Exactly: why?



Ellen did answer in this thread.

No one on the web forum can answer for what only the deputies can see.

This is the very first time that I have seen anyone complain that they have not gotten a timely answer from a deputy.

So either they are very busy today or they think he should be able to find it himself.

In the past there have been admins who had trouble finding the problem and posted information here, and others who are also admins helped them find it.

You can list what you have done and ask if anyone has any more suggestions. I haven't seen any knowledgeable people lately, so it might not work. But that is all you can do: wait for an answer from the deputies, or ask for suggestions on what else you could do to find out what is wrong (besides seeing samples of the spam).

Miss Betsy


admin[at]logix.ru:

Is the IP listed only used for that server, or is it also hiding your network behind it (NAT)? Looking at the DNS name, 213.208.178.242 is logix-gw.naukanet.ru; it looks like it might be a NAT address hiding your entire network. In that case, you would need to check your firewall logs for any transactions using port 25 (SMTP), not necessarily your mail server logs.

Just trying to get the conversation going in a positive direction.


Well, someone in my situation has to try everything...

So, my mail server has been blacklisted for 3 days already. However, there are no traces of any kind of spam sent through my server in the logs. Moreover, I have already received the long-awaited answer from the deputy, which says that the letters are sent through my server by a trusted user infected by a worm of the Mimail kind.

But any trusted user activity is logged. There is nothing there similar to the address given as "from" in the sample of the offending letter received by the trap server and sent to me by the deputy. At the same time, it contains this line:

----------------------------------

Received: from logix-gw.naukanet.ru (logix-gw.naukanet.ru [213.208.178.242] (may be forged))

----------------------------------

NB - "May be forged" ...

Is it really possible my mail server has been exposed in some way?

Or does anybody know of an example of cracking a sendmail box this way, to start sending letters containing viruses?

BTW, there is no notable or increased outgoing traffic; everything looks quite usual.

<_<


I am very happy that someone came along who could suggest a technical solution to this guy's problem.

However, I do not think it was rude to suggest that if he wasn't getting help from this forum, that he could ask someone else, even if he had to pay for it.

Not all forum users are able to monitor the forum all the time (though if Julian wants to use volunteers, it might be a good idea to have a sign-up sheet for the times they will monitor the forum, so that there is always someone knowledgeable around).

Miss Betsy


I am very happy that someone came along who could suggest a technical solution to this guy's problem

Actually, my post time-stamped at 03:55 AM included the suggestion of going to the firewall logs ... almost 12 hours prior to the one he noticed from Steven <g> .... All I could see was that he hadn't yet done that. I did note that the DNS issue was resolved, so I did figure that there were other issues being worked .. but ...


It appears that the original poster does not have English as their primary language, and that can impair communications.

The original poster seemed to originally think that an open relay was the only way that their system could be used to spam, and gave no indication that they had even read the PINNED topics that could have explained things better for them.

This is indicated by the repeated postings by the original poster, none of them referencing any of the content in the pinned topics.

Had the original poster read those topics, they may have been able to solve their problem themselves, or asked more useful questions.

For the original poster: while spammers will exploit an open relay, their preferred mode of operation is something known as an open proxy.

For about the last year, the main purpose of many of the viruses on the Internet appears to be to install such open proxies on vulnerable computers.

Spammers will take advantage of any vulnerability that they find, and sometimes the only way that you will find out how they are sending spam through your network is with a packet monitor.

If you have a proxy server or a firewall, and it has a remote control method, beware: the default passwords for these are well known, and for some of them they are set differently from the local passwords. I know of at least one person that found this out the hard way.

A network operator needs to make sure that no one other than authorized mail servers can send on port 25 going out of their network, and should raise an alert to their support people if anything else tries. It will mean that something is misconfigured, or that they have a security breach.

Passing an open relay test just means that only one of several methods that spammers use is blocked.

Not being in the mail server logs does not mean that the server did not relay spam, it just means that the mail server software was not used to do it.

-John

Personal Opinion Only


Archived

This topic is now archived and is closed to further replies.
