Logs and how to read them

Mike Rambour mikey at b2systems.com
Wed Apr 21 21:14:13 UTC 2004


At 01:27 PM 4/21/2004, you wrote:
>On Wed, 21.04.2004 at 22:07, Mike Rambour wrote:
> >     I am a very newbie here and my ISP is saying they received a complaint
> > about SPAM being sent from my machine, they claim its my IP that sent it
> > (fixed IP, not DHCP).
>
>You should ask them for the log entries they used to determine your
>machine as the culprit.
>
> >    I have checked and I have relaying turned off and only 6 valid users on
> > the machine, I forced a password change for all accounts.  I also used
> > Abuse.Net's relay test to make sure I was not allowing relays. I have no
> > idea how that SPAM got out.  Since this machine is a firewall for our
> > office,  I tested all internal machines for virus/worms/etc with the latest
> > tools.
>
>I suppose these machines are windows. You should check their mail
>program configuration. What smtp host do they use for sending mail? In
>addition you should reconfigure one client to directly use a smtp host
>outside your office network (assuming they are configured to use the
>smtpd on your firewall box). Your firewall configuration should block
>this type of communication. Otherwise a client can send mail which will
>not show up in your log file.
>
> >    But lines like these 2 below did NOT have matching lines, does this mean
> > they got sent? Relayed through my machine somehow?  I could not find a fail
> > or sent line for many lines like the ones below.
> >
> > Apr 21 12:25:00 mail sendmail[1067]: MAA01067:
> > from=<postmaster at hoteiscontinental.com.br>, size=1657, class=0, pri=0,
> > nrcpts=0, proto=ESMTP, relay=[200.213.72.130]
> > Apr 21 12:29:03 mail sendmail[1214]: MAA01214: from=<>, size=0, class=0,
> > pri=0, nrcpts=0, proto=SMTP, relay=fw1-81-80-126-2.bplc.fr [81.80.126.2]
>
>You should perform a
>   grep MAA01067   /var/log/maillog
>resp. a
>   grep MAA01214   /var/log/maillog
>and you should see the complete communication
>
> >    Where do I learn to read the various logs on Fedora/Linux?  If I missed
> > a Google, what should I have googled for?

    I had already done the grep that was suggested, those 2 lines only show
up once in the maillog (there are others that only show up once also).  Does
this mean that the relay was successful?  I sure hope not.   And yes, the
internal machines are mostly Windows and I did check for viruses and worms.

    One thing I did notice after reading this reply is yes, I can set up an
external SMTP on a Windows machine and go through my firewall and connect
to it, but the internal machines are all using my SMTP server; there are
only 8 internal machines so it was easy to check.  I don't think that is how
the SPAM got out, I trust these users.  I will go browse the web some more
on viruses and worms to make sure that my tools can catch them.  I am using
the latest anti-virus and Ad-Aware and Stinger.

   I will probably switch to Postfix; several people have said it would be
easier also.

         mike 
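Mike's question about log lines that appear only once can be settled from the nrcpts field, which counts the recipients sendmail accepted for that envelope: nrcpts=0 means no recipient was accepted, so no to= line follows and nothing was relayed. The script below is an added example (not from the thread) that groups a maillog excerpt by queue ID and applies that check; the MAA01300 lines and the office.example/remote.example names are constructed.

```python
import re

# Constructed sample of sendmail /var/log/maillog lines. MAA01067 and MAA01214
# are the two from the thread (unwrapped, "at" restored to "@"); MAA01300 is
# constructed to show a completed delivery: from= with nrcpts=1, then to= with stat=Sent.
SAMPLE_MAILLOG = """\
Apr 21 12:25:00 mail sendmail[1067]: MAA01067: from=<postmaster@hoteiscontinental.com.br>, size=1657, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=[200.213.72.130]
Apr 21 12:29:03 mail sendmail[1214]: MAA01214: from=<>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=fw1-81-80-126-2.bplc.fr [81.80.126.2]
Apr 21 12:31:10 mail sendmail[1300]: MAA01300: from=<alice@office.example>, size=812, class=0, pri=30812, nrcpts=1, msgid=<x@office.example>, proto=ESMTP, relay=pc7.office.example [192.0.2.7]
Apr 21 12:31:11 mail sendmail[1300]: MAA01300: to=<bob@remote.example>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30812, relay=mx.remote.example. [198.51.100.25], dsn=2.0.0, stat=Sent (ok)
"""

LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<rest>.*)")

def parse_maillog(text):
    """Group log lines by sendmail queue ID, keeping the from= and to= records."""
    msgs = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = msgs.setdefault(m["qid"], {"from": None, "to": []})
        # Each record is a comma-separated list of key=value fields.
        fields = dict(kv.split("=", 1) for kv in re.split(r",\s+", m["rest"]) if "=" in kv)
        if m["rest"].startswith("from="):
            rec["from"] = fields
        elif m["rest"].startswith("to="):
            rec["to"].append(fields)
    return msgs

def classify(rec):
    """Explain one queue ID; nrcpts is the number of recipients sendmail accepted."""
    frm, tos = rec["from"], rec["to"]
    if frm is None:
        return "to= without from=; the envelope was logged before this excerpt starts"
    if not tos:
        if frm.get("nrcpts") == "0":
            # Zero accepted recipients: the session never produced a deliverable
            # message, so no to= line will ever appear and nothing was relayed.
            return "no recipients accepted; nothing relayed"
        return "recipients accepted but no to= line yet; still queued or log cut"
    stats = [t.get("stat", "") for t in tos]
    if all(s.startswith("Sent") for s in stats):
        return "delivered to %d recipient(s)" % len(tos)
    return "delivery incomplete: " + "; ".join(stats)

def audit(text):
    """Map every queue ID in a maillog excerpt to a one-line verdict."""
    return {qid: classify(rec) for qid, rec in parse_maillog(text).items()}
```

Run it over a real `grep MAA01067 /var/log/maillog` output the same way; a from= line with nrcpts>0 and no to= line is the case that deserves a closer look, not the nrcpts=0 ones.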