[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Huge number of entries in /var/log/maillog

To: Bruno Saverio Delbono <bdelbono@leviathan.lucifer.at>
Subject: Re: Huge number of entries in /var/log/maillog
From: Paul Greene <pauljgreene@comcast.net>
Date: Thu, 07 Aug 2003 22:46:06 -0400
Cc: misc@openbsd.org
References: <3F2B432E.6030103@comcast.net> <20030802051703.GA8730@leviathan.lucifer.at>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0

I came across something today that might indicate something somewhat 
less than "nefarious".

My /etc/hosts file contained the following entries:

::1 localhost localhost
127.0.0.1 localhost.home.net localhost
192.168.1.2 webserver.home.net webserver

Just for grins I pinged "localhost.home.net" and it immediately went to 
"domainspa.com".

I also tried entering the URL "www.home.net" in a webbrowser, and it 
went to a page hosted by domainspa.com (these guys are a domain parking 
service).

So, I think the likely problem was using a domain name ("home.net") in 
/etc/hosts file that I did not own.

Before removing references to "home.net" in /etc/hosts, these were the 
messages I was getting in /var/log/maillog:

Aug  7 18:01:18 <isp.assigned.hostname> sm-msp-queue[30602]: 
h73AU1EQ012645: to=postmaster, delay=4+12:30:01, xdelay=00:00:00, 
mailer=relay, pri=19565956, relay=localhost.home.net., dsn=4.0.0, 
stat=Deferred: Connection timed out with localhost.home.net

/etc/hosts was changed to the following (192.168.0.1 and 192.168.1.1 are 
interfaces on the firewall but facing internal subnets; 192.168.1.2 is 
the webserver on a separate machine):

::1 localhost localhost
127.0.0.1 localhost localhost
192.168.0.1 localhost localhost
192.168.1.1 localhost localhost
192.168.1.2 webserver webserver

And then the messages in /var/log/maillog changed to the following:

Aug  7 21:01:19 <isp.assigned.hostname> sm-msp-queue[29707]: 
h736U1eg022769: to=postmaster, delay=4+19:29:57, xdelay=00:00:00, 
mailer=relay, pri=20828960, relay=localhost.domainspa.com., dsn=4.0.0, 
stat=Deferred: Connection timed out with localhost.domainspa.com

I'm not sure where sendmail is getting the information to try to relay 
messages to "domainspa.com", since there is no reference to it in 
"sendmail.cf".

So I guess the information I'm trying to decipher is, is the current 
configuration of /etc/hosts I now have correct?

And, how can I get these error messages in /var/log/maillog to stop (at 
the current rate of about 15-20 messages every half hour)?

Paul

Bruno Saverio Delbono wrote:

>Moin Paul! 
> Paul Greene schrieb am Samstag, den 02. August 2003:
>
>  
>
>>I've recently started noticing a huge amount of mail log files being
>>generated on my home system. I'm not sure if I just have some network
>>parameters set incorrectly and sendmail is freaking out, or if someone has
>>managed to muck into my system for some nefarious purpose.
>>    
>>
>
>Most likely.
>
>  
>
>>Aug  1 23:01:27 webserver sm-msp-queue[1026]: h6S6U2hW010919: 
>>to=postmaster, delay=4+21:30:04, xdelay=00:00:00, mailer=relay, 
>>pri=21186892, relay=ds1.domainspa.com., dsn=4.0.0, stat=Deferred: 
>>Connection timed out with ds1.domainspa.com.
>>    
>>
>
>You might have an exploitable web script. A faulty formail.pl perhaps.

Follow-Ups:
- Re: Huge number of entries in /var/log/maillog
  - From: Claus Assmann <ca+OpenBSD_misc@zardoc.endmail.org>

References:
- Huge number of entries in /var/log/maillog
  - From: Paul Greene <pauljgreene@comcast.net>
- Re: Huge number of entries in /var/log/maillog
  - From: Bruno Saverio Delbono <bdelbono@leviathan.lucifer.at>

Prev by Date: booting OpenBSD 3.3 with GRUB 0.93
Next by Date: how i can desavilit ICMP Request ?
Prev by thread: Re: Huge number of entries in /var/log/maillog
Next by thread: Re: Huge number of entries in /var/log/maillog
Index(es):
- Date
- Thread