[Gllug] Need spam tracking advice - possible rootkit

Jack Richards jack.richards at gnu-solutions.com
Sun Dec 18 10:12:15 UTC 2005


Are you running postfix? Sounds like a possible backscatter attack (google for it)

Jack

On Dec 18, 2005 12:43 PM, Branden Faulls <bfaulls at omphe.com> wrote:

> In the last 2 days I've been getting bulk message bounces from an
> Irish domain that are rejecting mail purported to be coming from my
> domain.  Normally I disregard these, figuring that they are purely
> phishing attacks.
> 
> This particular bounce message, however, contains a list of recipients
> that match my wife's address book, or email sending habits.  I'm
> trying to track where the weak spot may be in the network/email setup.
> 
> Can anyone suggest a possible cause of this.
> 
> 
> Here are the clues so far:
> * My wife's address is the common link between all the recipients
> * The outbound sender is an Admin at mydomain address, but my wife does
>  not have an address on this domain, nor does she send mail through
>  this SMTP server
> * The machine that she normally sends mail from is on the offending
> domain.
> * All machines on the network are Debian (only relevant insofar as
> they are not windows)
> * My network only accepts inbound connections via SSH and logs show
> only my own traffic in and out.
> * None of the bounce email addresses are on my own addressbook, which
> sits on the same box as my wife's but on a different login account.
> 
> 
> I'm not sure how to track this. Could I be rootkit-ed? Any ideas?
> 
> 
> Any help/tips would be appreciated.
> 
> 
> -- 
> Branden Faulls
> -- 
> Gllug mailing list  -  Gllug at gllug.org.uk
> http://lists.gllug.org.uk/mailman/listinfo/gllug
> 



-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
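A defender's check for the backscatter explanation given above, added here as an example and not code from either poster: a genuine bounce carries a copy of the original message whose Received: chain passed through your own outbound MTA, while backscatter from a forged sender does not. The domain, MTA hostname and the embedded DSN are constructed placeholders.

```python
"""Tell a genuine bounce from backscatter caused by a forged sender address."""
import email
from email import policy

# Placeholders: the poster's domain and the hostname of its real outbound MTA.
OUR_DOMAIN = "mydomain.example"
OUR_MTA = "mail.mydomain.example"

def original_headers(dsn_bytes):
    """Return the original message's headers embedded in a DSN, or None."""
    msg = email.message_from_bytes(dsn_bytes, policy=policy.default)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":          # full original attached
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":     # only the headers attached
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def classify_bounce(dsn_bytes):
    """'genuine' if the bounced mail left OUR_MTA; 'backscatter' if From: is ours but it never did."""
    orig = original_headers(dsn_bytes)
    if orig is None:
        return "no-original"   # DSN without the original: cannot verify
    if OUR_DOMAIN not in (orig.get("From") or "").lower():
        return "unrelated"     # bounce is not about our domain at all
    hops = orig.get_all("Received") or []
    if any(OUR_MTA in hop.lower() for hop in hops):
        return "genuine"
    return "backscatter"       # From: forged; the true origin is in Received:

# Constructed sample DSN: a bounce for mail our domain never sent.
FORGED_DSN = b"""\
From: MAILER-DAEMON@isp.example
To: admin@mydomain.example
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: message/rfc822

Received: from pc.spamsource.example (198.51.100.7) by mx.isp.example
From: admin@mydomain.example
To: contact@isp.example

forged body
--B--
"""
```

Run `classify_bounce()` over the bounces you receive; a run of "backscatter" results means your address is being forged elsewhere, not that your own box is sending.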



