From: Charles Swiger
Date: Wed, 25 Jun 2014 13:40:49 -0700
Subject: Re: Strange Mailer Activity
To: Chris Maness
Cc: "freebsd-questions@freebsd.org"
Message-id: <1856A7B3-9C66-4441-AC01-F0C4DCFC04B0@mac.com>

On Jun 25, 2014, at 1:29 PM, Chris Maness wrote:
> I am getting a lot of strange bounces in my inbox. I checked to make sure
> that my mailer wasn't running as an open relay.
>
> Running #ps aux | less
>
> I see some possibilities of processes running sendmail. Is
> ./s5N5AsEo003358 the file that is calling sendmail?
>
> root 6961 0.0 0.3 12864 5540 - I 12:24PM 0:00.18 sendmail:
> ./s5N5AsEo003358 zb169.net.: user open (sendmail)

Approximately. It's a sendmail queue ID; run mailq or look under
/var/spool/mqueue/ if the mail is being queued locally.

> There are also a lot of "to" entries in my maillog that don't look like
> they are being sent from any of my users. Also, I no longer use my server
> as a relay of any sort. Everyone is now using gmail to send, and my
> friends have custom email domains that I host incoming mail for. This mail
> is no longer spooled on my server. It is just redirected to their (and
> my) google accounts.

If the mail is from a single source, it's probably a spam run against a
dictionary of common usernames @ your domain. If it consists of DSN failures
coming from popular mail domains, then it's probably a spammer forging your
domain and you're getting the bounces....

Regards,
-- 
-Chuck
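
The two cases distinguished in the reply above, as an added triage sketch that is not part of the original message or of sendmail itself. It assumes sendmail's usual maillog `from=` entries, where a bounce (DSN) carries the empty envelope sender `from=<>`; the log lines are constructed and abbreviated, and the function names and the 0.6 threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sendmail "from=" entries; hosts, queue IDs and addresses are invented.
BOUNCES = """\
Jun 25 12:20:01 mx sm-mta[6901]: s5PJK1aa006901: from=<>, size=3120, nrcpts=1, proto=ESMTP, daemon=MTA, relay=out1.example.net [192.0.2.10]
Jun 25 12:20:07 mx sm-mta[6903]: s5PJK7ab006903: from=<>, size=2980, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mta7.example.com [198.51.100.7]
Jun 25 12:21:15 mx sm-mta[6910]: s5PJLFac006910: from=<>, size=3544, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[203.0.113.25]
Jun 25 12:22:40 mx sm-mta[6915]: s5PJMead006915: from=<alice@example.org>, size=812, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.org [198.51.100.44]
"""
DICTIONARY_RUN = """\
Jun 25 12:24:01 mx sm-mta[6961]: s5PJO1ae006961: from=<x1@spam.example>, size=1500, nrcpts=1, proto=SMTP, daemon=MTA, relay=host.spam.example [203.0.113.99] (may be forged)
Jun 25 12:24:02 mx sm-mta[6962]: s5PJO2af006962: from=<x2@spam.example>, size=1502, nrcpts=1, proto=SMTP, daemon=MTA, relay=host.spam.example [203.0.113.99] (may be forged)
Jun 25 12:24:03 mx sm-mta[6963]: s5PJO3ag006963: from=<x3@spam.example>, size=1498, nrcpts=1, proto=SMTP, daemon=MTA, relay=host.spam.example [203.0.113.99] (may be forged)
Jun 25 12:24:09 mx sm-mta[6970]: s5PJO9ah006970: to=<bob@example.org>, delay=00:00:01, mailer=local, dsn=2.0.0, stat=Sent
"""

FROM_RE = re.compile(r"\]: \w+: from=(?P<sender>[^,]*), .*\brelay=(?P<relay>[^,]+)")
IP_RE = re.compile(r"\[([0-9A-Fa-f.:]+)\]")

def summarize(log_text):
    """Count inbound messages, null-sender (DSN) messages, and messages per relay."""
    total, null_sender, relays = 0, 0, Counter()
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if not m:
            continue  # "to=" delivery lines and anything else are skipped
        total += 1
        if m.group("sender").strip("<>") == "":
            null_sender += 1  # empty envelope sender marks a bounce/DSN
        ip = IP_RE.search(m.group("relay"))
        relays[ip.group(1) if ip else m.group("relay").strip()] += 1
    return total, null_sender, relays

def classify(log_text, threshold=0.6):
    """Apply the two heuristics from the reply; threshold is an assumed cut-off."""
    total, null_sender, relays = summarize(log_text)
    if total == 0:
        return "no-inbound-mail"
    if null_sender / total >= threshold:
        return "backscatter"  # DSNs for mail forged with your domain
    top_relay, hits = relays.most_common(1)[0]
    if hits / total >= threshold:
        return "single-source:" + top_relay  # one host hammering your domain
    return "inconclusive"
```

To use it on a real host, pass the contents of the maillog instead of the constructed samples and adjust the threshold to the volume you see.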