[plug] any advice

William Kenworthy billk at iinet.net.au
Sat Aug 7 09:05:05 WST 2010


MAC addresses - you will have to track back through the network topology.  Even if the IP is spoofed the MAC should be ok.

And your exit ACLs should block all but your real IPs from going out.

billk

-- 
BillK at home
Sent from my Nokia N900
----- Original message -----
> Had a look and there is no ip addr showing. I had read that a lot of the
> time the offending PC does not send the spam through the mail server. 
> What I see is a lot of data trying to go out but with no source IP from
> any internal PC.
> 
> Sent via BlackBerry® from Vodafone
> 
> -----Original Message-----
> From: Patrick Coleman <blinken at gmail.com>
> Sender: plug-bounces at plug.org.au
> Date: Fri, 6 Aug 2010 15:04:30 
> To: <plug at plug.org.au>
> Reply-To: plug at plug.org.au, blinken at gmail.com
> Subject: Re: [plug] any advice
> 
> On Fri, Aug 6, 2010 at 2:05 PM, Jon L Miller
> <jlmiller at mmtnetworks.com.au> wrote:
> > I did a capture on the mailserver and this is what one of the streams
> > produced.
> > 220 mmtlnx.mmtnetworks.com.au ESMTP Postfix
> 
> If you're running Postfix, looking at /var/log/mail.log will tell you
> the IP of the machine sending your mailserver the spammy email. Lines
> like:
> 
> Aug   6 14:41:28 shell postfix/smtpd[2692]: A89BF6057:
> client=na3sys009amx258.postini.com[74.125.149.142]
> Aug   6 14:41:31 shell postfix/cleanup[4068]: A89BF6057:
> message-id=<20100806064116.6065C54136 at i4-m3.sendgrid.net>
> Aug   6 14:41:31 shell postfix/qmgr[1130]: A89BF6057:
> from=<fakespamdomain at spamspamspam.com>, size=12473, nrcpt=1 (queue
> active)
> Aug   6 14:41:31 shell deliver(pcoleman at labyrinthdata.net.au):
> msgid=<20100806064116.6065C54136 at i4-m3.sendgrid.net>: saved mail to
> INBOX
> Aug   6 14:41:31 shell postfix/pipe[4069]: A89BF6057:
> to=<pcoleman at labyrinthdata.net.au>, relay=virtual, delay=6.6,
> delays=6.5/0.01/0/0.09, dsn=2.0.0, status=sent (delivered via virtual
> service)
> Aug   6 14:41:31 shell postfix/qmgr[1130]: A89BF6057: removed
> Aug   6 14:41:32 shell postfix/smtpd[2692]: disconnect from
> na3sys009amx258.postini.com[74.125.149.142]
> 
> ...indicate that 74.125.149.142 connected, and gave you a message from
> fakespamdomain at spamspamspam.com, to pcoleman at labyrinthdata.net.au.
> 
> Hope that helps?
> 
> Cheers,
> 
> Patrick
> 
> 
> http://www.labyrinthdata.net.au - WA Backup, Web and VPS Hosting
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://www.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.linux.org.au
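As an added example (it is not part of this thread and not code posted by anyone in it), the script below does mechanically what Patrick describes: it correlates each Postfix queue ID in mail.log with the `client=` IP, the envelope sender and the recipients, keeps only clients inside the LAN range, and looks each one up in the gateway's neighbour (ARP) table to get the MAC address Bill suggests tracing back through the switches. The log lines and the neighbour table are constructed samples in the same layout as the quoted lines (hosts and addresses from example/documentation ranges); the neighbour table format is what iproute2's `ip neigh show` prints. The LAN CIDR and file paths are assumptions for the demonstration.

```python
import ipaddress
import re

# Constructed sample Postfix log, modelled on the format quoted in the thread but
# not taken from it. 192.168.1.57 is the LAN host submitting the unwanted mail;
# 203.0.113.9 is a legitimate external peer; the NOQUEUE line is a rejection.
SAMPLE_MAIL_LOG = """\
Aug  6 14:41:28 shell postfix/smtpd[2692]: connect from unknown[192.168.1.57]
Aug  6 14:41:28 shell postfix/smtpd[2692]: A89BF6057: client=unknown[192.168.1.57]
Aug  6 14:41:31 shell postfix/qmgr[1130]: A89BF6057: from=<fakespam@spam.example.net>, size=12473, nrcpt=1 (queue active)
Aug  6 14:41:31 shell postfix/smtp[4071]: A89BF6057: to=<victim@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=6.6, status=sent (250 OK)
Aug  6 14:41:31 shell postfix/qmgr[1130]: A89BF6057: removed
Aug  6 14:41:32 shell postfix/smtpd[2692]: disconnect from unknown[192.168.1.57]
Aug  6 14:42:02 shell postfix/smtpd[2700]: B12C4A001: client=mail.example.com[203.0.113.9]
Aug  6 14:42:03 shell postfix/qmgr[1130]: B12C4A001: from=<alice@example.com>, size=2048, nrcpt=1 (queue active)
Aug  6 14:42:10 shell postfix/smtpd[2692]: C77D90F22: client=unknown[192.168.1.57]
Aug  6 14:42:11 shell postfix/qmgr[1130]: C77D90F22: from=<other@spam.example.net>, size=9000, nrcpt=2 (queue active)
Aug  6 14:42:11 shell postfix/smtp[4071]: C77D90F22: to=<a@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=1.2, status=sent (250 OK)
Aug  6 14:42:11 shell postfix/smtp[4071]: C77D90F22: to=<b@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=1.2, status=sent (250 OK)
Aug  6 14:42:15 shell postfix/smtpd[2700]: NOQUEUE: reject: RCPT from unknown[192.168.1.88]: 554 5.7.1 Relay access denied
"""

# Constructed neighbour table in `ip neigh show` layout; the FAILED entry has no MAC.
SAMPLE_NEIGH = """\
192.168.1.57 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.2 dev eth1 lladdr 00:11:22:33:44:aa STALE
192.168.1.88 dev eth1  FAILED
"""

# "postfix/<program>[pid]: <queue id>: <rest>" -- only queued messages carry an ID
QUEUE_RE = re.compile(r'postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)$')
CLIENT_RE = re.compile(r'client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]')
FROM_RE = re.compile(r'from=<(?P<addr>[^>]*)>')
TO_RE = re.compile(r'\bto=<(?P<addr>[^>]*)>')
NEIGH_RE = re.compile(r'^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-fA-F:]+)')


def parse_mail_log(text):
    """Map each queue ID to the connecting client and the envelope it carried."""
    msgs = {}
    for line in text.splitlines():
        m = QUEUE_RE.search(line)
        if not m or m['qid'] == 'NOQUEUE':   # rejections never got a queue ID
            continue
        rec = msgs.setdefault(m['qid'], {'client_ip': None, 'client_host': None,
                                         'from': None, 'to': []})
        rest = m['rest']
        c = CLIENT_RE.search(rest)
        if c:
            rec['client_ip'], rec['client_host'] = c['ip'], c['host']
        f = FROM_RE.search(rest)
        if f:
            rec['from'] = f['addr']
        t = TO_RE.search(rest)
        if t:
            rec['to'].append(t['addr'])
    return msgs


def parse_neigh_table(text):
    """Map IP -> MAC from `ip neigh show` output; entries without lladdr are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            table[m['ip']] = m['mac'].lower()
    return table


def internal_submitters(msgs, lan_cidr):
    """Per-client totals for clients inside lan_cidr (external peers are ignored)."""
    lan = ipaddress.ip_network(lan_cidr)
    stats = {}
    for rec in msgs.values():
        ip = rec['client_ip']
        if ip is None:
            continue
        try:
            if ipaddress.ip_address(ip) not in lan:
                continue
        except ValueError:   # unparsable address in the log; skip rather than crash
            continue
        s = stats.setdefault(ip, {'messages': 0, 'recipients': 0, 'senders': set()})
        s['messages'] += 1
        s['recipients'] += len(rec['to'])
        if rec['from'] is not None:
            s['senders'].add(rec['from'])
    return stats


def report(log_text, neigh_text, lan_cidr):
    """Rows of LAN clients, busiest first, each joined to its MAC where the table has one."""
    msgs = parse_mail_log(log_text)
    macs = parse_neigh_table(neigh_text)
    rows = [{'ip': ip, 'mac': macs.get(ip), 'messages': s['messages'],
             'recipients': s['recipients'], 'senders': sorted(s['senders'])}
            for ip, s in internal_submitters(msgs, lan_cidr).items()]
    rows.sort(key=lambda r: r['messages'], reverse=True)
    return rows


if __name__ == '__main__':
    for r in report(SAMPLE_MAIL_LOG, SAMPLE_NEIGH, '192.168.1.0/24'):
        print(f"{r['ip']:15} mac={r['mac'] or 'unknown':17} msgs={r['messages']} "
              f"rcpts={r['recipients']} from={','.join(r['senders'])}")
```

On a real box you would call `report(open('/var/log/mail.log').read(), subprocess.check_output(['ip', 'neigh', 'show'], text=True), '192.168.1.0/24')` on the gateway, where the neighbour table actually holds the LAN hosts; a LAN client with many messages and many different envelope senders is the machine to go and find by its MAC on the switch. Note the limitation the original poster already ran into: a compromised PC that talks to remote port 25 directly never shows up in mail.log at all, and only the gateway's connection tracking or the logging egress ACL Bill recommends will record it.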
