RE: [cobalt-security] /etc/mail/access file being ignored
- Subject: RE: [cobalt-security] /etc/mail/access file being ignored
- From: "Keith Ford" <keith@xxxxxxxxxxxxxxxx>
- Date: Fri, 16 Jan 2004 09:55:18 -0600
- Organization: MemberClicks
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Turns out our sendmail binary had been compromised. It was ignoring the access file and pop-before-relay requirements. A reinstall fixed the symptoms, but we're still looking to determine what happened.
Plus a kudos to RaQ Aid who assisted us.
-keith
At 03:05 PM 1/14/2004, you wrote:
One interesting note, when they would connect to our sendmail it would see their IP, but they were identifying themselves with a server name that was our IP address. Still not sure how they were pulling off the relay, as their IP was not in popip.db. Doesn't poprelayd only look at /var/log/maillog?
Do you have any old formmail scripts on the server? Or any scripts based on formmail (such as yform)?
Brian