[wplug] Re: figuring out where mail sent from your box came from

Christian Holtje docwhat at gerf.org
Fri Nov 18 09:41:56 EST 2005


Russ Schneider wrote:

>Seems like someone was spamming AOL from one of my boxes.
>
>How can I tell from the logs whether this was a user on my box sending 
>mail from the box, or someone relaying mail from an outside server?
>
>I'm assuming if someone is sending it from an outside server, I can simply 
>block port 25 and be done with it?
>
>I'm running postfix on Mandrake, BTW.
>

The best way is to see the Received: headers from the email.  For
example, the email I'm replying to had these headers:

Received: from penguin.wplug.org (PENGUIN.WPLUG.ORG [128.2.194.8])
	by gerf.org (8.13.4/8.13.4/Debian-3) with ESMTP id jAIEC30Z029504
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
	for <list.wplug at docwhat.gerf.org>; Fri, 18 Nov 2005 08:12:05 -0600
Received: from penguin.wplug.org (localhost.localdomain [127.0.0.1])
	by penguin.wplug.org (8.12.11/8.12.11) with ESMTP id jAIE6QPA014552
	for <list.wplug at docwhat.gerf.org>; Fri, 18 Nov 2005 09:12:13 -0500
Received: from localhost.sugapablo.net (ipl-67-0168.pppoe.stargate.net
	[206.210.67.168])
	by penguin.wplug.org (8.12.11/8.12.11) with ESMTP id jAIE6LZW014547
	for <wplug at wplug.org>; Fri, 18 Nov 2005 09:06:25 -0500
Received: by localhost.sugapablo.net (Postfix, from userid 501)
	id 41ACE52A5D; Fri, 18 Nov 2005 09:06:09 -0500 (EST)
Received: from localhost (localhost [127.0.0.1])
	by localhost.sugapablo.net (Postfix) with ESMTP id 0DECC52A5C
	for <wplug at wplug.org>; Fri, 18 Nov 2005 09:06:09 -0500 (EST)


You read from the bottom up.  So this email visited:
Each line is an email going from one mailer to the next.  Things like
localhost.sugapablo.net sending it to itself are because your MUA (pine)
sent it to the MTA (postfix).

Notice that even though it says what the host claimed it was
(penguin.wplug.org in the first line, for example) it still shows the
reverse lookup and the ip address (PENGUIN.WPLUG.ORG [128.2.194.8]).

If it really looks like it came from your system, then look at the
message id line:

Message-ID: <Pine.LNX.4.58.0511180904310.14380 at dell.sugapablo.net>

You can use that to search for log entries on your systems.
Specifically, the part before the @ sign.

I hope that helps.

Ciao!
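
As an added example (not part of this thread), a small Python script that walks a Received: chain bottom-up the way described above and reports whether mail first entered a given host as a local user submission or as an SMTP relay from an outside address; the embedded headers are the ones quoted in this message (minus the TLS line and one internal hop), and the host names passed to classify_origin are assumptions for the demonstration.

```python
import re

# Constructed sample: the Received: chain quoted in the message above, minus
# the TLS line and the second penguin hop; continuation lines are space-indented.
SAMPLE_HEADERS = """\
Received: from penguin.wplug.org (PENGUIN.WPLUG.ORG [128.2.194.8])
    by gerf.org (8.13.4/8.13.4/Debian-3) with ESMTP id jAIEC30Z029504
    for <list.wplug at docwhat.gerf.org>; Fri, 18 Nov 2005 08:12:05 -0600
Received: from localhost.sugapablo.net (ipl-67-0168.pppoe.stargate.net
    [206.210.67.168])
    by penguin.wplug.org (8.12.11/8.12.11) with ESMTP id jAIE6LZW014547
    for <wplug at wplug.org>; Fri, 18 Nov 2005 09:06:25 -0500
Received: by localhost.sugapablo.net (Postfix, from userid 501)
    id 41ACE52A5D; Fri, 18 Nov 2005 09:06:09 -0500 (EST)
Received: from localhost (localhost [127.0.0.1])
    by localhost.sugapablo.net (Postfix) with ESMTP id 0DECC52A5C
    for <wplug at wplug.org>; Fri, 18 Nov 2005 09:06:09 -0500 (EST)
"""


def parse_received(raw):
    """Unfold headers; return Received: hops oldest-first (i.e. read bottom-up)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)  # join folded continuation lines
    hops = []
    for line in unfolded.splitlines():
        if not line.startswith("Received:"):
            continue
        hop = {"helo": None, "rdns": None, "ip": None, "by": None, "userid": None}
        # "from <name the client claimed> (<reverse lookup> [<ip>])"
        if m := re.search(r"from (\S+) \((\S+) \[([\d.]+)\]\)", line):
            hop["helo"], hop["rdns"], hop["ip"] = m.groups()
        if m := re.search(r"\bby (\S+)", line):
            hop["by"] = m.group(1)
        # Postfix stamps mail injected by a local user with that user's uid
        if m := re.search(r"from userid (\d+)", line):
            hop["userid"] = int(m.group(1))
        hops.append(hop)
    return hops[::-1]  # headers are prepended, so reverse to get delivery order


def classify_origin(hops, my_host):
    """How did the mail first enter my_host: a local user, or an outside relay?"""
    for hop in hops:
        if hop["by"] != my_host:
            continue
        if hop["userid"] is not None:
            return f"local submission by userid {hop['userid']}"
        if hop["ip"] and not hop["ip"].startswith("127."):
            return (f"relayed over SMTP from {hop['ip']} "
                    f"(rDNS {hop['rdns']}, claimed {hop['helo']})")
    return "unknown"
```

A "local submission" result means blocking port 25 from outside will not stop it; a relay result gives you the client IP and the mismatch between the claimed name and the reverse lookup to grep for in the MTA log.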

