From owner-freebsd-questions@FreeBSD.ORG  Mon Aug 15 22:47:57 2011
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 104481065670
	for <freebsd-questions@freebsd.org>;
	Mon, 15 Aug 2011 22:47:57 +0000 (UTC)
	(envelope-from prvs=201aa4ace=pschmehl_lists@tx.rr.com)
Received: from ip-001.utdallas.edu (ip-001.utdallas.edu [129.110.20.107])
	by mx1.freebsd.org (Postfix) with ESMTP id D3E3D8FC1B
	for <freebsd-questions@freebsd.org>;
	Mon, 15 Aug 2011 22:47:56 +0000 (UTC)
X-Group: None
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ak0JADCbSU6BbgogSmdsb2JhbABBqCABARoGAiQlgUABAQQBOAI/BQsLRiEiFAYBEodwu1SFaF8Eh1+VKYcd
X-IronPort-AV: E=Sophos;i="4.67,376,1309755600"; d="scan'208";a="70404080"
Received: from zxtm01.utdallas.edu (HELO utd71538.utdallas.edu)
	([129.110.10.32])
	by ip-001.utdallas.edu with ESMTP/TLS/DHE-RSA-AES256-SHA;
	15 Aug 2011 17:19:20 -0500
Date: Mon, 15 Aug 2011 17:19:20 -0500
From: Paul Schmehl <pschmehl_lists@tx.rr.com>
To: alexus <alexus@gmail.com>, Chuck Swiger <cswiger@mac.com>
Message-ID: <033753EAA5A5EE53C17333A5@utd71538.utdallas.edu>
In-Reply-To: <CAJxePNJ6k=0Na0Zcz7_j4EAs3QNHOSnSENp3AWVdfiirV_h_pA@mail.gmail.com>
References: <CAJxePNKiEmdimqgdtS-jYPOxExL6a489SR5JW2kCd25X6QFuHQ@mail.gmail.com>
	<D49826AA-9FF9-4848-A92A-5FF29A78679B@mac.com>
	<CAJxePNJ6k=0Na0Zcz7_j4EAs3QNHOSnSENp3AWVdfiirV_h_pA@mail.gmail.com>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Cc: freebsd-questions@freebsd.org
Subject: Re: looking for a spammer/virii/malware .... on my system
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Paul Schmehl <pschmehl_lists@tx.rr.com>
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Aug 2011 22:47:57 -0000

--On August 15, 2011 2:04:27 PM -0400 alexus <alexus@gmail.com> wrote:

> I personally leaning towards that these headers are being modified and
> that there is no spam leaving my box (I may be wrong of couse)
>
> here is what I did to come up with that thought....
>
> I sent myself an email
>

The tcpdump command that Chuck gave you is all you need.  *If* all traffic 
exits your network through your box, you will see anything going to port 25 
*anywhere*.  That should tell you quickly what the problem is, if there is 
one.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell