David Legg wrote:

> Unfortunately, yes. It looks like James is trying to send spam.
>
> If the laptop or PC you use to compose emails has been compromised with
> a virus it could be responsible for sending the spam via your James
> server. After all your PC knows how to authenticate itself.
>
> Next on the list of suspects could be a process running on your server
> and sending spam locally via James. This is possible if you have set up
> James to not require authentication from messages originating from the
> localhost IP address (127.0.0.1). Perhaps you have a web app on your
> server which allows messages to be sent and this has been compromised?
>
> Check your config file and see if the <authorizedAddresses> tag is set
> to 127.0.0.0/8 under the <smtpserver> handler section. Like so...
> 
> <smtpserver enabled="true">
>   <port>25</port>
>   <handler>
>     ...
>     <authRequired>true</authRequired>
>     <authorizedAddresses>127.0.0.0/8</authorizedAddresses>
>   </handler>
> </smtpserver>
>
> This setting requires authorization except for anything originating from
> 127.0.0.1
>

In my config file the XML element values were already set to what you specified 
above.  I checked to make sure that there wasn't a duplicate set of elements 
anywhere else in the file.

I've done several staggered tcpdump network packet captures for ports 25, 110, 
465, and 995.  In what I've seen so far all the port 25 traffic has been 
"legit" inbound spam and email coming to addresses in my domain, plus the 
outgoing delivery of the transmitted spam.

I see a bunch of inbound traffic on port 995 from my home computer's IP which 
is encrypted, of course, so I can't see what's inside the packets, but I just 
realized that I left Thunderbird open during all of the captures so it's 
probably just Thunderbird checking for new mail.

During the periods when I was capturing there wasn't any port 25 or port 465 
traffic from my home or office computer's IP addresses.  (And actually, there 
wasn't any port 465 traffic at all.)

I'll keep doing more packet captures, but is there any way to ask JAMES to log 
every SMTP authentication so that I can tentatively rule out whether or not the spam 
is getting in that way?

I'm using the default file-based repositories; is it feasible that if an 
attacker had complete access to the OS on my server, they might be inserting 
messages into the spool by directly creating files?  I could try setting up 
something to log the creation of files if that seems feasible to you.

Ken
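As an added example (not code from the James project or from either poster), the script below models the relay decision that the quoted <smtpserver> handler settings control, so the "localhost is exempt from AUTH" exposure David describes can be checked against a config file and a list of sample sessions rather than inferred from packet captures. The relay rules are a simplified model of James 2.x behaviour (SMTP AUTH required for relay unless the client address falls inside <authorizedAddresses>; unauthenticated clients may still deliver to local domains) and are an assumption; the two config fragments, the local domain example.net and the sample sessions are constructed for illustration.

```python
"""Added example: audit a James 2.x <smtpserver> handler block for relay exposure.

Assumption: the relay rules in relay_allowed() are a simplified model of James 2.x,
not the project's code. Config fragments, domains and sessions are constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed: the setting described in the thread (AUTH required, localhost exempt).
CONFIG_STRICT = """<config>
  <smtpserver enabled="true">
    <port>25</port>
    <handler>
      <authRequired>true</authRequired>
      <authorizedAddresses>127.0.0.0/8</authorizedAddresses>
    </handler>
  </smtpserver>
</config>"""

# Constructed: the weak variant, where no client ever has to authenticate.
CONFIG_OPEN = """<config>
  <smtpserver enabled="true">
    <port>25</port>
    <handler>
      <authRequired>false</authRequired>
      <authorizedAddresses>127.0.0.0/8</authorizedAddresses>
    </handler>
  </smtpserver>
</config>"""

LOCAL_DOMAINS = {"example.net"}  # constructed: domains this server delivers locally


def parse_smtp_policy(xml_text):
    """Extract authRequired / authorizedAddresses and flag suspicious settings."""
    root = ET.fromstring(xml_text)
    handler = root.find("./smtpserver/handler")
    if handler is None:
        raise ValueError("no <smtpserver>/<handler> block found")
    warnings = []
    auth_elems = handler.findall("authRequired")
    addr_elems = handler.findall("authorizedAddresses")
    # Duplicate elements (the check Ken did by hand) suggest a hand-edited or tampered file.
    if len(auth_elems) > 1 or len(addr_elems) > 1:
        warnings.append("duplicate authRequired/authorizedAddresses elements in handler")
    auth_required = bool(auth_elems) and (auth_elems[0].text or "").strip().lower() == "true"
    if not auth_required:
        warnings.append("authRequired is not true: every client may relay (open relay)")
    nets = []
    for el in addr_elems:
        # James accepts a comma-separated list of address/netmask entries.
        for tok in (el.text or "").replace(",", " ").split():
            nets.append(ipaddress.ip_network(tok, strict=False))
    for n in nets:
        if n.prefixlen == 0:
            warnings.append("authorizedAddresses %s exempts every client from AUTH" % n)
    return {"auth_required": auth_required, "authorized": nets, "warnings": warnings}


def relay_allowed(policy, client_ip, authenticated, rcpt_domain):
    """Simplified James 2.x RCPT decision: (accepted, reason)."""
    if rcpt_domain in LOCAL_DOMAINS:
        return True, "local delivery, no relay involved"
    if not policy["auth_required"]:
        return True, "authRequired is false: relayed without any check"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in n for n in policy["authorized"]):
        # This is the path a compromised local web app or process would use.
        return True, "client inside authorizedAddresses: relayed without AUTH"
    if authenticated:
        return True, "relayed after successful SMTP AUTH"
    return False, "relay denied: not authenticated and not an authorized address"


SESSIONS = [  # constructed: (client_ip, authenticated, recipient domain)
    ("127.0.0.1", False, "victim.example"),
    ("203.0.113.5", False, "victim.example"),
    ("203.0.113.5", True, "victim.example"),
    ("203.0.113.5", False, "example.net"),
]


def audit(xml_text, sessions=SESSIONS):
    """Run every sample session through the policy parsed from xml_text."""
    policy = parse_smtp_policy(xml_text)
    return [(ip, auth, dom) + relay_allowed(policy, ip, auth, dom) for ip, auth, dom in sessions]


if __name__ == "__main__":
    for name, cfg in (("strict", CONFIG_STRICT), ("open", CONFIG_OPEN)):
        print("==", name, "warnings:", parse_smtp_policy(cfg)["warnings"])
        for row in audit(cfg):
            print("  %-12s auth=%-5s -> %-16s %s %s" % row)
```

Run it against a copy of the real config.xml by passing the file contents to audit(): with the strict settings the only unauthenticated relay path is from 127.0.0.0/8, which is exactly why a local process or web app on the server, not only a stolen password, remains a suspect.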



