Logs and how to read them
Mike Rambour
mikey at b2systems.com
Wed Apr 21 21:14:13 UTC 2004
At 01:27 PM 4/21/2004, you wrote:
>On Wed, 21.04.2004 at 22:07, Mike Rambour wrote:
> > I am a very newbie here and my ISP is saying they received a complaint
> > about SPAM being sent from my machine, they claim it's my IP that sent it
> > (fixed IP, not DHCP).
>
>You should ask them for the log entries they used to determine your
>machine as the culprit.
>
> > I have checked and I have relaying turned off and only 6 valid users on
> > the machine, I forced a password change for all accounts. I also used
> > Abuse.Net's relay test to make sure I was not allowing relays. I have no
> > idea how that SPAM got out. Since this machine is a firewall for our
> > office, I tested all internal machines for virus/worms/etc with the latest
> > tools.
>
>I suppose these machines are Windows. You should check their mail
>program configuration. What SMTP host do they use for sending mail? In
>addition you should reconfigure one client to directly use an SMTP host
>outside your office network (assuming they are configured to use the
>smtpd on your firewall box). Your firewall configuration should block
>this type of communication. Otherwise a client can send mail which will
>not show up in your log file.
>
> > But lines like these 2 below did NOT have matching lines, does this mean
> > they got sent? Relayed through my machine somehow? I could not find a fail
> > or sent line for many lines like the ones below.
> >
> > Apr 21 12:25:00 mail sendmail[1067]: MAA01067:
> > from=<postmaster at hoteiscontinental.com.br>, size=1657, class=0, pri=0,
> > nrcpts=0, proto=ESMTP, relay=[200.213.72.130]
> > Apr 21 12:29:03 mail sendmail[1214]: MAA01214: from=<>, size=0, class=0,
> > pri=0, nrcpts=0, proto=SMTP, relay=fw1-81-80-126-2.bplc.fr [81.80.126.2]
>
>You should perform a
> grep MAA01067 /var/log/maillog
>and, respectively, a
> grep MAA01214 /var/log/maillog
>and you should see the complete communication.
>
> > Where do I learn to read the various logs on Fedora/Linux? If I missed
> > a google what should I have googled for?
I had already done the grep that was suggested; those 2 lines only show
up once in the maillog (there are others that only show up once also). Does
this mean that the relay was successful? I sure hope not. And yes, the
internal machines are mostly Windows and I did check for viruses and worms.
One thing I did notice after reading this reply is yes, I can set up an
external SMTP on a Windows machine and go through my firewall and connect
to it, but the internal machines are all using my SMTP server; there are
only 8 internal machines so it was easy to check. I don't think that is how
the SPAM got out, I trust these users. I will go browse the web some more
on viruses and worms to make sure that my tools can catch them; I am using
the latest anti-virus and Ad-Aware and Stinger.
I will probably switch to Postfix; several people have said it would be
easier also.
mike
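The grep-by-queue-ID check suggested in the thread, automated as an added example that is not part of the original messages: it groups sendmail maillog records by queue ID and explains what each group means. In sendmail's log, nrcpts is the number of recipients accepted for the envelope, so a from= line with nrcpts=0 has no to=/stat= line to match because nothing was queued or relayed for it. The sample log is constructed: the two envelope lines quoted in the thread plus made-up records using example.com/example.net addresses and 192.0.2.x relay hosts.

```python
import re
from collections import defaultdict

# Constructed sample log: the two envelopes quoted in the thread ('@' restored
# where the archive wrote ' at '), plus constructed records for a rejected relay
# attempt, a completed delivery and an envelope with no delivery record.
SAMPLE_MAILLOG = """\
Apr 21 12:24:59 mail sendmail[1067]: MAA01067: ruleset=check_rcpt, arg1=<someone@example.net>, relay=[200.213.72.130], reject=550 5.7.1 <someone@example.net>... Relaying denied
Apr 21 12:25:00 mail sendmail[1067]: MAA01067: from=<postmaster@hoteiscontinental.com.br>, size=1657, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=[200.213.72.130]
Apr 21 12:29:03 mail sendmail[1214]: MAA01214: from=<>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=fw1-81-80-126-2.bplc.fr [81.80.126.2]
Apr 21 12:31:10 mail sendmail[1300]: MAA01300: from=<alice@example.com>, size=812, class=0, pri=30812, nrcpts=1, proto=ESMTP, relay=pc7.office.example.com [192.0.2.7]
Apr 21 12:31:11 mail sendmail[1302]: MAA01300: to=<bob@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30812, relay=mx.example.net. [198.51.100.25], dsn=2.0.0, stat=Sent (OK)
Apr 21 12:40:00 mail sendmail[1400]: MAA01400: from=<carol@example.com>, size=2048, class=0, pri=32048, nrcpts=1, proto=ESMTP, relay=pc3.office.example.com [192.0.2.3]
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")

def parse_maillog(text):
    """Group sendmail records by queue ID; each record becomes a dict of key=value fields."""
    envelopes = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other daemons, or lines without a queue ID (e.g. NOQUEUE)
        fields = {}
        for field in m.group("rest").split(", "):
            key, _, value = field.partition("=")
            fields[key] = value
        envelopes[m.group("qid")].append(fields)
    return dict(envelopes)

def classify(envelopes):
    """Explain each queue ID the way the output of 'grep <qid> /var/log/maillog' should be read."""
    report = {}
    for qid, recs in envelopes.items():
        env = next((r for r in recs if "from" in r), None)
        rejects = [r for r in recs if "reject" in r]
        deliveries = [r for r in recs if "to" in r]
        if env is None:
            report[qid] = "delivery record without envelope line (check the previous log file)"
        elif env.get("nrcpts") == "0":
            # No recipient accepted: a lone from= line is expected, nothing was relayed.
            detail = f"; {len(rejects)} recipient(s) rejected: {rejects[0]['reject']}" if rejects else ""
            report[qid] = f"no recipients accepted (nrcpts=0) from {env['relay']}{detail}"
        elif deliveries:
            report[qid] = "delivered: " + "; ".join(f"{d['to']} {d.get('stat', '?')}" for d in deliveries)
        else:
            report[qid] = f"INCOMPLETE: {env['nrcpts']} recipient(s) accepted from {env['relay']} but no to=/stat= record"
    return report
```

Run against a real /var/log/maillog (plus its rotated predecessor, since a delivery record can land in the next file) and look only at the INCOMPLETE and delivered entries whose relay= is an outside host; those are the ones that would indicate relaying.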