
Can someone look at a maillog to see if I am relaying someone's m 2

Status
Not open for further replies.

bkonner

MIS
Apr 28, 2001
101
US
Hi,

I was hacked the other day. I fixed the problem, I hope, but I now know to check my logs more carefully. Anyway, I am running a Linux server with Sendmail. Here is a log that I find interesting:

My web server is cantonma.org.

What I don't get is the relay part. Am I relaying this stuff?

Mar 3 08:44:49 cantonma sendmail[25717]: g23DT0L25717: from=<bounce-10-adamse#cantonma.org@bostonherald.publishmail.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[64.39.30.253]

I also got this one, which may be interesting:

Mar 3 08:46:01 cantonma sendmail[25980]: g23DgFL25980: from=<bounce-11-adamse#cantonma.org@bostonherald.publishmail.com>, size=33872, class=0, nrcpts=1, msgid=<20020303.13003600.bounce-11-adamse#cantonma.org@bostonherald.publishmail.com>, bodytype=8BITMIME, proto=SMTP, daemon=MTA, relay=pm1.publishmail.com [64.39.30.253] (may be forged)

Thanks,

bkonner
 
You gotta be kidding me when you said these were sendmail logs;
the server itself is using qmail.
So..?
By the way, don't use telnet to administer your server.
It's like begging to be hacked since it sends the password in clear text; use SecureCRT instead.
 
Sure looks like Sendmail to me...

bostonherald.publishmail.com, on the other hand, doesn't seem to be running Sendmail... is that where you looked, Stingreen?

bkonner, it doesn't look like you're an open relay, at least, judging by a couple of attempts to send mail through your server. [If you see some suspicious log entries from 206.x.x.x, it was benign suspicious behavior.]

The address portion of the log entries does look kinda funny, but I don't think the relay information is saying that you're relaying the message; the IP given is the IP for pm1.publishmail.com, which would probably be correct for the relay to bostonherald.publishmail.com...
Matt
matt@paperlove.org
If I can help, I will.
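As an added illustration of Matt's point (this is not code from the thread): the relay= value on a from= record is the host that handed the message to your sendmail, so whether you relayed anything only shows up when that record is joined with the to= records sharing the same queue id. The parser below does that join over the two log lines from the post plus three constructed lines; the local domains and the trusted source addresses are assumptions.

```python
import re
from collections import defaultdict

# Sample log: the two from= lines quoted in the post, plus three constructed lines
# (a local delivery for the second message and an invented third message).
SAMPLE_LOG = """\
Mar 3 08:44:49 cantonma sendmail[25717]: g23DT0L25717: from=<bounce-10-adamse#cantonma.org@bostonherald.publishmail.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[64.39.30.253]
Mar 3 08:46:01 cantonma sendmail[25980]: g23DgFL25980: from=<bounce-11-adamse#cantonma.org@bostonherald.publishmail.com>, size=33872, class=0, nrcpts=1, msgid=<20020303.13003600.bounce-11-adamse#cantonma.org@bostonherald.publishmail.com>, bodytype=8BITMIME, proto=SMTP, daemon=MTA, relay=pm1.publishmail.com [64.39.30.253] (may be forged)
Mar 3 08:46:02 cantonma sendmail[25982]: g23DgFL25980: to=<adamse@cantonma.org>, delay=00:00:01, mailer=local, dsn=2.0.0, stat=Sent
Mar 3 09:10:11 cantonma sendmail[26100]: g23E9BL26100: from=<someone@example.net>, size=1200, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[192.0.2.55]
Mar 3 09:10:12 cantonma sendmail[26102]: g23E9BL26100: to=<other@example.org>, delay=00:00:01, mailer=esmtp, relay=mail.example.org. [192.0.2.77], dsn=2.0.0, stat=Sent
"""
LOCAL_DOMAINS = {"cantonma.org"}   # assumption: domains this server accepts mail for
TRUSTED_SOURCES = {"127.0.0.1"}    # assumption: hosts allowed to send outbound through it
LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")

def parse_line(line):
    """Return {'qid': ..., key: value, ...} for one sendmail log line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {"qid": m.group("qid")}
    for part in m.group("rest").split(", "):   # fields are comma+space separated
        key, _, val = part.partition("=")
        fields[key] = val
    return fields

def domain_of(addr):
    return addr.strip("<>").rsplit("@", 1)[-1].lower()

def relay_ip(relay):
    # relay= is '[ip]' or 'host [ip]'; '(may be forged)' means the reverse
    # DNS lookup of the ip did not confirm the host name sendmail printed.
    m = re.search(r"\[([^\]]+)\]", relay)
    return m.group(1) if m else relay

def find_relayed(log_text, local_domains=LOCAL_DOMAINS, trusted=TRUSTED_SOURCES):
    """Join from= and to= records on queue id; a message counts as third-party
    relaying when its source is untrusted and no recipient is a local domain."""
    msgs = defaultdict(lambda: {"src": None, "forged": False, "to": []})
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and "from" in f:
            msgs[f["qid"]]["src"] = relay_ip(f.get("relay", ""))
            msgs[f["qid"]]["forged"] = "(may be forged)" in f.get("relay", "")
        elif f and "to" in f:
            msgs[f["qid"]]["to"] += [a.strip("<>") for a in f["to"].split(",")]
    return {qid: rec for qid, rec in msgs.items()
            if rec["to"]                                   # nrcpts=0: nothing accepted
            and rec["src"] not in trusted
            and all(domain_of(a) not in local_domains for a in rec["to"])}
```

Run against the sample, only the constructed third message (external source, external recipient) is reported; both messages from the post resolve to nrcpts=0 or a local recipient and are not relaying.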
 
If you want to check whether you relay ... in any way, you can check by telnetting from your mail server to relay-test.mail-abuse.org ... and they will run a handful of relay tests off you.

It was nice to know that we were reasonably secure by this method.

Jon
 
