Hey Kevin,

Any hints on what you did to fix this or what caused it? Sounds like a mystery issue there and I wonder how you fixed it :-)

Cheers,
Sebastian

On 26.09.2012, at 21:56, <[email protected]> wrote:

> Ron,
>
> I believe we solved part of the mystery.
>
> Spamdyke ignores all rules once SMTP auth is completed
> so that explains why it was ignoring all the other rules.
>
> The offender is coming from all different IPs.
>
> Also, we have a theory that even though we had changed the password
> for user "tom" smtp auth and/or other processes were
> still allowing the old credentials.
>
> We have seen the relaying reduced down and now it's stopped completely
> in the last hour.
>
> Thanks,
> K
>
>> -----Original Message-----
>> From: [email protected] [mailto:spamdyke-users-
>> [email protected]] On Behalf Of [email protected]
>> Sent: Wednesday, September 26, 2012 11:31 AM
>> To: [email protected]
>> Subject: spamdyke-users Digest, Vol 64, Issue 26
>>
>> Message: 1
>> Date: Wed, 26 Sep 2012 14:25:55 -0400
>> From: Gary Gendel <[email protected]>
>> Subject: Re: [spamdyke-users] Need Paid Assistance Referral
>> To: spamdyke users <[email protected]>
>> Message-ID: <[email protected]>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> Kevin,
>>
>> Qmail looks for the environment variable RELAYCLIENT, if that is set,
>> then qmail will happily relay.
>>
>> My guess is that something upstream or downstream from spamdyke is doing
>> the dirty deed.
>> For example, if you use tcpserver, check its rules and
>> make sure that the correct rules have been compiled. Specifically, look
>> for any rule that would match the offender's ip address: 76.186.240.2.
>>
>> For example, if the following line was in the tcpserver rules file:
>>
>> 78.168.:allow,RELAYCLIENT=""
>>
>> It would be allowed to relay.
>>
>> Gary
>>
>>
>> On 9/26/12 2:10 PM, [email protected] wrote:
>>>
>>> Can anyone refer a company or individual for help with Qmail?
>>>
>>> We are fairly experienced admins with email hosting
>>> but this one has us stumped.
>>>
>>> We installed spamdyke and that has helped considerably to
>>> inspect what is happening but were not able to stop
>>> access to qmail relaying to remote addresses for this
>>> one particular user.
>>>
>>> The user can not even be found in our system, yet, this
>>> user "tom" can access our smtp and relay mail through.
>>>
>>> We are desperate and willing to pay for any assistance.
>>>
>>> Thanks, Kevin
>>>
>>> Example log file:
>>>
>>> 09/25/2012 22:29:43 CURRENT CONFIG
>>> config-file=/etc/spamdyke.conf
>>> dns-blacklist-entry=sbl-xbl.spamhaus.org
>>> dns-blacklist-entry=bl.spamcop.net
>>> dns-blacklist-entry=b.barracudacentral.org
>>> full-log-dir=/var/www/spamdykelog
>>> graylist-dir=/var/www/graylist
>>> graylist-level=always-create-dir
>>> graylist-max-secs=1814400
>>> graylist-min-secs=300
>>> greeting-delay-secs=3
>>> idle-timeout-secs=300
>>> ip-blacklist-file=/var/www/blacklist_ip/ip-blacklist-file
>>> ip-in-rdns-keyword-blacklist-file=/var/www/ip-in-rdns-keyword-blacklist-file
>>> local-domains-file=/var/qmail/control/rcpthosts
>>> log-level=info
>>> max-recipients=10
>>> recipient-blacklist-entry*[email protected]*
>>> [email protected]
>>> [email protected]
>>> [email protected]
>>> [email protected]
>>> [email protected]
>>> [email protected]
>>> reject-missing-sender-mx=1
>>> sender-blacklist-file=/var/www/blacklist_senders/sender-blacklist-file
>>>
>>> 09/25/2012 22:29:53 LOG OUTPUT AUTH:*tom*
>>>
>>> DEBUG(find_username()@spamdyke.c:194): searching for username between positions 9 and 27: RCPT TO:<[email protected]>
>>> DEBUG(find_domain()@spamdyke.c:428): searching for domain between positions 20 and 27: RCPT TO:<[email protected]>
>>> DEBUG(find_address()@spamdyke.c:793): found username: darkbars666
>>> DEBUG(find_address()@spamdyke.c:810): found domain: mail.ru
>>> DEBUG(filter_recipient_relay()@filter.c:2360): checking relaying; relay-level: 0 recipient: [email protected] ip: 76.186.240.2 rdns: cpe-76-186-240-2.tx.res.rr.com local_recipient: false relaying_allowed: false
>>> ALLOWEDfrom: [email protected] to: [email protected] origin_ip: 76.186.240.2 origin_rdns: cpe-76-186-240-2.tx.res.rr.com auth: tom encryption: (none) reason: 250_ok_1348637395_qp_22493
>>>
>>> Kevin Troendle | VP Technology
>>> FireDrum Internet Marketing
>>>
>>> _______________________________________________
>>> spamdyke-users mailing list
>>> [email protected]
>>> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
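Added example, not part of the original thread: since spamdyke stops filtering once SMTP AUTH succeeds, one way to spot the pattern described above (one account relaying to remote domains from many different IPs) is to review the ALLOWED log lines. The field layout is taken from the ALLOWED line quoted in the thread; the sample lines, the function name, the threshold, and the treatment of a parenthesised auth value as "not authenticated" are assumptions.

```python
import re
from collections import defaultdict

# Field order follows the ALLOWED line quoted in the thread; \s* tolerates
# the missing space in "ALLOWEDfrom:" as it appears there.
ALLOWED_RE = re.compile(
    r"ALLOWED\s*from: (?P<sender>\S+) to: (?P<rcpt>\S+) "
    r"origin_ip: (?P<ip>\S+) origin_rdns: (?P<rdns>\S+) "
    r"auth: (?P<auth>\S+) encryption: (?P<enc>\S+)"
)

# Constructed sample log lines (documentation IP ranges, example domains).
SAMPLE_LOG = """\
ALLOWED from: a@bulk.example to: u1@remote.example origin_ip: 192.0.2.10 origin_rdns: h1.isp.example auth: tom encryption: (none) reason: 250_ok
ALLOWED from: b@bulk.example to: u2@remote.example origin_ip: 198.51.100.7 origin_rdns: h2.isp.example auth: tom encryption: (none) reason: 250_ok
ALLOWED from: c@bulk.example to: u3@other.example origin_ip: 203.0.113.5 origin_rdns: h3.isp.example auth: tom encryption: (none) reason: 250_ok
ALLOWEDfrom: d@bulk.example to: u4@remote.example origin_ip: 192.0.2.10 origin_rdns: h1.isp.example auth: tom encryption: (none) reason: 250_ok
ALLOWED from: alice@local.example to: friend@remote.example origin_ip: 192.0.2.44 origin_rdns: office.example auth: alice encryption: TLS reason: 250_ok
ALLOWED from: bob@local.example to: carol@local.example origin_ip: 198.51.100.9 origin_rdns: home.example auth: bob encryption: TLS reason: 250_ok
ALLOWED from: x@remote.example to: carol@local.example origin_ip: 203.0.113.80 origin_rdns: mx.remote.example auth: (unknown) encryption: (none) reason: 250_ok
"""

# Stand-in for the domains listed in the local-domains-file (rcpthosts).
LOCAL_DOMAINS = {"local.example"}


def suspicious_auth_relays(log_text, local_domains, min_ips=3):
    """Map each authenticated user that relayed to remote domains from at
    least min_ips distinct addresses to (sorted IPs, relayed message count)."""
    ips = defaultdict(set)
    relayed = defaultdict(int)
    for line in log_text.splitlines():
        m = ALLOWED_RE.search(line)
        # Assumption: a parenthesised auth value means no SMTP AUTH happened.
        if not m or m["auth"].startswith("("):
            continue
        domain = m["rcpt"].rpartition("@")[2].lower()
        if domain in local_domains:
            continue  # local delivery is not relaying
        ips[m["auth"]].add(m["ip"])
        relayed[m["auth"]] += 1
    return {user: (sorted(addrs), relayed[user])
            for user, addrs in ips.items() if len(addrs) >= min_ips}


if __name__ == "__main__":
    for user, (addrs, count) in suspicious_auth_relays(SAMPLE_LOG, LOCAL_DOMAINS).items():
        print(f"{user}: {count} relayed messages from {len(addrs)} IPs: {', '.join(addrs)}")
```

An account flagged this way is a candidate for a password reset and a check that no stale credential store still accepts the old password.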
