LinuxQuestions.org


mickeyboa 08-21-2005 08:16 PM

Spam email
 
Anyone ever get an email like this from their ISP? It is coming from my Fedora4 box.
Any ideas? I don't use $Windows

Jim

We have detected that your account was used to send a large amount of spam messages during the last week.

We recommend that you follow instructions in order to keep your computer safe.

Best regards,
The sbcglobal.net team.

NetRAVEN5000 08-21-2005 11:32 PM

Yeah, I've seen that before.

Here's what's happening: Windows, with its many holes, actually has "spambots" that infect one's computer and generate spam. They use "spoofing" to hide the true sender's e-mail address (so that *his* e-mail provider doesn't get suspicious) and make it appear as though someone else sent it. Usually it picks this e-mail address randomly from the user's Outlook Address Book. Since it's using your e-mail address, it appears that the spam came from you.

However, since you didn't send it, there's not much you can do about it other than to tell everyone who knows your e-mail address to update their spyware detectors or to switch to Linux or Mac OS. Unless you can find out who actually sent the spam (which is technically possible, but I'm sure it's not easy and takes a while).

mickeyboa 08-22-2005 05:26 AM

I don't use $Windows, I only use Linux Fedora4 for my Email.

Jim

homey 08-22-2005 06:24 AM

There may be someone tapped into your system, just using your mail server as a relay. I would run chkrootkit while most stuff like firefox is shut down. If you find a problem there, it may be easier to reload and tighten up your firewall.
Also, shut off any services which you don't need. If you are not using a mail server like sendmail, then you don't need it installed / running.
If you run the command: chkconfig --list or the GUI tool system-config-services, you should be able to shut down the unused stuff.

mickeyboa 08-22-2005 07:00 PM

I have 5 different maillogs in /var/log/maillog dating all the way back to Jul 25 up to present. It appears
that sendmail has been busy.
I leave my computer running all the time. mickeyboy is the hostname of my box and the router is gateway.2wire, hooked to sbc DSL, as you can see below. Can someone tell me what this means below? I have shown just two different dates since Jul 25. I have uninstalled sendmail; it wasn't even enabled
in Services for runlevel 5 but it was enabled in runlevels 2, 3, 4.

Jul 25 04:02:06 mickeyboy sendmail[9895]: j6P9260l009895: from=root, size=3083, class=0, nrcpts=1, msgid=<200507250902.j6P9260l009895@mickeyboy.gateway.2wire.net>, relay=root@localhost

Aug 18 04:02:06 mickeyboy sendmail[13220]: j7I926QL013220: to=root, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=31713, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
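
Added example, not part of the original posts: a small Python triage of sendmail maillog entries that separates loopback-only entries (like the two lines quoted above) from entries whose relay= field names another host. The two example.com / example.net lines are constructed for illustration, and treating "localhost" or "127.0.0.1" in relay= as loopback is a simplifying assumption.

```python
import re
from collections import Counter

# The two entries quoted in the thread.
THREAD_LINES = [
    "Jul 25 04:02:06 mickeyboy sendmail[9895]: j6P9260l009895: from=root, size=3083, class=0, nrcpts=1, msgid=<200507250902.j6P9260l009895@mickeyboy.gateway.2wire.net>, relay=root@localhost",
    "Aug 18 04:02:06 mickeyboy sendmail[13220]: j7I926QL013220: to=root, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=31713, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]",
]
# Constructed entries (not from the thread): mail accepted from and sent to other hosts.
CONSTRUCTED_LINES = [
    "Aug 19 10:15:42 mickeyboy sendmail[14001]: j7JFFgAA014001: from=<a@example.com>, size=2048, class=0, nrcpts=40, msgid=<constructed@example.com>, relay=[203.0.113.9]",
    "Aug 19 10:15:44 mickeyboy sendmail[14003]: j7JFFgAA014001: to=<b@example.net>, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=122048, relay=mx.example.net. [198.51.100.7], dsn=2.0.0, stat=Sent (ok)",
]

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) (\S+) sendmail\[\d+\]: (\w+): (.*)$")
# key=value pairs; a value runs until the next ", key=" or the end of the line.
FIELD = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")

def parse(line):
    """Return one maillog entry as a dict, or None if it is not a sendmail line."""
    m = LINE.match(line.rstrip("\n"))
    if not m:
        return None
    when, host, qid, rest = m.groups()
    return {"when": when, "host": host, "qid": qid, **dict(FIELD.findall(rest))}

def is_loopback(relay):
    return "localhost" in relay or "127.0.0.1" in relay

def triage(lines):
    """Count entries by direction and collect those involving another host."""
    counts, remote = Counter(), []
    for line in lines:
        rec = parse(line)
        if rec is None or "relay" not in rec:
            continue
        kind = "submission" if "from" in rec else "delivery"
        where = "local" if is_loopback(rec["relay"]) else "remote"
        counts[f"{where}-{kind}"] += 1
        if where == "remote":
            remote.append(rec)
    return counts, remote

if __name__ == "__main__":
    counts, remote = triage(THREAD_LINES + CONSTRUCTED_LINES)
    print(dict(counts))
    for rec in remote:
        print(rec["when"], rec["qid"], rec.get("from") or rec.get("to"), rec["relay"])
```

To run it over a real log, pass `open("/var/log/maillog")` to `triage()`; entries listed as remote are the ones worth reading first when checking for relayed mail.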

mickeyboa 08-22-2005 08:14 PM

What is port 5353? It doesn't show up in /etc/services.
To put it bluntly, what does this rule mean?
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT

Jim

homey 08-22-2005 08:48 PM

-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT

-p protocol is udp
--dport is destination port, in this case 5353
-d 224.0.0.251 is the destination ip address
-j ACCEPT accept anything that matches the above

If you didn't put that in there, I would be concerned unless you have some program which needs that.

On my box, I'm not using any mail servers so maillog is totally empty.

What did you see from the command: chkrootkit?

NetRAVEN5000 08-22-2005 09:04 PM

Quote:

Originally posted by mickeyboa
I don't use $Windows, I only use Linux Fedora4 for my Email.

Jim

Yes, I understand that - you said that before.
What I was saying was that someone else who does use Windows - and has your e-mail address in their Address Book - could have one of these "spambots" installed on their computer. Since the "spambot" uses e-mail address "spoofing" by putting your e-mail address in the "From:" line of the e-mail, it makes it appear that the e-mail came from you.

mickeyboa 08-23-2005 06:05 AM

Chkrootkit, no worms found or anything infected, or any rootkits found.

Jim

theYinYeti 08-23-2005 07:24 AM

Port 5353 is nothing to worry about :)
This port is for Multicast DNS (Google for "ZeroConf", "tmdns", "mDNSresponder"...).

Yves.

homey 08-23-2005 11:39 AM

Quote:

Chkrootkit, no worms found or anything infected, or any rootkits found.

That's good. You can find some great tips on iptables at http://www.linuxguruz.com/iptables/ .
If you don't feel comfy rolling your own yet, you can use the GUI tool called firestarter which makes it easy to set up firewall and internet sharing.

Now that you have sendmail and extra services stopped, I would call or email your ISP and ask them if everything checks out ok and would they keep me informed if something happens.


All times are GMT -5.