Hi, ok, here I attached a relevant piece of the logfile.
A few things you should know:

jon00793.speed.planet.nl is the name the provider gave this internet connection
sacred-key.org is the name I chose myself for this machine
onix.sacred-key.org is the machine itself

Mail is sent with sender '[EMAIL PROTECTED]'. This ('hrenzen.doc') is not a user on the system. A computer attached to that network (locally, domain=sacred-key.org, ip-range=192.168.0.*) had been affected by a virus which sends random pieces of text documents to people we do not know. Then you see 8 addresses this message is sent to. These are the people that complained about getting 20 mails a day.

Below that, you see a connection incoming from 194.151.193.83. This looks suspicious. I have no idea what this does. It seems that it tries to send a message, but stores it for about an hour before really doing it. I traced this address down to: rt-dc2-ias-ar13.nl.kpn.net (195.190.236.78); before that, traceroute only showed ***. This contacting and sending of mail is repeated every hour.

I have no idea why Postfix accepts mail from that address. It is configured as a mail relay for sending mail from local clients (all have set domain to 'sacred-key.org' and IPs 192.168.0.1, etc.). I have only configured Postfix explicitly to relay for sending mail with sender '[EMAIL PROTECTED]' with:

luser_relay = [EMAIL PROTECTED]
relay_domains = tudelft.nl

This is my mother's email address. I had to do this because their ISP account (conceptsfa.nl) was not very stable, but the other (more stable) ISP (tudelft.nl) that I installed later did not relay mail for the domain conceptsfa.nl, so I configured my server to send their mail with.

Now comes the strange part: soon after the virus became vital, Postfix (I guess) decided to give some mails as sender '[EMAIL PROTECTED]' and link this address to '[EMAIL PROTECTED]', so everything that is sent to 'hrenzen.doc' is delivered to '[EMAIL PROTECTED]'. Why does Postfix do this?
I am sure that my mother's computer does not contain a virus because the computer crashed a few weeks ago, so I keep an eye on the mail.

Thanks for reading all of this, I am very curious about what happened.

Sebastiaan

On Wed, 25 Apr 2001, Joe 'Zonker' Brockmeier wrote:

> On Wed, 25 Apr 2001, Sebastiaan wrote:
> > I have reason to believe that my computer is used as a relay host for
> > spam. Walking through the logs, I found one ip number which has no ip
> > name, but it connects the computer every hour or so and sends some mail.
>
> Could you post the log please? It might help a little bit.
>
> > I want to block this address, but I have not succeeded in configuring the
> > hosts.deny file correctly. This is what I have:
> >
> > hosts.allow: empty
> > hosts.deny:
> > ALL: 1.2.3.4
> > ALL: PARANOID
> >
> > where 1.2.3.4 is the spammers' address. I want to deny him smtp access (or
> > all access to this machine).
> >
> > I tried to do this with my own ip, but I was still able to connect to port
> > 25. Telnet access was forbidden however.
> >
> > I use Postfix as maildaemon.
>
> You can find the Postfix faq here:
> http://www.postfix.org/faq.html
>
> It may give you the answer you're looking for. Also, you might want
> to track down the ISP for the IP that you believe is using your
> box as a relay. This is illegal, and I believe in many states you
> can prosecute the spammer, which I heartily encourage you to do.
> They are abusing your network and resources, as well as inflicting
> unwanted intrusions on a large number of other folks - if you lack
> the resources/expertise to track them down, please post the IP to
> the list rather than protecting them and allow someone from the list
> to do it.
>
> Take care,
>
> Zonker
> --
> Joe 'Zonker' Brockmeier -=- [EMAIL PROTECTED]
> http://www.ZonkerBooks.net/ -=- ICQ: 43599611
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Friends help you move. Real friends help you move bodies.
Apr 22 06:55:01 onix postfix/pickup[21378]: 9E13C17C23: uid=0 from=<root>
Apr 22 06:55:02 onix postfix/cleanup[26465]: 9E13C17C23: message-id=<[EMAIL PROTECTED]>
Apr 22 06:55:02 onix postfix/qmgr[20169]: 9E13C17C23: from=<[EMAIL PROTECTED]>, size=599 (queue active)
Apr 22 06:55:03 onix postfix/local[26467]: 9E13C17C23: to=<[EMAIL PROTECTED]>, relay=local, delay=3, status=sent ("|/usr/bin/procmail")
Apr 22 06:59:40 onix postfix/smtpd[26470]: connect from murphy.debian.org[216.234.231.6]
Apr 22 06:59:40 onix postfix/smtpd[26470]: DCFBB1728B: client=murphy.debian.org[216.234.231.6]
Apr 22 06:59:42 onix postfix/cleanup[26471]: DCFBB1728B: message-id=<[EMAIL PROTECTED]>
Apr 22 06:59:42 onix postfix/cleanup[26471]: DCFBB1728B: resent-message-id=<[EMAIL PROTECTED]>
Apr 22 06:59:42 onix postfix/qmgr[20169]: DCFBB1728B: from=<[EMAIL PROTECTED]>, size=3576 (queue active)
Apr 22 06:59:42 onix postfix/smtpd[26470]: disconnect from murphy.debian.org[216.234.231.6]
Apr 22 06:59:43 onix postfix/local[26473]: DCFBB1728B: to=<[EMAIL PROTECTED]>, relay=local, delay=3, status=sent ("|/usr/bin/procmail")
Apr 22 07:07:46 onix postfix/qmgr[20169]: 46EC81792A: from=<[EMAIL PROTECTED]>, size=63332 (queue active)
Apr 22 07:07:47 onix postfix/qmgr[20169]: 81C171792B: from=<[EMAIL PROTECTED]>, size=62772 (queue active)
Apr 22 07:07:49 onix postfix/smtp[26479]: 46EC81792A: to=<[EMAIL PROTECTED]>, relay=mail.wxs.nl[195.121.6.51], delay=225040, status=deferred (lost connection with mail.wxs.nl[195.121.6.51] while sending message body)
Apr 22 07:07:49 onix postfix/smtp[26479]: 46EC81792A: to=<[EMAIL PROTECTED]>, relay=mail.wxs.nl[195.121.6.51], delay=225040, status=deferred (lost connection with mail.wxs.nl[195.121.6.51] while sending message body)
Apr 22 07:07:50 onix postfix/smtp[26479]: 46EC81792A: to=<[EMAIL PROTECTED]>, relay=mail.wxs.nl[195.121.6.51], delay=225040, status=deferred (lost connection with mail.wxs.nl[195.121.6.51] while sending message body)
Apr 22 07:07:50 onix postfix/smtp[26479]: 46EC81792A: to=<[EMAIL PROTECTED]>, relay=mail.wxs.nl[195.121.6.51], delay=225041, status=deferred (lost connection with mail.wxs.nl[195.121.6.51] while sending message body)
Apr 22 07:07:50 onix postfix/smtp[26480]: 81C171792B: to=<[EMAIL PROTECTED]>, relay=mail.wxs.nl[195.121.6.51], delay=215374, status=deferred (lost connection with mail.wxs.nl[195.121.6.51] while sending message body)
Apr 22 07:07:51 onix postfix/smtp[26480]: 81C171792B: to=<[EMAIL PROTECTED]>, relay=mail.wxs.nl[195.121.6.51], delay=215374, status=deferred (lost connection with mail.wxs.nl[195.121.6.51] while sending message body)
Apr 22 07:07:51 onix postfix/smtp[26480]: 81C171792B: to=<[EMAIL PROTECTED]>, relay=mail.wxs.nl[195.121.6.51], delay=215375, status=deferred (lost connection with mail.wxs.nl[195.121.6.51] while sending message body)
Apr 22 07:07:51 onix postfix/smtp[26480]: 81C171792B: to=<[EMAIL PROTECTED]>, relay=mail.wxs.nl[195.121.6.51], delay=215375, status=deferred (lost connection with mail.wxs.nl[195.121.6.51] while sending message body)
Apr 22 07:08:01 onix postfix/smtpd[26483]: connect from unknown[194.151.193.83]
Apr 22 07:08:01 onix postfix/smtpd[26483]: 9C7121728B: client=unknown[194.151.193.83]
Apr 22 07:08:01 onix postfix/cleanup[26484]: 9C7121728B: message-id=<[EMAIL PROTECTED]>
Apr 22 07:08:02 onix postfix/qmgr[20169]: 9C7121728B: from=<>, size=1134 (queue active)
Apr 22 07:08:02 onix postfix/smtpd[26483]: disconnect from unknown[194.151.193.83]
Apr 22 07:08:02 onix postfix/cleanup[26484]: 93A6717C23: message-id=<[EMAIL PROTECTED]>
Apr 22 07:08:02 onix postfix/qmgr[20169]: 93A6717C23: from=<>, size=1276 (queue active)
Apr 22 07:08:02 onix postfix/local[26485]: 9C7121728B: to=<[EMAIL PROTECTED]>, relay=local, delay=1, status=sent (forwarded as 93A6717C23)
Apr 22 07:08:03 onix postfix/smtp[26479]: 93A6717C23: to=<[EMAIL PROTECTED]>, relay=mail.wxs.nl[195.121.6.51], delay=1, status=sent (250 Message received: GC6GXE03.JMT)
Apr 22 07:48:06 onix postfix/smtpd[26495]: connect from murphy.debian.org[216.234.231.6]
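A small log correlator, added here as an example and not part of the post or of Postfix, that groups the quoted log lines by queue ID and follows the "forwarded as" link: it shows that the hourly connection from unknown[194.151.193.83] delivers a null-sender (from=<>) message, i.e. a bounce, which local delivery then re-queues and sends off-box via mail.wxs.nl, and it lists the messages that have sat deferred in the queue for days. The sample input is a subset of the log above with its redacted addresses kept as they appear there.

```python
import re
from collections import defaultdict
# Constructed sample: a subset of the log quoted in the post, with the addresses
# left redacted as [EMAIL PROTECTED] exactly as they appear there.
SAMPLE_LOG = """\
Apr 22 07:07:49 onix postfix/smtp[26479]: 46EC81792A: to=<[EMAIL PROTECTED]>, relay=mail.wxs.nl[195.121.6.51], delay=225040, status=deferred (lost connection with mail.wxs.nl[195.121.6.51] while sending message body)
Apr 22 07:08:01 onix postfix/smtpd[26483]: connect from unknown[194.151.193.83]
Apr 22 07:08:01 onix postfix/smtpd[26483]: 9C7121728B: client=unknown[194.151.193.83]
Apr 22 07:08:02 onix postfix/qmgr[20169]: 9C7121728B: from=<>, size=1134 (queue active)
Apr 22 07:08:02 onix postfix/qmgr[20169]: 93A6717C23: from=<>, size=1276 (queue active)
Apr 22 07:08:02 onix postfix/local[26485]: 9C7121728B: to=<[EMAIL PROTECTED]>, relay=local, delay=1, status=sent (forwarded as 93A6717C23)
Apr 22 07:08:03 onix postfix/smtp[26479]: 93A6717C23: to=<[EMAIL PROTECTED]>, relay=mail.wxs.nl[195.121.6.51], delay=1, status=sent (250 Message received: GC6GXE03.JMT)
"""
# Lines that carry a queue ID; 'connect from' / 'disconnect from' lines have none and are skipped.
LINE_RE = re.compile(r"^\S+ +\d+ [\d:]+ \S+ postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
# key=<bracketed> or key=value, ended by a comma, end of line, the next key=, or "(status text)"
FIELD_RE = re.compile(r"([\w-]+)=(<[^>]*>|[^,]+?)(?:,|$| \(| (?=[\w-]+=))")

def parse(log_text):
    """Collapse the per-daemon lines into one record per Postfix queue ID."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = msgs[m["qid"]]
        for key, val in FIELD_RE.findall(m["rest"]):
            rec[key] = val.strip("<>")       # from=<> becomes the empty (bounce) sender
        fwd = re.search(r"forwarded as ([0-9A-F]+)", m["rest"])
        if fwd:
            rec["forwarded_as"] = fwd.group(1)   # local delivery re-queued the mail under a new ID
    return msgs

def relayed_bounces(msgs):
    """Null-sender mail from a client with no reverse DNS that was accepted, delivered
    locally and then re-sent off-box: (client, inbound qid, outbound qid, outbound relay)."""
    out = []
    for qid, rec in msgs.items():
        if rec.get("from") != "" or not rec.get("client", "").startswith("unknown["):
            continue
        nxt = msgs.get(rec.get("forwarded_as"), {})
        if nxt.get("status") == "sent" and nxt.get("relay") != "local":
            out.append((rec["client"], qid, rec["forwarded_as"], nxt["relay"]))
    return out

def stale_deferrals(msgs, max_delay=86400):
    """Queue IDs still deferred after more than max_delay seconds (default: one day)."""
    return sorted(q for q, r in msgs.items()
                  if r.get("status") == "deferred" and int(r.get("delay", 0)) > max_delay)
```

Run over the full log above, relayed_bounces() yields the 9C7121728B -> 93A6717C23 chain and stale_deferrals() the two virus messages (46EC81792A, 81C171792B) that have been retrying toward mail.wxs.nl for about two and a half days.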