urgrue wrote:

> I would deduce from this log snippet that this particular mail was sent by
> my own server, would this be a correct deduction? Are there alternative
> interpretations? Because the mail in question was quite obviously loaded
> with a trojan or virus.
>
> Mar 27 09:45:00 mail sendmail[19487]: i2R7j0919487: from=postmaster,
> size=6479, class=0, nrcpts=1,
> msgid=<200403270745.i2R7j0919487@xxxxxxxxxxxxxxxxx>, relay=root@localhost
> Mar 27 09:45:00 mail sendmail[19490]: i2R7j0919487: to="|exec
> /usr/bin/procmail", ctladdr=freddie (500/100), delay=00:00:00,
> xdelay=00:00:00, mailer=prog, pri=126479, dsn=2.0.0, stat=Sent

The format of the first line indicates that the mail originated from a local
process rather than an SMTP connection. The relay= indicates a root-owned
process. The from=postmaster indicates that it might be a bounce message.

One possibility is:

1. The trojan gets a victim address (in this case, yours) from somewhere.
2. It connects to the MX for that address.
3. It sends the affected message with the victim address as the sender and a
   likely bad address (at the same domain) as the recipient.
4. The message bounces (due to the bad recipient address) back to the
   apparent sender (in this case, you).

A number of recent email-borne viri have used deliberate bounces as part of
the delivery strategy.

Check for other references to the ID i2R7j0919487 in your mail logs. If
sendmail generates a bounce message, it normally adds a log entry indicating
this fact, along with the ID of the message to which the bounce refers.

-- 
Glynn Clements <glynn.clements@xxxxxxxxxx>
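The log correlation Glynn suggests (find every entry for the queue ID, and the entry that ties a bounce to the message it refers to), as an added example that is not part of the thread. It runs over a constructed log modelled on the snippet above, and assumes sendmail's bounce entry has the form `<original qid>: <bounce qid>: DSN: <reason>`; the addresses and the second queue ID are made up.

```python
import re
from collections import defaultdict

# Constructed sample log (not the poster's real log): a message arriving over
# SMTP with the local user as forged sender and a nonexistent local recipient,
# followed by the bounce sendmail generates for it. The third line assumes the
# bounce entry format "<original qid>: <bounce qid>: DSN: <reason>".
SAMPLE_LOG = """\
Mar 27 09:44:59 mail sendmail[19485]: i2R7ixZ819485: from=<freddie@example.test>, size=6200, class=0, nrcpts=1, msgid=<20040327074459.1@example.net>, proto=SMTP, relay=[192.0.2.10]
Mar 27 09:44:59 mail sendmail[19485]: i2R7ixZ819485: to=<nosuchuser@example.test>, delay=00:00:00, mailer=local, pri=36200, dsn=5.1.1, stat=User unknown
Mar 27 09:45:00 mail sendmail[19487]: i2R7ixZ819485: i2R7j0919487: DSN: User unknown
Mar 27 09:45:00 mail sendmail[19487]: i2R7j0919487: from=postmaster, size=6479, class=0, nrcpts=1, msgid=<200403270745.i2R7j0919487@example.test>, relay=root@localhost
Mar 27 09:45:00 mail sendmail[19490]: i2R7j0919487: to="|exec /usr/bin/procmail", ctladdr=freddie (500/100), delay=00:00:00, xdelay=00:00:00, mailer=prog, pri=126479, dsn=2.0.0, stat=Sent
"""

LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
DSN_RE = re.compile(r"^(?P<bounce_qid>\w+): DSN: (?P<reason>.*)$")

def fields(fragment):
    """Turn 'k=v, k=v, ...' into a dict (values keep any '=' after the first)."""
    return {k: v for k, _, v in (p.partition("=") for p in fragment.split(", "))}

def parse_log(text):
    """Group entries by queue ID and record which bounce refers to which original."""
    by_qid = defaultdict(list)  # qid -> list of 'k=v, ...' fragments
    bounce_of = {}              # bounce qid -> (original qid, DSN reason)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = DSN_RE.match(m.group("rest"))
        if d:
            bounce_of[d.group("bounce_qid")] = (m.group("qid"), d.group("reason"))
        else:
            by_qid[m.group("qid")].append(m.group("rest"))
    return by_qid, bounce_of

def local_bounces(by_qid, bounce_of):
    """Flag messages injected locally (no proto=, relay=...@localhost) with a
    bounce-style sender, and tie each to the message that caused it."""
    hits = []
    for qid, frags in by_qid.items():
        env = next((fields(f) for f in frags if f.startswith("from=")), {})
        if "from" not in env or "proto" in env:
            continue
        if env["from"] in ("postmaster", "<>") and env.get("relay", "").endswith("@localhost"):
            orig, reason = bounce_of.get(qid, (None, None))
            orig_env = fields(by_qid[orig][0]) if orig in by_qid else {}
            hits.append({"bounce": qid, "original": orig, "reason": reason,
                         "original_from": orig_env.get("from"),
                         "original_relay": orig_env.get("relay")})
    return hits
```

For the sample, the one hit shows the bounce `i2R7j0919487` was caused by `i2R7ixZ819485`, which arrived over SMTP from 192.0.2.10 with the local user as its envelope sender, which is exactly the bounce-driven delivery the reply describes.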