Subject: Re: sendmail (crackish?) error message question...
To: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
From: Andrew Brown <twofsonet@graffiti.com>
List: netbsd-help
Date: 12/17/1997 17:31:38
>However, something to note is that, as you said, the two messages
>show the same pid, and one of them references an outside system as
>being the source of the connection. I'm starting to think that perhaps
>my security *isn't* as swiss-cheesed as I thought. My guess is that
>someone was trying to exploit a hole in sendmail that doesn't quite
>work any more, with the new sendmail, anyway. I don't know enough
>about sendmail to prove that, though.

i don't know nothing about any new holes...

>> so...you're not even using sendmail?  perhaps you want to turn it off?
>> or, like me, add a line like this to your cf file:
>> 
>>     O DaemonPortOptions=Addr=127.0.0.1
>
>Hm. I *am* using sendmail, a couple ways. First, it checks its queue
>every minute, as uucp dumps mail into sendmail's queue, rather than
>invoking sendmail directly. Second, machines on my local network
>use the sendmail when they send mail out. However, it looks like
>DaemonPortOptions is just what I need. Thanks for pointing it out
>to me! (I don't have the Bat Book, but I *do* have the Baby Bat Book,
>and I was able to find that in there.)

you could build libwrap.a into your sendmail and deny connections to
anyone not on your network...or perhaps use aliases from 10.0.0.0 for
internal networking and have sendmail listen on that interface (so
that no one outside can connect)...

>> could be...that's certainly something i might do to someone i met on
>> irc or a mud.  :)
>
>Well, I can understand looking, but trying to grab root isn't exactly
>sociable. :/ On the other hand, this is a wonderful excuse to stop
>procrastinating over some security stuff I've been pondering.

i wouldn't grab root...i'd just poke a bit out of curiosity.  but
making yourself more secure is always a good thing.  comsat (imho)
should never listen on the network interface, just on localhost, or at
least be configurable to know what network connections should be
considered local and drop all other requests.  the same for syslogd...

>> how much of a network do you have anyway?
>
>It's not much, but I service a few Macs. I use ipnat, so it looks
>like it'll be easy enough to use DaemonPortOptions to only allow
>connections from inside, or connections from outside that have
>been properly spoofed.

ah...well then.  you're all set!

>Thanks for the help!

not a prob!  :)

-- 
|-----< "CODE WARRIOR" >-----|
andrew@echonyc.com (TheMan)        * "ah!  i see you have the internet
codewarrior@daemon.org                               that goes *ping*!"
warfare@graffiti.com      * "information is power -- share the wealth."
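A defender's check for the DaemonPortOptions advice in the thread, added here as an example and not part of the original exchange: it reads the Addr= value out of a sendmail.cf fragment and flags an SMTP listener that is bound to every interface in netstat output. The .cf lines and netstat lines are constructed samples, and the note on the tcp_wrappers daemon name is an assumption to check against the sendmail version in use.

```shell
#!/bin/sh
# Added example, not from the thread: audit whether sendmail's SMTP listener
# is restricted the way "O DaemonPortOptions=Addr=127.0.0.1" intends.
# libwrap alternative (assumed, per sendmail's TCPWRAPPERS build option):
# sendmail consults /etc/hosts.allow under the daemon name "sendmail".

# Constructed sendmail.cf fragments: the default open listener and the fixed one.
CF_OPEN='O DaemonPortOptions=Port=smtp'
CF_LOCAL='O DaemonPortOptions=Addr=127.0.0.1'

# Constructed "netstat -an -f inet" output (BSD format: "*.25" = all interfaces).
NS_OPEN='tcp        0      0  *.25                   *.*                    LISTEN
tcp        0      0  *.22                   *.*                    LISTEN'
NS_LOCAL='tcp        0      0  127.0.0.1.25           *.*                    LISTEN
tcp        0      0  10.0.0.1.25            *.*                    LISTEN'

# daemon_addr CF: print the Addr= value of the DaemonPortOptions line,
# or "*" when no Addr= is given (sendmail then binds every interface).
daemon_addr() {
    printf '%s\n' "$1" | awk '
        /^O DaemonPortOptions=/ {
            n = split(substr($0, index($0, "=") + 1), kv, ",")
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^Addr=/) { print substr(kv[i], 6); found = 1 }
        }
        END { if (!found) print "*" }'
}

# smtp_bind_ok NETSTAT: succeed only if every TCP socket listening on port 25
# is bound to loopback or a 10/8 internal address; fail on "*" or anything else.
smtp_bind_ok() {
    printf '%s\n' "$1" | awk '
        $1 == "tcp" && $NF == "LISTEN" && $4 ~ /\.25$/ {
            if ($4 != "127.0.0.1.25" && $4 !~ /^10\.[0-9]+\.[0-9]+\.[0-9]+\.25$/)
                bad = 1
        }
        END { exit bad }'
}

# Stand-alone run: report both the configured and the observed state.
echo "cf Addr: $(daemon_addr "$CF_OPEN") -> $(daemon_addr "$CF_LOCAL")"
smtp_bind_ok "$NS_OPEN"  && echo "open: ok"  || echo "open: listener on all interfaces"
smtp_bind_ok "$NS_LOCAL" && echo "local: ok" || echo "local: unexpected listener"
```

Run it against real `sendmail.cf` contents and live `netstat -an` output to confirm the option actually took effect after the daemon was restarted.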