Re: Capturing mail from a specific sending IP?

From: Allen (postfixrfnj.org)
Date: Mon Dec 25 2006 - 11:48:07 CST


Quoting Wietse Venema <wietseporcupine.org>:

> Allen:
>> It was all just run of the mill spam as I suspected, but I wanted to be
>> sure it wasn't something more nefarious. I captured about 2100
>> messages in a minute or so of capture before putting the firewall rule
>> back in and getting on with the business of finding the suspect
>> software.
>>
>> I had no luck at all tracing it with netstat or any other network tool,
>> I'm wondering if it was acting as a sniffer and using raw IP access to
>> avoid showing up in the stack.
>
> My guess: it comes in via HTTP, and enters Postfix via the
> local mail pickup daemon.
>
> $ grep pickup /var/log/maillog
>
> will tell you the UNIX uid.

No, I know where the mail was getting to Postfix from -- from the
compromised Windows machine. What I'm not sure of is how the Windows
machine was picking it up to send it, etc.

It was only making it to postfix because I told it to go there so I
could capture a sample.
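The thread turns on two ways of attributing a spam burst from the Postfix log: Wietse's `grep pickup /var/log/maillog` (mail injected locally, attributed by UNIX uid) versus mail arriving over SMTP from a particular client IP, which Allen then fenced off with a firewall rule. The script below is an added example, not code from the thread or from Postfix: it parses both `postfix/pickup` and `postfix/smtpd` lines, tallies messages per injection path and source, flags any source that injects a threshold number of messages inside a sliding time window, and emits `HOLD` entries for a `check_client_access` map so that a suspect client's mail is parked in the hold queue (inspectable with `postcat -q QUEUEID`) instead of being delivered. The log lines are constructed for the example (RFC 5737 addresses), and the year is assumed to be 2006 because syslog timestamps carry none.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample maillog excerpt (not from the original thread). It mixes
# local pickup injections (attributed by uid) with SMTP client connections,
# one of which is bursting the way a spam run from a compromised host would.
SAMPLE_LOG = """\
Dec 25 11:40:01 mx postfix/pickup[2210]: 3A1F2C0B1: uid=33 from=<www-data>
Dec 25 11:40:01 mx postfix/smtpd[2301]: 4B2E3D1C2: client=unknown[192.0.2.10]
Dec 25 11:40:02 mx postfix/smtpd[2301]: 5C3F4E2D3: client=unknown[192.0.2.10]
Dec 25 11:40:02 mx postfix/smtpd[2302]: 6D4A5F3E4: client=mail.example.net[198.51.100.7]
Dec 25 11:40:03 mx postfix/smtpd[2301]: 7E5B6A4F5: client=unknown[192.0.2.10]
Dec 25 11:40:03 mx postfix/pickup[2210]: 8F6C7B5A6: uid=0 from=<root>
Dec 25 11:41:30 mx postfix/smtpd[2301]: 9A7D8C6B7: client=unknown[192.0.2.10]
"""

TS = r'(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)'
# pickup(8) logs the submitting uid; smtpd(8) logs the connecting client.
PICKUP_RE = re.compile(TS + r' \S+ postfix/pickup\[\d+\]: (?P<qid>[0-9A-Za-z]+): uid=(?P<uid>\d+) from=<(?P<from>[^>]*)>')
SMTPD_RE = re.compile(TS + r' \S+ postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=(?P<host>\S+?)\[(?P<ip>[^\]]+)\]')

ASSUMED_YEAR = 2006  # assumption: syslog lines have no year; year rollover is not handled


def parse_ts(ts, year=ASSUMED_YEAR):
    """Turn a syslog timestamp ('Dec  5 11:40:01' or 'Dec 25 11:40:01') into a datetime."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def parse_maillog(text):
    """Return (timestamp, path, source, queue_id) for each injection seen in the log.

    path is 'pickup' (local submission, source 'uid=N') or 'smtpd' (network
    submission, source is the client IP). Other Postfix lines are ignored.
    """
    events = []
    for line in text.splitlines():
        m = PICKUP_RE.match(line)
        if m:
            events.append((parse_ts(m['ts']), 'pickup', 'uid=' + m['uid'], m['qid']))
            continue
        m = SMTPD_RE.match(line)
        if m:
            events.append((parse_ts(m['ts']), 'smtpd', m['ip'], m['qid']))
    return events


def count_by_source(events):
    """Messages per (path, source): the tallied form of `grep pickup` / `grep client=`."""
    counts = Counter()
    for _, path, source, _ in events:
        counts[(path, source)] += 1
    return counts


def burst_sources(events, window=60, threshold=3):
    """Sources that injected at least `threshold` messages inside any `window` seconds.

    Uses a per-source sliding window so a short flood stands out even when the
    source's total over the whole log is unremarkable. Returns {(path, source): peak}.
    """
    stamps_by_source = defaultdict(list)
    for ts, path, source, _ in events:
        stamps_by_source[(path, source)].append(ts)
    hits = {}
    for key, stamps in stamps_by_source.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):
            while (stamps[hi] - stamps[lo]).total_seconds() > window:
                lo += 1
            in_window = hi - lo + 1
            if in_window >= threshold:
                hits[key] = max(hits.get(key, 0), in_window)
    return hits


def hold_map_lines(hits):
    """check_client_access map entries that park mail from bursting SMTP clients in
    the hold queue for inspection (`postcat -q QUEUEID`), the Postfix-side analogue
    of a firewall rule. Local pickup sources have no client address, so they are skipped."""
    return [f"{source} HOLD" for (path, source) in sorted(hits) if path == 'smtpd']


if __name__ == '__main__':
    evts = parse_maillog(SAMPLE_LOG)
    for key, n in sorted(count_by_source(evts).items()):
        print(f"{key[0]:7s} {key[1]:15s} {n}")
    for line in hold_map_lines(burst_sources(evts)):
        print("access map:", line)
```

With the constructed log, 192.0.2.10 peaks at three messages inside one minute and is the only source flagged, producing the map entry `192.0.2.10 HOLD`; the two pickup injections show up attributed to uid 33 and uid 0, which is the information Wietse's grep was after. The window and threshold are tuned for the tiny sample; against a real maillog, set them from the host's normal submission rate, and remember that a `HOLD` entry only applies to mail arriving through smtpd, not to mail handed to the local sendmail command.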