* Jim Norton
Some of my users have had their email addresses harvested by the so.big virus. I am blocking any incoming virus emails now.
However I see this entry in my /var/log/mail file:
Sep 4 19:31:36 falcon postfix/smtp[21404]: connect to smtp.myrealbox.com[192.108.102.204]: server refused mail service (port 25)
Sep 4 19:31:36 falcon postfix/smtp[21404]: 1DEB71C159: to=, relay=none, delay=71626, status=deferred (connect to smtp.myrealbox.com[192.108.102.204]: server refused mail service)

Is this a connection to my mail server or my mail server being used to attempt to send mail to oleg_inconnu@myrealbox.com? I can't believe that any legitimate users of my system would be attempting to send mail to this address.
Would this be an indication that my server is compromised? And if so, what tools or resources might I get access to in order to fix any possible compromise?
No, they are telling you that you must relay your mail through your provider. They will not accept mail directly from your computer, port 25.

--
Patrick Shanahan
Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org
On 03.09.04 at 20:01, Jim Norton wrote:

> Some of my users have had their email addresses harvested by the so.big virus. I am blocking any incoming virus emails now.
> However I see this entry in my /var/log/mail file:
>
> Sep 4 19:31:36 falcon postfix/smtp[21404]: connect to smtp.myrealbox.com[192.108.102.204]: server refused mail service (port 25)
> Sep 4 19:31:36 falcon postfix/smtp[21404]: 1DEB71C159: to=, relay=none, delay=71626, status=deferred (connect to smtp.myrealbox.com[192.108.102.204]: server refused mail service)
>
> Is this a connection to my mail server or my mail server being used to attempt to send mail to oleg_inconnu@myrealbox.com?

The second.

> I can't believe that any legitimate users of my system would be attempting to send mail to this address.

It could be a reject or bounce. You said you blocked incoming mail for the virus; if you did it my way, it is possible that you are sending them a reject mail.

> Would this be an indication that my server is compromised? And if so, what tools or resources might I get access to in order to fix any possible compromise?

Check your mail log carefully. Above those lines you will detect the from address. Also, simply use the "mailq" command; that should list deferred mail, with the from and the to for each one.

--
Cheers,
Carlos Robinson
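As an added example (not code from the thread), a small Python script that does what Carlos suggests: it correlates the deferred to= line with the from= line Postfix logs earlier under the same queue ID, so you can tell a bounce generated by your own server (null envelope sender, from=<>) from mail a local user or an outside party submitted. The log sample is constructed; the qmgr from= records, the second queue ID 2F0A11C1A2, the example.org/example.net addresses and the local_domains set are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/mail lines. The smtp lines follow the ones quoted in
# the post; the qmgr "from=" lines are constructed examples of the sender record Postfix
# logs earlier for the same queue ID. from=<> is the null sender used for bounces.
SAMPLE_LOG = """\
Sep  4 19:31:36 falcon postfix/qmgr[21390]: 1DEB71C159: from=<>, size=3021, nrcpt=1 (queue active)
Sep  4 19:31:36 falcon postfix/smtp[21404]: connect to smtp.myrealbox.com[192.108.102.204]: server refused mail service (port 25)
Sep  4 19:31:36 falcon postfix/smtp[21404]: 1DEB71C159: to=<oleg_inconnu@myrealbox.com>, relay=none, delay=71626, status=deferred (connect to smtp.myrealbox.com[192.108.102.204]: server refused mail service)
Sep  4 19:40:02 falcon postfix/qmgr[21390]: 2F0A11C1A2: from=<alice@example.org>, size=1200, nrcpt=1 (queue active)
Sep  4 19:40:03 falcon postfix/smtp[21410]: 2F0A11C1A2: to=<bob@example.net>, relay=none, delay=5, status=deferred (connect to mx.example.net[192.0.2.10]: Connection timed out)
"""

# Lines belonging to a queued message carry "<queue ID>: " after the daemon name;
# the bare "connect to ... refused" line has no queue ID and is skipped.
QID_RE = re.compile(r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)$")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<addr>[^>]*)>.*status=(?P<status>\w+)")

def parse_queue(log_text):
    """Group the from= and to= records of each message by Postfix queue ID."""
    msgs = defaultdict(lambda: {"from": None, "to": []})
    for line in log_text.splitlines():
        m = QID_RE.search(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        if f := FROM_RE.search(rest):
            msgs[qid]["from"] = f.group("addr")
        if t := TO_RE.search(rest):
            msgs[qid]["to"].append((t.group("addr"), t.group("status")))
    return dict(msgs)

def classify(msg, local_domains):
    """Explain who originated a queued message, given this server's own domains."""
    sender = msg["from"]
    if sender is None:
        return "unknown sender: the from= line is further back in the log (or use mailq)"
    if sender == "":
        return "bounce/reject notice generated by this server (null sender)"
    if sender.rpartition("@")[2].lower() in local_domains:
        return f"submitted by local user {sender}"
    return f"outside sender {sender}: not a bounce or local user, review relay restrictions"

def report(log_text, local_domains):
    """Map every queue ID seen in the log to its classification."""
    return {qid: classify(m, local_domains) for qid, m in parse_queue(log_text).items()}
```

Run it against a real log with your own domains in local_domains; a queue full of outside-sender messages to outside recipients is the pattern to investigate, a queue of null-sender notices is just your virus rejections bouncing.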