From owner-freebsd-questions@FreeBSD.ORG Wed Jan 5 15:59:29 2011
Date: Wed, 5 Jan 2011 16:59:24 +0100
From: Matthias Apitz <guru@unixarea.de>
To: robert@webtent.com
Cc: FreeBSD <freebsd-questions@freebsd.org>
Subject: Re: Bot?
Message-ID: <20110105155924.GA6326@current.Sisis.de>
In-Reply-To: <4D249129.6090008@webtent.net>
References: <4D249129.6090008@webtent.net>
X-Operating-System: FreeBSD 8.0-CURRENT (i386)
User-Agent: Mutt/1.5.19 (2009-01-05)
On Wednesday, January 05, 2011 at 10:41:29AM -0500, Robert Fitzpatrick wrote:

> Keep getting calls from our provider at one location that our FreeBSD
> 8.0-RELEASE server is sending bursts of >1000 spam messages to >70K
> recipients. Since the first call a few weeks ago, I have MRTG and Mail
> Statistics graphs set up and see no spikes in traffic. Their last
> sighting was over the weekend and graphs show a reduction in traffic
> during that time as expected, again with no spikes in traffic or
> messages sent/received by our Postfix/Amavisd-maia MTA. All services on
> that server, including SSH, SMTP and mail queue size, are monitored by
> Nagios and have had no alerts from that server.
>
> Nonetheless, they claim I must have a bot and the mail is not passing
> through my own SMTP. And I suspect little traffic is needed for the
> alleged bursts. They have no envelope info. Can someone advise on what
> port(s) are available for bot detection and/or prevention? In all my
> years of running FreeBSD as mail gateways, this is the first time I've
> had this issue.
>
> --Robert

Check with tcpdump (on another host connected to the box by a hub, not a switch) if you can see that port 25 traffic on the NIC of the host; that would be my first check to catch it... If someone has lifted your FreeBSD into a VM running on that bot, you will not see this inside the FreeBSD, I think.

matthias

-- 
Matthias Apitz t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211 e - w http://www.unixarea.de/
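The check Matthias describes, as an added example that is not part of the original mail: the tcpdump filter a monitoring host on the hub would run, plus a small awk summary of how many distinct port-25 destinations the server opened connections to per minute, which is the signature of the bursts the provider reports. The server address 192.0.2.10, the capture lines and the threshold are constructed for the example.

```shell
#!/bin/sh
# Added example: count distinct outbound SMTP destinations per minute
# from tcpdump -nn text output. Server address is constructed.
SERVER=192.0.2.10

# Live capture on the monitoring host (not run here) would be:
#   tcpdump -nn -l -i em0 'src host 192.0.2.10 and dst port 25 and
#     tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack == 0'
# i.e. only connection attempts (SYN without ACK) leaving the server.

# Read tcpdump -nn lines on stdin; print "HH:MM <distinct destinations>".
# Only SYNs from $SERVER to port 25 are counted, one per destination host
# per minute, so a legitimate MTA retrying one host does not inflate it.
count_smtp_dests() {
    awk -v src="$SERVER" '
        # Expected shape of a line:
        # 16:59:25.000001 IP 192.0.2.10.40001 > 198.51.100.7.25: Flags [S], ...
        $2 == "IP" && $5 ~ /\.25:$/ && $7 == "[S]," {
            split($3, s, ".")                 # strip the source port
            sip = s[1] "." s[2] "." s[3] "." s[4]
            if (sip != src) next
            sub(/:$/, "", $5); split($5, d, ".")
            dst = d[1] "." d[2] "." d[3] "." d[4]
            minute = substr($1, 1, 5)
            key = minute SUBSEP dst
            if (!(key in seen)) { seen[key] = 1; cnt[minute]++ }
        }
        END { for (m in cnt) print m, cnt[m] }' | sort
}

# Print only the minutes whose distinct-destination count exceeds a
# threshold (constructed default 50); any output here deserves a look at
# what process owns those sockets on the server.
flag_bursts() {
    threshold=${1:-50}
    count_smtp_dests | awk -v t="$threshold" '$2 > t { print $1, $2 }'
}
```

Because the count is taken from the wire rather than from the MTA's own logs or graphs, it still works when the mail is not passing through Postfix at all.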