Subj: Re: How to detect WORMS/VIRUS that send spam
To: comp.os.linux.networking,comp.os.linux.misc,comp.os.linux,comp.os.linux.help
From: Michael Heiming
Date: Tue Aug 03 2004 08:58 pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message

In comp.os.linux.networking Bill Unruh suggested:
> nessuno@wigner.berkeley.edu (nessuno) writes:
> ]stevephils@yahoo.com (Steve Phils) wrote in message news:...
[..]
> ]> Currently we noticed that all of our staff members are receiving a lot
> ]> of spam mails with some attachments (mostly with some *.pif extension)
> ]> in their official mail address. I notice that the spamming is
> ]> happening only on the days our mail server is up (on holidays spam is not
> ]> happening). Unfortunately I'm the one who is administering the
> ]> configuration and all other computer related activities. I'm not an
> ]> expert in networking or even in Linux OS internals though :-).
> That suggests that the spam is coming from outside. It is not surprising

Strong point, but that would mean someone on these 20 PCs is sending the
spam; not very likely, too simply detectable.

> that spam comes through only when the mail server is up.
> Spam is mail. Ordinary mail also does not come through I assume when the
> mail server is down.

Yup.

[..]
> ]> What are the common ways to find such vulnerabilities in LINUX
> ]> configuration?
> Who says it is a vulnerability in the Linux configuration.

Might be someone near/in the company simply released those email addresses
to the internet; that will guarantee a fair share of spam. I get about
70-100 in 24h, about 98% is dropped via SA, without intervention right now.
Looks like I have to upgrade and/or double-check spamd config; every few
months spam starts to get beyond spamassassin. ;(

[..]
> Anyway, look at the spam emails. Find out where they are coming from (look
> at the last Received: line in the email header. It has the first address the
> mail came from).

Now that would be the best idea, the headers will tell the origin of the crap.

-- 
Michael Heiming (GPG-Key ID: 0xEDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBD+5gAkPEju3Se5QRAtDUAJwOTzc0bcqemGAFeEvY5tscjxqzXQCeNeU7
qPzEKFxup3gBDCjN719AeNU=
=70R/
-----END PGP SIGNATURE-----
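The advice in the thread is to read the Received: chain of a spam message to see where it entered. The script below is an added example and is not part of the post; it uses only Python's standard library. It parses the Received: hops top-down and reports the origin the admin can actually vouch for: each hop names the host that added it ("by ..."), and only hops added by your own MTAs are trustworthy, since anything further down arrived with the message and can be forged by the sender. It also lists attachment file names so .pif carriers stand out. The message text, host names and addresses (mail.example.com, relay.example.net, 203.0.113.7, 192.0.2.17) are constructed for the example.

```python
import email
import re

# Constructed sample: two hops, the top one added by our own MTA,
# carrying a .pif attachment like the ones described in the thread.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [203.0.113.7])
\tby mail.example.com (Postfix) with ESMTP id ABC123
\tfor <staff@example.com>; Tue, 3 Aug 2004 20:10:00 +0200
Received: from pc-17.lan (unknown [192.0.2.17])
\tby relay.example.net (Postfix) with SMTP id DEF456;
\tTue, 3 Aug 2004 20:09:58 +0200
From: "Sales" <sales@example.org>
To: staff@example.com
Subject: Important document
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attachment
--b1
Content-Type: application/octet-stream; name="invoice.pif"
Content-Disposition: attachment; filename="invoice.pif"

--b1--
"""

FROM_RE = re.compile(r'\bfrom\s+(?P<helo>\S+)', re.IGNORECASE)
BY_RE = re.compile(r'\bby\s+(?P<by>\S+)', re.IGNORECASE)
IP_RE = re.compile(r'\[(?P<ip>(?:\d{1,3}\.){3}\d{1,3}|IPv6:[0-9A-Fa-f:.]+)\]')


def parse_received(value):
    """Pull the HELO name, the connecting IP and the receiving host out of
    one Received: header value (folded continuation lines are unfolded)."""
    value = ' '.join(value.split())
    helo = FROM_RE.search(value)
    by = BY_RE.search(value)
    ip = IP_RE.search(value)
    return {
        'from': helo.group('helo') if helo else None,
        'ip': ip.group('ip') if ip else None,
        'by': by.group('by').lower() if by else None,
    }


def received_hops(raw):
    """Received: headers in the order they appear: newest (ours) first."""
    msg = email.message_from_string(raw)
    return [parse_received(v) for v in msg.get_all('Received', [])]


def origin_hop(raw, trusted_hosts):
    """Walk the chain from our own MTA downwards and stop at the first hop
    that was not added by a host we control. The 'ip' of the last trusted
    hop is the address that really connected to us; everything below it is
    hearsay supplied by the sender and may be forged."""
    origin = None
    for hop in received_hops(raw):
        if hop['by'] not in trusted_hosts:
            break
        origin = hop
    return origin


def attachment_names(raw):
    """File names of all attachments, so *.pif carriers are easy to spot."""
    msg = email.message_from_string(raw)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


if __name__ == '__main__':
    # Trusting only the border MTA: origin is the external relay.
    print('origin (border only):', origin_hop(SAMPLE, {'mail.example.com'}))
    # Trusting the internal relay too: origin is a LAN PC, i.e. an infected host.
    print('origin (both MTAs):  ',
          origin_hop(SAMPLE, {'mail.example.com', 'relay.example.net'}))
    print('attachments:', attachment_names(SAMPLE))
```

Feed it a saved spam message instead of SAMPLE and pass the lowercase names of the MTAs you run as `trusted_hosts`. If the origin it reports is an address inside your own network, one of the 20 PCs really is the source; if it is an external address, the spam is merely addressed to you, which matches the thread's guess that the addresses leaked.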