[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[cobalt-users] HELP Spam attack

Subject: [cobalt-users] HELP Spam attack
From: "Dawn D. Pfaltzgraff" <ddpfz@xxxxxxxxxx>
Date: Mon Dec 9 08:39:01 2002
List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>

Need some help on this one.

We are running a RAQ 3 and I have been receiving the mail for the adminaccount. About Wednesday of last week I noticed that we started to get aWHOLE BUNCH of Mail Delivery unknown. So I went into the maillog andnotice that someone appears to be trying to use our server as a relay forspam. What I don't understand, is the following:We are using poprelayd and we have are caught up on all thepatches from Cobalt so I KNOW we got the fix for poprelayd way back in July.I have done tests from abuse.net and it says that none of ourrelays are open??? Does it have to be someone inside our network? How canI track this down. Please let me know what other info I might have thatcould be helpful. I really at a lost here. Thanks in advance.


EXAMPLE OF MAIL LOG  ( you'll see the mail sent to all those aol users.)

Dec 9 07:41:44 sage in.qpopper[7644]: (v?) Unable to get canonical name ofclient 207.174.213.122: Unknown host (1)Dec 9 07:41:44 sage in.qpopper[7644]: (v?) POP login by user "rseedorf" at(207.174.213.122) 207.174.213.122Dec 9 07:41:46 sage in.qpopper[7645]: (v?) Unable to get canonical name ofclient 206.168.65.20: Unknown host (1)Dec 9 07:41:53 sage sendmail[7665]: NOQUEUE: Null connection from[206.168.65.20]

Dec  9 07:42:03 sage sendmail[7666]: gethostbyaddr(206.168.65.251) failed: 1
Dec  9 07:42:03 sage sendmail[7666]: gethostbyaddr(206.168.65.250) failed: 1

Dec 9 07:42:03 sage sendmail[7666]: HAA07666: from=admin, size=15963,class=0, pri=615963, nrcpts=20,msgid=<200212091442.HAA07666@xxxxxxxxxxxxxxx>, relay=admin@localhostDec 9 07:42:05 sage sendmail[7668]: HAA07666:to=delphisman@xxxxxxx,jcallaham1@xxxxxxx,jcallahan2@xxxxxxx,shacked44@xxxxxxx,shacked5@xxxxxxx,gammonja@xxxxxxx,gammonje@xxxxxxx,shackee@xxxxxxx,aholnewrld@xxxxxxx,lamonique1@xxxxxxx,pltrobert@xxxxxxx,delphiserv@xxxxxxx,tlrubin@xxxxxxx,delphisis@xxxxxxx,pltroiani@xxxxxxx,jcallagy@xxxxxxx,gammonite@xxxxxxx,gammonites@xxxxxxx,jcallah@xxxxxxx,missyheel@xxxxxxx,ctladdr=admin (110/27), delay=00:00:02, xdelay=00:00:02, mailer=esmtp,relay=mailin-04.mx.aol.com. [64.12.136.153], stat=Sent (OK)Dec 9 07:42:29 sage sendmail[7597]: HAA07597:from=<test@xxxxxxxxxxxxxxxxxx>, size=0, class=0, pri=0, nrcpts=0,proto=SMTP, relay=CPE-203-45-170-23.qld.bigpond.net.au [203.45.170.23]


Dawn


Dawn D. Pfaltzgraff
System Administrator
Premier Systems -plains.net
ddpfz@xxxxxxxxxx

(970-848-0475)

Follow-Ups:
- Re: [cobalt-users] HELP Spam attack
  - From: Larry Smith
- RE: [cobalt-users] HELP Spam attack
  - From: Dan Kriwitsky

Prev by Date: RE: [cobalt-users] HOWTO: Rebuild PostgreSQL 'cobalt' database due to corrupt quota table
Next by Date: [cobalt-users] [RAQ3] Apache User-Agent blocking for all sites
Previous by thread: Re: [cobalt-users] Re: How to list more than 15 users in user management - anyone?
Next by thread: Re: [cobalt-users] HELP Spam attack

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index