You really need to look at the mail log to see where the mail is coming from, regardless of your firewall settings. It can actually come from inside, you see.
On Thu, Nov 15, 2012 at 9:29 AM, Noah Mehl <n...@tritonlimited.com> wrote:
> I am seeing more spam in my mail queue. I have iptables installed, and
> here are my rules:
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     icmp --  anywhere             anywhere            icmp any
> ACCEPT     esp  --  anywhere             anywhere
> ACCEPT     ah   --  anywhere             anywhere
> ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pcsync-https
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:xmpp-client
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5223
> ACCEPT     all  --  192.168.0.0/16       anywhere
> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:sip
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:sip
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:sip-tls
> ACCEPT     udp  --  sip02.gafachi.com    anywhere            state NEW udp dpts:sip:5080
> ACCEPT     udp  --  204.11.192.0/22      anywhere            state NEW udp dpts:sip:5080
> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>
> As far as I can tell, no one should be able to use port 25 from the world.
> Also, sendmail is only configured to allow relay from localhost:
>
> [root@sipx1 ~]# cat /etc/mail/access
> # Check the /usr/share/doc/sendmail/README.cf file for a description
> # of the format of this file. (search for access_db in that file)
> # The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
> # package.
> #
> # by default we allow relaying from localhost...
> Connect:localhost.localdomain           RELAY
> Connect:localhost                       RELAY
> Connect:127.0.0.1                       RELAY
>
> Can someone please help me figure out where this spam is coming from?
> Thanks.
>
> ~Noah
>
> On Oct 13, 2012, at 10:17 AM, Noah Mehl <n...@tritonlimited.com> wrote:
>
> > I did not change the configuration of anything related to the PlcmSpIp
> > user. It does however make me feel better that it is related to the vsftpd
> > service and the Polycom phones.
> >
> > From /etc/passwd:
> >
> > PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
> >
> > So, that user cannot ssh to a shell. So I don't think it was that.
> >
> > ~Noah
> >
> > On Oct 12, 2012, at 9:05 AM, Tony Graziano <tgrazi...@myitdepartment.net> wrote:
> >
> >> ... more -- it's a user that does not have login to the OS itself, just
> >> vsftpd, which is restricted to certain commands and must present a
> >> request for its MAC address in order to get a configuration file. It
> >> is not logging into Linux unless someone changed the rights of the
> >> user.
> >>
> >> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <geo...@ezuce.com> wrote:
> >>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano
> >>> <tgrazi...@myitdepartment.net> wrote:
> >>>> This is not a valid system user unless you have manually added it to the
> >>>> system. I do think the logs would show more if access was granted. Why are
> >>>> you exposing sshd to the outside world with an ACL or by protecting it at
> >>>> your firewall?
> >>>>
> >>>
> >>> PlcmSpIp is the user used by Polycom phones for fetching config from the server.
> >>>
> >>> George

-- 
~~~~~~~~~~~~~~~~~~
Tony Graziano, Manager
Telephone: 434.984.8430
sip: tgrazi...@voice.myitdepartment.net
Fax: 434.465.6833
~~~~~~~~~~~~~~~~~~
Linked-In Profile:
http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
Ask about our Internet Fax services!
~~~~~~~~~~~~~~~~~~

Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013!
<http://sipxcolab2013.eventbrite.com/?discount=tony2013>

--
LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: helpd...@voice.myitdepartment.net

Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net
_______________________________________________
sipx-users mailing list
sipx-users@list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-users/
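Added example of the check Tony describes, not code from this thread or from sipXecs: it reads sendmail's maillog and groups the from= records by their relay= field, which names the connection or local user that injected each message. Mail that a local process piped into the sendmail binary shows up as relay=user@localhost, and mail submitted through the local MSP as relay=localhost [127.0.0.1]; neither ever crossed the INPUT chain, so the firewall rules above say nothing about it. The log lines, the host name sipx1 and the queue IDs are constructed for illustration.

```python
"""Tally where each message in a sendmail maillog entered the host.

Added example (not code from the sipx-users thread). Parses the
'from=' records sendmail writes to /var/log/maillog, keeps the relay=
field, and splits local submissions (user@localhost, 127.0.0.1) from
connections that came in over SMTP. SAMPLE_LOG is constructed.
"""
import re
from collections import Counter

# Sendmail 'from=' record: syslog prefix, queue id, then key=value fields.
FROM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[\d+\]: "
    r"(?P<qid>\w+): from=(?P<sender>\S+?), .*?relay=(?P<relay>.+?)\s*$"
)
# relay= values that mean the message was injected on the box itself.
LOCAL_RE = re.compile(r"(?:@localhost\b|\blocalhost\b|127\.0\.0\.1)")

# Constructed sample: two remote SMTP connections, one MSP submission,
# and two bulk messages handed to sendmail by the local 'apache' user.
SAMPLE_LOG = """\
Nov 15 09:01:02 sipx1 sendmail[12345]: qAFE12ab012345: from=<alice@example.com>, size=1234, class=0, nrcpts=1, msgid=<a1@example.com>, proto=ESMTP, daemon=MTA, relay=mail.example.com [192.0.2.10]
Nov 15 09:01:03 sipx1 sendmail[12346]: qAFE13cd012346: from=apache, size=5120, class=0, nrcpts=50, msgid=<b2@sipx1.localdomain>, relay=apache@localhost
Nov 15 09:01:04 sipx1 sendmail[12347]: qAFE14ef012347: from=<bob@example.org>, size=900, class=0, nrcpts=1, msgid=<c3@example.org>, proto=ESMTP, daemon=MTA, relay=[203.0.113.7]
Nov 15 09:01:05 sipx1 sendmail[12348]: qAFE15gh012348: from=apache, size=5120, class=0, nrcpts=50, msgid=<d4@sipx1.localdomain>, relay=apache@localhost
Nov 15 09:01:06 sipx1 sendmail[12349]: qAFE16ij012349: from=<root@sipx1.localdomain>, size=300, class=0, nrcpts=1, msgid=<e5@sipx1.localdomain>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Nov 15 09:01:07 sipx1 sendmail[12350]: qAFE12ab012345: to=<carol@example.net>, ctladdr=<alice@example.com> (500/500), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31234, relay=mx.example.net. [198.51.100.5], dsn=2.0.0, stat=Sent
"""


def parse_from_records(lines):
    """Return one dict per 'from=' record: queue id, sender, relay, nrcpts, local flag."""
    records = []
    for line in lines:
        m = FROM_RE.match(line)
        if not m:
            continue  # to=/stat= delivery lines and non-sendmail lines carry no origin
        n = re.search(r"nrcpts=(\d+)", line)
        records.append({
            "qid": m.group("qid"),
            "sender": m.group("sender"),
            "relay": m.group("relay"),
            "nrcpts": int(n.group(1)) if n else 0,
            "local": bool(LOCAL_RE.search(m.group("relay"))),
        })
    return records


def summarize_origins(records):
    """Count messages per relay, split into local and remote origin, plus recipients per relay."""
    summary = {"local": Counter(), "remote": Counter(), "recipients": Counter()}
    for r in records:
        bucket = "local" if r["local"] else "remote"
        summary[bucket][r["relay"]] += 1
        summary["recipients"][r["relay"]] += r["nrcpts"]
    return summary


def top_sources(summary, n=3):
    """Relays ordered by total recipients, the number that drives spam volume."""
    return summary["recipients"].most_common(n)


if __name__ == "__main__":
    summary = summarize_origins(parse_from_records(SAMPLE_LOG.splitlines()))
    for origin in ("local", "remote"):
        for relay, count in summary[origin].most_common():
            rcpts = summary["recipients"][relay]
            print(f"{origin:6} {count:3} msgs {rcpts:4} rcpts  {relay}")
```

Against the real file, `parse_from_records(open('/var/log/maillog'))` does the same thing; the queue IDs it reports are the ones `mailq` (or `sendmail -bp`) lists for messages still waiting. A relay such as apache@localhost with a large nrcpts= points at a web application or script on the box, which no INPUT rule could have blocked. One caveat about the listing in the quoted message: `iptables -L` omits interface matches, so the first `ACCEPT all -- anywhere anywhere` rule in RH-Firewall-1-INPUT is most likely the stock `-i lo` loopback rule rather than a blanket accept; `iptables -L -n -v` or `iptables-save` shows what it really matches.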