AJ Bourg wrote:
Anybody? I have more messages in the queue because of this and I'm
getting rather frustrated because I'm not sure what is going on.
Thanks.
On 3/8/09 10:13 PM, AJ Bourg wrote:
Hi Folks,
I have been having a persistent issue the last few days with a bot using
my server as a relay to send spam. The other day I had 24,000 spam
messages stuck in my qmail queue. I used qmail-remove to remove all
these messages, and this spammer is using a consistent (fake) from
address on my server and is using a consistent netblock in China so I
used iptables to just block the whole network. But I would like to
figure out why the messages are being accepted.
Here's an example from the log:
@4000000049b3f675121b5e4c tcpserver: pid 32237 from 121.206.74.211
@4000000049b3f675121b6234 tcpserver: ok 32237 0:65.98.207.151:25
:121.206.74.211::2...@4000000049b3f67a155cba24 CHKUSER accepted sender:
from <ty...@bella2.srihosting.com:anonymous:> remote
<F35D3CCB236648E:unknown:121.206.74.211> rcpt <> : sender
accep...@4000000049b3f67a155cc5dc CHKUSER relaying rcpt: from
<ty...@bella2.srihosting.com:anonymous:> remote
<F35D3CCB236648E:unknown:121.206.74.211> rcpt <yt...@yaho.cn> : client
allowed to relay
@4000000049b3f68a372996f4
simscan:[32237]:RELAYCLIENT:16.5675s:-:121.206.74.211:ty...@bella2.srihosting.com:yt...@yaho.cn:
Sounds like some spammer has figured out the password of one of your
users and is using SMTP Auth to send the emails.
Check your logs for vchkpw-smtp and see what user name is doing it. On
my system the log file is /var/log/maillog.
Regards,
Rick
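
The log check suggested in the reply above, as an added example that is not part of the original thread: it tallies vchkpw-smtp results per account and source IP so an account being used to relay stands out. The log line wording, the IPv4-only split, and the sample lines are assumptions; the sample log is constructed.

```shell
#!/bin/sh
# Tally SMTP AUTH results per account and source IP from a syslog-style mail log.
# ASSUMPTION: vpopmail writes lines ending in "user@domain:IPv4", worded
#   "vchkpw-smtp: (PLAIN) login success ..." / "vchkpw-smtp: password fail ...".
# Adjust the two patterns if your build words them differently.

# smtp_auth_summary FILE -> "COUNT success|fail USER IP", highest count first
smtp_auth_summary() {
    awk '
        /vchkpw-smtp:/ && /login success/ { kind = "success" }
        /vchkpw-smtp:/ && /password fail/ { kind = "fail" }
        kind != "" {
            # Last field is "user@domain:ip"; split at the final colon.
            if (match($NF, /:[^:]*$/)) {
                user = substr($NF, 1, RSTART - 1)
                ip   = substr($NF, RSTART + 1)
                count[kind " " user " " ip]++
            }
            kind = ""
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -k1,1nr -k2
}

# write_sample_log FILE: constructed sample lines (example.com, RFC 5737 addresses)
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  8 22:10:01 mail vpopmail[3101]: vchkpw-smtp: password fail (pass: 'x') bob@example.com:203.0.113.9
Mar  8 22:10:05 mail vpopmail[3102]: vchkpw-smtp: (PLAIN) login success bob@example.com:203.0.113.9
Mar  8 22:10:06 mail vpopmail[3103]: vchkpw-smtp: (PLAIN) login success bob@example.com:203.0.113.9
Mar  8 22:10:07 mail vpopmail[3104]: vchkpw-smtp: (LOGIN) login success bob@example.com:203.0.113.9
Mar  8 22:11:00 mail vpopmail[3105]: vchkpw-smtp: (PLAIN) login success alice@example.com:192.0.2.10
Mar  8 22:11:30 mail vpopmail[3106]: vchkpw-pop3: (PLAIN) login success alice@example.com:192.0.2.10
EOF
}

# Demo on the constructed sample; on a real host pass the mail log path instead.
demo_log=$(mktemp)
write_sample_log "$demo_log"
smtp_auth_summary "$demo_log"
rm -f "$demo_log"
```

On the server itself, `smtp_auth_summary /var/log/maillog` runs the same tally against the log file named in the reply.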