[Gllug] Need spam tracking advice - possible rootkit

Branden Faulls bfaulls at omphe.com
Sun Dec 18 15:33:40 UTC 2005


On Sun, Dec 18, 2005 at 01:13:36PM +0000, John Winters wrote:
> On Sun, 2005-12-18 at 12:43 +0000, Branden Faulls wrote:
> > In the last 2 days I've been getting bulk message bounces from an
> > Irish domain that are rejecting mail purported to be coming from my
> > domain.  Normally I disregard these, figuring that they are purely
> > phishing attacks.
> > 
> > This particular bounce message, however, contains a list of recipients
> > that match my wife's address book, or email sending habits.  I'm
> > trying to track where the weak spot may be in the network/email setup.
> > 
> > Can anyone suggest a possible cause of this?
> 
> Has your wife ever sent any bulk messages to all her friends and put all
> the recipients in the "To:" field of the e-mail (instead of where she
> should have put them, in the "Bcc:" field)?  If so it only takes one of
> the recipients to be using ShitHouse Express and you're FUBARed.
> 
> John
> 

I've been through all of the emails that are in her SENT folders (with
her permission of course, I'm not suicidal!).  There isn't a single
email that has all of these addresses.  I did find that the headers of
the bounced messages all point to the same IP address and that this
address might be the ISP of one of my in-laws.  (Proof that in-laws
are evil, your honor!)

The only explanation I can think of is that I booted into an ancient
Win98 partition on Friday to watch a DVD, because Debian is not playing
nice with Batman, and perhaps an infected Netscape on that partition
sent out some "holiday cheer".

For now it looks like my own mailservers here are not compromised. But
are there any other ideas? Anything else I should be checking?
Chkrootkit turns nothing up.


-- 
Branden Faulls
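The header check described in the message above (do all the bounces trace back to one IP, and is that IP one of my own mail servers?) can be automated. The following is an added example and not code from the list thread; the bounce messages, host names and IP addresses are constructed for illustration (documentation ranges only), and `OWN_SERVER_IPS` stands in for whatever the asker's real MTA addresses are.

```python
import re
from collections import Counter
from email import message_from_string
from email.message import Message

# Bracketed IPv4 literal as MTAs write it in Received: headers,
# e.g. "from host.example ([192.0.2.10])" or "(host.example [192.0.2.10])".
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(msg: Message) -> list:
    """IPs from Received: headers, earliest hop first.

    MTAs prepend Received: headers, so the last one in the message is the
    host that first handed the mail into the mail system.
    """
    ips = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = _IP_RE.search(hdr)
        if m:
            ips.append(m.group(1))
    return ips


def attached_original(bounce: Message):
    """The returned copy of the original message inside a DSN bounce.

    Standard bounces (multipart/report) carry it as a message/rfc822 part,
    which the email parser exposes as a nested Message.
    """
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            payload = part.get_payload()
            if isinstance(payload, list) and payload:
                return payload[0]
    return None


def originating_ip(bounce: Message):
    """First hop of the returned message, or None if it cannot be recovered."""
    orig = attached_original(bounce)
    if orig is None:
        return None
    ips = received_ips(orig)
    return ips[0] if ips else None


def tally_sources(raw_bounces) -> Counter:
    """Count how many bounces trace back to each originating IP."""
    counts = Counter()
    for raw in raw_bounces:
        counts[originating_ip(message_from_string(raw)) or "unknown"] += 1
    return counts


def sent_via_own_servers(raw_bounces, own_server_ips) -> bool:
    """True if any bounce's first hop is one of our own mail servers.

    If none is, the forged mail never passed through our MTA and the leak is
    a third-party machine that had the address book (e.g. an infected PC).
    """
    return any(ip in own_server_ips for ip in tally_sources(raw_bounces))


# Constructed sample bounces (not real mail).  The Received: chain inside the
# returned copy shows the remote MX accepting the mail from some first hop.
_BOUNCE_TEMPLATE = """From: MAILER-DAEMON@mx.example.ie
To: alice@example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

Your message could not be delivered.
--B1
Content-Type: message/rfc822

Received: from mx.example.ie (mx.example.ie [198.51.100.5])
\tby mx.example.ie; Sun, 18 Dec 2005 10:00:00 +0000
Received: from {host} ([{ip}])
\tby mx.example.ie with SMTP; Sun, 18 Dec 2005 09:59:58 +0000
From: alice@example.org
To: {rcpt}
Subject: holiday cheer

hello
--B1--
"""

SAMPLE_BOUNCES = [
    _BOUNCE_TEMPLATE.format(host="dsl-pool-77.isp.example", ip="203.0.113.77", rcpt="bob@example.ie"),
    _BOUNCE_TEMPLATE.format(host="dsl-pool-77.isp.example", ip="203.0.113.77", rcpt="carol@example.ie"),
    _BOUNCE_TEMPLATE.format(host="mail.example.org", ip="192.0.2.25", rcpt="dave@example.ie"),
]
OWN_SERVER_IPS = {"192.0.2.25"}  # constructed: stands in for the asker's own MTA

if __name__ == "__main__":
    for ip, n in tally_sources(SAMPLE_BOUNCES).most_common():
        print(f"{ip:16} {n} bounce(s)")
    print("via own servers:", sent_via_own_servers(SAMPLE_BOUNCES, OWN_SERVER_IPS))
```

Feed it the raw bounces saved from a mailbox (one string per message) instead of `SAMPLE_BOUNCES`. A first hop that is a consumer DSL pool rather than one of your own MTAs is the picture the message above describes: the address list leaked to a third-party machine and the mail was sent from there, so the local servers are not the place to look. Only the earliest Received: header written by a server you trust is reliable; anything below it can be forged by the sender.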

-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug