[plug] any advice

Jon L Miller jlmiller at mmtnetworks.com.au
Mon Aug 9 20:29:18 WST 2010


Thanks for the info. Unfortunately, or however one looks at it, I could not
find any of the PCs infected and therefore am at a loss.  What I do know is
the following: I shut down postfix completely and did a sniff on packets
going out the 1 interface I have, and there are still packets whose
destination is 25, with various src addresses.  All with various source
addresses, the packets are [SYN] with a return of [RST, ACK], so from the
looks of things nothing is going out.  It seems that the packets are
coming in through the Cisco router, hitting the postfix server, and on return
they are reset or dropped/blocked.  
My question is, is there a way to minimize the incoming packets?

Also I'm looking at installing ASSP; has anyone installed this yet?  When I
did, I went to run telnet to see if it was listening on port 25 and it
was not.  So I could use a little help on configuring this.

Thanks

Jon

-----Original Message-----
From: plug-bounces at plug.org.au [mailto:plug-bounces at plug.org.au] On Behalf
Of William Kenworthy
Sent: Saturday, 7 August 2010 9:05 AM
To: plug at plug.org.au; jlmiller at mmtnetworks.com.au
Subject: Re: [plug] any advice

MAC addresses - you will have to track back through the network topology.
Even if the IP is spoofed, the MAC should be OK.

And your exit ACLs should block all but your real IPs from going out.

billk

-- 
BillK at home
Sent from my Nokia N900
----- Original message -----
> Had a look and there is no IP addr showing. I had read that a lot of the
> time the offending PC does not send the spam through the mail server.
> What I see is a lot of data trying to go out but with no source IP from
> any internal PC.
>
> Sent via BlackBerry® from Vodafone
> 
> -----Original Message-----
> From: Patrick Coleman <blinken at gmail.com>
> Sender: plug-bounces at plug.org.au
> Date: Fri, 6 Aug 2010 15:04:30 
> To: <plug at plug.org.au>
> Reply-To: plug at plug.org.au, blinken at gmail.com
> Subject: Re: [plug] any advice
> 
> On Fri, Aug 6, 2010 at 2:05 PM, Jon L Miller
> <jlmiller at mmtnetworks.com.au> wrote:
> > I did a capture on the mailserver and this is what one of the streams
> > produced.
> > 220 mmtlnx.mmtnetworks.com.au ESMTP Postfix
> 
> If you're running Postfix, looking at /var/log/mail.log will tell you
> the IP of the machine sending your mailserver the spammy email. Lines
> like:
> 
> Aug   6 14:41:28 shell postfix/smtpd[2692]: A89BF6057:
> client=na3sys009amx258.postini.com[74.125.149.142]
> Aug   6 14:41:31 shell postfix/cleanup[4068]: A89BF6057:
> message-id=<20100806064116.6065C54136 at i4-m3.sendgrid.net>
> Aug   6 14:41:31 shell postfix/qmgr[1130]: A89BF6057:
> from=<fakespamdomain at spamspamspam.com>, size=12473, nrcpt=1 (queue
> active)
> Aug   6 14:41:31 shell deliver(pcoleman at labyrinthdata.net.au):
> msgid=<20100806064116.6065C54136 at i4-m3.sendgrid.net>: saved mail to
> INBOX
> Aug   6 14:41:31 shell postfix/pipe[4069]: A89BF6057:
> to=<pcoleman at labyrinthdata.net.au>, relay=virtual, delay=6.6,
> delays=6.5/0.01/0/0.09, dsn=2.0.0, status=sent (delivered via virtual
> service)
> Aug   6 14:41:31 shell postfix/qmgr[1130]: A89BF6057: removed
> Aug   6 14:41:32 shell postfix/smtpd[2692]: disconnect from
> na3sys009amx258.postini.com[74.125.149.142]
> 
> ...indicate that 74.125.149.142 connected, and gave you a message from
> fakespamdomain at spamspamspam.com, to pcoleman at labyrinthdata.net.au.
> 
> Hope that helps?
> 
> Cheers,
> 
> Patrick
> 
> 
> http://www.labyrinthdata.net.au - WA Backup, Web and VPS Hosting
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://www.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.linux.org.au

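Patrick's log excerpt above shows how a queue ID ties the smtpd "client=" line to the envelope sender and recipients. The script below is an added example (not Patrick's code nor part of Postfix) that groups /var/log/mail.log lines by queue ID and tallies submissions per private (LAN) client IP, so a single internal host submitting lots of mail stands out; the sample log is constructed and modelled on the excerpt, with the 192.168.1.57 entries made up, and as noted earlier in the thread it only sees mail that actually passed through Postfix.

```python
import re
import ipaddress

# Constructed sample log modelled on the thread's excerpt; the 192.168.1.57 entries are made up.
SAMPLE_LOG = """\
Aug  6 14:41:28 shell postfix/smtpd[2692]: A89BF6057: client=na3sys009amx258.postini.com[74.125.149.142]
Aug  6 14:41:31 shell postfix/qmgr[1130]: A89BF6057: from=<fakespamdomain@spamspamspam.com>, size=12473, nrcpt=1 (queue active)
Aug  6 14:41:31 shell postfix/pipe[4069]: A89BF6057: to=<pcoleman@labyrinthdata.net.au>, relay=virtual, delay=6.6, delays=6.5/0.01/0/0.09, dsn=2.0.0, status=sent (delivered via virtual service)
Aug  6 14:41:31 shell postfix/qmgr[1130]: A89BF6057: removed
Aug  6 14:42:02 shell postfix/smtpd[2701]: B1234ABCD1: client=unknown[192.168.1.57]
Aug  6 14:42:03 shell postfix/qmgr[1130]: B1234ABCD1: from=<bogus@example.net>, size=2100, nrcpt=1 (queue active)
Aug  6 14:42:04 shell postfix/smtp[4100]: B1234ABCD1: to=<a@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=1.2, status=sent (250 OK)
Aug  6 14:42:09 shell postfix/smtpd[2701]: C5678ABCD2: client=unknown[192.168.1.57]
Aug  6 14:42:10 shell postfix/qmgr[1130]: C5678ABCD2: from=<other@example.net>, size=2200, nrcpt=1 (queue active)
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)$")
CLIENT_RE = re.compile(r"client=(\S+?)\[([0-9a-fA-F.:]+)\]")
FROM_RE = re.compile(r"from=<([^>]*)>")
TO_RE = re.compile(r"to=<([^>]*)>")

def parse_postfix_log(text):
    """Group log lines by Postfix queue ID: submitting client, envelope sender, recipients."""
    msgs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Postfix queue-ID line (e.g. 'disconnect from ...')
        daemon, qid, rest = m.groups()
        rec = msgs.setdefault(qid, {"client_host": None, "client_ip": None, "from": None, "to": []})
        c = CLIENT_RE.search(rest) if daemon == "smtpd" else None
        if c:
            rec["client_host"], rec["client_ip"] = c.groups()
        f = FROM_RE.search(rest)
        if f:
            rec["from"] = f.group(1)
        t = TO_RE.search(rest)
        if t:
            rec["to"].append(t.group(1))
    return msgs

def submissions_by_client(msgs, private_only=True):
    """Messages per submitting IP, most active first; private_only keeps RFC 1918 (LAN) clients."""
    counts = {}
    for rec in msgs.values():
        ip = rec["client_ip"]
        if ip is None or (private_only and not ipaddress.ip_address(ip).is_private):
            continue
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])
```

Feed it the real file with `parse_postfix_log(open("/var/log/mail.log").read())`; a LAN address at the top of the list is the PC to go and look at.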