Re: [FRIAM] weird malware

2016-07-29 Thread Russell Standish
Mystery solved!

It was all a bit more innocuous than it first appeared. There were two
messages stuck in the inbox of my POP server which, because they had a
malformed return address, could not be downloaded or deleted from the
POP server, so there they stayed, unread by anyone. Postfix was
writing a message to the log complaining about the malformed address.

I was able to webmail into the POP server directly, and after a bit
of fiddling with the unfamiliar interface, managed to delete them.

They were just the usual run-of-the-mill Nigerian-style scam letters,
nothing to be too worried about.

Cheers

On Fri, Jul 29, 2016 at 03:06:20PM +1000, Russell Standish wrote:

-- 

Dr Russell Standish                    Phone 0425 253119 (mobile)
Principal, High Performance Coders
Visiting Senior Research Fellow        hpco...@hpcoders.com.au
Economics, Kingston University         http://www.hpcoders.com.au



FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com

Re: [FRIAM] weird malware

2016-07-28 Thread Russell Standish
Thanks - I'll try that suggestion...

On Thu, Jul 28, 2016 at 07:23:37PM -0700, glen wrote:


Re: [FRIAM] weird malware

2016-07-28 Thread glen
This may help:
http://security.stackexchange.com/questions/11558/how-can-i-find-the-process-that-is-trying-to-use-smtp-to-send-email

The postfix option debug_peer_level may help, though the man page says it's for remote clients.



On July 28, 2016 6:05:35 PM PDT, Russell Standish  wrote:

-- 
glen ⛧



Re: [FRIAM] weird malware

2016-07-28 Thread Gillian Densmore
Russ, if it's a browser thing, Chrome has a known issue where even on Linux
extensions (try to) hijack, put in malware, etc. Quite a few threads about
this issue. I don't know what kind of malware and adware gets to Linux.


Did you check forums to see if it's (relatively) normal, or how your log files
get formatted etc?





On Thu, Jul 28, 2016 at 7:05 PM, Russell Standish wrote:



Re: [FRIAM] weird malware

2016-07-28 Thread Russell Standish
On Thu, Jul 28, 2016 at 04:15:21PM -0700, glen ☣ wrote:

That's what bothers me. But I can't seem to find anything about
it.

BTW - this is an openSUSE linux system.

Cheers


Re: [FRIAM] weird malware

2016-07-28 Thread glen ☣


For the analogy to work, we'd have to use corewars or tierra or somesuch.  The 
ben-ware, in competing for the available resources, prevent the mal-ware 
population from exploding.  And we'd have some who had to take regular ben-ware 
supplements in order to mitigate irritable-output-syndrome and 
cpu-overgrowth-syndrome.

Personally, I use the analog of frequent, broad-spectrum, antibiotic treatments 
... on my phone, at least.  Nothing beats a ROM wipe every week or two to keep 
your system clean!

On 07/28/2016 04:45 PM, Steven A Smith wrote:



--
☣ glen



Re: [FRIAM] weird malware

2016-07-28 Thread Steven A Smith
Frankly I can't wait until our systems all are as fluxed with 
symbiotic-ware (what is the benign form of malware) as our own personal 
biomes...   maybe we are already on our way down that road?


Does anyone track Stephanie Forrest's computer immune systems?

I'm betting we have some evolutionary biologists here as well?

On 7/28/16 5:15 PM, glen ☣ wrote:




Re: [FRIAM] weird malware

2016-07-28 Thread glen ☣


If you search on ninus.ocn.ne.jp, you get lots of spam warnings.  If coerced, 
I'd guess that you have a program on your machine or in your network that's 
trying to send out those spam emails.  Perhaps you're part of a botnet?

On 07/28/2016 03:54 PM, Russell Standish wrote:



[FRIAM] weird malware

2016-07-28 Thread Russell Standish
One for the technorati:

For the past few months I've been seeing the following message appear
in my logs fairly frequently:

Jul 29 08:45:54 SamsungBlue postfix/smtpd[28632]: warning: Illegal address syntax from localhost[::1] in MAIL command: 

Jul 29 08:45:54 SamsungBlue postfix/smtpd[28632]: warning: Illegal address syntax from localhost[::1] in MAIL command: 


What it is saying is that something on my localhost (a laptop) is
attempting to send email to an invalid email address, the rather
bizarre globe.ocn.ne.jp="bello."@hpcoders.com.au

I'm guessing this is some sort of attempted mail relay, but I can't
see a rogue process on the system, and the SMTP port is blocked
externally, so it's not coming from outside AFAICT. Also, I cannot see any
suspicious files hanging around in the postfix staging directory
/var/spool/postfix.

The problem persists through booting.

Has anyone seen anything like this before? Nothing turns up on Google.

Cheers

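As an added example (not code from the thread or from Postfix), here is a small Python parser for the smtpd warning quoted above. It groups the warnings by client address and SMTP command and flags those arriving over loopback, which is the detail that points at a local submitter (as it turned out, a mail fetcher re-injecting messages with a malformed envelope sender) rather than an outside relay attempt. The sample log lines are constructed; the address is the one named in the post, and the angle-bracketed argument after "command:" is the form Postfix logs.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Postfix smtpd "Illegal address syntax" warning, in the shape seen in the
# thread; Postfix logs the offending argument in angle brackets after "command:".
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/smtpd\[(?P<pid>\d+)\]: warning: Illegal address syntax "
    r"from (?P<client>[^\[]+)\[(?P<ip>[^\]]+)\] in (?P<cmd>\w+) command: "
    r"<?(?P<addr>[^>]*)>?$"
)

def parse_warning(line):
    """Return the fields of one warning line, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:  # a loopback client means the submitter is a process on this host
        rec["local_submitter"] = ip_address(rec["ip"]).is_loopback
    except ValueError:
        rec["local_submitter"] = False
    return rec

def summarize(lines):
    """Count warnings per (client IP, SMTP command, address), most frequent first."""
    counts, local = Counter(), {}
    for line in lines:
        rec = parse_warning(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["cmd"], rec["addr"])
        counts[key] += 1
        local[key] = rec["local_submitter"]
    return [{"ip": k[0], "cmd": k[1], "addr": k[2], "count": n,
             "local_submitter": local[k]} for k, n in counts.most_common()]

# Constructed sample: the thread's warning twice (address from the post's
# prose), one warning from a remote client, and one unrelated smtpd line.
SAMPLE_LOG = """\
Jul 29 08:45:54 SamsungBlue postfix/smtpd[28632]: warning: Illegal address syntax from localhost[::1] in MAIL command: <globe.ocn.ne.jp="bello."@hpcoders.com.au>
Jul 29 08:45:54 SamsungBlue postfix/smtpd[28632]: warning: Illegal address syntax from localhost[::1] in MAIL command: <globe.ocn.ne.jp="bello."@hpcoders.com.au>
Jul 29 09:12:03 SamsungBlue postfix/smtpd[28790]: warning: Illegal address syntax from unknown[203.0.113.7] in RCPT command: <bad@@example.invalid>
Jul 29 09:12:04 SamsungBlue postfix/smtpd[28790]: disconnect from unknown[203.0.113.7]
""".splitlines()

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        who = "local process" if row["local_submitter"] else "remote client"
        print(f'{row["count"]:>3} x {row["cmd"]} from {row["ip"]} ({who}): {row["addr"]}')
```

Run against /var/log/mail.log (or `journalctl -u postfix`) instead of the sample to see whether the repeating warning is all from ::1, in which case the next step is looking at what local program submits mail, not at the firewall.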