
Date:  Wed, 01 Jul 2009 10:40:59 -0800
From:  Jim Dory <jdory (at mark) nomealaska.org>
Subject:  [coba-e:15765] Re: spam problem w/ email - hope not serious
To:  coba-e (at mark) bluequartz.org
Message-Id:  <4A4BADBB.2060300 (at mark) nomealaska.org>
In-Reply-To:  <876189.91068.qm (at mark) web65607.mail.ac4.yahoo.com>
References:  <876189.91068.qm (at mark) web65607.mail.ac4.yahoo.com>
X-Mail-Count: 15765

Dan Kriwitsky wrote:
>   
>> Also look for directories with CHMOD 777. On my previous comment I wondered why the access_log didn't show the same time stamp as the maillog. It just occurred to me that with a large spam run the mail would be in mailq so the timestamp would be different. You might grep for that domain with /*.cgi or just look for .cgi or .pl scripts owned by that user. Or any executable file owned by that user.
>>
>>     

I deleted the user jenns and created another but gave the same email 
address to (jessie (at mark) nomealaska.org). Still having the same problem, 
rather immediately after making the change. It looks like the user is 
still trying to send maybe spam to hedgerowsrvrk83 (at mark) lexoria.com and the 
actual user is on vacation, inactive, and her computer is off. Still 
getting the Authentication-Warning (at the bottom) for this account only 
(out of about 25).


Here's some maillog with grep the user (I've changed names to protect 
the innocent):

Jul  1 10:27:12 srv1 sendmail[11442]: n61IR2gO011442: to=hedgerowsrvrk83 (at mark) lexoria.com, ctladdr=jessie (at mark) nomealaska.org (523/100), delay=00:00:09, xdelay=00:00:05, mailer=relay, pri=210338, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (n61IR7XG011552 Message accepted for delivery)
Jul  1 10:27:12 srv1 sendmail[11406]: n61IQgih011392: to="| /home/nuonce/openwebmail/cgi-bin/openwebmail/owvacation.pl -t60s -a jessie.led (at mark) nomealaska.org -a jessie_led (at mark) nomealaska.org -a jessie (at mark) nomealaska.org  jessie", ctladdr=<jessie (at mark) nomealaska.org> (523/100), delay=00:00:19, xdelay=00:00:11, mailer=prog, pri=121642, dsn=2.0.0, stat=Sent
Jul  1 10:27:12 srv1 spamd[7347]: spamd: setuid to jessie succeeded
Jul  1 10:27:12 srv1 spamd[7347]: spamd: processing message <OAEHWK5184.IPE7X43P2649 (at mark) 165.132.250.253.lexoria.com> for jessie:523
Jul  1 10:27:15 srv1 spamd[7347]: spamd: clean message (3.6/10.0) for jessie:523 in 3.5 seconds, 2282 bytes.
Jul  1 10:27:15 srv1 spamd[7347]: spamd: result: . 3 - AWL,DIET_1,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SORBS_WEB,RCVD_IN_XBL,RDNS_NONE,TVD_RCVD_SINGLE scantime=3.5,size=2282,user=jessie,uid=523,required_score=10.0,rhost=localhost,raddr=127.0.0.1,rport=51579,mid=<OAEHWK5184.IPE7X43P2649 (at mark) 165.132.250.253.lexoria.com>,autolearn=disabled
Jul  1 10:27:15 srv1 sendmail[11406]: n61IQgih011392: to=\\jessie, delay=00:00:22, xdelay=00:00:03, mailer=local, pri=121642, dsn=2.0.0, stat=Sent
Jul  1 10:27:39 srv1 sendmail[11565]: n61IR7XG011552: to=<hedgerowsrvrk83 (at mark) lexoria.com>, ctladdr=<jessie (at mark) nomealaska.org> (523/100), delay=00:00:28, xdelay=00:00:25, mailer=esmtp, pri=300700, relay=fltr-in2.mail.dreamhost.com. [208.97.132.72], dsn=5.7.1, stat=User unknown
Jul  1 10:27:42 srv1 spamd[7347]: spamd: setuid to jessie succeeded
Jul  1 10:27:42 srv1 spamd[7347]: spamd: processing message <200907011827.n61IRCZi011565 (at mark) srv1.nomecity.org> for jessie:523
Jul  1 10:27:45 srv1 spamd[7347]: spamd: clean message (0.1/10.0) for jessie:523 in 2.6 seconds, 3004 bytes.
Jul  1 10:27:45 srv1 spamd[7347]: spamd: result: . 0 - AWL,NO_RELAYS scantime=2.6,size=3004,user=jessie,uid=523,required_score=10.0,rhost=localhost,raddr=127.0.0.1,rport=51584,mid=<200907011827.n61IRCZi011565 (at mark) srv1.nomecity.org>,autolearn=disabled
Jul  1 10:27:45 srv1 sendmail[11565]: n61IRCZi011565: to=\\jessie, delay=00:00:04, xdelay=00:00:03, mailer=local, pri=90000, dsn=2.0.0, stat=Sent
Jul  1 10:27:47 srv1 sendmail[11605]: n61IRkLQ011605: Authentication-Warning: srv1.nomecity.org: jessie set sender to jessie (at mark) nomealaska.org using -f


Jim Dory
Engineering
City of Nome
PO Box 281
102 Division St.
Nome, AK 99762
907.443.6604

http://www.nomealaska.org


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
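The grep quoted in the message above links several events that are easy to miss when read line by line: the inbound message (queue id n61IQgih011392, scored 3.6/10.0 by spamd despite RCVD_IN_XBL and RCVD_IN_BL_SPAMCOP_NET hits) is delivered to the local mailbox and also piped to owvacation.pl with mailer=prog; in the same second a new message from jessie to the inbound sender's address is relayed through 127.0.0.1, accepted as n61IR7XG011552, and rejected by the remote MX with dsn=5.7.1 "User unknown"; and sendmail logs an Authentication-Warning because the jessie account set the envelope sender with -f, which is what a vacation or autoreply script does when it calls sendmail and the user is not in sendmail's trusted-users list. That is the shape of an autoresponder answering spam rather than a compromised account sending it. The script below is an added example, not part of the thread or of any BlueQuartz or OpenWebMail code: it parses constructed maillog lines modelled on the ones above (addresses, hosts and IPs replaced with documentation values, and a sendmail "from=" line added, which the quoted grep did not include) and ties each mailer=prog delivery to the reply sent by the same user, follows the "Message accepted for delivery" hand-off to the final DSN, and notes any -f Authentication-Warning for that user in the same window.

```python
"""Correlate sendmail maillog lines to spot an autoresponder replying to inbound mail."""
import os
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (documentation addresses/IPs), patterned on the thread's grep.
SAMPLE_LOG = r"""
Jul  1 10:27:02 srv1 sendmail[11392]: n61IQgih011392: from=<sender83@spammer.example.net>, size=2282, class=0, nrcpts=1, msgid=<OAEHWK5184.IPE7X43P2649@spammer.example.net>, proto=ESMTP, daemon=MTA, relay=[203.0.113.5]
Jul  1 10:27:12 srv1 sendmail[11442]: n61IR2gO011442: to=sender83@spammer.example.net, ctladdr=jessie@example.org (523/100), delay=00:00:09, xdelay=00:00:05, mailer=relay, pri=210338, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (n61IR7XG011552 Message accepted for delivery)
Jul  1 10:27:12 srv1 sendmail[11406]: n61IQgih011392: to="| /home/nuonce/openwebmail/cgi-bin/openwebmail/owvacation.pl -t60s -a jessie@example.org jessie", ctladdr=<jessie@example.org> (523/100), delay=00:00:19, xdelay=00:00:11, mailer=prog, pri=121642, dsn=2.0.0, stat=Sent
Jul  1 10:27:15 srv1 sendmail[11406]: n61IQgih011392: to=\jessie, delay=00:00:22, xdelay=00:00:03, mailer=local, pri=121642, dsn=2.0.0, stat=Sent
Jul  1 10:27:39 srv1 sendmail[11565]: n61IR7XG011552: to=<sender83@spammer.example.net>, ctladdr=<jessie@example.org> (523/100), delay=00:00:28, xdelay=00:00:25, mailer=esmtp, pri=300700, relay=mx.example.net. [198.51.100.7], dsn=5.7.1, stat=User unknown
Jul  1 10:27:47 srv1 sendmail[11605]: n61IRkLQ011605: Authentication-Warning: srv1.example.org: jessie set sender to jessie@example.org using -f
Jul  1 10:30:00 srv1 sendmail[11700]: n61IU0aa011700: to=<colleague@example.org>, ctladdr=<bob@example.org> (524/100), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30000, relay=mx.example.org. [192.0.2.9], dsn=2.0.0, stat=Sent
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\w+)\[\d+\]: "
    r"(?P<qid>[A-Za-z0-9]{14}): (?P<body>.*)$"
)
FIELD_RE = re.compile(r'(\w[\w-]*)=("(?:[^"\\]|\\.)*"|[^,]*)')   # key=value, quoted values may hold commas
ADDR_RE = re.compile(r'^<?([^<>\s"]+)>?')                          # strip <>, drop trailing "(uid/gid)"
ACCEPTED_RE = re.compile(r"\(([A-Za-z0-9]{14}) Message accepted for delivery\)")
WARN_RE = re.compile(r"Authentication-Warning: (?P<host>\S+): (?P<user>\S+) set sender to (?P<sender>\S+) using -f")


def _ts_seconds(ts):
    # Syslog timestamps carry no year; only relative ordering matters here.
    dt = datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")
    return (dt - datetime(1900, 1, 1)).total_seconds()


def _addr(value):
    m = ADDR_RE.match(value.strip())
    return (m.group(1) if m else value.strip()).lower()


def parse_log(text):
    """Turn maillog lines into dicts keyed by sendmail field name (to, ctladdr, mailer, ...)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = {"ts": _ts_seconds(m["ts"]), "host": m["host"], "qid": m["qid"], "raw": line}
        if m["body"].startswith("Authentication-Warning:"):
            rec["warning"] = m["body"]
        else:
            for key, val in FIELD_RE.findall(m["body"]):
                rec[key] = val.strip().strip('"')
        records.append(rec)
    return records


def find_autoresponder_backscatter(records, window=300):
    """For each mailer=prog delivery, find the outbound reply the same user sent within `window` seconds."""
    by_qid = defaultdict(list)
    for r in records:
        by_qid[r["qid"]].append(r)
    sender = {r["qid"]: _addr(r["from"]) for r in records if "from" in r}
    # Second hops of a local relay: skip them so each reply is counted once, then followed to its end.
    handed_off = {m.group(1) for r in records for m in [ACCEPTED_RE.search(r.get("stat", ""))] if m}

    def final_status(qid, depth=0):
        for r in by_qid[qid]:
            if "to" in r and "stat" in r:
                m = ACCEPTED_RE.search(r["stat"])
                if m and depth < 5:
                    return final_status(m.group(1), depth + 1)
                return r.get("dsn", ""), r["stat"]
        return "", ""

    warnings = [(r["ts"], WARN_RE.match(r["warning"])) for r in records if "warning" in r]
    findings = []
    for pd in (r for r in records if r.get("mailer") == "prog"):
        user, inbound_from = _addr(pd["ctladdr"]), sender.get(pd["qid"])
        login = user.split("@")[0]
        for r in records:
            if r.get("mailer") not in ("relay", "esmtp") or r["qid"] in handed_off:
                continue
            if "ctladdr" not in r or _addr(r["ctladdr"]) != user or abs(r["ts"] - pd["ts"]) > window:
                continue
            if inbound_from is not None and _addr(r["to"]) != inbound_from:
                continue   # with a from= line available, require the reply to go back to the inbound sender
            dsn, stat = final_status(r["qid"])
            findings.append({
                "user": user,
                "program": os.path.basename(pd["to"].lstrip("| ").split()[0]),
                "inbound_qid": pd["qid"], "reply_qid": r["qid"], "reply_to": _addr(r["to"]),
                "final_dsn": dsn, "final_stat": stat,
                "matched_sender": inbound_from is not None,   # False means time/user correlation only
                "f_flag_warning": any(m and m["user"] == login and abs(ts - pd["ts"]) <= window
                                      for ts, m in warnings),
            })
    return findings


if __name__ == "__main__":
    for f in find_autoresponder_backscatter(parse_log(SAMPLE_LOG)):
        print(f"{f['user']}: {f['program']} answered {f['inbound_qid']} with {f['reply_qid']} -> "
              f"{f['reply_to']} ({f['final_dsn']} {f['final_stat']}); -f warning: {f['f_flag_warning']}")
```

Run it against a real maillog with `parse_log(open("/var/log/maillog").read())`; a finding whose final DSN is 5.x.x shows the autoresponder generating undeliverable replies (backscatter) to forged or dead sender addresses, and the `matched_sender` flag tells you whether the from= line was present to confirm the pairing or the match rests on timing alone.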