I personally leaning towards that these headers are being modified and
that there is no spam leaving my box (I may be wrong of couse)
here is what I did to come up with that thought....
I sent myself an email
-bash-3.2# echo $$ | mail ale...@gmail.com
-bash-3.2#
through google headers I see follwoing:
Delivered-To: ale...@gmail.com
Received: by 10.68.60.97 with SMTP id g1cs121928pbr;
Mon, 15 Aug 2011 10:52:26 -0700 (PDT)
Received: from mr.google.com ([10.52.21.70])
by 10.52.21.70 with SMTP id t6mr5504300vde.56.1313430746298
(num_hops = 1);
Mon, 15 Aug 2011 10:52:26 -0700 (PDT)
Received: by 10.52.21.70 with SMTP id t6mr3999448vde.56.1313430745493;
Mon, 15 Aug 2011 10:52:25 -0700 (PDT)
Return-Path: <r...@alexus.org>
Received: from alexus.biz ([64.237.55.83])
by mx.google.com with ESMTPS id co6si13861841vdc.76.2011.08.15.10.52.23
(version=TLSv1/SSLv3 cipher=OTHER);
Mon, 15 Aug 2011 10:52:24 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning
r...@alexus.org does not designate 64.237.55.83 as permitted sender)
client-ip=64.237.55.83;
Authentication-Results: mx.google.com; spf=softfail (google.com:
domain of transitioning r...@alexus.org does not designate
64.237.55.83 as permitted sender) smtp.mail=r...@alexus.org
Received: from alexus.org (lama [64.237.55.83])
by alexus.biz (8.14.4/8.14.3) with ESMTP id p7FHqNvO049613
for <ale...@gmail.com>; Mon, 15 Aug 2011 13:52:23 -0400 (EDT)
(envelope-from r...@alexus.org)
Received: (from root@localhost)
by alexus.org (8.14.4/8.14.3/Submit) id p7FHqIl1049612
for ale...@gmail.com; Mon, 15 Aug 2011 13:52:18 -0400 (EDT)
(envelope-from root)
Date: Mon, 15 Aug 2011 13:52:18 -0400 (EDT)
From: Charlie Root <r...@alexus.org>
Message-Id: <201108151752.p7fhqil1049...@alexus.org>
To: ale...@gmail.com
49609
I see that whenever mail leaves my box (assuming it was left my box in
a standard way) I see sendmail involves in the process and I see
remote server tried to resolve my IP
while the "original" email that was provided to me by my ISP doesn't
have any of that... so that makes me think that nothing ever happened
on my box and that my IP in that original email was just manually
added there (without any emails ever leaving my box)
but then again here is scenario #2
a user connects to a remote server not using standard ways but making
a connection to remote webmail.west.cox.net directly (bypassing my
sendmail)
in that case my firewall rule should prevent this user from doing so ever again
then again doing so is not really resolving it (I still dont know
where its origin from, and thats what I want/need to find out)
I'm running apache httpd, so as far as I see it could be pretty much
any site that I host generate that kind of issue
so I'm back to square 1, how do I find it? if it's in php could be
famous base64_decode();/base64_encode();
and then good luck for locating one of that...
any other ideas?
On Mon, Aug 15, 2011 at 1:39 PM, Chuck Swiger <cswi...@mac.com> wrote:
> On Aug 15, 2011, at 10:05 AM, alexus wrote:
>> what else can I do to find it on my system who's trying to connect to
>> remote webmail.west.cox.net ?
>
> Monitor your network for SMTP traffic:
>
> tcpdump -nA -s 0 port 25
>
> If malware is sending out spam, you'll see it and can then use lsof or
> whatever to identify the specific user/process.
>
> Regards,
> --
> -Chuck
>
>
--
http://alexus.org/
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
