View Full Version : Is my sendmail being used by spammers?

5th March 2005, 04:37 PM
Hello All,

I've got a box with a clean FC3 installation
I'm using sendmail as an MTA
I set it up using these instructions


This guy's tutorials are realy quite good
Each day somebody does a logfile analysis on my machine and send me the results
I'd be tickled if someone explained to me just how this works :)
Anyway the stuff about sendmail looks like this

--------------------- sendmail Begin ------------------------

Bytes Transferred: 2740571
Messages Sent: 94
Total recipients: 116

Possible Attack:
Attempt from UNKNOWN with:
Fixed MIME Content-Type header field : 1 Time(s)

Unknown local users:

Total: 8

Top relays (recipients/connections - min 10 rcpts, max 50 lines):
35/26: lists.netspace.org []

Relaying denied:
From [] to cara@donate-your-car.com: 1 Time(s)

Total: 1

Client quit before communicating: : 1 Time(s) : 1 Time(s) : 1 Time(s) : 1 Time(s) : 1 Time(s) : 1 Time(s) : 1 Time(s) : 1 Time(s)

BlackHole Totals:

Unresolved sender domains:
kkiagb@pilot.ac: 1 Time(s)

Total: 1

Total Mail Rejected: 10

---------------------- sendmail End -------------------------

The machine is just for my home use and has 3-4 acounts on it
I don't believe it should be sending ~100 mails a day
Is someone relaying through my machine
I setup the access.db just like that guy suggested

# by default we allow relaying from localhost...
localhost.localdomain RELAY
localhost RELAY RELAY
192.168.10 RELAY
mydomain.com RELAY

shouldn't this prevent anyone not on my local network from sending mail from my machine?
I do have 1 Windoz machine on my network, could it be compromised? (silly quetsion)
How can I get more detailed info on just who is sending mail from my machine??


5th March 2005, 05:29 PM
this is actually kinda fun
I'm running ethereal on the machine and watching what's going on with sendmail
you guy's help me setup my packet filters
what happens if someone tries to relay thru my machine??
it would come in on port 25, right?
what would identify it, would it have some kinda of header requesting that it be realyed???
right now my filter is just "tcp port 25"


5th March 2005, 06:27 PM
Yes, it does appear that someone is trying to use your server to relay, but because they're not an allowed IP, it doesn't work. And yes, ethereal will show the packets on port 25 - the "trick" to seeing the invalid packets is that they're not originating from your network.