Frank
On 7/19/06 8:29 AM, Stephen Barner wrote:
I've got a server that hosts a few websites and a PHP BBS. It uses sendmail to handle a few light mail duties (though the spammers have found it, so I have to delete a few dozen spam messages that come in every day). I recently noticed some unusual activity on the server and checking var/log/maillog, I find a bunch of messages of this type being produced (I substituted mydomain for the real domain name of the local server):

Jul 19 07:16:43 www sendmail[3541]: k6JBGh3U003541: <[EMAIL PROTECTED]>... User unknown
Jul 19 07:16:43 www sendmail[3541]: k6JBGh3U003541: from=<>, size=21287, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=imail.mlode.com [208.12.100.136]

If I am reading this correctly, the server sent a message with no sender listed to the nonexistent local user FaygjkFarris through imail.mlode.com. I can't figure out the logic behind this, especially since all the usernames are really odd and not likely to produce successful hits. I also have no idea what is initiating the exchanges. It would seem that there might be some kind of malware running on the local machine trying to send these messages out, but I can't find anything unusual. Perhaps I am reading the maillog incorrectly but for now I shut down sendmail until I can resolve the problem. The sendmail version is 8.12.4.

Steve Barner
--
Frank Swasey | http://www.uvm.edu/~fcs
Sr Systems Administrator | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
"I am not young enough to know everything." - Oscar Wilde (1854-1900)
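An added example, not part of either message in this thread: a Python script that groups maillog lines of the kind quoted above by queue ID. On a sendmail `from=` line, `relay=` is the host the message was received from, so the script reports that host and flags null-sender (`from=<>`) messages whose recipient was rejected as `User unknown`. The sample log, hostnames and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the maillog layout quoted above; queue IDs,
# hosts and addresses are made up (documentation ranges).
SAMPLE_LOG = """\
Jul 19 07:16:43 www sendmail[3541]: k6JBGh3U003541: <nouser1@mydomain.example>... User unknown
Jul 19 07:16:43 www sendmail[3541]: k6JBGh3U003541: from=<>, size=21287, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mx.remote.example [192.0.2.10]
Jul 19 07:20:01 www sendmail[3602]: k6JBK1aa003602: from=<alice@remote.example>, size=1200, class=0, nrcpts=1, msgid=<1@remote.example>, proto=ESMTP, daemon=MTA, relay=mx.remote.example [192.0.2.10]
Jul 19 07:20:02 www sendmail[3604]: k6JBK1aa003602: to=<webmaster@mydomain.example>, delay=00:00:01, mailer=local, stat=Sent
Jul 19 07:25:10 www sendmail[3710]: k6JBPAbb003710: from=apache, size=300, class=0, nrcpts=1, msgid=<2@www>, relay=apache@localhost
Jul 19 07:25:11 www sendmail[3712]: k6JBPAbb003710: to=<bob@remote.example>, delay=00:00:01, mailer=esmtp, relay=mx.remote.example. [192.0.2.10], stat=Sent (ok)
"""

LINE = re.compile(r"sendmail\[\d+\]: (\w+): (.*)$")
FIELD = re.compile(r"(\w+)=([^,]*)")
REJECT = re.compile(r"^<([^>]*)>\.\.\. User unknown")

def summarize(log):
    """Group maillog lines by queue ID and describe each message."""
    msgs = defaultdict(lambda: {"rejected": [], "delivered": []})
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, rest = m.groups()
        rec = msgs[qid]
        rej = REJECT.match(rest)
        if rej:
            rec["rejected"].append(rej.group(1))
            continue
        fields = dict(FIELD.findall(rest))
        if rest.startswith("from="):
            rec["sender"] = fields["from"]
            rec["nrcpts"] = int(fields.get("nrcpts", 0))
            rec["received_from"] = fields.get("relay", "")
            # daemon= names the SMTP listener that accepted the message,
            # so its presence marks mail that arrived over the network.
            rec["direction"] = "inbound-smtp" if "daemon" in fields else "local-submit"
        elif rest.startswith("to="):
            rec["delivered"].append((fields["to"], fields.get("mailer"), fields.get("stat")))
    return dict(msgs)

def rejected_null_sender(log):
    """Inbound from=<> messages accepted for no one after a User unknown reject."""
    return sorted((qid, r["received_from"], r["rejected"])
                  for qid, r in summarize(log).items()
                  if r.get("direction") == "inbound-smtp" and r.get("sender") == "<>"
                  and r.get("nrcpts") == 0 and r["rejected"])
```

Mail that this host itself sends shows up as a `to=` line with `mailer=esmtp` and a remote `relay=`, as in the last constructed entry, which is the pattern to look for when checking whether the server is originating messages.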
