Slightly OT

Hey gang, I tried to find the answer myself, but no such luck. I got a message to our abuse account this morning saying someone from our network sent them spam. We take this very seriously here, so I investigated it. Here are the supplied headers he sent us:

    Received: from pop.free.fr [213.228.0.165] by localhost with POP3 (fetchmail-6.2.2)
        for <user> (single-drop); Thu, 04 Sep 2003 11:12:01 +0100 (BST)
    Received: (qmail 15385 invoked from network); 4 Sep 2003 06:20:53 -0000
    Received: from du1189.2khiway.net (63.160.179.189) by mrelay3-2.free.fr with SMTP;
        4 Sep 2003 06:20:53 -0000
    Received: from ys.g3hp.org [234.85.153.223] by du1189.2khiway.net for <user>;
        Thu, 04 Sep 2003 05:10:44 -0200

The du1 IP is from our dialup pool, but all logs for dialin/mail show no one was using that IP at that time. Here are our dialin logs for that IP (time stamps only). Note the time listed in the above header: 6:20:53.

    09/04/2003 04:14:10 STOP  FRAMED-IP-ADDRESS=63.160.179.189
    09/04/2003 07:42:10 START FRAMED-IP-ADDRESS=63.160.179.189

What I suspect is that someone's PC has been hacked. Given that the first IP listed isn't ours (that's assigned to the Internet Assigned Numbers Authority), the message didn't ORIGINATE from us, but passed through a user's machine. The problem is finding the infected/hacked machine. Anyone got any ideas? Am I reading the time stamps wrong?

Thanks for any help.

Paul
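The time-stamp comparison Paul is asking about, written out as an added example (not code from the thread or from IMail): it normalises each Received date to UTC, including the "-0000" zone that Python hands back as a naive datetime, and checks whether the dial-in accounting log shows 63.160.179.189 held by a session at that instant. The post does not say what zone the NAS writes its log in, so the log offset is a parameter assumed to be UTC by default; the sample lines are copied from the post.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed from the post: the two Received dates that matter and the dial-in log.
RECEIVED_DATES = [
    "4 Sep 2003 06:20:53 -0000",        # mrelay3-2.free.fr accepted it from 63.160.179.189
    "Thu, 04 Sep 2003 05:10:44 -0200",  # claimed handoff ys.g3hp.org -> du1189.2khiway.net
]
DIALIN_LOG = """\
09/04/2003 04:14:10 STOP FRAMED-IP-ADDRESS=63.160.179.189
09/04/2003 07:42:10 START FRAMED-IP-ADDRESS=63.160.179.189
"""
LOG_RE = re.compile(r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (START|STOP) FRAMED-IP-ADDRESS=(\S+)")

def header_date_to_utc(text):
    """Normalise an RFC 2822 date to an aware UTC datetime.  A '-0000' zone means
    'UTC, sender's local zone unknown'; parsedate_to_datetime returns it naive."""
    dt = parsedate_to_datetime(text)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)

def parse_sessions(log_text, log_utc_offset_hours=0):
    """START/STOP accounting lines -> per-IP (start, stop) UTC intervals.  The log's
    zone is an assumption (0 = UTC).  A STOP with no earlier START began before the
    log window (start=None); a START with no STOP is still open (stop=None)."""
    log_tz = timezone(timedelta(hours=log_utc_offset_hours))
    sessions, open_start = {}, {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        ts = ts.replace(tzinfo=log_tz).astimezone(timezone.utc)
        kind, ip = m.group(2), m.group(3)
        if kind == "START":
            open_start[ip] = ts
        else:
            sessions.setdefault(ip, []).append((open_start.pop(ip, None), ts))
    for ip, ts in open_start.items():
        sessions.setdefault(ip, []).append((ts, None))
    return sessions

def ip_assigned_at(sessions, ip, when_utc):
    """True if the accounting log shows some session holding `ip` at `when_utc`."""
    return any((s is None or s <= when_utc) and (e is None or when_utc < e)
               for s, e in sessions.get(ip, []))

def check_post(log_utc_offset_hours=0):
    """One answer per Received date: was 63.160.179.189 dialled in at that instant?"""
    sessions = parse_sessions(DIALIN_LOG, log_utc_offset_hours)
    return [ip_assigned_at(sessions, "63.160.179.189", header_date_to_utc(d)) for d in RECEIVED_DATES]
```

With the log read as UTC both Received instants fall in the gap between the STOP and the START, but reading the same log as UTC-5 puts both inside the earlier session, so the answer hinges on knowing the NAS clock's zone before deciding anything about the "du1189" hop.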
