I am very much a newbie here, and my ISP says they received a complaint about SPAM being sent from my machine; they claim it's my IP that sent it (fixed IP, not DHCP).
I have checked, and I have relaying turned off and only 6 valid users on the machine; I forced a password change for all accounts. I also used Abuse.Net's relay test to make sure I was not allowing relays. I have no idea how that SPAM got out. Since this machine is a firewall for our office, I tested all internal machines for viruses/worms/etc. with the latest tools.
Are these Windows machines, by any chance? Are you sure they don't have a Bagel or Klez virus?
So, in the process I looked at all my logs in /var/log. I specifically grep'd for the email address that the spam was sent as and to, and found no references to it in my logs, implying it was not my machine. But I found other things that I don't know how to read.
Such as? The logs you are interested in are (predominantly) /var/log/messages, /var/log/maillog and /var/log/dmesg (well, you really don't need that one).
I googled and found no "how to read logs and what they mean" page. In /var/log/messages, I googled for "lame servers" and found that is OK, along with a few other items.
In maillog, however, I see very few "Relaying denied" messages (I expected more of them) and a lot of "lost input" messages that, from googling, appear to be a spammer that got blocked, and OK (is that true?). In every case where there was a "lost input", I could find 2 lines, one for the "from" and one for the lost input, with the matching "sendmail[xxxx]" number.
That sounds right.
But lines like these 2 below did NOT have matching lines. Does this mean they got sent? Relayed through my machine somehow? I could not find a fail or sent line for many lines like the ones below.
Apr 21 12:25:00 mail sendmail[1067]: MAA01067: from=<postmaster@xxxxxxxxxxxxxxxxxxxxxxxx>, size=1657, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=[200.213.72.130]
That looks like a relay attempt. The sending system's IP was 200.213.72.130. Look for another entry with that same "sendmail[1067]" bit, and you'll see the delivery attempt.
Apr 21 12:29:03 mail sendmail[1214]: MAA01214: from=<>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=fw1-81-80-126-2.bplc.fr [81.80.126.2]
That's also a relay attempt. Look for another entry with "sendmail[1214]" in it to see the delivery attempt. BTW, that's one of the classic spammer ploys...using "<>" as the sending address. Your sendmail.cf should catch that and not relay it.
You should go to sendmail.org's site and read up on anti-spam and anti-relay setups. Also make sure you have current sendmail binaries installed.

--
Rick Stevens, Senior Systems Engineer    rstevens@xxxxxxxxxxxxxxx
VitalStream, Inc.                        http://www.vitalstream.com

Artificial Intelligence usually beats real stupidity.
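Added example (not part of the thread, and not the poster's or sendmail's own code): a small Python script that does the matching described above automatically instead of grepping by hand. It groups maillog records by sendmail's queue ID (the MAA01067-style token after the pid, which sendmail uses to tie a from= record to the to= records that a child process logs later), classifies each transaction, and flags messages that arrived from a host outside your own networks and were delivered to a domain you don't host, which is what a relayed spam run looks like in the log. The sample log lines, hosts, addresses and networks are constructed placeholders, and local_domains / local_nets are assumptions you would replace with your own. One caveat worth knowing when reading these records: nrcpts=0 in a from= line means no recipient was accepted for that transaction, so there is nothing sendmail could have delivered for it.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample maillog, modelled on the sendmail 8.x record layout. Hosts,
# addresses and networks are placeholders, not the poster's real log.
SAMPLE_MAILLOG = """\
Apr 21 12:25:00 mail sendmail[1067]: MAA01067: from=<postmaster@example.net>, size=1657, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=[192.0.2.10]
Apr 21 12:29:03 mail sendmail[1214]: MAA01214: from=<>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=fw1.example.org [198.51.100.2]
Apr 21 12:30:10 mail sendmail[1300]: MAA01300: ruleset=check_rcpt, arg1=<victim@example.com>, relay=[203.0.113.5], reject=550 5.7.1 <victim@example.com>... Relaying denied
Apr 21 12:30:11 mail sendmail[1300]: MAA01300: lost input channel from [203.0.113.5] to MTA after rcpt
Apr 21 12:31:00 mail sendmail[1402]: MAA01402: from=<alice@example.net>, size=812, class=0, pri=30812, nrcpts=1, proto=ESMTP, relay=pc7.office.example.net [10.0.0.7]
Apr 21 12:31:01 mail sendmail[1403]: MAA01402: to=<bob@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30812, relay=mx.example.com. [192.0.2.25], dsn=2.0.0, stat=Sent (OK)
Apr 21 12:40:00 mail sendmail[1500]: MAA01500: from=<spammer@example.org>, size=4000, class=0, pri=34000, nrcpts=1, proto=ESMTP, relay=[203.0.113.9]
Apr 21 12:40:02 mail sendmail[1501]: MAA01500: to=<someone@example.com>, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=34000, relay=mx.example.com. [192.0.2.25], dsn=2.0.0, stat=Sent (OK)
"""

# "Mon DD HH:MM:SS host sendmail[pid]: QUEUEID: rest"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[(?P<pid>\d+)\]: (?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$")
# key=value pairs; angle-bracketed addresses may contain commas, other values may not
FIELD_RE = re.compile(r"(\w+)=(<[^>]*>|[^,]*)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_maillog(text):
    """Group sendmail records by queue ID, not by pid: delivery is logged by a
    different child process, so the queue ID is the reliable join key."""
    txns = defaultdict(lambda: {"from": None, "to": [], "rejects": [], "lost_input": False})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a sendmail record in the layout we understand
        t = txns[m.group("qid")]
        rest = m.group("rest")
        if rest.startswith("lost input channel"):
            t["lost_input"] = True  # peer dropped the connection mid-session
            continue
        fields = {k: v.strip() for k, v in FIELD_RE.findall(rest)}
        if "reject" in fields:
            t["rejects"].append(fields["reject"])  # e.g. "... Relaying denied"
        elif "from" in fields:
            t["from"] = fields  # envelope record, carries nrcpts= and relay=
        elif "to" in fields:
            t["to"].append(fields)  # one delivery record per recipient
    return dict(txns)


def classify(txn):
    """One-word verdict for a transaction; 'no-recipients' covers nrcpts=0."""
    if txn["rejects"]:
        return "rejected"
    if txn["from"] is None:
        return "connection-lost" if txn["lost_input"] else "delivery-without-envelope"
    if txn["from"].get("nrcpts") == "0":
        return "no-recipients"
    if txn["to"]:
        sent = any(r.get("stat", "").startswith("Sent") for r in txn["to"])
        return "delivered" if sent else "delivery-attempted"
    return "queued-no-delivery-record"  # look in later log files or mailq


def summarize(text):
    return {qid: classify(t) for qid, t in parse_maillog(text).items()}


def relayed_through(txns, local_domains, local_nets):
    """Queue IDs of mail that came from outside local_nets and was delivered
    to a domain outside local_domains: the signature of a relayed spam run."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    hits = []
    for qid, t in sorted(txns.items()):
        if t["from"] is None or not t["to"]:
            continue
        ipm = IP_RE.search(t["from"].get("relay", ""))
        # No bracketed IP means a local command-line submission (relay=user@localhost)
        src_local = ipm is None or any(ipaddress.ip_address(ipm.group(1)) in n for n in nets)
        if src_local:
            continue
        for r in t["to"]:
            domain = r.get("to", "").strip("<>").rsplit("@", 1)[-1].lower()
            if domain not in local_domains and r.get("stat", "").startswith("Sent"):
                hits.append(qid)
                break
    return hits


if __name__ == "__main__":
    # Assumed site values: the domains this server hosts and its inside networks.
    txns = parse_maillog(SAMPLE_MAILLOG)
    for qid, verdict in sorted(summarize(SAMPLE_MAILLOG).items()):
        print(f"{qid}: {verdict}")
    print("relayed through this host:", relayed_through(txns, {"example.net"}, ["10.0.0.0/8"]))
```

Point it at a real file with `parse_maillog(open("/var/log/maillog").read())`; a from= line whose partner to= record never appears in any of the rotated files, with nrcpts greater than 0, is the case worth chasing, while nrcpts=0 envelopes and "Relaying denied" rejects are the server doing its job.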