big headache: track down problem on my sendmail
inussd 2004-03-11, 12:34 am
I just found hundreds of sendmail processes pop up on my SUN server;
the following are some of the syslog entries. Is there any way I can track
down who/which process is sending out so much junk email within
our network (with firewall)? Is it possible that some virus is going on
in my server/network?
Our Exchange email server points to this Sun machine for the outgoing SMTP
mail; is it possible that one of our PCs is the one to blame?
Thanks
Mar 10 14:34:51 my_machine_name sendmail[189]: i277JT317677: to=, delay=3+15:15:22, xdelay=00:00:01, mailer=esmtp, pri=27840728, relay=wherehasmylovelifegone.com. [211.99.38.55], dsn=4.0.0, stat=Deferred: Connection refused by wherehasmylovelifegone.com.
Mar 10 14:34:51 my_machine_name sendmail[189]: i276vL317440: to=, delay=3+15:37:30, xdelay=00:00:00, mailer=esmtp, pri=27930427, relay=218.106.114.212., dsn=4.0.0, stat=Deferred: Connection refused by 218.106.114.212.
Mar 10 14:34:51 my_machine_name sendmail[189]: i276sR317410: to=, delay=3+15:40:24, xdelay=00:00:00, mailer=esmtp, pri=28020428, relay=218.106.114.212., dsn=4.0.0, stat=Deferred: Connection refused by 218.106.114.212.
Mar 10 14:34:51 my_machine_name sendmail[189]: i276n9317365: to=<18bqevujbs@lookingforlostsouls.com>, delay=3+15:45:42, xdelay=00:00:00, mailer=esmtp, pri=28020547, relay=lookingforlostsouls.com. [202.102.245.125], dsn=4.0.0, stat=Deferred: Connection refused by lookingforlostsouls.com.
Mar 10 14:34:51 my_machine_name sendmail[189]: i276mY317361: to=, delay=3+15:46:17, xdelay=00:00:00, mailer=esmtp, pri=27932726, relay=218.106.116.147., dsn=4.0.0, stat=Deferred: Connection refused by 218.106.116.147.
Mar 10 14:34:51 my_machine_name sendmail[189]: i275iC316872: to=, delay=3+16:50:39, xdelay=00:00:00, mailer=esmtp, pri=28111003, relay=virtual.finland.fi., dsn=4.0.0, stat=Deferred: Connection timed out with virtual.finland.fi.
Mar 10 14:34:52 my_machine_name sendmail[189]: i276UB317195: to=, delay=3+16:04:41, xdelay=00:00:00, mailer=esmtp, pri=28120464, relay=bounceto.activeconsumer.net., dsn=4.0.0, stat=Deferred: Connection refused by bounceto.activeconsumer.net.
Mar 10 14:34:52 my_machine_name sendmail[189]: i275uZ316958: to=, delay=3+16:38:17, xdelay=00:00:00, mailer=esmtp, pri=28290410, relay=218.106.114.212., dsn=4.0.0, stat=Deferred: Connection refused by 218.106.114.212.
Mar 10 14:34:53 my_machine_name sendmail[8276]: ypbind client: can't get rdev
Mar 10 14:34:54 my_machine_name sendmail[8276]: i2AMYq308276: from=, size=3547, class=0, nrcpts=1, msgid=<200403102234.i2AMYq308276@my_machine_name.dgt.com>, proto=ESMTP, daemon=MTA, relay=genewall [199.106.225.100]
Mar 10 14:34:54 my_machine_name sendmail[8277]: ypbind client: can't get rdev
Mar 10 14:34:54 my_machine_name sendmail[8277]: i2AMYq308276: forward /export/home/pcguest/.forward.my_machine_name+: Group writable directory
Mar 10 14:34:54 my_machine_name sendmail[8277]: i2AMYq308276: forward /export/home/pcguest/.forward+: Group writable directory
Mar 10 14:34:54 my_machine_name sendmail[8277]: i2AMYq308276: forward /export/home/pcguest/.forward.my_machine_name: Group writable directory
Mar 10 14:34:54 my_machine_name sendmail[8277]: i2AMYq308276: forward /export/home/pcguest/.forward: Group writable directory
Mar 10 14:34:55 my_machine_name sendmail[8277]: i2AMYq308276: to=pcguest, delay=00:00:02, xdelay=00:00:01, mailer=local, pri=33163, dsn=2.0.0, stat=Sent
Mar 10 14:35:10 my_machine_name sendmail[8285]: ypbind client: can't get rdev
Mar 10 14:35:12 my_machine_name sendmail[8285]: i2AMZA308285: from=, size=10425, class=0, nrcpts=1, msgid=<20040310223508.43524.qmail@web80505.mail.yahoo.com>, proto=SMTP, daemon=MTA, relay=genewall [199.106.225.100]
Mar 10 14:35:12 my_machine_name sendmail[8286]: ypbind client: can't get rdev
Mar 10 14:35:12 my_machine_name sendmail[8286]: i2AMZA308285: to=linda@crick, delay=00:00:02, xdelay=00:00:00, mailer=esmtp, pri=39659, relay=crick.dgtdomain. [199.106.225.10], dsn=2.0.0, stat=Sent ( <20040310223508.43524.qmail@web80505.mail.yahoo.com> Queued mail for delivery)
Mar 10 14:35:14 my_machine_name sendmail[3983]: i29Acb314997: to=<6400@2714.emailhardworker.com>, delay=1+11:56:37, xdelay=00:03:44, mailer=esmtp, pri=9211065, relay=2714.emailhardworker.com. [69.6.57.7],
Davide Bianchi 2004-03-11, 1:34 am
inussd <chenlg@hotmail.com> wrote:
> Our Exchange email server points to this Sun machine for the outgoing SMTP
> mail; is it possible that one of our PCs is the one to blame?
There are two possibilities: 1) one of your Win PCs has been infected
by a virus or 2) you are receiving SPAM and your Exponge server is
trying to send away 'user does not exist' error messages to
non-existent domains/users (common trick for spammers).
Check the _incoming_ mail for 2) and run antivirus for 1).
Davide
--
| I gave up Smoking, Drinking and Sex. It was the most *horrifying* 20
| minutes of my life!
phn@icke-reklam.ipsec.nu 2004-03-11, 1:34 am
inussd <chenlg@hotmail.com> wrote:
> I just found hundreds of sendmail processes pop up on my SUN server;
> the following are some of the syslog entries. Is there any way I can track
> down who/which process is sending out so much junk email within
> our network (with firewall)? Is it possible that some virus is going on
> in my server/network?
Possible, hard to say without examining the mail(s) in detail.
Read some of the mails in the queue-dir and find out what type of
mails you send.
> Our Exchange email server points to this Sun machine for the outgoing SMTP
> mail; is it possible that one of our PCs is the one to blame?
Quite possible, there is about a zillion ways to root a wintendo box
and have it become a spam-sender.
> Thanks
( logsnippets removed )
--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
Doug Freyburger 2004-03-11, 10:38 am
inussd wrote:
> Mar 10 14:34:51 my_machine_name sendmail[189]: i277JT317677: to=, delay=3+15:15:22, xdelay=00:00:01, mailer=esmtp, pri=27840728, relay=wherehasmylovelifegone.com. [211.99.38.55], dsn=4.0.0, stat=Deferred: Connection refused by wherehasmylovelifegone.com.
Relay. Bingo. *Someone* is trying to use your machine as a relay
to send spam. The question becomes internal or external. Where
is 211.99.38.55?
> Mar 10 14:34:51 my_machine_name sendmail[189]: i276mY317361: to=, delay=3+15:46:17, xdelay=00:00:00, mailer=esmtp, pri=27932726, relay=218.106.116.147., dsn=4.0.0, stat=Deferred: Connection refused by 218.106.116.147.
Deferred *can* mean the message is stored locally. Look in
/var/spool/mqueue for files with i276mY317361 in their name and
read their headers carefully to see if any of your local IP
numbers appear in any of the lines.
> Mar 10 14:34:54 my_machine_name sendmail[8277]: i2AMYq308276: forward /export/home/pcguest/.forward.my_machine_name+: Group writable directory
Time to take a look at that account!
> Mar 10 14:35:12 my_machine_name sendmail[8286]: i2AMZA308285: to=linda@crick, delay=00:00:02, xdelay=00:00:00, mailer=esmtp, pri=39659, relay=crick.dgtdomain. [199.106.225.10], dsn=2.0.0, stat=Sent ( <20040310223508.43524.qmail@web80505.mail.yahoo.com> Queued mail for delivery)
Queued. Another bingo. Look in /var/spool/mqueue for files with
i2AMZA308285 in their name and investigate any local machine whose
IP number appears in the headers.
If it's remote, and if it's only one remote host, have your firewall
drop all traffic from that host for a month. Big ifs, but if you're
lucky it's easy.
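The triage Doug describes, written out as an added shell example that is not part of the thread: tally the Deferred deliveries per relay from sendmail syslog lines, collect their queue IDs, and pull the IP addresses out of the Received: headers of the matching qf control files in the queue directory. It assumes the standard sendmail qf layout (each header on an H line, folded continuation lines indented); the log lines, the queue file and the "10." local prefix are constructed sample data.

```shell
# Added example (not from the thread). The maillog, qf file and the
# "local" prefix 10. below are constructed sample data.
WORK=$(mktemp -d)
cat > "$WORK/maillog" <<'EOF'
Mar 10 14:34:51 host sendmail[189]: i277JT317677: to=<a@example.test>, delay=3+15:15:22, mailer=esmtp, relay=wherehasmylovelifegone.com. [211.99.38.55], dsn=4.0.0, stat=Deferred: Connection refused by wherehasmylovelifegone.com.
Mar 10 14:34:51 host sendmail[189]: i276vL317440: to=<b@example.test>, delay=3+15:37:30, mailer=esmtp, relay=218.106.114.212., dsn=4.0.0, stat=Deferred: Connection refused by 218.106.114.212.
Mar 10 14:34:51 host sendmail[189]: i276sR317410: to=<c@example.test>, delay=3+15:40:24, mailer=esmtp, relay=218.106.114.212., dsn=4.0.0, stat=Deferred: Connection refused by 218.106.114.212.
Mar 10 14:35:12 host sendmail[8286]: i2AMZA308285: to=linda@crick, delay=00:00:02, mailer=esmtp, relay=crick.dgtdomain. [199.106.225.10], dsn=2.0.0, stat=Sent (Queued mail for delivery)
EOF
# Constructed qf control file: sendmail keeps each header on an H line
# (H??Received: ...), with folded continuation lines indented.
cat > "$WORK/qfi276vL317440" <<'EOF'
V8
Sjunk@example.test
RPFD:b@example.test
H??Received: from pc17 (pc17.corp.test [10.1.2.17])
        by host (8.12.10/8.12.10) with SMTP id i276vL317440
H??From: junk@example.test
EOF
# Deferred deliveries per relay, busiest first, as "count relay" lines.
deferred_by_relay() {   # $1 = syslog file
    grep 'stat=Deferred' "$1" | sed -n 's/.*relay=\([^ ,]*\).*/\1/p' |
        sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Queue IDs of Deferred messages: the token after "sendmail[pid]: ".
deferred_queue_ids() {  # $1 = syslog file
    grep 'stat=Deferred' "$1" |
        sed -n 's/.*sendmail\[[0-9]*\]: \([A-Za-z0-9]*\):.*/\1/p' | sort -u
}

# IPv4 addresses found in the Received: headers of queue file qf<ID>.
received_ips() {        # $1 = queue dir, $2 = queue id
    f="$1/qf$2"
    [ -r "$f" ] || { echo "no queue file for $2" >&2; return 1; }
    awk '/^H/ { keep = ($0 ~ /Received:/) } keep' "$f" |
        grep -o '[0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}' | sort -u
}

# Only the addresses inside a local prefix such as "10." or "192.168."
local_ips() {           # $1 = queue dir, $2 = queue id, $3 = local prefix
    received_ips "$1" "$2" | grep "^$(printf '%s' "$3" | sed 's/\./\\./g')"
}

deferred_by_relay "$WORK/maillog"
for id in $(deferred_queue_ids "$WORK/maillog"); do
    local_ips "$WORK" "$id" "10." 2>/dev/null | sed "s/^/$id came from inside: /"
done
```

On a real system point the functions at /var/log/syslog (or wherever sendmail logs) and /var/spool/mqueue; a queue ID with no qf file has already left the queue, so only the log tells you where it came from.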