[NTLUG:Discuss] alert from sendmail
Tom McDonald
tom at compuclaim.com
Sun Apr 25 23:23:40 CDT 2004
On Sun, 25 Apr 2004 21:40:58 -0500
Greg Edwards <greg at nas-inet.com> wrote:
> Tom McDonald wrote:
> > On Sun, 25 Apr 2004 11:04:12 -0500
> > Greg Edwards <greg at nas-inet.com> wrote:
> >
> >
> >>Anyone know what this means? Found it in my log report.
> >>
> >>Active System Attack Alerts
> >>=-=-=-=-=-=-=-=-=-=-=-=-=-=
> >>Apr 24 20:00:32 mrytle sendmail[11148]: i3P10STn011148:
> >>from=<mcKeell at attack.ru>, size=651, class=0, nrcpts=1,
> >>msgid=<834a01c42a54$5dee0a3a$bea840ad at stagnum.fr>, proto=SMTP,
> >>daemon=MTA, relay=[211.190.91.79]
> >>
> >>TIA,
> >>--
> >>Greg Edwards
>
> >
> >
> > Greg,
> >
> > It looks like an attack alert from portsentry or maybe snort...
<snip>
> Tom,
>
> This was in my daily log report. It came from mail/info and it was
> the only entry related to this mail message. From everything I can
> find it looks like sendmail generated the message. The log/messages,
> auth, etc log files don't show any other activity near the same time
> that could be related.
>
> --
> Greg Edwards
Greg,
The message header has an ID# 834a01c42a54$5dee0a3a$bea840ad at stagnum.fr
which is where the message originated. It looks like a consulting house
in Paris. Even though I have done some French things, I can't read
it... :')
I know a lot of the spammers are operating out of Russia now because of
laws like in California, and there's a ton of open relays in the orient.
They solicit email ad campaigns, then if a business signs up they send
the info to Russia, and they do the spamming from there, of course they
use the open relays to bounce the spam around a little so you can't
trace it back...
I think it's an attempt to get your MTA to relay the message that
originated in France, then was relayed at least in Korea, with a phony
From line from Russia, and your MX took it as an attack... Without
knowing your MTA and config it would be hard to say.
Tom
----
Tom McDonald <tom at compuclaim.com>
Compuclaim Inc.
I remember the Big Bang! (It wasn't so big!!)
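One way to pull the three origin indicators Tom compares (envelope sender domain, Message-ID domain, relay address) out of a sendmail "from=" log line and flag the inconsistencies, as an added example that is not code from the thread; the sample line is reconstructed from the quoted entry with the archive's " at " restored to "@".

```python
import re

# Constructed sample: the sendmail entry quoted in the thread, joined onto one line.
SAMPLE_LINE = (
    "Apr 24 20:00:32 mrytle sendmail[11148]: i3P10STn011148: "
    "from=<mcKeell@attack.ru>, size=651, class=0, nrcpts=1, "
    "msgid=<834a01c42a54$5dee0a3a$bea840ad@stagnum.fr>, proto=SMTP, "
    "daemon=MTA, relay=[211.190.91.79]"
)

# syslog prefix, then "qid: key=value, key=value, ..." as sendmail writes it
PREFIX = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sendmail\[\d+\]: "
                    r"(?P<qid>\w+): (?P<rest>.*)$")
# relay= is "name [ip]" when reverse DNS resolved, or just "[ip]" when it did not
RELAY = re.compile(r"^(?:(?P<rdns>\S+) )?\[(?P<ip>[0-9a-fA-F.:]+)\]$")

def parse_sendmail_from(line):
    """Parse one sendmail envelope-sender (from=) log line into a dict."""
    m = PREFIX.match(line.strip())
    if not m:
        raise ValueError("not a sendmail queue-id log line")
    rec = {k: m.group(k) for k in ("ts", "host", "qid")}
    for field in m.group("rest").split(", "):
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def address_domain(addr):
    """Domain part of '<user@example.org>' (brackets stripped, lower-cased)."""
    return addr.strip("<>").rpartition("@")[2].lower()

def relay_parts(relay):
    """Split relay= into (reverse-DNS name or None, IP address)."""
    m = RELAY.match(relay)
    return (m.group("rdns"), m.group("ip")) if m else (None, relay)

def assess(rec):
    """List the origin inconsistencies a defender would flag in this entry."""
    findings = []
    sender_dom = address_domain(rec.get("from", ""))
    msgid_dom = address_domain(rec.get("msgid", ""))
    rdns, ip = relay_parts(rec.get("relay", ""))
    if sender_dom and msgid_dom and sender_dom != msgid_dom:
        findings.append(f"sender domain {sender_dom} differs from Message-ID domain {msgid_dom}")
    if rdns is None:
        findings.append(f"relay {ip} has no reverse DNS name")
    return findings
```

On the quoted line this reports the .ru sender against the .fr Message-ID and the bare-IP relay; a hit on both is a reasonable trigger for a closer look at the full SMTP transaction in the same log.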