Turns out our sendmail binary had been compromised. It was ignoring the access file and pop-before-relay requirements. A reinstall fixed the symptoms, but we're still looking to determine what happened.

Plus a kudos to RaQ Aid who assisted us.

-keith

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Rahill
Sent: Wednesday, January 14, 2004 2:31 PM
To: [EMAIL PROTECTED]
Subject: Re: [cobalt-security] /etc/mail/access file being ignored

At 03:05 PM 1/14/2004, you wrote:

One interesting note, when they would connect to our sendmail it would see their IP, but they were identifying themselves with a server name that was our IP address. Still not sure how they were pulling off the relay, as their IP was not in popip.db. Doesn't poprelayd only look at /var/log/maillog?
Do you have any old formmail scripts on the server? Or any scripts based on formmail (such as yform)?
Brian
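The symptom in this thread (relays accepted from clients that were never in popip.db, with the client announcing itself by the server's own IP) can be spotted in /var/log/maillog after the fact. Below is an added example, not code from the thread or from the Cobalt/poprelayd tools; it assumes sendmail's `relay=NAME [IP]` logging form, and the log lines, addresses, queue IDs and IPs are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample maillog excerpt (not from the original thread). from= lines
# carry the connecting client as relay=NAME [IP]; to= lines carry recipients.
SAMPLE_LOG = """\
Jan 14 14:20:01 raq sendmail[2011]: i0EJK1aa002011: from=<alice@example.com>, size=512, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[203.0.113.5]
Jan 14 14:20:02 raq sendmail[2012]: i0EJK1aa002011: to=<bob@example.com>, delay=00:00:01, mailer=local, stat=Sent
Jan 14 14:25:10 raq sendmail[2031]: i0EJP9bb002031: from=<carol@remote.test>, size=900, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=pop-user.example.net [198.51.100.7]
Jan 14 14:25:11 raq sendmail[2032]: i0EJP9bb002031: to=<dave@elsewhere.test>, delay=00:00:01, mailer=esmtp, relay=mx.elsewhere.test. [192.0.2.25], stat=Sent
Jan 14 14:31:40 raq sendmail[2050]: i0EJVeCc002050: from=<spam@nowhere.test>, size=4096, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=203.0.113.9 [198.51.100.200]
Jan 14 14:31:41 raq sendmail[2051]: i0EJVeCc002050: to=<victim@elsewhere.test>, delay=00:00:01, mailer=esmtp, relay=mx.elsewhere.test. [192.0.2.25], stat=Sent
"""

QID_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<kind>from|to)=<(?P<addr>[^>]*)>")
# Connecting client on a from= line: optional name (HELO/reverse DNS), then [IP].
CLIENT_RE = re.compile(r"relay=(?:(?P<name>[^\s\[]+) )?\[(?P<ip>[\d.]+)\]")

def parse_maillog(text):
    """Group from=/to= lines by queue ID into client IP, announced name, recipients."""
    msgs = defaultdict(lambda: {"client_ip": None, "helo": None, "rcpt_domains": []})
    for line in text.splitlines():
        m = QID_RE.search(line)
        if not m:
            continue
        rec = msgs[m["qid"]]
        if m["kind"] == "from":
            c = CLIENT_RE.search(line)
            if c:
                rec["client_ip"], rec["helo"] = c["ip"], c["name"]
        else:
            rec["rcpt_domains"].append(m["addr"].rsplit("@", 1)[-1].lower())
    return msgs

def find_unauthorized_relays(text, local_domains, allowed_ips, own_ip):
    """Flag messages relayed to non-local domains from clients that should have been refused."""
    findings = []
    for qid, rec in parse_maillog(text).items():
        external = [d for d in rec["rcpt_domains"] if d not in local_domains]
        if not external or rec["client_ip"] is None:
            continue  # local delivery or no client record: not a relay
        reasons = []
        if rec["client_ip"] not in allowed_ips:
            reasons.append("client not in pop-before-relay list")
        if rec["helo"] == own_ip:
            reasons.append("HELO name is our own IP")
        if reasons:
            findings.append((qid, rec["client_ip"], external, reasons))
    return findings
```

A relay that sendmail let through despite the client being absent from the allow list is exactly what a binary ignoring the access file and popip.db would produce, so a non-empty result from a run over the real log is the trigger to verify the binary against the package database rather than to tune poprelayd.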
