> > From: "Tuc at T-B-O-H.NET" <[EMAIL PROTECTED]>
> >
> > Hi,
> >
> > At around 1p yesterday all of a sudden I started to see some
> > messages out of the ordinary. I've tracked it down to happening around
> > the same time SA is running.
> >
> > I syslog everything to /var/log/spool, and if I do :
> >
> > egrep 'clean |nologin' /var/log/spool | grep -v kernel
> >
> > I see things like:
> >
> > Jul 19 11:52:26 asgard spamd[2499]: spamd: clean message (2.6/5.0) for mkasper:2005 in 7.2 seconds, 1538 bytes.
> > Jul 19 11:52:26 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 11:52:26 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 11:52:50 asgard spamd[2499]: spamd: clean message (5.0/5.0) for aries:2000 in 7.8 seconds, 70282 bytes.
> > Jul 19 11:52:50 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 11:52:50 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 13:09:29 asgard spamd[2499]: spamd: clean message (3.7/5.0) for mkasper:2005 in 2.3 seconds, 1635 bytes.
> > Jul 19 13:09:29 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 13:23:07 asgard spamd[2499]: spamd: clean message (1.3/5.0) for mariansb:2004 in 1.6 seconds, 11011 bytes.
> > Jul 19 13:23:07 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 13:26:50 asgard spamd[2499]: spamd: clean message (0.8/5.0) for mariansb:2004 in 1.4 seconds, 2251 bytes.
> > Jul 19 13:26:50 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 13:26:56 asgard spamd[2499]: spamd: clean message (1.5/5.0) for mariansb:2004 in 1.7 seconds, 11323 bytes.
> > Jul 19 13:26:56 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 13:28:14 asgard spamd[2499]: spamd: clean message (0.4/5.0) for aries:2000 in 4.4 seconds, 20370 bytes.
> > Jul 19 13:28:14 asgard nologin: Attempted login by root on UNKNOWN
> >
> > I know this sounds the usual, but I didn't change or upgrade
> > anything when it started.
> >
> >
> > Any thoughts? How do I debug?
>
> Recognize that you likely have two different "problems."
>
> The clean simply means spamd correctly processed a message that was not
> spam.
>
Right, I know. I was trying to point out that every time I had a clean message, I had one of those attempts... Showing it was related in my investigation.

> The attempted login messages are some other item attempting to
> break into your machine on the root account. I'd suspect an ssh-based
> attack.
>
Actually, no, it's not. SSH is closed up pretty tight, open to only a single box in the datacenter.

It turns out the solution to this was to put:

SHELL=/bin/sh

in the top of each user's .procmailrc that ran spamc.

Thanks for the reply though.

Tuc/TBOH
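As an added check, not from this thread or from the procmail or SpamAssassin projects, the following POSIX sh/awk snippet turns Tuc's by-eye correlation into a count: it pairs each spamd "clean message" line with nologin lines stamped in the same second, so that nologin events explained by the procmail shell problem can be separated from any that remain unexplained and still deserve a look. The log lines in SAMPLE_LOG are constructed in the same syslog layout as the ones quoted above, not copied from a real /var/log/spool.

```shell
#!/bin/sh
# Constructed sample in the same syslog layout as the thread (not a real /var/log/spool).
SAMPLE_LOG='Jul 19 11:52:26 asgard spamd[2499]: spamd: clean message (2.6/5.0) for mkasper:2005 in 7.2 seconds, 1538 bytes.
Jul 19 11:52:26 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 11:52:26 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 12:10:00 asgard sshd[3100]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
Jul 19 13:09:29 asgard spamd[2499]: spamd: clean message (3.7/5.0) for mkasper:2005 in 2.3 seconds, 1635 bytes.
Jul 19 13:09:29 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 13:40:00 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 13:55:12 asgard spamd[2499]: spamd: clean message (0.4/5.0) for aries:2000 in 4.4 seconds, 20370 bytes.'

# correlate_nologin: read syslog lines on stdin and print three counts on one line:
#   clean   - spamd "clean message" lines
#   matched - clean lines that have a nologin line stamped with the same second
#             (the procmail/spamc symptom described in the thread)
#   orphan  - nologin lines with no clean message in that second; these are
#             not explained by spamc and should be reviewed as login attempts
correlate_nologin() {
    awk '
        /spamd: clean message/ {
            ts = $1 " " $2 " " $3          # syslog timestamp, e.g. "Jul 19 11:52:26"
            clean++; cleancount[ts]++
            next
        }
        /nologin: Attempted login/ {
            ts = $1 " " $2 " " $3
            if (ts in cleancount) {
                # count each clean second once, however many nologin lines it produced
                if (!(ts in hit)) { hit[ts] = 1; matched += cleancount[ts] }
            } else {
                orphan++
            }
        }
        END { printf "%d %d %d\n", clean, matched, orphan }
    '
}

# Stand-alone run over the sample; on a real host feed the file instead: correlate_nologin < /var/log/spool
printf '%s\n' "$SAMPLE_LOG" | correlate_nologin
```

For the sample this prints `3 2 1`: three clean messages, two of them with matching nologin noise, and one nologin line (13:40:00) that nothing in spamd accounts for.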