From owner-freebsd-questions@FreeBSD.ORG Mon Aug 16 17:28:16 2010
Date: 16 Aug 2010 17:01:34 -0000
Message-ID: <20100816170134.39340.qmail@joyce.lan>
From: John Levine
To: freebsd-questions@freebsd.org
Cc: ryan.coleman@cwis.biz
Subject: Re: Open Mail Relay

>> Assume, as Mr. Bonomi suggests, that some bad guy has installed some
>type of additional mailer on the machine or another machine that's
>allowed to relay mail. How would I go about locating that other mailer?

Another popular hack is uploading a PHP script using bugs in a CMS or wiki.
Once you have a message with accurate timestamps in the headers, check
the web logs at those times, too.

R's,
John
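
Added example, not part of the original message: one way to do the check described above, taking the earliest `Received` timestamp from a sample of the unwanted mail and listing POST requests to `.php` paths logged close to it. The message, log lines, addresses, paths, the 30-second window and all function names are constructed assumptions; the log is assumed to be in Apache combined format and the `Received` headers are assumed to come from your own hosts.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (assumed: both Received lines were added by our own hosts).
SAMPLE_MSG = """\
Received: from www.example.org (www.example.org [192.0.2.10])
\tby mx.example.org (Postfix) with ESMTP id ABC123; Mon, 16 Aug 2010 14:03:09 +0000 (UTC)
Received: (qmail 4242 invoked by uid 80); 16 Aug 2010 14:03:07 -0000
Subject: constructed sample

body
"""
# Constructed access-log lines; the web server logs local time (-0500), the MTA logs UTC.
SAMPLE_LOG = [
    '198.51.100.7 - - [16/Aug/2010:09:03:04 -0500] "GET /wiki/index.php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [16/Aug/2010:09:03:05 -0500] "POST /wiki/uploads/img.php HTTP/1.1" 200 12',
    '203.0.113.9 - - [16/Aug/2010:08:10:00 -0500] "POST /wiki/login.php HTTP/1.1" 302 0',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def received_times(raw_msg):
    """Timestamps of all Received headers, normalised to UTC."""
    times = []
    for hdr in message_from_string(raw_msg).get_all("Received", []):
        try:
            dt = parsedate_to_datetime(hdr.rsplit(";", 1)[-1].strip())
        except (TypeError, ValueError):
            continue                      # header without a parseable date
        if dt.tzinfo is None:             # "-0000" parses as naive; treat it as UTC
            dt = dt.replace(tzinfo=timezone.utc)
        times.append(dt.astimezone(timezone.utc))
    return times

def hits_near(log_lines, when, window=timedelta(seconds=30)):
    """(ip, path, status) of POSTs to .php paths logged within `window` of `when`."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method == "POST" and path.split("?")[0].endswith(".php") and abs(t - when) <= window:
            hits.append((ip, path, status))
    return hits

def suspects(raw_msg, log_lines):
    """Web requests close to the moment the message first entered the mail system."""
    times = received_times(raw_msg)
    return hits_near(log_lines, min(times)) if times else []
```

Both timestamps are converted to UTC before comparison, since the web server and the mailer often log in different time zones.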