LinuxQuestions.org
Fedora This forum is for the discussion of the Fedora Project.

Old 08-21-2005, 08:16 PM   #1
mickeyboa
Senior Member
 
Registered: May 2004
Location: Indianapolis, Indiana
Distribution: FC-KDE, 32 and 64 bit
Posts: 1,721

Rep: Reputation: 68
Spam email


Anyone ever get an email like this from their ISP? It is coming from my Fedora 4 box.
Any ideas? I don't use $Windows.

Jim

We have detected that your account was used to send a large amount of spam messages during the last week.

We recommend that you follow instructions in order to keep your computer safe.

Best regards,
The sbcglobal.net team.
 
Old 08-21-2005, 11:32 PM   #2
NetRAVEN5000
Member
 
Registered: May 2005
Distribution: Ubuntu 9.04
Posts: 320

Rep: Reputation: 30
Yeah, I've seen that before.

Here's what's happening: Windows, with its many holes, actually has "spambots" that infect one's computer and generate spam. They use "spoofing" to hide the true sender's e-mail address (so that *his* e-mail provider doesn't get suspicious) and make it appear as though someone else sent it. Usually it picks this e-mail address randomly from the user's Outlook Address Book. Since it's using your e-mail address, it appears that the spam came from you.

However, since you didn't send it, there's not much you can do about it other than to tell everyone who knows your e-mail address to update their spyware detectors or to switch to Linux or Mac OS. Unless you can find out who actually sent the spam (which is technically possible, but I'm sure it's not easy and takes a while).
 
Old 08-22-2005, 05:26 AM   #3
mickeyboa
Senior Member
 
Registered: May 2004
Location: Indianapolis, Indiana
Distribution: FC-KDE, 32 and 64 bit
Posts: 1,721

Original Poster
Rep: Reputation: 68
I don't use $Windows, I only use Linux Fedora4 for my Email.

Jim
 
Old 08-22-2005, 06:24 AM   #4
homey
Senior Member
 
Registered: Oct 2003
Posts: 3,057

Rep: Reputation: 61
There may be someone tapped into your system, just using your mail server as a relay. I would run chkrootkit while most stuff like firefox is shut down. If you find a problem there, it may be easier to reload and tighten up your firewall.
Also, shut off any services which you don't need. If you are not using a mail server like sendmail, then you don't need it installed / running.
If you run the command: chkconfig --list or the GUI tool system-config-services, you should be able to shut down the unused stuff.
 
Old 08-22-2005, 07:00 PM   #5
mickeyboa
Senior Member
 
Registered: May 2004
Location: Indianapolis, Indiana
Distribution: FC-KDE, 32 and 64 bit
Posts: 1,721

Original Poster
Rep: Reputation: 68
I have 5 different maillogs in /var/log/maillog dating all the way back to Jul 25 up to the present. It appears that sendmail has been busy.
I leave my computer running all the time. mickeyboy is the hostname of my box and the router is gateway.2wire, hooked to SBC DSL, as you can see below. Can someone tell me what the lines below mean? I have shown just two different dates since Jul 25. I have uninstalled sendmail; it wasn't even enabled in Services for runlevel 5, but it was enabled in runlevels 2, 3 and 4.

Jul 25 04:02:06 mickeyboy sendmail[9895]: j6P9260l009895: from=root, size=3083, class=0, nrcpts=1, msgid=<200507250902.j6P9260l009895@mickeyboy.gateway.2wire.net>, relay=root@localhost

Aug 18 04:02:06 mickeyboy sendmail[13220]: j7I926QL013220: to=root, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=31713, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
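
An added example (not part of the original post) of how to read maillog lines like the two above: it splits each sendmail entry into its key=value fields and classifies it by whether the mail stayed on the loopback interface or left the host. The category names are made up for this example, and the third sample line is constructed to show what an off-host delivery looks like.

```python
import re
from collections import Counter

# Lines 1-2 are the ones quoted in the post. Line 3 is CONSTRUCTED (queue id,
# recipient, relay host and IP are made up) to show the remote case.
SAMPLE = """\
Jul 25 04:02:06 mickeyboy sendmail[9895]: j6P9260l009895: from=root, size=3083, class=0, nrcpts=1, msgid=<200507250902.j6P9260l009895@mickeyboy.gateway.2wire.net>, relay=root@localhost
Aug 18 04:02:06 mickeyboy sendmail[13220]: j7I926QL013220: to=root, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=31713, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Aug 19 04:10:11 mickeyboy sendmail[14001]: j7J9ABQL014001: to=<user@example.com>, ctladdr=root (0/0), delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=120345, relay=mx.example.com. [192.0.2.25], dsn=2.0.0, stat=Sent (ok)
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ sendmail\[\d+\]: (\w+): (.*)$")
# Fields are separated by ", " and a value runs until the next "key=".
FIELD = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")
LOCAL = re.compile(r"(^|@)localhost(\s|$)|\[127\.0\.0\.1\]|\[::1\]")

def parse(line):
    """Return (queue_id, fields) for a sendmail log line, or None."""
    m = LINE.match(line.strip())
    return (m.group(1), dict(FIELD.findall(m.group(2)))) if m else None

def classify(fields):
    """Label one entry; a missing relay= is assumed to mean local handling."""
    relay = fields.get("relay", "")
    local = not relay or LOCAL.search(relay) is not None
    if "from" in fields:    # a message entering the queue
        return "local-submission" if local else "accepted-from-remote"
    if "to" in fields:      # a delivery attempt for a queued message
        if local:
            return "to-local-relay"
        sent = fields.get("stat", "").startswith("Sent")
        return "sent-to-remote" if sent else "remote-not-sent"
    return "other"

def summarize(text):
    """Count entries per category across a whole maillog."""
    parsed = filter(None, map(parse, text.splitlines()))
    return Counter(classify(fields) for _, fields in parsed)

if __name__ == "__main__":
    for kind, n in summarize(SAMPLE).items():
        print(f"{n:4d}  {kind}")
```

Both lines from the post fall into the loopback categories (root to root on the same machine); entries counted as accepted-from-remote or sent-to-remote are the ones to look at when checking whether a box relayed mail for someone else.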
 
Old 08-22-2005, 08:14 PM   #6
mickeyboa
Senior Member
 
Registered: May 2004
Location: Indianapolis, Indiana
Distribution: FC-KDE, 32 and 64 bit
Posts: 1,721

Original Poster
Rep: Reputation: 68
What is port 5353? It doesn't show up in /etc/services.
To put it bluntly, what does this rule mean?
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT

Jim

Last edited by mickeyboa; 08-22-2005 at 08:34 PM.
 
Old 08-22-2005, 08:48 PM   #7
homey
Senior Member
 
Registered: Oct 2003
Posts: 3,057

Rep: Reputation: 61
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT

-p protocol is udp
--dport is destination port, in this case 5353
-d 224.0.0.251 is the destination ip address
-j ACCEPT accept anything that matches the above

If you didn't put that in there, I would be concerned unless you have some program which needs that.

On my box, I'm not using any mail servers so maillog is totally empty.

What did you see from the command: chkrootkit
 
Old 08-22-2005, 09:04 PM   #8
NetRAVEN5000
Member
 
Registered: May 2005
Distribution: Ubuntu 9.04
Posts: 320

Rep: Reputation: 30
Quote:
Originally posted by mickeyboa
I don't use $Windows, I only use Linux Fedora4 for my Email.

Jim
Yes, I understand that - you said that before.
What I was saying was that someone else who does use Windows - and has your e-mail address in their Address Book - could have one of these "spambots" installed on their computer. Since the "spambot" uses e-mail address "spoofing" by putting your e-mail address in the "From:" line of the e-mail, it makes it appear that the e-mail came from you.
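
An added example (not from the thread) of the "From:" spoofing described in posts #2 and #8, seen from the receiving side: it compares the claimed From: address with the envelope Return-Path and walks the Received: headers, believing only hops stamped by a trusted mail domain. The message, hosts, addresses and IPs are all constructed, and `.isp.example` stands in for the reader's own provider.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# CONSTRUCTED message: every host, address and IP here is made up.
RAW = """\
Return-Path: <bounce@bulk.example.net>
Received: from mx.isp.example (mx.isp.example [198.51.100.10])
    by mailstore.isp.example with ESMTP id A1; Sun, 21 Aug 2005 20:00:05 -0500
Received: from unknown (HELO pc) ([203.0.113.77])
    by mx.isp.example with SMTP id B2; Sun, 21 Aug 2005 20:00:03 -0500
Received: from mail.isp.example ([192.0.2.1])
    by relay.bulk.example.net with SMTP; Sun, 21 Aug 2005 19:59:00 -0500
From: "Jim" <jim@isp.example>
To: someone@example.org
Subject: constructed sample

body
"""

# "from <name> ... [ip] ... by <host>" as commonly written in Received: lines.
HOP = re.compile(r"from\s+(\S+).*?\[([0-9A-Fa-f.:]+)\].*?\bby\s+(\S+)", re.S)

def trace(raw, trusted_suffix):
    """Report the claimed sender and the last hop a trusted server recorded."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1]
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    handoff = None
    for value in msg.get_all("Received", []):      # newest hop first
        m = HOP.search(value)
        if not m or not m.group(3).lower().endswith(trusted_suffix):
            break    # written by a host we do not trust: may be forged
        handoff = {"name": m.group(1), "ip": m.group(2), "by": m.group(3)}
    return {
        "claimed_from": claimed,
        "return_path": envelope,
        "from_matches_envelope": claimed.lower() == envelope.lower(),
        "handoff": handoff,   # who handed the mail to the trusted servers
    }

if __name__ == "__main__":
    print(trace(RAW, ".isp.example"))
```

The oldest Received: line in the sample names the provider's domain but was written by an untrusted host, so the walk stops before it and reports the IP that the provider's own server logged.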
 
Old 08-23-2005, 06:05 AM   #9
mickeyboa
Senior Member
 
Registered: May 2004
Location: Indianapolis, Indiana
Distribution: FC-KDE, 32 and 64 bit
Posts: 1,721

Original Poster
Rep: Reputation: 68
Chkrootkit, no worms found or anything infected, or any rootkits found.

Jim
 
Old 08-23-2005, 07:24 AM   #10
theYinYeti
Senior Member
 
Registered: Jul 2004
Location: France
Distribution: Arch Linux
Posts: 1,897

Rep: Reputation: 66
Port 5353 is nothing to worry about
This port is for Multicast DNS (Google for "ZeroConf", "tmdns", "mDNSresponder"...).

Yves.
 
Old 08-23-2005, 11:39 AM   #11
homey
Senior Member
 
Registered: Oct 2003
Posts: 3,057

Rep: Reputation: 61
Quote:
Chkrootkit, no worms found or anything infected, or any rootkits found.
That's good. You can find some great tips on iptables at http://www.linuxguruz.com/iptables/ .
If you don't feel comfy rolling your own yet, you can use the GUI tool called firestarter, which makes it easy to set up a firewall and internet sharing.

Now that you have sendmail and extra services stopped, I would call or email your ISP and ask them if everything checks out ok and would they keep me informed if something happens.
 
  


All times are GMT -5.