From owner-freebsd-questions@FreeBSD.ORG  Thu Aug 18 16:36:29 2011
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 62DDC106566B
	for <freebsd-questions@freebsd.org>;
	Thu, 18 Aug 2011 16:36:29 +0000 (UTC)
	(envelope-from alexus@gmail.com)
Received: from mail-pz0-f45.google.com (mail-pz0-f45.google.com
	[209.85.210.45])
	by mx1.freebsd.org (Postfix) with ESMTP id 3C2548FC14
	for <freebsd-questions@freebsd.org>;
	Thu, 18 Aug 2011 16:36:29 +0000 (UTC)
Received: by pzk33 with SMTP id 33so5389384pzk.18
	for <freebsd-questions@freebsd.org>;
	Thu, 18 Aug 2011 09:36:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=mime-version:in-reply-to:references:date:message-id:subject:from:to
	:content-type:content-transfer-encoding;
	bh=ANKyy7zRfuIu7fpidROBmAAxc5qmY+cq84d9dFofOZo=;
	b=raEGfDVsuxtCsVm001geBZoIrnJ0bmDh7ootH8DuKHze3Ur9lRxqCA9IsQKumLchR4
	kkYyU9ynauZd8AKtD3d13a/13rmpWakGryiKlJ4P/Aby1XTHgMAMPC+3TEh6xhzgjfTt
	q3+vO49NGt7tGKh1fAXJWJkhE5BdJGHxUZiWA=
MIME-Version: 1.0
Received: by 10.143.97.16 with SMTP id z16mr488031wfl.357.1313685387402; Thu,
	18 Aug 2011 09:36:27 -0700 (PDT)
Received: by 10.68.60.164 with HTTP; Thu, 18 Aug 2011 09:36:27 -0700 (PDT)
In-Reply-To: <033753EAA5A5EE53C17333A5@utd71538.utdallas.edu>
References: <CAJxePNKiEmdimqgdtS-jYPOxExL6a489SR5JW2kCd25X6QFuHQ@mail.gmail.com>
	<D49826AA-9FF9-4848-A92A-5FF29A78679B@mac.com>
	<CAJxePNJ6k=0Na0Zcz7_j4EAs3QNHOSnSENp3AWVdfiirV_h_pA@mail.gmail.com>
	<033753EAA5A5EE53C17333A5@utd71538.utdallas.edu>
Date: Thu, 18 Aug 2011 12:36:27 -0400
Message-ID: <CAJxePN+HU3_8_ELie0NPXMNd9OS1=_MuHJnhPNFRScOTb=A+yw@mail.gmail.com>
From: alexus <alexus@gmail.com>
To: freebsd-questions@freebsd.org
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: looking for a spammer/virii/malware .... on my system
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Aug 2011 16:36:29 -0000

ok

su-3.2# tcpdump -nnAvvvw webmail.west.cox.net 'dst host 68.6.19.1 and
(dst port 80 or 443)'
tcpdump: listening on bce0, link-type EN10MB (Ethernet), capture size 96 by=
tes
Got 0

let's see what I capture...

On Mon, Aug 15, 2011 at 6:19 PM, Paul Schmehl <pschmehl_lists@tx.rr.com> wr=
ote:
> --On August 15, 2011 2:04:27 PM -0400 alexus <alexus@gmail.com> wrote:
>
>> I personally leaning towards that these headers are being modified and
>> that there is no spam leaving my box (I may be wrong of couse)
>>
>> here is what I did to come up with that thought....
>>
>> I sent myself an email
>>
>
> The tcpdump command that Chuck gave you is all you need. =C2=A0*If* all t=
raffic
> exits your network through your box, you will see anything going to port =
25
> *anywhere*. =C2=A0That should tell you quickly what the problem is, if th=
ere is
> one.
>
> --
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
> "There are some ideas so wrong that only a very
> intelligent person could believe in them." George Orwell
>
>



--=20
http://alexus.org/