Fedora This forum is for the discussion of the Fedora Project. |
08-21-2005, 08:16 PM
|
#1
|
Senior Member
Registered: May 2004
Location: Indianapolis, Indiana
Distribution: FC-KDE, 32 and 64 bit
Posts: 1,721
Rep:
|
Spam email
Anyone ever get an email like this from their ISP? It is coming from my Fedora4 box.
Any ideas? I don't use $Windows
Jim
We have detected that your account was used to send a large amount of spam messages during the last week.
We recommend that you follow instructions in order to keep your computer safe.
Best regards,
The sbcglobal.net team.
|
|
|
08-21-2005, 11:32 PM
|
#2
|
Member
Registered: May 2005
Distribution: Ubuntu 9.04
Posts: 320
Rep:
|
Yeah, I've seen that before.
Here's what's happening: Windows, with its many holes, actually has "spambots" that infect one's computer and generate spam. They use "spoofing" to hide the true sender's e-mail address (so that *his* e-mail provider doesn't get suspicious) and make it appear as though someone else sent it. Usually it picks this e-mail address randomly from the user's Outlook Address Book. Since it's using your e-mail address, it appears that the spam came from you.
However, since you didn't send it, there's not much you can do about it other than to tell everyone who knows your e-mail address to update their spyware detectors or to switch to Linux or Mac OS. Unless you can find out who actually sent the spam (which is technically possible, but I'm sure it's not easy and takes a while).
|
|
|
08-22-2005, 05:26 AM
|
#3
|
Senior Member
Registered: May 2004
Location: Indianapolis, Indiana
Distribution: FC-KDE, 32 and 64 bit
Posts: 1,721
Original Poster
Rep:
|
I don't use $Windows, I only use Linux Fedora4 for my Email.
Jim
|
|
|
08-22-2005, 06:24 AM
|
#4
|
Senior Member
Registered: Oct 2003
Posts: 3,057
Rep:
|
There may be someone tapped into your system, just using your mail server as a relay. I would run chkrootkit while most stuff like firefox is shut down. If you find a problem there, it may be easier to reload and tighten up your firewall.
Also, shut off any services which you don't need. If you are not using a mail server like sendmail, then you don't need it installed / running.
If you run the command:
chkconfig --list
or the GUI tool system-config-services, you should be able to shut down the unused stuff.
|
|
|
08-22-2005, 07:00 PM
|
#5
|
Senior Member
Registered: May 2004
Location: Indianapolis, Indiana
Distribution: FC-KDE, 32 and 64 bit
Posts: 1,721
Original Poster
Rep:
|
I have 5 different maillogs in /var/log/maillog dating all the way back to Jul 25 up to present. It appears that sendmail has been busy.
I leave my computer running all the time. mickeyboy is the hostname of my box and the router is gateway.2wire, hooked to SBC DSL, as you can see below. Can someone tell me what this means below? I have shown just two different dates since Jul 25. I have uninstalled sendmail; it wasn't even enabled in Services for runlevel 5 but it was enabled in runlevels 2, 3, 4.
Jul 25 04:02:06 mickeyboy sendmail[9895]: j6P9260l009895: from=root, size=3083, class=0, nrcpts=1, msgid=<200507250902.j6P9260l009895@mickeyboy.gateway.2wire.net>, relay=root@localhost
Aug 18 04:02:06 mickeyboy sendmail[13220]: j7I926QL013220: to=root, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=31713, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
|
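A way to triage maillog entries like the two quoted in the post above, added here as an example and not part of any poster's reply: it groups sendmail lines by queue ID and separates mail that never left the machine from mail accepted from a remote host and delivered onward. The first two sample lines are the thread's own entries; the last two, and the function names, are constructed for illustration.

```python
import re
from collections import defaultdict

# Lines 1-2 are the entries quoted in the thread; lines 3-4 are constructed
# (documentation addresses) to show what a relayed message would look like.
SAMPLE = """\
Jul 25 04:02:06 mickeyboy sendmail[9895]: j6P9260l009895: from=root, size=3083, class=0, nrcpts=1, msgid=<200507250902.j6P9260l009895@mickeyboy.gateway.2wire.net>, relay=root@localhost
Aug 18 04:02:06 mickeyboy sendmail[13220]: j7I926QL013220: to=root, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=31713, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Aug 01 13:10:44 mickeyboy sendmail[2211]: j71IAi01002211: from=<a@example.org>, size=4100, class=0, nrcpts=40, msgid=<x@example.org>, proto=SMTP, relay=[203.0.113.9]
Aug 01 13:10:46 mickeyboy sendmail[2213]: j71IAi01002211: to=<b@example.net>, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=124100, relay=mx.example.net. [198.51.100.7], dsn=2.0.0, stat=Sent (ok)
"""

ENTRY = re.compile(r"sendmail\[\d+\]: (\w+): (.*)$")
FIELD = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")

def is_local(relay):
    """True when the peer named in relay= is this machine itself."""
    return "localhost" in relay or "127.0.0.1" in relay

def triage(log_text):
    """Map each sendmail queue ID to 'local-only', 'outbound' or 'relayed'."""
    seen = defaultdict(lambda: {"remote_origin": False, "sent_out": False})
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        qid, rest = m.groups()
        fields = dict(FIELD.findall(rest))
        if "relay" not in fields:
            continue
        state = seen[qid]
        if "from" in fields:
            # from= line: relay= is where the message was accepted from
            state["remote_origin"] = not is_local(fields["relay"])
        elif "to" in fields and fields.get("stat", "").startswith("Sent"):
            # to= line: relay= is where the message was delivered to
            state["sent_out"] |= not is_local(fields["relay"])
    verdicts = {}
    for qid, state in seen.items():
        if state["sent_out"]:
            verdicts[qid] = "relayed" if state["remote_origin"] else "outbound"
        else:
            verdicts[qid] = "local-only"
    return verdicts

if __name__ == "__main__":
    for qid, verdict in triage(SAMPLE).items():
        print(qid, verdict)
```

Both entries from the thread come out as local-only: root mailing root over localhost, with the second one deferred rather than sent.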
|
|
08-22-2005, 08:14 PM
|
#6
|
Senior Member
Registered: May 2004
Location: Indianapolis, Indiana
Distribution: FC-KDE, 32 and 64 bit
Posts: 1,721
Original Poster
Rep:
|
What is port 5353? It doesn't show up in /etc/services.
To put it bluntly, what does this rule mean?
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
Jim
Last edited by mickeyboa; 08-22-2005 at 08:34 PM.
|
|
|
08-22-2005, 08:48 PM
|
#7
|
Senior Member
Registered: Oct 2003
Posts: 3,057
Rep:
|
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-p protocol is udp
--dport is destination port, in this case 5353
-d 224.0.0.251 is the destination ip address
-j ACCEPT accept anything that matches the above
If you didn't put that in there, I would be concerned unless you have some program which needs that.
On my box, I'm not using any mail servers so maillog is totally empty.
What did you see from the command:
chkrootkit
|
|
|
08-22-2005, 09:04 PM
|
#8
|
Member
Registered: May 2005
Distribution: Ubuntu 9.04
Posts: 320
Rep:
|
Quote:
Originally posted by mickeyboa
I don't use $Windows, I only use Linux Fedora4 for my Email.
Jim
|
Yes, I understand that - you said that before.
What I was saying was that someone else who does use Windows - and has your e-mail address in their Address Book - could have one of these "spambots" installed on their computer. Since the "spambot" uses e-mail address "spoofing" by putting your e-mail address in the "From:" line of the e-mail, it makes it appear that the e-mail came from you.
|
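The spoofing described in the post above can be checked from a copy of one of the offending messages. This added example (not part of any poster's reply) ignores the From: line and walks the Received: headers from the newest down, trusting only those written by the mail provider's own servers; the last trusted header names the IP that actually handed the message over. The message, the host names and the `trusted_suffix` parameter are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: every host, address and ID below is a documentation value.
RAW = """\
Received: from mx1.isp.example (mx1.isp.example [192.0.2.10])
\tby mailstore.isp.example with ESMTP id A1; Mon, 22 Aug 2005 09:00:02 -0500
Received: from dsl-77.other.example (unknown [198.51.100.77])
\tby mx1.isp.example with SMTP id B2; Mon, 22 Aug 2005 09:00:01 -0500
Received: from mickeyboy (localhost [127.0.0.1])
\tby relay.forged.example with SMTP id C3; Mon, 22 Aug 2005 08:59:00 -0500
From: Jim <jim@isp.example>
To: someone@isp.example
Subject: constructed sample

body
"""

# "from HELO (rdns [ip]) by HOST": HELO is sender-supplied, ip is what HOST saw.
HOP = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def true_origin(raw, trusted_suffix):
    """Return the claimed From: address and the last hop a trusted host logged."""
    msg = message_from_string(raw)
    origin = None
    # Each server prepends its Received: header, so the list runs newest first.
    for header in msg.get_all("Received", []):
        m = HOP.search(header)
        if not m or not m.group(3).endswith(trusted_suffix):
            break  # written by a host we cannot vouch for: may be forged
        origin = {"helo": m.group(1), "ip": m.group(2), "logged_by": m.group(3)}
    return {"claimed_from": parseaddr(msg.get("From", ""))[1], "origin": origin}

if __name__ == "__main__":
    print(true_origin(RAW, ".isp.example"))
```

If the IP in `origin` is not the address your own connection had at that time, the message did not come from your machine, whatever the From: line says.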
|
|
08-23-2005, 06:05 AM
|
#9
|
Senior Member
Registered: May 2004
Location: Indianapolis, Indiana
Distribution: FC-KDE, 32 and 64 bit
Posts: 1,721
Original Poster
Rep:
|
Chkrootkit, no worms found or anything infected, or any rootkits found.
Jim
|
|
|
08-23-2005, 07:24 AM
|
#10
|
Senior Member
Registered: Jul 2004
Location: France
Distribution: Arch Linux
Posts: 1,897
Rep:
|
Port 5353 is nothing to worry about
This port is for Multicast DNS (Google for "ZeroConf", "tmdns", "mDNSresponder"...).
Yves.
|
|
|
08-23-2005, 11:39 AM
|
#11
|
Senior Member
Registered: Oct 2003
Posts: 3,057
Rep:
|
Quote:
Chkrootkit, no worms found or anything infected, or any rootkits found.
|
That's good. You can find some great tips on iptables at http://www.linuxguruz.com/iptables/ .
If you don't feel comfy rolling your own yet, you can use the GUI tool called firestarter which makes it easy to set up a firewall and internet sharing.
Now that you have sendmail and extra services stopped, I would call or email your ISP and ask them if everything checks out ok and would they keep me informed if something happens.
|
|
|