>Obviously, I can't have users upset like this. However, it seems that
>patching port 25 is more trouble than it's worth. If anyone can point me
>to a good piece of tracing software, please let me know. I'd like nothing
>more than to nail these weasels to the wall. It gets kinda depressing to
>deal with a user who comes into the office in tears.

Hmm, not good. I can think of two immediate ways of getting some form of
who is at the other end. One is to install identd on your hosts, as many as
you can, and then put a tcpd wrapper on your sendmail so it records connections
but does no filtering. You can compile tcpd to record usernames and syslog them
for future examination. That will let you know what is happening.

Another way is to get the srcs for telnet (there are many pub domain ones around)
and put in a check to see if the user is going to port 25 and, if so, to syslog
the event. If the user is smart then they might write custom tcp connect code,
but if you don't go around letting people know what is happening then you will get
at least a few of them.

Get tcpd and identd from cert.org, and telnet clients from ftp.uu.net.
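
A way to do the "future examination" of the first approach, as an added example that is not part of the original message: it tallies tcpd connection records for the wrapped sendmail by ident username and source host. The log lines are constructed, and the "connect from [user@]host" record format, the daemon name "sendmail" and all host and user names are assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original message). They assume
# tcpd's usual "connect from [user@]host" record and a wrapped daemon that is
# logged under the name "sendmail".
SAMPLE_LOG = """\
Mar  3 01:12:44 mailhub sendmail[2211]: connect from jdoe@lab3.example.edu
Mar  3 01:13:02 mailhub sendmail[2214]: connect from jdoe@lab3.example.edu
Mar  3 01:15:37 mailhub sendmail[2230]: connect from pc17.example.edu
Mar  3 02:40:09 mailhub in.telnetd[2301]: connect from asmith@lab1.example.edu
Mar  3 08:05:51 mailhub sendmail[2950]: connect from daemon@relay.example.edu
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+"
    r"(?P<daemon>[\w.\-]+)\[\d+\]:\s+connect from\s+"
    r"(?:(?P<user>[^@\s]+)@)?(?P<host>\S+)$"
)

def smtp_connections(log_text, daemon="sendmail"):
    """Yield (timestamp, user, host) for each connection to the wrapped daemon.
    user is None when the record carries no ident username."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("daemon") == daemon:
            yield m.group("ts"), m.group("user"), m.group("host")

def summarize(log_text, daemon="sendmail"):
    """Count connections per (user, host) and list hosts with no ident name."""
    counts = Counter()
    unidentified = set()
    for _ts, user, host in smtp_connections(log_text, daemon):
        counts[(user, host)] += 1
        if user is None:
            unidentified.add(host)
    return counts, sorted(unidentified)

if __name__ == "__main__":
    counts, unidentified = summarize(SAMPLE_LOG)
    for (user, host), n in counts.most_common():
        print(f"{n:3d}  {user or '(no ident)'}@{host}")
    print("hosts still needing identd:", ", ".join(unidentified))
```

The username in each record is whatever the connecting host's identd reported, so it is only meaningful for hosts where you run identd yourself.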