figuring out where mail is coming from


on 27.03.2004 09:57:27 by urgrue

I would deduce from this log snippet that this particular mail was sent by
my own server; would this be a correct deduction? Are there alternative
interpretations? Because the mail in question was quite obviously loaded
with a trojan or virus.

Mar 27 09:45:00 mail sendmail[19487]: i2R7j0919487: from=postmaster,
size=6479, class=0, nrcpts=1,
msgid=<200403270745.i2R7j0919487@mail.mydomain.com>, relay=root@localhost
Mar 27 09:45:00 mail sendmail[19490]: i2R7j0919487: to="|exec
/usr/bin/procmail", ctladdr=freddie (500/100), delay=00:00:00,
xdelay=00:00:00, mailer=prog, pri=126479, dsn=2.0.0, stat=Sent

-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: figuring out where mail is coming from

on 27.03.2004 14:39:35 by Glynn Clements

urgrue wrote:

> I would deduce from this log snippet that this particular mail was sent by
> my own server; would this be a correct deduction? Are there alternative
> interpretations? Because the mail in question was quite obviously loaded
> with a trojan or virus.
>
> Mar 27 09:45:00 mail sendmail[19487]: i2R7j0919487: from=postmaster,
> size=6479, class=0, nrcpts=1,
> msgid=<200403270745.i2R7j0919487@mail.mydomain.com>, relay=root@localhost
> Mar 27 09:45:00 mail sendmail[19490]: i2R7j0919487: to="|exec
> /usr/bin/procmail", ctladdr=freddie (500/100), delay=00:00:00,
> xdelay=00:00:00, mailer=prog, pri=126479, dsn=2.0.0, stat=Sent

The format of the first line indicates that the mail originated from a
local process rather than an SMTP connection. The relay= indicates a
root-owned process.

The from=postmaster indicates that it might be a bounce message. One
possibility is:

1. The trojan gets a victim address (in this case, yours) from
somewhere.

2. It connects to the MX for that address.

3. It sends the affected message with the victim address as the sender
and a likely bad address (at the same domain) as the recipient.

4. The message bounces (due to the bad recipient address) back to the
apparent sender (in this case, you).

A number of recent email-borne viri have used deliberate bounces as
part of the delivery strategy.

Check for other references to the ID i2R7j0919487 in your mail logs.
If sendmail generates a bounce message, it normally adds a log entry
indicating this fact, along with the ID of the message to which the
bounce refers.

--
Glynn Clements
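To follow the advice in the reply above (correlate queue IDs and read the from= line for local vs. network origin), here is an added Python script that is not part of the thread: it groups sendmail log lines by queue ID, links a bounce to the message that triggered it via sendmail's "origqid: dsnqid: DSN: reason" entry (an assumption about the log format, not something shown in the thread), and classifies each message's origin. The sample log is constructed: two lines are the ones quoted above, the other three are hypothetical lines illustrating the bounce chain the reply describes.

```python
import re
from collections import defaultdict

# Constructed sample: lines 4 and 5 are the ones quoted in the thread; the other
# three are hypothetical, in sendmail's log format, to show the described bounce chain.
SAMPLE_LOG = """\
Mar 27 09:44:59 mail sendmail[19485]: i2R7ixAB19485: from=<freddie@mydomain.com>, size=6100, class=0, nrcpts=1, msgid=<fake@example.invalid>, proto=SMTP, relay=[192.0.2.10]
Mar 27 09:44:59 mail sendmail[19485]: i2R7ixAB19485: to=<nosuchuser@mydomain.com>, delay=00:00:00, mailer=local, pri=36100, dsn=5.1.1, stat=User unknown
Mar 27 09:45:00 mail sendmail[19485]: i2R7ixAB19485: i2R7j0919487: DSN: User unknown
Mar 27 09:45:00 mail sendmail[19487]: i2R7j0919487: from=postmaster, size=6479, class=0, nrcpts=1, msgid=<200403270745.i2R7j0919487@mail.mydomain.com>, relay=root@localhost
Mar 27 09:45:00 mail sendmail[19490]: i2R7j0919487: to="|exec /usr/bin/procmail", ctladdr=freddie (500/100), delay=00:00:00, xdelay=00:00:00, mailer=prog, pri=126479, dsn=2.0.0, stat=Sent
"""

LINE_RE = re.compile(r"^\S+ +\d+ [\d:]+ \S+ sendmail\[\d+\]: (\w+): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|<[^>]*>|[^,]*)')  # value forms: "..", <..>, or bare
DSN_RE = re.compile(r"^(\w+): DSN: (.*)$")            # assumed: "origqid: dsnqid: DSN: reason"

def parse_log(text):
    """Group sendmail entries by queue ID and link each bounce to its original."""
    msgs = defaultdict(lambda: {"from": None, "relay": None, "proto": None,
                                "to": [], "bounce_of": None, "bounces": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        qid, rest = m.groups()
        dsn = DSN_RE.match(rest)
        if dsn:  # the bounce's queue ID is logged against the original's ID
            dsn_qid = dsn.group(1)
            msgs[qid]["bounces"].append(dsn_qid)
            msgs[dsn_qid]["bounce_of"] = qid
            continue
        kv = dict(KV_RE.findall(rest))
        if "from" in kv:  # envelope line: sender, protocol (if any) and relay
            msgs[qid]["from"] = kv["from"].strip("<>")
            msgs[qid]["relay"] = kv.get("relay")
            msgs[qid]["proto"] = kv.get("proto")
        elif "to" in kv:  # delivery line: recipient and final status
            msgs[qid]["to"].append((kv["to"].strip('"<>'), kv.get("stat")))
    return dict(msgs)

def classify_origin(rec):
    """No proto= plus a user@localhost relay means a local process, not an SMTP peer."""
    if rec["bounce_of"]:
        return f"bounce generated by this server for {rec['bounce_of']}"
    if rec["proto"]:
        return f"{rec['proto']} from {rec['relay']}"
    if rec["relay"] and rec["relay"].endswith("@localhost"):
        return f"local process running as {rec['relay'].split('@')[0]}"
    return "unknown"
```

Run it over a real maillog to see, for the suspicious queue ID, whether a DSN entry ties it to an inbound SMTP message with a forged sender and an unknown recipient, which is the pattern the reply suggests checking for.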