Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 15 Aug 2011 14:04:27 -0400
From:      alexus <>
To:        Chuck Swiger <>
Subject:   Re: looking for a spammer/virii/malware .... on my system
Message-ID:  <>
In-Reply-To: <>
References:  <> <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
I personally leaning towards that these headers are being modified and
that there is no spam leaving my box (I may be wrong of couse)

here is what I did to come up with that thought....

I sent myself an email

-bash-3.2# echo $$ | mail

through google headers I see follwoing:

Received: by with SMTP id g1cs121928pbr;
        Mon, 15 Aug 2011 10:52:26 -0700 (PDT)
Received: from ([])
        by with SMTP id t6mr5504300vde.56.1313430746298
(num_hops =3D 1);
        Mon, 15 Aug 2011 10:52:26 -0700 (PDT)
Received: by with SMTP id t6mr3999448vde.56.1313430745493;
        Mon, 15 Aug 2011 10:52:25 -0700 (PDT)
Return-Path: <>
Received: from ([])
        by with ESMTPS id co6si13861841vdc.76.2011.
        (version=3DTLSv1/SSLv3 cipher=3DOTHER);
        Mon, 15 Aug 2011 10:52:24 -0700 (PDT)
Received-SPF: softfail ( domain of transitioning does not designate as permitted sender)
Authentication-Results:; spf=3Dsoftfail (
domain of transitioning does not designate as permitted sender)
Received: from (lama [])
	by (8.14.4/8.14.3) with ESMTP id p7FHqNvO049613
	for <>; Mon, 15 Aug 2011 13:52:23 -0400 (EDT)
Received: (from root@localhost)
	by (8.14.4/8.14.3/Submit) id p7FHqIl1049612
	for; Mon, 15 Aug 2011 13:52:18 -0400 (EDT)
	(envelope-from root)
Date: Mon, 15 Aug 2011 13:52:18 -0400 (EDT)
From: Charlie Root <>
Message-Id: <>


I see that whenever mail leaves my box (assuming it was left my box in
a standard way) I see sendmail involves in the process and I see
remote server tried to resolve my IP

while the "original" email that was provided to me by my ISP doesn't
have any of that... so that makes me think that nothing ever happened
on my box and that my IP in that original email was just manually
added there (without any emails ever leaving my box)

but then again here is scenario #2

a user connects to a remote server not using standard ways but making
a connection to remote directly (bypassing my
in that case my firewall rule should prevent this user from doing so ever a=

then again doing so is not really resolving it (I still dont know
where its origin from, and thats what I want/need to find out)

I'm running apache httpd, so as far as I see it could be pretty much
any site that I host generate that kind of issue

so I'm back to square 1, how do I find it? if it's in php could be
famous base64_decode();/base64_encode();

and then good luck for locating one of that...

any other ideas?

On Mon, Aug 15, 2011 at 1:39 PM, Chuck Swiger <> wrote:
> On Aug 15, 2011, at 10:05 AM, alexus wrote:
>> what else can I do to find it on my system who's trying to connect to
>> remote ?
> Monitor your network for SMTP traffic:
> =C2=A0tcpdump -nA -s 0 port 25
> If malware is sending out spam, you'll see it and can then use lsof or wh=
atever to identify the specific user/process.
> Regards,
> --
> -Chuck


Want to link to this message? Use this URL: <>