[nylug-talk] Am I Spamming?

Chris Knadle Chris.Knadle at coredump.us
Thu Jun 7 10:53:27 EDT 2007


On Thursday 07 June 2007, Judd Maltin wrote:
> I woke up this morning to a LOT of bounced email messages in my inbox.  All
> spam.  The headers included in the bounce indicate that the original
> message came from my IP address, yet I don't see anything matching in my
> postfix logs.  My postfix is NOT a relay.

   If this really is the case, that's certainly disturbing and cause for 
investigation, just like you're trying to do.

> So I figure there's some other application, likely a PHP app or something,
> that's been hijacked to send out spam.  I'd like to monitor the situation
> before doing anything.  I'm going about it by using iptraf to monitor
> connections from my only external interface to 0.0.0.0:25.
>
> However, iptraf does not correlate connections to processes.  What other
> tools would you folks use to find out what processes are using which ports
> for the short period of time required to send an email?  That is, other
> than leaving tcpdump on and culling through the results.

   'netstat -tapc' will give you a continuous output of all tcp connections 
and the application that has them open.  I'd like to think that with this you 
can "match on port 25", "remove matches for postfix", and then you'll have a 
list of the offending application[s] that made connections output to port 25.
   Please note that this is off-the-cuff -- I've never actually used this.

   tcpdump is another good idea as long as you limit the matches to the small 
subset of what you're specifically looking for.  However I haven't found a 
way [off the top of my head] to have tcpdump list the program name that 
opened a connection -- so that's not going to give you quite the granularity 
you're looking for.  [And thus why my next thought was 'netstat'.]

   -- Chris

-- 

Chris Knadle
Chris.Knadle at coredump.us
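A small filter in the spirit of the 'netstat -tapc' suggestion above, added here as an example and not part of the original thread: it reads `netstat -tapn` output (numeric ports, so port 25 appears as "25" rather than "smtp"), keeps only TCP connections whose remote port is 25, and drops those owned by postfix's own daemons. The list of postfix process names and the sample netstat lines are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Filter 'netstat -tapn' output for connections to remote port 25 whose owning
# process is not one of postfix's daemons. The process name is the last column
# ("PID/Program name"); the postfix daemon names below are an assumed list and
# should be adjusted to whatever your installation actually shows.
filter_non_postfix_smtp() {
    awk '
        $1 == "tcp" || $1 == "tcp6" {
            # Foreign address is host:port; the port is the text after the last ":"
            n = split($5, parts, ":")
            rport = parts[n]
            prog = $NF
            sub(/^[0-9]+\//, "", prog)   # strip the "PID/" prefix
            if (rport == "25" && prog !~ /^(master|smtp|smtpd|qmgr|pickup|cleanup|bounce|tlsmgr)$/)
                print
        }'
}

# Constructed sample of 'netstat -tapn' output (not real data): one postfix
# listener, one legitimate postfix delivery, two outbound SMTP connections
# from a web-application process, and one unrelated HTTPS connection.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1234/master
tcp        0      0 192.0.2.10:43120        198.51.100.7:25         ESTABLISHED 1250/smtp
tcp        0      0 192.0.2.10:43121        203.0.113.9:25          ESTABLISHED 2048/php-cgi
tcp        0      0 192.0.2.10:43122        203.0.113.12:25         SYN_SENT    2048/php-cgi
tcp        0      0 192.0.2.10:52000        198.51.100.50:443       ESTABLISHED 3001/curl'

# Number of non-postfix connections to port 25 in the sample (expected: 2).
count_non_postfix_smtp() {
    printf '%s\n' "$SAMPLE_NETSTAT" | filter_non_postfix_smtp | wc -l | tr -d ' '
}

# Live use, polling continuously as with the -c flag discussed above:
#   netstat -tapnc | filter_non_postfix_smtp
```

Polling this way can miss a connection that opens and closes between two samples, so a process that sends a single short message may slip through; it is a quick first look, not a complete record.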

