Slightly OT: Postcard Virus/SPAM

Garrod Alwood admin at lorodoes.com
Tue Oct 13 23:18:02 IST 2009


Possibly one of your users has a compromised machine then if they are
accessing the mailserver through Outlook or Thunderbird or any other email
client program.

> There are no users logged in.  Server is a web server and mail server.
> There are accounts set up for users for the email but they are accessed
> only through imap/dovecot.  None of the users have shell access (set to
> /bin/nologin or /bin/false).
>
> I am remote from the machine right now so I will not be able to test the
> "init 1" until tomorrow morning.
>
> Philip
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Alex Neuman
> Sent: Tuesday, October 13, 2009 5:43 PM
> To: MailScanner discussion
> Subject: Re: Slightly OT: Postcard Virus/SPAM
>
> Sure, but there's so much you need to test...
>
> First of all, how many logged in users do you have? Did you run "last"
> to see if anyone's logged in? Does it still run if you "init 1" then
> start networking and the MTA/MailScanner?
>
> On Oct 13, 2009, at 4:35 PM, Philip Zeigler wrote:
>
>> I just noticed that one of my mail servers has been compromised
>> somehow and has begun sending out spam/virus as if it was coming
>> from postcard.org.  The emails seem to be originating from my web
>> server with the apache at mydomain.com address.
>>
>> I have stopped the sendmail out process so that these don't get
>> sent.  This also prevents more of these emails from being
>> generated.  If I flush the mail queue and restart the outbound
>> sendmail process then more of these emails get generated.  Until I
>> get this cleaned up, I'm leaving it off.
>>
>> My problem is that I can't figure out how they are actually getting
>> generated so that I can put a stop to it.  There is no trace in my
>> access_log files of anyone posting through a form, etc.
>>
>> Has anyone else dealt with this and know how to clean up this mess?
>>
>> Philip
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!