Chris Arnold put forth on 11/10/2009 7:56 PM:
> On 11/10/09 8:36 PM, "Stan Hoeppner" <s...@hardwarefreak.com> wrote:
>
>> Chris Arnold put forth on 11/10/2009 7:21 PM:
>>
>>> Don't want to post the whole pflogsumm file as 1 it is very long and 2 there
>>> are some things that don't need to be shared on a mailing list :)
>>> What are some things I should be looking for in the pflogsumm.pl report?
>> You should be concentrating your focus on the "Senders by message count"
>> section.
> That is what I thought (just wanted to make sure) and the high count is 166
> so I think I need to move on from someone sending spam from the mail server.

Do you have any PCs NAT/PAT'd behind the same IP as the mail server? Do you
perform egress blocking of TCP 25 on all internal IPs except the mail server?
This is a common way to get blacklisted--mail server and PCs behind the same
NAT'd public address, and a PC gets infected with botware.

--
Stan
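
One way to check for the situation described in the reply above, as an added example that is not part of the original thread: scan gateway firewall logs for internal hosts other than the mail server opening outbound TCP 25 connections. The addresses, the `SMTP-OUT` log prefix and the log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed addresses for illustration; the thread gives none.
MAIL_SERVER = ipaddress.ip_address("192.168.1.10")
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed, abbreviated netfilter LOG lines as a NAT gateway might record them.
SAMPLE_LOG = """\
Nov 10 19:01:02 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=41000 DPT=25 SYN
Nov 10 19:01:03 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.7 PROTO=TCP SPT=1044 DPT=25 SYN
Nov 10 19:01:03 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.9 PROTO=TCP SPT=1045 DPT=25 SYN
Nov 10 19:01:04 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.44 PROTO=TCP SPT=1046 DPT=25 SYN
Nov 10 19:01:05 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.80 DST=203.0.113.5 PROTO=TCP SPT=5001 DPT=443 SYN
Nov 10 19:01:06 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.80 DST=198.51.100.7 PROTO=TCP SPT=5002 DPT=25 SYN
Nov 10 19:01:07 gw kernel: SMTP-OUT IN=eth1 OUT=eth1 SRC=192.168.1.57 DST=192.168.1.10 PROTO=TCP SPT=1047 DPT=25 SYN
Nov 10 19:01:08 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=not-an-ip DST=198.51.100.7 PROTO=TCP SPT=1048 DPT=25 SYN
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def direct_smtp_senders(log_text, mail_server=MAIL_SERVER, internal=INTERNAL_NET):
    """Count outbound TCP 25 connection attempts per internal host, excluding the mail server."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != "25" or "SYN" not in line.split():
            continue
        try:
            src = ipaddress.ip_address(fields["SRC"])
            dst = ipaddress.ip_address(fields["DST"])
        except (KeyError, ValueError):
            continue  # skip malformed or truncated log lines
        # Only traffic leaving the LAN counts; clients relaying via the mail server are fine.
        if src in internal and dst not in internal and src != mail_server:
            hits[str(src)] += 1
    return hits

if __name__ == "__main__":
    for host, count in direct_smtp_senders(SAMPLE_LOG).most_common():
        print(f"{host}: {count} direct outbound SMTP attempts")
```

Any host this reports is a candidate for the infected PC in the scenario above, and is exactly the traffic an egress rule on TCP 25 would drop.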