little off topic: Am I an open relay?

Scott Silva ssilva at SGVWATER.COM
Tue Jun 7 17:01:37 IST 2005 

    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

Jason Williams wrote:
> Steve,
> 
> Thanks for the heads-up, especially since we are testing out Thunderbird
> right now.
> Well, I figured out for the most part what the problem was. It appears
> one of my users computer is loaded with spyware. *sigh*
> I was able to watch my server and catch a piece of the mail. When I
> broke down the headers, the orginating IP address was from my internal
> network. Which completely threw me off as well as piss me off. Once I
> unplugged the persons computer from the network, everything was fine. So
> in essence, that computer turned into a mailserver. Today I will be
> doing some forensic work on the computer to see just what the hell
> happened (can you tell that I am still angry?)
> 
> This is another one of those things that drives me nuts because i've
> been pushing for months (almost a year really) to tighten down what are
> users can do, both browsing the internet and installing software.
> FINALLY! After yesterday, the big wigs said "Wow, that was serious.
> Maybe we should stop it. Lets do it." Ya, a day late and a dollar short.
> 
> Anyway, if anyone is curious as to what I find on the computer, shoot me
> a personal email and i'll give you a full breakdown of what i find.
> 
> Thanks for the heads up Steve.
> 
> Jason
> 
>> Jason,
>>
>> I had a similar situation just last week. It had to do with some kind
>> of setup
>> on a user's Thunderbird. A friend of this user told him how to set up
>> Thunderbird to act as a relay for a different domain than ours, and
>> for some
>> reason, because it was being done from our IPs, sendmail would go
>> merrily along
>> and send it, even though it wasn't supposed to. I never did find out
>> what the
>> user had done to make this happen, and he wasn't savvy enough to be
>> able to tell
>> me. My only option I could think of before I found out what was
>> happening, was
>> to block the domain in MS, and the user finally called and complained.
>>
>>
>>  
>>
> 
Some of that cr#p gets installed through activex vulnerabilities in IE.
The user doesn't have to say yes, as a matter of fact they get no prompt
at all, and some gets in even on locked down PC's. It's making me pull
out my hair! I have had to do the "cat5-ectomy" on several PC's this year.

-- 
   ,---.____________      _        ============   .
 /'                  \   |  \       I_  O  _I_,==.:
| A beer doesn't get  >--|===`-----'I `---' I |  |:
| upset if you come  /  _ \         I       I |  |:'
| home with another /  (   `-,----============:__;:
| beer!            /  (_    O   __)       \_      :
| ,,---.__________/     (______)          (_)
:/

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list