12.20.2007 at 03:03PM PST, ID: 23037247

Sendmail log files: is my_server being used to send spam?

Asked by Time_Logger in SendMail Email Server, Linux Administration, Miscellaneous Security

Doing some work for a client of mine, I need to determine if some entity is using "my_server.com" to send SPAM.

[NOTE: The domains have been changed to protect the innocent (but not the guilty).]

Below is the full email saved as text that was received at kevin.howe@xyz.com

Following is the /var/log/maillog that shows this email being processed along with other log entries that look suspicious.

I am ignorant about what these log entries mean.  What I want to know is:

A) Did the sendmail server at my_server.com process and originate this email?

or

B) Did the sendmail server at my_server.com simply receive the email and the log reflects what it did?

If A, then obviously there's some unauthorized entity initiating these emails via an insecure form-mail or something else.  There are about 12 domains running on this server and a ton of code and pages that could be the culprit.  Or, some script could be on the server.

I have run "rkhunter" and received only a couple of warnings.  

What's the best way to go about finding what process is sending it and/or shutting this down?

Thanks!

RUNNING:

Linux: 2.6.9-023stab044.11-enterprise

Sendmail: 8.12.11-4.25.3.legacy.2.swsoft
==========================================================================================================
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
==========================================================================================================
Received:  from mail pickup service by xyz.com with Microsoft SMTPSVC; Thu, 20 Dec 2007 10:15:56 -0800
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----_=_NextPart_004_01C84334.5D231600"
Subject: *****SPAM***** How would You like to divert 1000s of fresh new visitors daily.
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Thu, 20 Dec 2007 10:15:56 -0800
Message-ID: <9D5A926E11254EE6813B75165763D725@otbcorp.local>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: *****SPAM***** How would You like to divert 1000s of fresh new visitors daily.
thread-index: AchDNF1xA13yKsRwSayCGdd0OFtHxg==
From: <Instant.Booster@my_server.com>
To: <info@abc.com>
Reply-To: <webmaster@promote-biz.net>
 
This is a multi-part message in MIME format.
 
------_=_NextPart_004_01C84334.5D231600
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
 
Can you afford to lose 300,000 potential customers per year ?
 
How would You like to divert 1000s of fresh,
new visitors daily to Your web site or affiliate web site from
Google, stu123, MSN and others At $0 cost to you...?
 
...iNSTANT BOOSTER diverts 1000s of fresh,
new visitors daily to Your web site or affiliate
web site from Google, stu123, MSN and others
at $0 cost to you!
 
...No matter what you are selling or offering -
INTSANT BOOSTER will pull in hordes of potential customers to your =
website=20
- instantly!
 
http://www.solercio.com/instantbooster/
 
 
http://www.solercio.com/remove/
 
 
------_=_NextPart_004_01C84334.5D231600
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Diso-8859-1">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =
6.5.7652.24">
<TITLE>*****SPAM***** How would You like to divert 1000s of fresh new =
visitors daily.</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
 
<P><FONT SIZE=3D2>Can you afford to lose 300,000 potential customers per =
year ?</FONT>
</P>
 
<P><FONT SIZE=3D2>How would You like to divert 1000s of fresh,</FONT>
 
<BR><FONT SIZE=3D2>new visitors daily to Your web site or affiliate web =
site from</FONT>
 
<BR><FONT SIZE=3D2>Google, stu123, MSN and others At $0 cost to =
you...?</FONT>
</P>
 
<P><FONT SIZE=3D2>...iNSTANT BOOSTER diverts 1000s of fresh,</FONT>
 
<BR><FONT SIZE=3D2>new visitors daily to Your web site or =
affiliate</FONT>
 
<BR><FONT SIZE=3D2>web site from Google, stu123, MSN and others</FONT>
 
<BR><FONT SIZE=3D2>at $0 cost to you!</FONT>
</P>
 
<P><FONT SIZE=3D2>...No matter what you are selling or offering -</FONT>
 
<BR><FONT SIZE=3D2>INTSANT BOOSTER will pull in hordes of potential =
customers to your website </FONT>
 
<BR><FONT SIZE=3D2>- instantly!</FONT>
</P>
 
<P><FONT SIZE=3D2><A =
HREF=3D"http://www.solercio.com/instantbooster/">http://www.solercio.com/=
instantbooster/</A></FONT>
</P>
<BR>
 
<P><FONT SIZE=3D2><A =
HREF=3D"http://www.solercio.com/remove/">http://www.solercio.com/remove/<=
/A></FONT>
</P>
<BR>
 
</BODY>
</HTML>
------_=_NextPart_004_01C84334.5D231600--
 
==========================================================================================================
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
==========================================================================================================
 
 
 
L O G    OF     S E N D M A I L      IN      /VAR/LOG/MAILLOG    FROM    my_server.com
 
The log entries to notice have been marked below with my comments as "tap:".
 
 
========================================
tap: the FROM record for lBKIEohx024164
Dec 20 13:15:05 my_server sendmail[24164]:|lBKIEohx024164:|from=<webmaster@promote-biz.net>| size=949| class=0| nrcpts=1| msgid=<20071220101452.68ACBE1240B3AE3F@from.header.has.no.domain>| proto=ESMTP| relay=[124.236.251.40]
========================================
 
Dec 20 13:15:10 my_server sendmail[24163]:|lBKIEouL024163:|from=<webmaster@promote-biz.net>| size=952| class=0| nrcpts=1| msgid=<20071220101452.9F8D7E0088871F67@from.header.has.no.domain>| proto=ESMTP| relay=[124.236.251.40]
 
Dec 20 13:15:10 my_server sendmail[24373]:|STARTTLS=client| relay=root.xyz.com.| version=TLSv1/SSLv3| verify=FAIL| cipher=DHE-RSA-AES256-SHA| bits=256/256
 
========================================
tap: the #1 TO record for lBKIEohx024164
Dec 20 13:15:10 my_server sendmail[24373]:|lBKIEohx024164:|to=kevin.howe@xyz.com| delay=00:00:07| xdelay=00:00:00| mailer=esmtp| pri=91146| relay=root.xyz.com. [216.222.197.178]| dsn=2.0.0| stat=Sent (ok 1198174510 qp 20532)
========================================
 
Dec 20 13:15:10 my_server sendmail[24428]:|lBKIEouL024163:|to=<tycyphy@abc.com>| delay=00:00:02| xdelay=00:00:00| mailer=esmtp| pri=30952| relay=g.mx.mail.stu.com. [209.191.88.239]| dsn=2.0.0| stat=Sent (ok dirdel)
 
Dec 20 13:15:44 my_server sendmail[25666]:|lBKIFf8N025666:|from=<jquiros@def.com>| size=3808| class=0| nrcpts=1| msgid=<f88001c84335$157de900$e0f53e3d@Miranda>| proto=SMTP| relay=61-62-245-224-adsl-kao.dynamic.so-net.net.tw [61.62.245.224]
 
Dec 20 13:15:44 my_server sendmail[25665]:|lBKIFfjP025665:|from=<jquiros@def.com>| size=4036| class=0| nrcpts=1| msgid=<f87f01c84335$15720220$e0f53e3d@Miranda>| proto=SMTP| relay=61-62-245-224-adsl-kao.dynamic.so-net.net.tw [61.62.245.224]
 
Dec 20 13:15:44 my_server sendmail[25692]:|lBKIFfjP025665:|to=root| delay=00:00:01| xdelay=00:00:00| mailer=local| pri=34306| dsn=2.0.0| stat=Sent
 
Dec 20 13:15:44 my_server sendmail[25667]:|lBKIFffB025667:|from=<jquiros@def.com>| size=3979| class=0| nrcpts=1| msgid=<f88101c84335$1589f6f0$e0f53e3d@Miranda>| proto=SMTP| relay=61-62-245-224-adsl-kao.dynamic.so-net.net.tw [61.62.245.224]
 
Dec 20 13:15:44 my_server sendmail[25691]:|lBKIFf8N025666:|to=root| delay=00:00:01| xdelay=00:00:00| mailer=local| pri=34084| dsn=2.0.0| stat=Sent
 
Dec 20 13:15:44 my_server sendmail[25695]:|lBKIFffB025667:|to=<root@pqr.com>| delay=00:00:01| xdelay=00:00:00| mailer=local| pri=34249| dsn=2.0.0| stat=Sent
 
Dec 20 13:15:44 my_server sendmail[25668]:|lBKIFfvJ025668:|from=<jquiros@def.com>| size=3934| class=0| nrcpts=1| msgid=<f88201c84335$1589f6f0$e0f53e3d@Miranda>| proto=SMTP| relay=61-62-245-224-adsl-kao.dynamic.so-net.net.tw [61.62.245.224]
 
Dec 20 13:15:44 my_server sendmail[25669]:|lBKIFfq5025669:|from=<jquiros@def.com>| size=3904| class=0| nrcpts=1| msgid=<f88301c84335$1589f6f0$e0f53e3d@Miranda>| proto=SMTP| relay=61-62-245-224-adsl-kao.dynamic.so-net.net.tw [61.62.245.224]
 
Dec 20 13:15:44 my_server sendmail[25701]:|lBKIFfq5025669:|to=root| delay=00:00:01| xdelay=00:00:00| mailer=local| pri=34174| dsn=2.0.0| stat=Sent
 
Dec 20 13:15:44 my_server sendmail[25698]:|STARTTLS=client| relay=root.xyz.com.| version=TLSv1/SSLv3| verify=FAIL| cipher=DHE-RSA-AES256-SHA| bits=256/256
 
Dec 20 13:15:48 my_server sendmail[25698]:|lBKIFfvJ025668:|to=<support@pqr.com>| delay=00:00:05| xdelay=00:00:04| mailer=esmtp| pri=33934| relay=root.xyz.com. [216.222.197.178]| dsn=5.1.1| stat=User unknown
 
Dec 20 13:15:48 my_server sendmail[25698]:|lBKIFfvJ025668:|lBKIFmvJ025698:|DSN:|User unknown
 
Dec 20 13:15:49 my_server sendmail[25698]:|lBKIFmvJ025698:|to=<jquiros@def.com>| delay=00:00:01| xdelay=00:00:01| mailer=esmtp| pri=34958| relay=sbcentrale.def.com. [195.55.236.160]| dsn=5.7.1| stat=User unknown
 
Dec 20 13:15:49 my_server sendmail[25698]:|lBKIFmvJ025698:|lBKIFmvK025698:|return to sender:|User unknown
 
Dec 20 13:15:49 my_server sendmail[25698]:|lBKIFmvK025698:|to=root| delay=00:00:00| xdelay=00:00:00| mailer=local| pri=35982| dsn=2.0.0| stat=Sent
 
========================================
tap: the #2 TO record for lBKIEohx024164
Dec 20 13:16:10 my_server sendmail[24373]:|lBKIEohx024164:|to=typ2112@stu.com|fireplug012000@stu.com| delay=00:01:07| xdelay=00:01:00| mailer=esmtp| pri=91146| relay=e.mx.mail.stu.com. [216.39.53.1]| dsn=2.0.0| stat=Sent (ok dirdel 2/0)
========================================
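The A-or-B question is answered by the from= record of a message, not by the to= records: sendmail logs who handed the message in as relay= on the from= line (a remote host shows up as `relay=hostname [ip]` or `relay=[ip]`; a local program calling /usr/sbin/sendmail shows up as `relay=user@localhost`), and the 14-character queue ID is the only key that ties the from= line to the later to= lines, because the to= lines are written by a different process (pid 24373 above, not 24164). The script below is an added example written for this page; it is not from the question or from the (not shown) answers. It parses the log lines posted above, keeping the poster's "|" separators while also accepting the real ", " form, and adds two constructed lines (queue ID lBKJ2BaX031001, Unix user apache, recipient victim@example.net, all hypothetical) so the output also shows what a web-script submission looks like. Assumptions to verify against your own maillog: the `relay=user@localhost` form for local submissions and the separate `AUTH=server ... authid=...` record for SMTP AUTH are how sendmail 8.12 logs them.

```python
"""Correlate sendmail from=/to= records by queue ID and classify how each
message entered the server: over the network, via SMTP AUTH, or from a local
process such as a web form handler running /usr/sbin/sendmail.

Added example for the question above.  The first six log lines are the ones
posted in the question (with the poster's "|" separators); the last two are
constructed to show a hypothetical local script submission for contrast."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
Dec 20 13:15:05 my_server sendmail[24164]:|lBKIEohx024164:|from=<webmaster@promote-biz.net>| size=949| class=0| nrcpts=1| msgid=<20071220101452.68ACBE1240B3AE3F@from.header.has.no.domain>| proto=ESMTP| relay=[124.236.251.40]
Dec 20 13:15:10 my_server sendmail[24373]:|STARTTLS=client| relay=root.xyz.com.| version=TLSv1/SSLv3| verify=FAIL| cipher=DHE-RSA-AES256-SHA| bits=256/256
Dec 20 13:15:10 my_server sendmail[24373]:|lBKIEohx024164:|to=kevin.howe@xyz.com| delay=00:00:07| xdelay=00:00:00| mailer=esmtp| pri=91146| relay=root.xyz.com. [216.222.197.178]| dsn=2.0.0| stat=Sent (ok 1198174510 qp 20532)
Dec 20 13:15:44 my_server sendmail[25666]:|lBKIFf8N025666:|from=<jquiros@def.com>| size=3808| class=0| nrcpts=1| msgid=<f88001c84335$157de900$e0f53e3d@Miranda>| proto=SMTP| relay=61-62-245-224-adsl-kao.dynamic.so-net.net.tw [61.62.245.224]
Dec 20 13:15:44 my_server sendmail[25691]:|lBKIFf8N025666:|to=root| delay=00:00:01| xdelay=00:00:00| mailer=local| pri=34084| dsn=2.0.0| stat=Sent
Dec 20 13:16:10 my_server sendmail[24373]:|lBKIEohx024164:|to=typ2112@stu.com|fireplug012000@stu.com| delay=00:01:07| xdelay=00:01:00| mailer=esmtp| pri=91146| relay=e.mx.mail.stu.com. [216.39.53.1]| dsn=2.0.0| stat=Sent (ok dirdel 2/0)
Dec 20 14:02:11 my_server sendmail[31001]: lBKJ2BaX031001: from=<Instant.Booster@my_server.com>, size=812, class=0, nrcpts=1, msgid=<200712201402.lBKJ2BaX031001@my_server.com>, relay=apache@localhost
Dec 20 14:02:12 my_server sendmail[31002]: lBKJ2BaX031001: to=<victim@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30812, relay=mx.example.net. [192.0.2.25], dsn=2.0.0, stat=Sent
"""

# "Mon DD HH:MM:SS host sendmail[pid]: QUEUEID: k=v, k=v, ..."  The paste in the
# question has "|" where the real log has ", "; both are accepted.  Lines with
# no queue ID (STARTTLS=, queue-runner chatter) are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sendmail\[(?P<pid>\d+)\]:\s*\|?\s*(?P<qid>[A-Za-z0-9]{14}):\s*\|?\s*(?P<rest>.*)$"
)
FIELD_SEP = re.compile(r"(?:,|\|)\s+")   # a separator followed by whitespace ends a field
FIELD_RE = re.compile(r"^([A-Za-z]+)=(.*)$")


def parse_fields(rest):
    """'from=<a@b>| size=949| relay=[1.2.3.4]' -> {'from': '<a@b>', 'size': '949', ...}"""
    out = {}
    for chunk in FIELD_SEP.split(rest):
        m = FIELD_RE.match(chunk.strip())
        if m:
            out[m.group(1)] = m.group(2).strip()
    return out


def classify_origin(fields):
    """How did the message enter sendmail?  Uses the from= record plus an
    AUTH=server record (assumed format: AUTH=server, relay=..., authid=USER, ...)
    if one was logged under the same queue ID.  Returns (origin, submitter)."""
    if not fields:
        return "unknown", ""
    relay = fields.get("relay", "")
    if "authid" in fields:                       # SMTP AUTH login: that account is abused
        return "auth", fields["authid"]
    m = re.match(r"^([^@\s\[\]]+)@localhost$", relay)
    if m:                                        # /usr/sbin/sendmail run by a local process
        return "local", m.group(1)               # submitter is the Unix user, e.g. apache
    if relay.startswith("localhost") or "[127.0.0.1]" in relay:
        return "loopback", relay                 # SMTP from the box itself (MSP queue etc.)
    ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", relay)
    return "network", (ip.group(1) if ip else relay)   # SMTP from a remote host


def analyze(log_text):
    """Return {queue_id: summary} joining from= and to= records by queue ID."""
    msgs = defaultdict(lambda: {"fields": {}, "local": [], "relayed": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = parse_fields(m.group("rest"))
        entry = msgs[m.group("qid")]
        if "to" in fields:
            # several recipients are logged as "to=<a>,<b>" (pasted here as "a|b")
            rcpts = [r.strip("<> ") for r in re.split(r"[,|]", fields["to"])]
            bucket = "local" if fields.get("mailer") == "local" else "relayed"
            entry[bucket].extend(rcpts)
        else:
            entry["fields"].update(fields)       # from= and AUTH=server records
    result = {}
    for qid, e in msgs.items():
        origin, submitter = classify_origin(e["fields"])
        result[qid] = {"origin": origin, "submitter": submitter,
                       "sender": e["fields"].get("from", "").strip("<>"),
                       "local": e["local"], "relayed": e["relayed"]}
    return result


VERDICTS = {
    "auth": "AUTH_ORIGIN: sent through an SMTP AUTH login; reset that password.",
    "local": "LOCAL_ORIGIN: injected by a local process running as that Unix user; "
             "find the script (form handler, cron job) in that user's processes or the web access log at this time.",
    "loopback": "LOOPBACK: SMTP from 127.0.0.1; the MSP (sm-msp-queue) line for the same message names the real user.",
    "inbound": "INBOUND: accepted from a remote host and delivered to local mailboxes only.",
    "relay": "RELAYED_FOR_REMOTE_HOST: accepted over SMTP from a remote IP with no AUTH record and sent on to "
             "external recipients; unless that IP is listed RELAY in /etc/mail/access this is an open relay.",
    "unknown": "UNKNOWN: no from= record in this excerpt; look at the full log for the queue ID.",
}


def verdict(summary):
    """Map a message summary to one of the VERDICTS keys."""
    if summary["origin"] == "network":
        return "relay" if summary["relayed"] else "inbound"
    return summary["origin"]


def report(log_text):
    lines = []
    for qid, s in analyze(log_text).items():
        lines.append(f"{qid}: from=<{s['sender']}> via {s['origin']} {s['submitter']}; "
                     f"local={s['local']} relayed={s['relayed']}")
        lines.append("    " + VERDICTS[verdict(s)])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the posted lines, lBKIEohx024164 comes out as neither A nor B as the question frames them: my_server did not originate it (the from= line shows it arriving over ESMTP from 124.236.251.40, with no AUTH record), but it did relay it onward to kevin.howe@xyz.com and two stu.com addresses via mailer=esmtp, so the server acted as a relay for an outside host. The practical checks are whether 124.236.251.40 is granted RELAY in /etc/mail/access (`grep 124.236.251 /etc/mail/access`) and, from an outside machine, an SMTP session with a foreign MAIL FROM and RCPT TO, which a correctly configured sendmail refuses with `550 5.7.1 ... Relaying denied`. Two caveats visible in the post itself: the `From: <Instant.Booster@my_server.com>` header in the received copy is just a header the sender wrote, while the envelope sender in the log is webmaster@promote-biz.net (the Reply-To); and the saved copy was rewritten by Exchange (X-MimeOLE), so its Received: chain does not show the hop through my_server, which is why the maillog is the evidence to rely on. The jquiros@def.com messages, by contrast, are plain inbound mail delivered to local mailboxes (mailer=local).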
12.22.2007 at 08:47AM PST, ID: 20519018 (Assisted Solution)

12.23.2007 at 08:06PM PST, ID: 20523467 (Solution)

About this solution

Solution Provided By: ssvl
Participating Experts: 2
Solution Grade: A
 
 
12.24.2007 at 08:22AM PST, ID: 20525109 (Assisted Solution)