> 
> From: "Tuc at T-B-O-H.NET" <[EMAIL PROTECTED]>
> 
> > Hi,
> >
> > At around 1p yesterday all of a sudden I started to see some
> > messages out of the ordinary. I've tracked it down to happening around
> > the same time SA is running.
> >
> > I syslog everything to /var/log/spool, and if I do :
> >
> > egrep 'clean |nologin' /var/log/spool | grep -v kernel
> >
> > I see things like:
> >
> > Jul 19 11:52:26 asgard spamd[2499]: spamd: clean message (2.6/5.0) for mkasper:2005 in 7.2 seconds, 1538 bytes.
> > Jul 19 11:52:26 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 11:52:26 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 11:52:50 asgard spamd[2499]: spamd: clean message (5.0/5.0) for aries:2000 in 7.8 seconds, 70282 bytes.
> > Jul 19 11:52:50 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 11:52:50 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 13:09:29 asgard spamd[2499]: spamd: clean message (3.7/5.0) for mkasper:2005 in 2.3 seconds, 1635 bytes.
> > Jul 19 13:09:29 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 13:23:07 asgard spamd[2499]: spamd: clean message (1.3/5.0) for mariansb:2004 in 1.6 seconds, 11011 bytes.
> > Jul 19 13:23:07 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 13:26:50 asgard spamd[2499]: spamd: clean message (0.8/5.0) for mariansb:2004 in 1.4 seconds, 2251 bytes.
> > Jul 19 13:26:50 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 13:26:56 asgard spamd[2499]: spamd: clean message (1.5/5.0) for mariansb:2004 in 1.7 seconds, 11323 bytes.
> > Jul 19 13:26:56 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 13:28:14 asgard spamd[2499]: spamd: clean message (0.4/5.0) for aries:2000 in 4.4 seconds, 20370 bytes.
> > Jul 19 13:28:14 asgard nologin: Attempted login by root on UNKNOWN
> >
> > I know this sounds the usual, but I didn't change or upgrade
> > anything when it started.
> >
> >
> > Any thoughts? How do I debug?
> 
> Recognize that you likely have two different "problems."
> 
> The clean simply means spamd correctly processed a message that was not
> spam.
>
        Right, I know. I was trying to point out that every time I had a
clean message, I had one of those attempts... Showing it was
related in my investigation.
>
> The attempted login messages are some other item attempting to
> break into your machine on the root account. I'd suspect an ssh based
> attack.
> 
        Actually, no, it's not. SSH is closed up pretty tight, open to only
a single box in the datacenter.

        It turns out the solution to this was to put :

SHELL=/bin/sh

        in the top of each user's .procmailrc that ran spamc.

        Thanks for the reply though.

                        Tuc/TBOH

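The timestamp correlation the original poster did by eye with egrep, as an added example that is not part of this thread: it parses the syslog lines quoted above (rejoined where the mail client wrapped them, plus one constructed nologin line with no spamd activity at that second) and separates nologin attempts that coincide with a spamd "clean message" event from ones that do not, which is the check that points at the local mail pipeline rather than at an outside login attempt.

```python
import re
from collections import defaultdict

# Sample lines taken from the syslog excerpt in the post, plus one constructed
# nologin line (12:30:00) with no matching spamd event.
SAMPLE_LOG = """\
Jul 19 11:52:26 asgard spamd[2499]: spamd: clean message (2.6/5.0) for mkasper:2005 in 7.2 seconds, 1538 bytes.
Jul 19 11:52:26 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 11:52:26 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 11:52:50 asgard spamd[2499]: spamd: clean message (5.0/5.0) for aries:2000 in 7.8 seconds, 70282 bytes.
Jul 19 11:52:50 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 12:30:00 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 13:09:29 asgard spamd[2499]: spamd: clean message (3.7/5.0) for mkasper:2005 in 2.3 seconds, 1635 bytes.
Jul 19 13:09:29 asgard nologin: Attempted login by root on UNKNOWN
"""

# Classic syslog layout: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
SPAMD_CLEAN = re.compile(r"clean message \([\d.]+/[\d.]+\) for (?P<user>[^:]+):(?P<uid>\d+)")
NOLOGIN = re.compile(r"Attempted login by (?P<acct>\S+)")

def correlate(log_text):
    """Return (correlated, orphans): nologin events sharing a timestamp with a spamd
    clean-message event as (ts, spamd_user, acct), and unmatched nologin timestamps."""
    clean_by_ts = defaultdict(list)   # timestamp -> users whose mail spamd scanned
    nologin_events = []
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        ts, prog, msg = m["ts"], m["prog"], m["msg"]
        if prog == "spamd":
            c = SPAMD_CLEAN.search(msg)
            if c:
                clean_by_ts[ts].append(c["user"])
        elif prog == "nologin":
            n = NOLOGIN.search(msg)
            if n:
                nologin_events.append((ts, n["acct"]))
    correlated, orphans = [], []
    for ts, acct in nologin_events:
        if ts in clean_by_ts:
            correlated.append((ts, clean_by_ts[ts][0], acct))
        else:
            orphans.append(ts)   # worth a real look: no local delivery at that second
    return correlated, orphans

if __name__ == "__main__":
    matched, unmatched = correlate(SAMPLE_LOG)
    print(f"{len(matched)} nologin events coincide with spamd; unmatched: {unmatched}")
```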