Subj: Re: How to detect WORMS/VIRUS that send spam
To: comp.os.linux.networking,comp.os.linux.misc,comp.os.linux,comp.os.linux.help
From: unruh
Date: Tue Aug 03 2004 06:02 pm

nessuno@wigner.berkeley.edu (nessuno) writes:

]stevephils@yahoo.com (Steve Phils) wrote in message news:...
]> Hi Linux Techies,
]>
]> My firm is using a Linux Mandrake configuration for our mail server and
]> the internal computers connect through LAN technologies like Ethernet,
]> which are used with DSL/cable modems and dialup connections. This mail
]> server acts as the proxy or firewall for all sorts of internet
]> activities (browsing, chatting, file transfers, ...). Internal computers are
]> mostly Windows and Linux based (maximum of 20 PCs altogether).
]> Currently we noticed that all of our staff members are receiving a lot
]> of spam mails with some attachments (mostly with some *.pif extension)
]> in their official mail address. I notice that the spamming is
]> happening only on the days our mail server is up (on holidays spam is not
]> happening). Unfortunately I'm the one who is administering the
]> configuration and all other computer related activities. I'm not an
]> expert in networking or even in Linux OS internals though :-).

That suggests that the spam is coming from outside. It is not surprising
that spam comes through only when the mail server is up. Spam is mail.
Ordinary mail also does not come through, I assume, when the mail server
is down.

]>
]> I'm digging deep to find any VIRUS/WORMS that really reside in our LINUX
]> mail server. How can I know any vulnerabilities in the LINUX machine?
]> Also I'd like to know whether some outsider can use our LINUX SMTP
]> server to send the spam mail. Is there any way to check
]> this outside intrusion?
]>
]> What are the common ways to find such vulnerabilities in a LINUX
]> configuration?

Who says it is a vulnerability in the Linux configuration?

]>
]> Thanks!

]Dear Steve,

]What kind of mail server are you using? Sendmail, postfix and qmail
]are common ones. Mandrake probably makes a default choice of one of
]these, assuming that whoever installed the mail server did it the easy
]way, using what is on the Mandrake distribution.

Mandrake uses postfix by default, and closes off mail relaying by
default. Now the user will have to have edited the main.cf file to make
it run. Maybe they altered something. Anyway, look at the spam emails.
Find out where they are coming from (look at the last Received: line in
the email header. It has the first address the mail came from).

]The most common way spammers use an email server is when the server is
]configured for open relaying. This means that your server will
]forward any email received from anyone to anywhere else in the world.
]For this reason, nobody (Mandrake or anyone else) gives you a default
]configuration with open relaying. You'd have to set that up
]deliberately, by changing the configuration. So it's unlikely that
]you have an open relay. Nor can a virus take over or reside in your
]mail server.

]Current Microsoft worms and viruses these days send out junk or
]infected emails from zombie machines using falsified return addresses,
]which they get from address books on infected machines or from the
]web. I will certainly receive some spam emails at the address above
](nessuno) just for posting this message. (It's a spam trap address,
]however.) So just because you receive an email apparently from
]someone you know doesn't mean that that person is actually sending you
]junk. Your mail server has nothing to do with this, apart from the
]fact that it delivers to your users the infected emails with the false
]return addresses. With some effort, however, you can configure your
]mail server to reject these emails.

]You'll have to learn how to configure your mail server. Sendmail is
]notorious for being hard to configure. I've used postfix, which is
]easier. The postfix web site contains good documentation on its
]configuration. Qmail is also supposed to be easy. If you run into
]troubles, try a Google search of the newsgroups; there are several that
]deal with mail.
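One way to do the header check unruh suggests, as an added example that is not part of the thread: parse the Received: lines of a message (the sample below is constructed, with invented hosts and addresses), take the last one, which was written by the first server to accept the mail, and test whether that address lies inside the firm's own networks. The function names and the network list are assumptions for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample (hosts and addresses invented): three hops. Each MTA
# prepends its own Received: line, so the LAST one was written by the first
# server to accept the mail and is the closest thing to the true origin.
# The From: line is a forged address of someone the recipient knows.
SAMPLE_MESSAGE = """\
Received: from mail.example-firm.invalid (mail.example-firm.invalid [192.0.2.10])
\tby store.example-firm.invalid with ESMTP id ABC123;
\tTue, 03 Aug 2004 17:55:02 -0700
Received: from mx.isp.invalid (mx.isp.invalid [198.51.100.7])
\tby mail.example-firm.invalid (Postfix) with ESMTP id 1F2E3;
\tTue, 03 Aug 2004 17:54:58 -0700
Received: from friendly-name.invalid (dsl-203-0-113-42.isp.invalid [203.0.113.42])
\tby mx.isp.invalid with SMTP id XYZ789;
\tTue, 03 Aug 2004 17:54:40 -0700
From: "Someone You Know" <colleague@example-firm.invalid>
"""

# "from HELO-name (reverse-dns [ip])": the bracketed IP is what the receiving
# MTA actually saw; the HELO name is whatever the sender chose to claim.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s*\(\s*(?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\s*\))?",
    re.IGNORECASE,
)


def received_hops(raw: str) -> list:
    """One dict per Received: header, in header order (newest hop first)."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(str(hdr).split()))  # unfold the header
        hops.append({k: (m.group(k) if m else None) for k in ("helo", "rdns", "ip")})
    return hops


def originating_hop(raw: str):
    """The last Received: line, i.e. the first MTA that accepted the mail."""
    hops = received_hops(raw)
    return hops[-1] if hops else None


def origin_is_outside(raw: str, internal_nets: list):
    """True if the originating IP is not in any of the firm's own networks."""
    hop = originating_hop(raw)
    if hop is None or hop["ip"] is None:
        return None
    addr = ipaddress.ip_address(hop["ip"])
    return not any(addr in ipaddress.ip_network(n) for n in internal_nets)
```

Run it over a batch of the spam messages; if every originating hop is outside the firm's networks, the mail server is merely delivering the junk, not generating it.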