From: Christian Cryder (christiancgranitepeaks.com)
Date: Fri May 03 2002 - 09:27:32 CDT

    Hi folks,

    I noticed something interesting today when I checked my email...I received a
    "test" message last night, from myself, to myself and "undisclosed
    recipients", and it was sent at a time that I wasn't logged on. Hmm, I
    thought...that doesn't seem right. So I started poking around in my postfix
    logs and I was able to trace the message in question to the following lines:

    May 2 22:51:25 beartooth postfix/smtpd[2900]: connect from
    c-24-98-172-83.atl.client2.attbi.com[24.98.172.83]
    May 2 22:51:25 beartooth postfix/smtpd[2900]: 4AC613BFD2:
    client=c-24-98-172-83.atl.client2.attbi.com[24.98.172.83]
    May 2 22:51:25 beartooth postfix/cleanup[2902]: 4AC613BFD2:
    message-id=<20020503045125.4AC613BFD2beartooth.granitepeaks.com>
    May 2 22:51:25 beartooth postfix/qmgr[30124]: 4AC613BFD2:
    from=<christiancgranitepeaks.com>, size=407, nrcpt=1 (queue active)
    May 2 22:51:25 beartooth postfix/local[2904]: 4AC613BFD2:
    to=<christiancgranitepeaks.com>, relay=local, delay=0, status=sent
    ("|/usr/bin/procmail -Y -a $DOMAIN")
    May 2 22:51:25 beartooth postfix/smtpd[2900]: disconnect from
    c-24-98-172-83.atl.client2.attbi.com[24.98.172.83]

    This appears to me to be someone connecting from outside my network
    (24.98.172.83), sending an email to me using my "from" address. Now, I'm not
    allowing relaying, so I don't think this person could have successfully used
    my box to send email to others, but I thought I'd better ask to see if
    others find this suspicious. Is this someone trying to exploit my mail
    server? Or am I overreacting? Do the above lines indicate my postfix
    installation might be at risk? Any insight or suggestions would be
    appreciated...

    tia,
    Christian

    ----------------------------------------------
    Christian Cryder [christiancatmreports.com]
    Internet Architect, ATMReports.com
    Barracuda - http://barracuda.enhydra.org
    ----------------------------------------------
    "Coffee? I could quit anytime, just not today"

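The by-hand correlation in the message above (queue ID, then connecting client, then envelope sender) can be run over a whole log. This is an added example, not part of the original post or of Postfix; it assumes one log entry per line, and `LOCAL_DOMAINS`, `TRUSTED_NETS`, the function name and the sample log lines are constructed placeholders.

```python
import ipaddress
import re

# Assumed site values (placeholders): the local mail domains and the trusted
# client networks for this server.
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]

CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=(\S+?)\[([0-9A-Fa-f.:]+)\](.*)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")

# Constructed sample log, one entry per line, shaped like the entries in the post.
SAMPLE_LOG = """\
May  2 22:51:25 mx postfix/smtpd[2900]: 1A2B3C4D5E: client=host.isp.example[203.0.113.83]
May  2 22:51:25 mx postfix/qmgr[3012]: 1A2B3C4D5E: from=<alice@example.com>, size=407, nrcpt=1 (queue active)
May  2 23:02:10 mx postfix/smtpd[2911]: 2B3C4D5E6F: client=desk.example.com[192.0.2.15]
May  2 23:02:10 mx postfix/qmgr[3012]: 2B3C4D5E6F: from=<alice@example.com>, size=912, nrcpt=1 (queue active)
May  2 23:10:44 mx postfix/smtpd[2915]: 3C4D5E6F70: client=mail.other.example[198.51.100.7]
May  2 23:10:44 mx postfix/qmgr[3012]: 3C4D5E6F70: from=<bob@other.example>, size=1203, nrcpt=1 (queue active)
May  2 23:15:01 mx postfix/smtpd[2920]: 4D5E6F7081: client=hotel.example.net[198.51.100.99], sasl_method=PLAIN, sasl_username=alice
May  2 23:15:01 mx postfix/qmgr[3012]: 4D5E6F7081: from=<alice@example.com>, size=650, nrcpt=1 (queue active)
"""


def find_spoofed_local_senders(log_text):
    """Return (queue_id, sender, host, ip) for local-domain envelope senders
    that arrived from an unauthenticated client outside TRUSTED_NETS."""
    clients = {}   # queue id -> (client host, client IP)
    findings = []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            if "sasl_username=" not in m.group(4):   # skip authenticated sessions
                clients[m.group(1)] = (m.group(2), ipaddress.ip_address(m.group(3)))
            continue
        m = FROM_RE.search(line)
        if not m or m.group(1) not in clients:
            continue
        host, ip = clients.pop(m.group(1))   # pop: report each queue id once
        sender = m.group(2)
        domain = sender.rpartition("@")[2].lower()
        if domain in LOCAL_DOMAINS and not any(ip in net for net in TRUSTED_NETS):
            findings.append((m.group(1), sender, host, str(ip)))
    return findings


if __name__ == "__main__":
    for hit in find_spoofed_local_senders(SAMPLE_LOG):
        print("local sender from outside client:", *hit)
```

A hit means only that an outside host supplied a local address as the envelope sender, which SMTP does not verify; it does not by itself show that mail was relayed.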