Fedora Linux Support Community & Resources Center

  #1  
Old 11th January 2006, 09:58 PM
u-noneinc-s Offline
Registered User
 
Join Date: Jul 2005
Location: Wine Country, California
Posts: 2,862
spammers

I am not currently concerned about spammers relaying. In fact, I often get relaying denied for attempted spam relaying.
But I am curious, if someone should find a hole and relay spam through my system, what kind of numbers might I expect to see in my sendmail log?
An example of today (slightly higher than typical but still well within reason)...
Code:
Message traffic by domain:
                         |   Inbound   |  Outbound   |  Internal   |    Total
Domain                   | Msgs Kbytes | Msgs Kbytes | Msgs Kbytes | Msgs Kbytes
-------------------------+-------------+-------------+-------------+------------
localhost                |    3      4 |    0      0 |    0      0 |    3      4
localhost.localdomain    |    0      0 |    0      0 |    3     42 |    3     
noneinc.us               |   25    110 |    0      0 |    3      4 |   28    114
-------------------------+-------------+-------------+-------------+------------
TOTAL                    |   28    114 |    0      0 |    6     46 |   34    160


Message Size Distribution:
Range          # Msgs       KBytes
0 - 10k            35          121
10k - 20k           3           51
20k - 50k           2           51
50k - 100k          0            0
100k - 500k         0            0
500k - 1Mb          0            0
1Mb - 2Mb           0            0
2Mb - 5Mb           0            0
5Mb - 10Mb          0            0
10Mb+               0            0
----------------------------------
TOTAL              40          225
Avg. Size                        5
I think about 15 of them were spams to me.
I consider myself lucky as this is the most I have received and I'm sure many of you see (possibly) hundreds.

Also note the zero "outbound". This is due to most ISPs refusing mail from me as I am on dynamic DSL, so I am using my ISP's smtp to send mail (just in case anyone also has a thought on how to get AOL and CS and GTE to accept mail from my dynamic IP). This may not be doable due to me not actually "owning" the domain: dig noneinc.us maps to my dynamic IP, but whois noneinc.us returns a friend of mine as the actual owner.

Main question is the spam one, the other is just "putting out feelers" in case anyone has any thoughts.
Thank you
Reply With Quote
  #2  
Old 26th May 2006, 01:57 AM
wgh Offline
Registered User
 
Join Date: May 2006
Posts: 44
Where is the sendmail log located?
Reply With Quote
  #3  
Old 26th May 2006, 02:12 AM
u-noneinc-s Offline
Registered User
 
Join Date: Jul 2005
Location: Wine Country, California
Posts: 2,862
/var/log/maillog. I assumed sendmail log as I use sendmail, but I guess it's a generic mail log for sendmail, postfix or whatever(?).
Reply With Quote
  #4  
Old 26th May 2006, 02:16 AM
wgh Offline
Registered User
 
Join Date: May 2006
Posts: 44
How did you get your maillog to look nice like that?
Reply With Quote
  #5  
Old 26th May 2006, 02:29 AM
Iron_Mike Offline
Registered User
 
Join Date: Jul 2005
Location: Ft Huachuca, AZ
Posts: 3,762
This is a good baseline to determine daily mail. Should your outbounds jump up into the thousands of msgs and size increase dramatically, I would be alarmed. But as it stands right now with your numbers, relax, enjoy. Congrats...
Reply With Quote
  #6  
Old 26th May 2006, 02:35 AM
u-noneinc-s Offline
Registered User
 
Join Date: Jul 2005
Location: Wine Country, California
Posts: 2,862
This is not actually the "maillog", but rather the maillog section of logwatch which you "should" find every day in your root mailbox.
Somewhere I set some loglevel to 10. I thought it was /etc/syslog.conf but I just looked there and there is no option for that. Maybe it was an option in logwatch itself...

I'm checking...

It wasn't /usr/share/logwatch/default.conf/logfiles/maillog.conf either....still looking...Ahh, here it is...

/usr/share/logwatch/default.conf/logwatch.conf in the following section...

Code:
# The default detail level for the report.
# This can either be Low, Med, High or a number.
# Low = 0
# Med = 5
# High = 10
Detail = 10
Reply With Quote
  #7  
Old 26th May 2006, 02:40 AM
u-noneinc-s Offline
Registered User
 
Join Date: Jul 2005
Location: Wine Country, California
Posts: 2,862
Wow, thousands? I guess I'll definitely know if and when I get zombied then. Thanks Iron_Mike
I think one day last week there were a record 30 or 40 relaying denied attempted spams (all from the same address though). Usually 4-5 attempts/day max so I do feel pretty lucky.
Reply With Quote
  #8  
Old 26th May 2006, 02:59 AM
wgh Offline
Registered User
 
Join Date: May 2006
Posts: 44
Once you change the logwatch.conf file, do you have to restart anything?

Also, I set up Evolution for local delivery of mail, /var/spool/mail/root. Is that what most people do to view these reports? I am also getting junk mail and whatnot in my root mailbox. Is the root = postmaster?

Last edited by wgh; 26th May 2006 at 03:16 AM.
Reply With Quote
  #9  
Old 26th May 2006, 03:15 AM
u-noneinc-s Offline
Registered User
 
Join Date: Jul 2005
Location: Wine Country, California
Posts: 2,862
I believe it will be /var/mail/root. If not, look in /root/mail. And last but not least, there is /root/mbox.

I read mine via Webmin, but you can run mutt or some other text-based mail utility, or you can use a terminal and do <cat /var/mail/root |more>, but if you haven't read it in a while there's probably a whole bunch so a mailer would be best.
I like mutt (but webmin has me spoiled).

Of course, you'll have to be root so first do <su -> and after you enter root password type mutt.

You may be able to run thunderbird as root and set up a root mail account there. I haven't tried it and I don't know if it's a good idea or not from a security standpoint. Anybody care to comment on this?

EDIT removed hint to pine or elm, don't know if they are still around
Reply With Quote
  #10  
Old 31st May 2006, 09:40 PM
wgh Offline
Registered User
 
Join Date: May 2006
Posts: 44
How come my log doesn't see Outbound?

And how would you know if someone is using your computer for spam?
Reply With Quote
  #11  
Old 31st May 2006, 09:53 PM
u-noneinc-s Offline
Registered User
 
Join Date: Jul 2005
Location: Wine Country, California
Posts: 2,862
I don't know, but let me start by saying that this post (and this log) is a few months old. Recent updates have changed the behavior of my logs and I now no longer get outbound either. Everything that is listed now is based on 1 or greater "attempts". If I get 0 relay attempts, there is no mention of relaying in the logs. Otherwise I get a message relaying denied x# times and a list of addresses and x# attempts by each.
So, maybe it's because there is no outbound traffic "from the server". I'll have to test that with mutt (which will send from this server rather than from my ISP's smtp).
Reply With Quote
  #12  
Old 31st May 2006, 10:13 PM
SHtRO Offline
Registered User
 
Join Date: Jul 2005
Posts: 178
An aside, you can configure your sendmail (SMTP) to relay through your ISP SMTP (who should accept no problem, since you are on his net).
__________________
Imagination is more important than knowledge.
--Albert Einstein
Reply With Quote
  #13  
Old 31st May 2006, 10:32 PM
u-noneinc-s Offline
Registered User
 
Join Date: Jul 2005
Location: Wine Country, California
Posts: 2,862
I am relaying through them. My mail arrives at its destination as coming from me@myemail.me with my ISP's address xxx.xxx.xxx.xxx. I can send mail all day long from me@outgiong.nydomain.com with mutt but have never been able to get thunderbird to use it. Plus my ISP along with AOL and a couple others reject it because "if it's dynamic it's spam"; at least that's the explanation I get from the returned mail (rejected by their spam filter). Kmail also delivers mail from my own smtp but I don't much like kmail. And if it's going to get rejected anyway, what's the use?
But thanks anyway
MN
Reply With Quote
  #14  
Old 1st June 2006, 07:46 PM
u-noneinc-s Offline
Registered User
 
Join Date: Jul 2005
Location: Wine Country, California
Posts: 2,862
wgh; I sent myself a few test mails from my smtp and still got no "outbound" in my logwatch so I don't know what has changed there.
Quote:
And how would you know if someone is using your computer for spam?
That was the intent of the original post. I guess there are 2 answers. 1, Watch your logs for a sudden excessive jump in the volume of messages.
2, If the spammers know what they are doing, I think they would know how to cover their tracks and you probably won't know (until you start getting blocked yourself and find yourself on a bunch of spam block lists).
Group: Is this a reasonable assumption?
Reply With Quote
  #15  
Old 1st June 2006, 09:15 PM
mnisay Offline
Registered User
 
Join Date: May 2005
Location: PH
Posts: 696
Here's a package, besides logwatch and other anti-spam software that comes with Fedora.
This software is normally run as a cron job every N minutes to check for too many emails received and sent from a certain IP or host, based on a limit you set in its conf.

If true, it sends a notification email to you immediately, sends you an SMS, and/or blocks the route to the said host or IP...and more.

Saves your tiring eyes and fingers, server resources and bandwidth should you fall asleep while working.

Check out http://www.spamshield.org/


Further reading:
man mailstats

HTH
Reply With Quote
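
Added example, not part of any post in this thread and not spamshield's code: the two checks discussed above (a jump in outbound volume against your daily baseline, and a per-IP limit) run over sendmail-format lines as found in /var/log/maillog. The sample log lines, the limits and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in sendmail's syslog format (addresses are documentation ranges).
SAMPLE_LOG = """\
Jun  1 19:40:01 mx sendmail[2101]: k51Je1aa002101: from=<a@example.com>, size=2210, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.com [192.0.2.10]
Jun  1 19:40:02 mx sendmail[2102]: k51Je1aa002101: to=<me@localhost>, delay=00:00:01, mailer=local, pri=32210, dsn=2.0.0, stat=Sent
Jun  1 19:41:10 mx sendmail[2110]: k51Jf0aa002110: ruleset=check_rcpt, arg1=<x@example.org>, relay=[203.0.113.7], reject=550 5.7.1 <x@example.org>... Relaying denied
Jun  1 19:41:12 mx sendmail[2110]: k51Jf0aa002110: ruleset=check_rcpt, arg1=<y@example.org>, relay=[203.0.113.7], reject=550 5.7.1 <y@example.org>... Relaying denied
Jun  1 19:45:00 mx sendmail[2120]: k51Jj0aa002120: from=<promo@example.net>, size=5120, class=0, nrcpts=3, proto=SMTP, daemon=MTA, relay=[198.51.100.23]
Jun  1 19:45:01 mx sendmail[2121]: k51Jj0aa002120: to=<u1@example.org>, delay=00:00:01, mailer=esmtp, pri=35120, relay=mx.example.org. [192.0.2.50], dsn=2.0.0, stat=Sent (ok)
Jun  1 19:45:01 mx sendmail[2121]: k51Jj0aa002120: to=<u2@example.org>, delay=00:00:01, mailer=esmtp, pri=35120, relay=mx.example.org. [192.0.2.50], dsn=2.0.0, stat=Sent (ok)
Jun  1 19:45:02 mx sendmail[2121]: k51Jj0aa002120: to=<u3@example.org>, delay=00:00:02, mailer=esmtp, pri=35120, relay=mx.example.org. [192.0.2.50], dsn=2.0.0, stat=Sent (ok)
"""

RELAY_IP = re.compile(r"relay=[^,\[]*\[(\d{1,3}(?:\.\d{1,3}){3})\]")
NRCPTS = re.compile(r"nrcpts=(\d+)")
REMOTE_MAILER = re.compile(r"mailer=(?:esmtp|smtp|relay)\b")

def summarize(log_text):
    """Count accepted recipients and relay denials per client IP, plus remote deliveries."""
    rcpts, denied, outbound = Counter(), Counter(), 0
    for line in log_text.splitlines():
        if "sendmail[" not in line:
            continue
        ip = RELAY_IP.search(line)
        client = ip.group(1) if ip else "local"  # locally submitted mail has no [ip]
        if "Relaying denied" in line:
            denied[client] += 1
        elif ": from=" in line and (n := NRCPTS.search(line)):
            rcpts[client] += int(n.group(1))
        elif ": to=" in line and "stat=Sent" in line and REMOTE_MAILER.search(line):
            outbound += 1  # delivered to another host, not to a local mailbox
    return {"rcpts": rcpts, "denied": denied, "outbound": outbound}

def alerts(summary, max_outbound, max_rcpts_per_ip):
    """Return alert strings for totals above the baseline limits passed in."""
    found = []
    if summary["outbound"] > max_outbound:
        found.append(f"outbound deliveries {summary['outbound']} > {max_outbound}")
    for ip, n in sorted(summary["rcpts"].items()):
        if n > max_rcpts_per_ip:
            found.append(f"{ip} submitted {n} recipients > {max_rcpts_per_ip}")
    return found

if __name__ == "__main__":
    # Limits here are tiny to fit the sample; set them from your own daily baseline.
    for msg in alerts(summarize(SAMPLE_LOG), max_outbound=2, max_rcpts_per_ip=2):
        print("ALERT:", msg)
```

A rise in the relay-denied counter only shows probing that was refused; the signal for actual abuse is accepted recipients from one client followed by remote deliveries.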