-
July 19th, 2004, 07:22 PM
#1
Junior Member
spoofed or not?
I have a server that I think is being spoofed, but my NOC seems to think the spammer is on my box. Is there a way I can scan outgoing messages for specific keywords related to the content of the email body? This guy sends the same email every time, so one or two keywords should do it.
If anyone knows of a better way, I crave the knowledge.
Thanks!
-
July 19th, 2004, 07:26 PM
#2
What mail client are you using?
-
July 19th, 2004, 07:28 PM
#3
Junior Member
-
July 19th, 2004, 07:31 PM
#4
Have you looked at MailScanner?
-
July 19th, 2004, 07:33 PM
#5
Junior Member
No, I hadn't. I was considering Ethereal but wasn't sure...
-
July 19th, 2004, 07:37 PM
#6
If using Exim, I presume some sort of *NIX as your NOS.
Why not use procmail to copy outgoing messages to a temp file or mailbox for a while to see?
If your mail server is busy you will need to keep disk space in mind as the file can grow quickly.
Make sure your policies allow you to redirect a copy of outgoing messages for review.
SGS
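As an added example that is not part of the original thread: once outgoing mail is being copied to a review mailbox as suggested in post #6, a short Python script can search the decoded message bodies for the spammer's keywords. The mbox file name, the keywords and the two sample messages are constructed for illustration.

```python
import mailbox
import os
import tempfile
from email.message import EmailMessage

def body_text(msg):
    """Decode every text/* part so base64 or quoted-printable bodies are searchable."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def scan_mbox(path, keywords):
    """Return a record for each message whose decoded body contains a keyword."""
    hits = []
    box = mailbox.mbox(path, create=False)
    try:
        for msg in box:
            text = body_text(msg).lower()
            found = [k for k in keywords if k.lower() in text]
            if found:
                # Received lines record how the message reached this server.
                hits.append({"message_id": msg.get("Message-ID"), "from": msg.get("From"),
                             "received": msg.get_all("Received", []), "keywords": found})
    finally:
        box.close()
    return hits

def demo():
    samples = [  # constructed messages; hosts and addresses are placeholders
        ("<1@mail.example.com>", "alice@example.com", "Agenda attached for Tuesday.\n", "7bit"),
        ("<2@mail.example.com>", "offers@example.org",
         "Buy cheap replica watches today, no prescription needed!\n", "base64"),
    ]
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "outgoing-review.mbox")  # hypothetical review mailbox
        box = mailbox.mbox(path)
        for mid, sender, body, cte in samples:
            m = EmailMessage()
            m["Message-ID"], m["From"], m["To"] = mid, sender, "someone@example.net"
            m["Received"] = "from localhost by mail.example.com with local"
            m.set_content(body, cte=cte)
            box.add(m)
        box.close()  # close() flushes the mailbox to disk
        return scan_mbox(path, ["replica watches", "no prescription"])

if __name__ == "__main__":
    print(demo())
```

The second sample body is base64-encoded, so a plain text search of the mailbox file would miss it, while the decoded scan reports it along with its Message-ID and Received lines.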
-
July 19th, 2004, 08:20 PM
#7
Junior Member
Do you know a good tutorial for procmail to do what I need? I've searched Google and the procmail site, but since I'm not much of a programmer I'm not really sure what I need it to do other than search for keywords in outgoing mail...
-
July 20th, 2004, 01:07 PM
#8
Re: spoofed or not?
Originally posted here by croakingtoad:
"I have a server that I think is being spoofed, but my NOC seems to think the spammer is on my box."
Ask them for proof. That way you too can verify it.
"Is there a way I can scan outgoing messages for specific keywords related to the content of the email body? This guy sends the same email every time, so one or two keywords should do it."
You're running Exim as an MTA? So your port 25 is open to the world?
Are you sure you're not an open relay? Check and double check to make sure you aren't.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
July 20th, 2004, 02:02 PM
#9
Junior Member
No, according to the NOC, Exim is set up not to open relay. I had run an open relay check a while back as well, and it returned negative results, so I don't think that's it...