Subj : Re: How to detect WORMS/VIRUS that send spam
To : comp.os.linux.networking,comp.os.linux.misc,comp.os.linux,comp.os.linux.help
From : Patrick McDonnell
Date : Tue Aug 03 2004 10:32 am

Steve Phils wrote:
> Hi Linux Techies,
>
> My firm is using a Linux Mandrake configuration for our mail server, and
> the internal computers connect through LAN technologies like Ethernet,
> which is used with DSL/cable modems and dialup connections. This mail
> server acts as the proxy or firewall for all sorts of internet
> activities (browsing, chatting, file transfers, ...). Internal computers are
> mostly Windows and Linux based (maximum of 20 PCs altogether).
> Currently we noticed that all of our staff members are receiving a lot
> of spam mails with some attachments (mostly with some *.pif extension)
> at their official mail address. I notice that the spamming is
> happening only on the days our mail server is up (on holidays spam is not
> happening). Unfortunately I'm the one who is administering the
> configuration and all other computer related activities. I'm not an
> expert in networking or even in Linux OS internals though :-).
>
> I'm digging deep to find any VIRUS/WORMS that really reside in our LINUX
> mail server. How can I know of any vulnerabilities in the LINUX machine?
> Also I'd like to know whether some outsider can use our LINUX SMTP
> server to send spam mail. Is there any way to check
> for this outside intrusion?
>
> What are the common ways to find such vulnerabilities in a LINUX
> configuration?
>
> Thanks!

You may want to look into programs like clamav and amavis.

Also, one thing I find useful on my mail server is pop-before-smtp. Basically, it means that you must log in to the IMAP or POP server before that IP address can use the SMTP server. I.e., if I log in to my IMAP server, I can also send email using my SMTP server within 20 minutes (or whatever value you choose). That should help prevent unauthorized parties from relaying spam through you, if you set it up right.
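The pop-before-smtp idea in the reply above, as an added example that is not part of the original post or of any pop-before-smtp package: a small Python tracker that reads POP/IMAP login lines, remembers which client IPs authenticated, and answers whether an SMTP client may relay within the 20-minute grace window. The syslog line format, the daemon names (pop3d/imapd) and the sample log lines are constructed for the example; a real deployment would tail the live mail log and feed the allowed-IP list to whatever MTA access map it uses, which the post does not name.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines from a hypothetical pop3d/imapd. The daemon
# names and message format are assumptions for this example, not from the post.
SAMPLE_AUTH_LOG = """\
Aug  3 10:01:12 mail pop3d: LOGIN, user=alice, ip=[192.168.1.15]
Aug  3 10:05:40 mail imapd: LOGIN, user=bob, ip=[192.168.1.22]
Aug  3 10:07:03 mail pop3d: LOGIN FAILED, user=alice, ip=[203.0.113.9]
Aug  3 10:30:02 mail imapd: LOGIN, user=alice, ip=[192.168.1.15]
"""

LOG_YEAR = 2004                  # syslog lines carry no year; assumed for the sample
WINDOW = timedelta(minutes=20)   # grace period mentioned in the reply

# Only a *successful* login grants relay rights; "LOGIN FAILED" lines must not match.
LOGIN_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"(?:pop3d|imapd): LOGIN, user=(?P<user>\S+), ip=\[(?P<ip>[\d.]+)\]$"
)


def sample_time(clock):
    """Build a datetime on the sample log's day from an HH:MM:SS string."""
    return datetime(LOG_YEAR, 8, 3, *map(int, clock.split(":")))


def parse_logins(text):
    """Yield (timestamp, ip) for each successful POP/IMAP login in the log text."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # failures and unrelated lines do not grant relay rights
        stamp = f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}"
        yield datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m["ip"]


class PopBeforeSmtp:
    """Remembers recent successful POP/IMAP logins per client IP."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.logins = defaultdict(list)  # ip -> list of login timestamps

    def record_login(self, when, ip):
        self.logins[ip].append(when)

    def may_relay(self, ip, now):
        """True if `ip` authenticated within `window` before `now`."""
        return any(when <= now < when + self.window for when in self.logins.get(ip, ()))

    def expire(self, now):
        """Drop logins whose grace period has passed; return IPs with none left."""
        stale = []
        for ip, times in list(self.logins.items()):
            times[:] = [w for w in times if now < w + self.window]
            if not times:
                del self.logins[ip]
                stale.append(ip)
        return sorted(stale)

    def allowed_ips(self, now):
        """Snapshot of IPs currently permitted to relay (what an MTA map would hold)."""
        return sorted(ip for ip in self.logins if self.may_relay(ip, now))


def build_from_log(text, window=WINDOW):
    tracker = PopBeforeSmtp(window)
    for when, ip in parse_logins(text):
        tracker.record_login(when, ip)
    return tracker


def relay_decision(tracker, ip, now):
    return "relay allowed" if tracker.may_relay(ip, now) else "relay denied"


if __name__ == "__main__":
    t = build_from_log(SAMPLE_AUTH_LOG)
    for ip, clock in [("192.168.1.15", "10:15:00"), ("192.168.1.15", "10:25:00"),
                      ("192.168.1.15", "10:45:00"), ("203.0.113.9", "10:10:00")]:
        print(ip, clock, relay_decision(t, ip, sample_time(clock)))
```

Two things worth keeping in mind when relying on this scheme: the check is per IP address, so every host behind a shared NAT address inherits the relay right for the window once one user logs in, and a failed login (as in the third sample line) must never be counted, which is why the pattern matches only the success message.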