[Gllug] Need spam tracking advice - possible rootkit
Branden Faulls
bfaulls at omphe.com
Sun Dec 18 12:43:04 UTC 2005
In the last 2 days I've been getting bulk message bounces from an
Irish domain that are rejecting mail purported to be coming from my
domain. Normally I disregard these, figuring that they are purely
phishing attacks.
This particular bounce message, however, contains a list of recipients
that match my wife's address book, or email sending habits. I'm
trying to track where the weak spot may be in the network/email setup.
Can anyone suggest a possible cause of this?
Here are the clues so far:
* My wife's address is the common link between all the recipients
* The outbound sender is an Admin at mydomain address, but my wife does
not have an address on this domain, nor does she send mail through
this SMTP server
* The machine that she normally sends mail from is on the offending
domain.
* All machines on the network are Debian (only relevant insofar as
they are not Windows)
* My network only accepts inbound connections via SSH and logs show
only my own traffic in and out.
* None of the bounce email addresses are on my own addressbook, which
sits on the same box as my wife's but on a different login account.
I'm not sure how to track this. Could I be rootkitted? Any ideas?
Any help/tips would be appreciated.
--
Branden Faulls
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
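The pattern described in the post (bounces for mail that claims to be from the poster's domain, addressed to people from a family member's address book) is the usual signature of backscatter from a forged sender, and the first thing to settle is whether the "original" message returned inside the bounce ever passed through the poster's own MTA. The script below is an added example, not code from the post or from the GLLUG list: it pulls the message/rfc822 part out of a delivery status notification, reads the connecting IPs out of its Received headers, and reports whether any hop is inside the owner's network. The network 192.0.2.0/24, the domain mydomain.example and the two sample bounces are constructed placeholders.

```python
"""Bounce triage, added as an example: does the 'original' message returned in a
DSN show any hop through our own MTA, or was the sender simply forged?"""
import email
import ipaddress
import re
from email.utils import getaddresses

# Assumed placeholders for the poster's own address space and domain.
OWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
OWN_DOMAIN = "mydomain.example"

# The bracketed IP a receiving MTA records for the host that connected to it.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def make_bounce(received_lines, sender, to):
    """Build a constructed multipart/report DSN wrapping the returned original."""
    original = "\n".join(received_lines) + (
        f"\nFrom: {sender}\nTo: {to}\nSubject: hi\n\nhello\n")
    return (
        "From: MAILER-DAEMON@mx.example.ie\nTo: admin@mydomain.example\n"
        "Subject: Undelivered Mail Returned to Sender\nMIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="B1"\n\n'
        "--B1\nContent-Type: text/plain\n\nDelivery failed.\n\n"
        "--B1\nContent-Type: message/delivery-status\n\nAction: failed\nStatus: 5.1.1\n\n"
        "--B1\nContent-Type: message/rfc822\n\n" + original + "--B1--\n"
    )


def extract_original(bounce_text):
    """Return the message/rfc822 part of a DSN, or None if none was attached."""
    bounce = email.message_from_string(bounce_text)
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def received_hops(msg):
    """Connecting IPs from Received headers, earliest hop first.

    MTAs prepend Received headers, so the stored order is newest-first."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = IP_RE.search(hdr)
        if m:
            hops.append(m.group(1))
    return hops


def is_ours(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OWN_NETWORKS)


def triage(bounce_text):
    """Summarise where the bounced message came from and whether we touched it."""
    orig = extract_original(bounce_text)
    if orig is None:
        return {"verdict": "no original message attached; nothing to trace"}
    hops = received_hops(orig)
    sender = orig.get("From", "").strip()
    recipients = [a for _, a in getaddresses(
        orig.get_all("To", []) + orig.get_all("Cc", []))]
    claims_ours = sender.lower().endswith("@" + OWN_DOMAIN)
    touched_ours = any(is_ours(ip) for ip in hops)
    if claims_ours and not touched_ours:
        verdict = "forged sender: never relayed through our network (backscatter)"
    elif touched_ours:
        verdict = "relayed through our network: check our MTA logs and hosts"
    else:
        verdict = "sender is not in our domain"
    return {"sender": sender, "origin_ip": hops[0] if hops else None,
            "hops": hops, "recipients": recipients, "verdict": verdict}


# Constructed samples (documentation address ranges, not real hosts).
FORGED = make_bounce([
    "Received: from relay.example.net (relay.example.net [198.51.100.5])\n"
    "\tby mx.example.ie with ESMTP; Sat, 17 Dec 2005 09:12:00 +0000",
    "Received: from dsl-77.example.net (unknown [198.51.100.77])\n"
    "\tby relay.example.net with SMTP; Sat, 17 Dec 2005 09:11:58 +0000",
], "admin@mydomain.example", "someone@example.ie, friend@example.ie")

RELAYED = make_bounce([
    "Received: from mail.mydomain.example (mail.mydomain.example [192.0.2.10])\n"
    "\tby mx.example.ie with ESMTP; Sat, 17 Dec 2005 09:12:00 +0000",
], "admin@mydomain.example", "someone@example.ie")

if __name__ == "__main__":
    for label, sample in (("forged", FORGED), ("relayed", RELAYED)):
        print(label, triage(sample))
```

Only the topmost Received header, the one written by the bouncing MTA itself, can be trusted; everything below it was supplied by the sending host and may be fabricated. If even that trusted hop is outside your own address space, the message never touched your machines and the address list was harvested from someone else's mail client, which is consistent with the post's observation that the recipients match the wife's correspondents rather than the poster's own address book.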