Am Mi, den 21.04.2004 schrieb Mike Rambour um 22:07: > I am a very newbie here and my ISP is saying they received a complaint > about SPAM being sent from my machine, they claim its my IP that sent it > (fixed IP, not DHCP).
You should ask them for the log entries they used to determine your machine as the culprit.
> I have checked and I have relaying turned off and only 6 valid users on
> the machine, I forced a password change for all accounts. I also used
> Abuse.Nets relay test to make sure I was not allowing relays. I have no
> idea how that SPAM got out. Since this machine is a firewall for our
> office, I tested all internal machines for virus/worms/etc with the latest
> tools.
I suppose these machines are windows. You should check their mail program configuration. What smtp host do they use for sending mail? In addition you should reconfigure one client to directly use a smtp host outside your office network (assuming they are configured to use the smtpd on your firewall box). Your firewall configuration should block this type of communication. Otherwise a client can send mail which will not show up in your log file.
> But lines like these 2 below did NOT have matching lines, does this mean
> they got sent ? relayed thru my machine somehow ? I could not find a fail
> or sent line for many lines like the ones below.
>
> Apr 21 12:25:00 mail sendmail[1067]: MAA01067:
> from=<postmaster@xxxxxxxxxxxxxxxxxxxxxxxx>, size=1657, class=0, pri=0
> , nrcpts=0, proto=ESMTP, relay=[200.213.72.130]
> Apr 21 12:29:03 mail sendmail[1214]: MAA01214: from=<>, size=0, class=0,
> pri=0, nrcpts=0, proto=SMTP, relay=fw1-81-80-126-2.bplc.fr [81.80.126.2]
You should perform a grep MAA01067 /var/log/maillog rsp a grep MAA01214 /var/log/maillog and you should see the complete communication
> Where do I learn to read the various logs on Fedora/Linux ? If I missed
> a google what should have I googled for ?
I had already done the grep that was suggested, those 2 lines only show up once in the maillog (there are others that only show up once also) Does this mean that the relay was successful ? I sure hope not. And yes the internal machines are mostly Windows and I did check for viruses and worms.
One thing I did notice after reading this reply is yes, I can set up a external SMTP on a Windows machine and go through my firewall and connect to it, but the internal machines are all using my SMPT server, there are only 8 internal machines so it was easy to check. I dont think that is how the SPAM got out, I trust these users. I will go browse the web some more on viruses and worms to make sure that my tools can catch them, i am using the latest anti-virus and adaware and stinger.
I will probably switch to Postfix several people have said it would easier also.
mike
