Very Computer

Hi,

I see a lot of traffic going out from our qmail server to a remote SMTP
server.

Jun  6 09:32:45 <firewall> kernel: >> IN= OUT=eth1 SRC=<firewall-IP>
DST=<external mail server> LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=43106
PROTO=TCP SPT=44759 DPT=25 WINDOW=5840 RES=0x00 ACK URGP=0

There are more than 10 of these transmissions per second, for quite a long
time (actually still going on untill I blocked this traffic in the
firewall). This seems to be comming from my smtp server, and I'm a little
bit worried now.
Has anybody seen something like this before? Is it possible that my mail
server is compormised?

E.T.

Sounds like someone is using your qmail to relay, suggest you check your
relay settings in /etc/hosts.allow file. It should read something like this:
tcp-env: 192.168.0.1, 192.168.0.2, 192.168.0.3, 192.168.0.4, 192.168.0.11,
127.0.0.1: setenv = RELAYCLIENT
Of course this is for kernel 2.2.14, may be different for later kernels...

Quote:> Hi,

> I see a lot of traffic going out from our qmail server to a remote SMTP
> server.

> Jun  6 09:32:45 <firewall> kernel: >> IN= OUT=eth1 SRC=<firewall-IP>
> DST=<external mail server> LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=43106
> PROTO=TCP SPT=44759 DPT=25 WINDOW=5840 RES=0x00 ACK URGP=0

> There are more than 10 of these transmissions per second, for quite a long
> time (actually still going on untill I blocked this traffic in the
> firewall). This seems to be comming from my smtp server, and I'm a little
> bit worried now.
> Has anybody seen something like this before? Is it possible that my mail
> server is compormised?

> E.T.