How Can I Tell if My Sendmail Server is being used for spam by a hacker?

Hi,

I believe that I've configured sendmail so that only certain machines and users are allowed to send mail from my server.

In my logwatch email, I can see that there are unknown users listed in the sendmail begin section.

I have also seen at times relaying denied messages from other users.

Does this mean that I have configured sendmail correctly to deny unauthorized use or does it mean that someone has gotten in somehow but just hasn't cracked the safe yet?

Is there a log file that shows what messages has been sent out and by what users?

Thanks.

You config is running fine. If they get the relaying denied error, it means your server is refusing to send (relay) mail from them to another mail server. They have to be able to connect so that they can send your server mail, so no, they have not 'hacked' in.

thanks a lot.

I will argue with Obi Wonton on this one.

If you 'feel' you've been hacked, then follow your gut young grasshopper.

spend a little time checking the log files in /var/logs. Snoop around a little and see if your server is sending an inordinate amount of emails. Do you have bounce backs from accts not on your system.

I'm not saying your 'hacked', but you may want to spend some time poking around. One is never safe in the wild west of the WWW.

just my 2 cents worth...

Frog

I'd normally agree with that, but this sounds like a newbie post. The 'symtoms' he/she reported sound like completely normal traffic. I really wouldn't worry, but checking your logs regularly is definitely a must.

try hacking it yourself - telnet to your server and try to send mail 'manually' to addresses not in your domain.