You are missing a line. What does the connect line show, which is the line before the MAIL FROM?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of serge
> Sent: Friday, September 03, 2004 4:36 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] HELP, I'm beiing hijacked
>
> Hi all
>
> I have 100's of lines like:
> 20040903 104526 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] MAIL FROM: <[EMAIL PROTECTED]>
> 20040903 104529 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] RCPT TO:<[EMAIL PROTECTED]>
> 20040903 104532 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] F:\Imail\spool\D4b4611af01909a4c.SMD 952
>
> All from same IP [61.144.136.193], and all with same "SMTPD (11AF0190)",
> also the spool file name is different
> I have smtp set to "relay for addresses", and they do not include
> 61.144.136.193
>
> I can see no auth from 61.144.136.193 in the logs
>
> I added 61.144.136.193 to smtp "control access", but how can I prevent this
> from happening, and how can I find how/why they gained access to my server?
>
> TIA
>
> ---
> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.
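
Added example, not part of the original thread and not IMail or Declude code: a Python pass over SMTPD log lines of the shape quoted above that groups them by session ID and returns, per session, the client IP, the message counts, and the line logged just before the first MAIL FROM (the line the reply asks about). The regex is inferred only from the three quoted lines; the stand-in connect line, the addresses, the second session and the `relay_allowed` parameter are constructed assumptions.

```python
import re
from collections import defaultdict

# Layout inferred from the quoted lines: date time host SMTPD (session) [client-ip] rest
LINE = re.compile(r"^\d{8} \d{6} \S+ SMTPD \((\w+)\) (?:\[([\d.]+)\] )?(.*)$")

def summarize(log_text, relay_allowed=()):
    """Per session: client IP, command counts, and the line before the first MAIL FROM."""
    sessions = defaultdict(lambda: {"ip": None, "mail_from": 0, "rcpt_to": 0,
                                    "spooled": 0, "before_first_mail": None})
    last_line = {}  # most recent line seen for each session id
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if not m:
            continue
        sid, ip, rest = m.groups()
        s = sessions[sid]
        s["ip"] = s["ip"] or ip
        cmd = rest.upper()
        if cmd.startswith("MAIL FROM:"):
            if s["mail_from"] == 0:
                # None here means the connect line is absent from the extract
                s["before_first_mail"] = last_line.get(sid)
            s["mail_from"] += 1
        elif cmd.startswith("RCPT TO:"):
            s["rcpt_to"] += 1
        elif re.search(r"\.SMD \d+$", rest, re.I):
            s["spooled"] += 1  # message written to the spool directory
        last_line[sid] = line
    for s in sessions.values():
        # relay_allowed is a hypothetical stand-in for the "relay for addresses" list
        s["relay_allowed"] = s["ip"] in relay_allowed
    return dict(sessions)

# Constructed sample: the quoted line shapes with placeholder addresses
SAMPLE = r"""
20040903 104520 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] (constructed stand-in for the connect line)
20040903 104526 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] MAIL FROM: <a@example.invalid>
20040903 104529 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] RCPT TO:<b@example.invalid>
20040903 104532 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] F:\Imail\spool\D4b4611af01909a4c.SMD 952
20040903 104540 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] MAIL FROM: <c@example.invalid>
20040903 104541 127.0.0.1 SMTPD (22BF0001) [192.0.2.10] MAIL FROM: <d@example.invalid>
"""

if __name__ == "__main__":
    for sid, info in summarize(SAMPLE, relay_allowed={"192.0.2.10"}).items():
        print(sid, info)
```

A session whose `before_first_mail` is `None`, or whose `mail_from` count is high while `relay_allowed` is false, is the one to pull in full from the log.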
