Re: Strange locally-originating spam messages from sport.qc.ca
On Thu, Mar 30, 2023 at 12:00:01PM +0300, Reco wrote:
> Hi.
>
> On Thu, Mar 30, 2023 at 09:30:49AM +0100, Julian Gilbey wrote:
> > I wonder if anyone has any idea about how to track this down?
>
> I'd check /var/log/exim4/mainlog first, obviously.
> For instance, your mail was sent to my MTA by bendel.d.o, as it
> should be:
>
> $ grep ZmNnhCgr7-N.A.uSE.A2UJkB /var/log/exim4/mainlog
> 2023-03-30 10:51:15 1pho03-0000QZ-9B <= bounce-debian-user=deb=enotuniq.net@lists.debian.org H=bendel.debian.org [82.195.75.100] P=esmtps X=TLS1.3:ECDHE_X25519__ECDSA_SECP384R1_SHA384__AES_256_GCM:256 CV=no S=5087 id=ZmNnhCgr7-N.A.uSE.A2UJkB@bendel
Hi Reco,
Thanks!
The log seems quite unhelpful here, though I may be missing
something. Here is an example:
2023-03-29 00:07:19 1phIPT-0047NQ-0H <= <> H=(LOCALHOSTNAME) [::1] P=smtp S=2878
2023-03-29 00:07:19 1phIPT-0047NQ-0H ** frpjxbkekuek@sport.qc.ca <FRPJXbKeKuek@sport.qc.ca> R=nonlocal: Mailing to remote domains not supported
2023-03-29 00:07:19 1phIPP-0047NT-0V <= <> R=1phIPT-0047NQ-0H U=Debian-exim P=local S=667
2023-03-29 00:07:19 1phIPT-0047NQ-0H Frozen (delivery error message)
2023-03-29 00:13:24 1phIPT-0047NQ-0H Message is frozen
...and lots of repeats of this last message until I manually deleted
the message.
(I've replaced my local machine name with "LOCALHOSTNAME" in the above.)
It seems to have originated locally ([::1]), which is why I wonder
whether I've got a virus of some sort.
On my internet-facing host, these messages appear to originate from a
Canadian ISP, but I don't know whether to believe it, given what's
happening on my other machine.
Best wishes,
Julian
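An added example, not from this thread or from exim itself: a short Python script that scans exim4 mainlog lines for the shape Julian shows, a message accepted over SMTP from the loopback address with an empty envelope sender, and reports its message id together with the recipient that later failed routing. The sample log text is constructed from the excerpts quoted in this thread, so the regexes only cover the line shapes seen here.

```python
import re

# Constructed sample, modelled on the exim4 mainlog excerpts in this thread
# (the local host name is replaced by LOCALHOSTNAME, as in the original post).
SAMPLE_MAINLOG = """\
2023-03-29 00:07:19 1phIPT-0047NQ-0H <= <> H=(LOCALHOSTNAME) [::1] P=smtp S=2878
2023-03-29 00:07:19 1phIPT-0047NQ-0H ** frpjxbkekuek@sport.qc.ca <FRPJXbKeKuek@sport.qc.ca> R=nonlocal: Mailing to remote domains not supported
2023-03-29 00:07:19 1phIPP-0047NT-0V <= <> R=1phIPT-0047NQ-0H U=Debian-exim P=local S=667
2023-03-29 00:07:19 1phIPT-0047NQ-0H Frozen (delivery error message)
2023-03-30 10:51:15 1pho03-0000QZ-9B <= bounce-debian-user=deb=enotuniq.net@lists.debian.org H=bendel.debian.org [82.195.75.100] P=esmtps S=5087
"""

# "<=" lines: message arrival. H=helo [ip] is only present for SMTP arrivals;
# locally submitted messages (P=local) carry U=user instead.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender><>|\S+)"
    r"(?: H=(?P<helo>\S+) \[(?P<ip>[^\]]+)\])? .*?P=(?P<proto>\S+)"
)
# "**" lines: a recipient address failed permanently (here: the nonlocal router).
FAILURE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\S+) \*\* (?P<rcpt>\S+) ")

LOOPBACK = {"::1", "127.0.0.1"}


def find_local_null_sender(log_text):
    """Return {message id: details} for messages accepted over SMTP from a
    loopback address with an empty envelope sender (<>), adding the recipient
    from a later '**' failure line for the same id when one is present."""
    suspects = {}
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if m and m["sender"] == "<>" and m["ip"] in LOOPBACK \
                and m["proto"].startswith("smtp"):
            suspects[m["id"]] = {"ts": m["ts"], "helo": m["helo"], "rcpt": None}
            continue
        f = FAILURE_RE.match(line)
        if f and f["id"] in suspects:
            suspects[f["id"]]["rcpt"] = f["rcpt"]
    return suspects


if __name__ == "__main__":
    for msg_id, info in find_local_null_sender(SAMPLE_MAINLOG).items():
        print(f"{info['ts']} {msg_id} HELO={info['helo']} -> {info['rcpt']}")
```

Run against the real log with `find_local_null_sender(open("/var/log/exim4/mainlog").read())`; a hit pins down the timestamp, which can then be matched against process accounting or `ss`/`lsof` output from the same host to find what connected to port 25 on localhost.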