On Wed, 5 Apr 2017, Jim McLachlan wrote:
Hi John,
That sounds like a good move. I don't have a lot of experience using
tcpdump. Could you help prevent me from fumbling around like a ****wit with
it and let me know what I need to do with it to identify the source of the
spamd traffic?
At the most basic you'd filter for the port spamd is listening on:
tcpdump -n tcp dst port 783
You'd probably also want to filter for SYN packets to reduce the clutter:
tcpdump -n tcp dst port 783 and 'tcp[tcpflags] & tcp-syn != 0'
Note the source IP address. If it's a different host you can look there
for what's sending the traffic.
You can also run this to get an idea of what programs are calling spamd:
netstat -natp | grep ":783 "
You could run the netstat first, under the assumption that the source is
most likely local rather than remote, then run tcpdump if you can't find a
plausible local source.
All of this needs to be done as root, of course.
On 05/04/17 01:21, John Hardin wrote:
Perhaps run tcpdump and see where the spamd traffic is coming from, to
rule out something other than the local MTAs?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The more you believe you can create heaven on earth
the more likely you are to set up guillotines in the public square
to hasten the process. -- James Lileks
-----------------------------------------------------------------------
9 days until Thomas Jefferson's 274th Birthday
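As an added illustration of the procedure John describes (not code from the thread), the script below parses sample `netstat -natp` and `tcpdump -n` output for connections to spamd's port 783: first listing local client processes, then counting SYNs per source address. The sample outputs are constructed; on a live host you would pipe the real commands (run as root) into the same functions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Inputs below are constructed
# samples in the shape of real netstat/tcpdump output.
SPAMD_PORT=783

# Constructed output of: netstat -natp
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN      1234/spamd
tcp        0      0 127.0.0.1:40002         127.0.0.1:783           ESTABLISHED 2345/spamc
tcp        0      0 127.0.0.1:783           127.0.0.1:40002         ESTABLISHED 1234/spamd'

# Constructed output of: tcpdump -n tcp dst port 783 and 'tcp[tcpflags] & tcp-syn != 0'
SAMPLE_TCPDUMP='12:00:01.000001 IP 192.0.2.10.51234 > 192.0.2.5.783: Flags [S], seq 1, win 64240, length 0
12:00:01.100002 IP 127.0.0.1.40002 > 127.0.0.1.783: Flags [S], seq 2, win 64240, length 0
12:00:01.200003 IP 192.0.2.10.51235 > 192.0.2.5.783: Flags [S], seq 3, win 64240, length 0
12:00:01.300004 IP 198.51.100.7.33000 > 192.0.2.5.783: Flags [S], seq 4, win 64240, length 0'

# Step 1 (local check): from netstat -natp on stdin, print the PID/program of every
# socket whose *foreign* address is spamd's port, i.e. the local clients of spamd.
spamd_clients() {
  awk -v port="$1" '$5 ~ (":" port "$") { print $NF }'
}

# Step 2 (network check): from tcpdump -n SYN output on stdin, count SYNs per source
# IPv4 address destined to spamd's port; prints "count ip", busiest first.
# (IPv6 lines use "IP6" and a different address format and are ignored here.)
syn_sources() {
  awk -v port="$1" '$2 == "IP" {
      split($3, src, ".")
      src_ip = src[1] "." src[2] "." src[3] "." src[4]
      n = split($5, dst, "."); sub(/:$/, "", dst[n])
      if (dst[n] == port) count[src_ip]++
    }
    END { for (ip in count) print count[ip], ip }' | sort -rn
}

# Live use (as root):  netstat -natp | spamd_clients 783
#   tcpdump -n tcp dst port 783 and 'tcp[tcpflags] & tcp-syn != 0' | syn_sources 783
printf '%s\n' "$SAMPLE_NETSTAT" | spamd_clients "$SPAMD_PORT"
printf '%s\n' "$SAMPLE_TCPDUMP" | syn_sources "$SPAMD_PORT"
```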