Off Topic - Can someone help?

ajos1 at onion.demon.co.uk ajos1 at onion.demon.co.uk
Thu Jan 3 04:22:52 GMT 2008



I am sending this for 2 reasons:

(1) To let people know there might be something that they need to look out for...

(2) I am hoping someone might tell me what I have got wrong with my system.


I think I have a safe-ish system... (i.e.) not an open relay and so on... but TONIGHT all of a sudden something/someone is "supposedly" able to relay.


Hack example one is:  Sending from: dwkscy at yahoo.com to a2234455 at tomail.com.tw

Hack example two is:  Sending from: okorfhzoaiadke at yahoo.com to zillions of people !!

I tried telnetting from a remote IP... and doing:  mail from: <a at yahoo.com>  and  rcpt to: <b at tomail.com.tw> .  And my system says that Relaying is denied...

As a temporary stop... I have had to put this in my /etc/mail/access file

/etc/mail/access
================
To:tomail.com.tw     REJECT


###########
#### Does anyone have a clue how I might be getting hacked???
###########



[root at www log]# host -t mx tomail.com.tw
========================================
tomail.com.tw mail is handled by 10 localhost.



[root at www log]# grep -i 005955 maillog
======================================
Jan  3 01:28:50 www sendmail[5955]: m031SgPv005955: from=<dwkscy at yahoo.com>, size=1658, class=0, nrcpts=1, msgid=<MESUDDUFSUEWDFVOVABXGNCN at yahoo.com>, bodytype=8BITMIME, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jan  3 01:28:50 www sendmail[5955]: m031SgPv005955: to=<a2234455 at tomail.com.tw>, delay=00:00:02, mailer=esmtp, pri=31658, stat=queued
Jan  3 01:28:53 www sendmail[5963]: m031SgPv005955: SYSERR(root): MX list for tomail.com.tw. points back to www.tbshs.herts.sch.uk
Jan  3 01:28:53 www sendmail[5963]: m031SgPv005955: to=<a2234455 at tomail.com.tw>, delay=00:00:05, xdelay=00:00:00, mailer=esmtp, pri=121658, relay=tomail.com.tw., dsn=5.3.5, stat=Local configuration error
Jan  3 01:28:53 www sendmail[5963]: m031SgPv005955: m031SrMj005963: DSN: Local configuration error
Jan  3 01:29:03 www MailScanner[26370]: Logging message m031SgPv005955 to SQL 
Jan  3 01:29:03 www MailScanner[5971]: m031SgPv005955: Logged to MailWatch SQL 



[root at www log]# grep -i 008581 maillog
======================================
Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: from=<okorfhzoaiadke at yahoo.com>, size=6253, class=0, nrcpts=51, msgid=<CYSGRANINJSFZUJCWXBWXXN at yahoo.com>, bodytype=8BITMIME, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<s6721 at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<siask at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<yuan0312 at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<acut at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<dzj at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<a45211 at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<yshs at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<jt10 at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<gl66 at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued

==
=====================================================================
=
= "I should have listened to myself earlier..."
=
=====================================================================
=  Need help with: Parking Tickets, Bailiffs, Capita or HertsGrid???
=  Call...    +44 8457 90 90 90    http://www.samaritans.org/
=====================================================================
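
The from= entries quoted in the post carry relay=localhost.localdomain [127.0.0.1], which is the host sendmail accepted the message from. As an added example (not part of the original post), this triage script lists queue IDs that were accepted from loopback with a non-local sender and outbound recipients; the sample lines, queue IDs and the local domain `school.example` are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the maillog format shown in the post; addresses,
# queue IDs and the local domain "school.example" are made up.
SAMPLE_LOG = """\
Jan  3 01:28:50 www sendmail[5955]: m03AAAAA005955: from=<x1@example.com>, size=1658, class=0, nrcpts=1, msgid=<A@example.com>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jan  3 01:28:50 www sendmail[5955]: m03AAAAA005955: to=<u1@example.net>, delay=00:00:02, mailer=esmtp, pri=31658, stat=queued
Jan  3 01:30:10 www sendmail[6001]: m03BBBBB006001: from=<friend@example.org>, size=900, class=0, nrcpts=1, msgid=<B@example.org>, proto=ESMTP, daemon=MTA, relay=mx.example.org [192.0.2.25]
Jan  3 01:30:10 www sendmail[6001]: m03BBBBB006001: to=<staff@school.example>, delay=00:00:01, mailer=local, pri=30900, stat=Sent
Jan  3 01:49:36 www sendmail[8581]: m03CCCCC008581: from=<x2@example.com>, size=6253, class=0, nrcpts=51, msgid=<C@example.com>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jan  3 01:49:36 www sendmail[8581]: m03CCCCC008581: to=<u2@example.net>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
Jan  3 01:49:36 www sendmail[8581]: m03CCCCC008581: to=<u3@example.net>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
"""

LINE = re.compile(r"sendmail\[\d+\]: (\w+): (from|to)=<([^>]*)>(.*)")
RELAY_IP = re.compile(r"relay=[^,]*\[([\d.]+)\]")
NRCPTS = re.compile(r"nrcpts=(\d+)")

def domain(addr):
    return addr.rpartition("@")[2].lower()

def find_loopback_injections(log_text, local_domains):
    """Return (queue_id, sender, nrcpts, outbound_rcpts_logged) per suspect message."""
    msgs = defaultdict(lambda: {"sender": "", "ip": None, "nrcpts": 0, "rcpts": set()})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # SYSERR, DSN and MailScanner lines have no from=<>/to=<> field
        qid, kind, addr, rest = m.groups()
        if kind == "from":
            ip, n = RELAY_IP.search(rest), NRCPTS.search(rest)
            msgs[qid].update(sender=addr, ip=ip.group(1) if ip else None,
                             nrcpts=int(n.group(1)) if n else 0)
        else:
            msgs[qid]["rcpts"].add(addr)  # set: a rcpt is logged again on each retry
    findings = []
    for qid, msg in msgs.items():
        outbound = {r for r in msg["rcpts"] if domain(r) not in local_domains}
        # Accepted from loopback, sender claims a foreign domain, mail leaves the site
        if msg["ip"] == "127.0.0.1" and domain(msg["sender"]) not in local_domains and outbound:
            findings.append((qid, msg["sender"], msg["nrcpts"], len(outbound)))
    return findings

if __name__ == "__main__":
    for finding in find_loopback_injections(SAMPLE_LOG, {"school.example"}):
        print(finding)
```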

