. But still some SPAM with an attachment ending in .com can pass through. HELP! HELP! HELP! |
my machine does not relay any mails to outside, even not from the internal network. Is it still possible? |
I have read where people have their e-mail addresses spoofed by spammers. I had someone that got one from me and I don't run windoze. Someone that has my e-mail address, and uses windoze, has been infected with a virus. That virus got my e-mail address from their address book and used it to send spam. It can happen and have absolutely nothing to do with you, or really with the person that was infected. They don't know they are doing it either.
If your system is not infected, then it is likely coming from someone else using your address. Hope that helps. :D :D :D :D |
Quote:
paeng16, maybe you should give us more info. Your mail config probably needs to be changed so your system will no longer act as an open relay. Have you checked into your access control file? The only people that should be able to relay is localhost and possibly your internal network. |
benjithegreat98
Below is my SETUP!

SENDING EMAIL
client (W2K) >>> Server 1 (RH7.2, TRENDMICRO) >>> SERVER 2 (FEDORA, MailPost) >>> SERVER 3 (FEDORA, SQUID) >>> INTERNET

RECEIVING EMAIL
INTERNET >>> SERVER 3 >>> SERVER 1 >>> SERVER 2 >>> CLIENT

Specs..
Server 1 - RH7.2 - TrendMicro Anti-Virus w/ SPAM Guard - Basic Firewall (IPTABLES) - IBM X200 Series
SERVER 2 - FEDORA - MAILPOST, LDAP, Postfix, SPAMAssassin - Firewall (IPTABLES) - IBM X230 Series, hardware RAID 2 (mirror)
SERVER 3 - FEDORA - Squid - Fetchmail - Firewall (IPTABLES) - BASTILLE - 2 NIC (eth0=DSL & eth1=SWITCH) - CLONE PC (hehe!)

Hope to hear from you soon! and thank you for your kind actions. :D |
I don't think your problem is with your servers..
If a workstation sends mail, it will use your mail servers.. However, if a virus sends mail, it will go directly to the internet.. This is why your IP address shows up, but with strange email addresses. It is quite possible to fix a virus but leave a spam programme installed.. One protection is to force ALL port 25 traffic into your server 1, e.g. using an iptables DNAT rule on server 1:

    iptables -t nat -I PREROUTING -i eth~ -p tcp --dport 25 -j REDIRECT

This forces all client traffic to be checked.. change the eth~ number to match the internal interface. As benjithegreat98 suggested, do some logging on Server 1 on port 25 to see what's happening:

    iptables -t nat -I PREROUTING -i eth~ -p tcp --dport 25 -j LOG --log-prefix "mail_out "

and look in /var/log/messages |
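The LOG rule in the two replies above writes one kernel line per outbound port-25 connection into /var/log/messages. As an added example, not from any poster in this thread, here is a small Python script that reads such lines and points at the internal host behind the complaints. The log lines are constructed for the example; the sanctioned mail server address 192.168.1.2 and the "three distinct destinations" threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape the kernel writes for an iptables LOG
# rule with --log-prefix "mail_out " (fields trimmed to the ones used here).
# 192.168.1.23 opens port 25 to four different outside hosts: the classic
# footprint of a worm with its own SMTP engine bypassing the site relay.
# 192.168.1.50 only talks to the real relay, which is normal workstation mail.
SAMPLE_LOG = """\
Mar  3 14:02:11 server1 kernel: mail_out IN=eth1 OUT= SRC=192.168.1.23 DST=192.0.2.10 PROTO=TCP SPT=3421 DPT=25 SYN
Mar  3 14:02:11 server1 kernel: mail_out IN=eth1 OUT= SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP SPT=3422 DPT=25 SYN
Mar  3 14:02:12 server1 kernel: mail_out IN=eth1 OUT= SRC=192.168.1.23 DST=203.0.113.44 PROTO=TCP SPT=3423 DPT=25 SYN
Mar  3 14:02:12 server1 kernel: mail_out IN=eth1 OUT= SRC=192.168.1.23 DST=192.0.2.99 PROTO=TCP SPT=3424 DPT=25 SYN
Mar  3 14:05:40 server1 kernel: mail_out IN=eth1 OUT= SRC=192.168.1.50 DST=192.168.1.2 PROTO=TCP SPT=1044 DPT=25 SYN
Mar  3 14:05:41 server1 kernel: other_rule IN=eth1 OUT= SRC=192.168.1.50 DST=203.0.113.9 PROTO=TCP SPT=1045 DPT=80 SYN
"""

# Only lines carrying our prefix; pull out source, destination and dest port.
LOG_RE = re.compile(
    r"mail_out .*?SRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=(?P<dst>\d+\.\d+\.\d+\.\d+)"
    r".*?DPT=(?P<dpt>\d+)"
)


def summarise_mail_out(log_text, mail_server, min_distinct_dst=3):
    """Per internal source, count port-25 attempts that did NOT go to the
    sanctioned mail server, and flag sources talking to many distinct hosts.
    Returns (summary dict, sorted list of suspect source addresses)."""
    per_src = defaultdict(lambda: {"attempts": 0, "destinations": set()})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("dpt") != "25":
            continue  # not our prefix, or not SMTP
        src, dst = m.group("src"), m.group("dst")
        if dst == mail_server:
            continue  # a workstation handing mail to the real relay is expected
        per_src[src]["attempts"] += 1
        per_src[src]["destinations"].add(dst)
    suspects = sorted(
        s for s, v in per_src.items() if len(v["destinations"]) >= min_distinct_dst
    )
    return dict(per_src), suspects


if __name__ == "__main__":
    summary, suspects = summarise_mail_out(SAMPLE_LOG, mail_server="192.168.1.2")
    for src in suspects:
        v = summary[src]
        print(f"{src}: {v['attempts']} direct SMTP attempts to "
              f"{len(v['destinations'])} outside hosts -> scan this machine")
```

On a real box, feed it `grep mail_out /var/log/messages` instead of SAMPLE_LOG; the hosts it names are the ones to pull off the LAN and scan.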
Quote:
You guys are the F'CKN MASTER! I will try this tonight and will get back to you guys! MANY THANKS! _______________________________________________--- man is our friend my friend! :) :newbie: |