search for "treated as local" in your IMAIL log. Try to find a line with that text, that also contains the same SMTPD session ID of 11AF0190
-- Scot On Sat, 4 Sep 2004 02:21:10 -0000, serge <[EMAIL PROTECTED]> wrote: > very possible > but i am trying to find a way to find which account is beiing used > is there a way to find the account that authorized the session ? > > Also, is there a log analyzer that can show the messages where the both the > sender and the recipient are not local ? > > TIA > > > > > ----- Original Message ----- > From: "Darrell ([EMAIL PROTECTED])" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Saturday, September 04, 2004 1:33 AM > Subject: Re: [Declude.JunkMail] HELP, I'm beiing hijacked > > > Is it possible they guessed a users account/password and are using SMTP > > Auth > > to relay through your system? > > > > Darrell > > > > ---------------------------------------------------------------------------- > > ------------------------------------ > > Check out http://www.invariantsystems.com for utilities for Declude And > > Imail. > > IMail/Declude Overflow Queue Monitoring, MRTG Integration, and Log > > Parsers. > > > > ----- Original Message ----- > > From: "serge" <[EMAIL PROTECTED]> > > To: <[EMAIL PROTECTED]> > > Sent: Friday, September 03, 2004 8:26 PM > > Subject: Re: [Declude.JunkMail] HELP, I'm beiing hijacked > > > > > >> 20040903 104237 127.0.0.1 SMTPD (11AF0190) [208.154.200.6] connect > >> 61.144.136.193 port 4124 > >> 20040903 104238 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] EHLO > >> sapling > >> > >> these are the only other lines "(11AF0190)" > >> [208.154.200.6] is my server ip > >> > >> > >> ----- Original Message ----- > >> From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]> > >> To: <[EMAIL PROTECTED]> > >> Sent: Friday, September 03, 2004 11:47 PM > >> Subject: RE: [Declude.JunkMail] HELP, I'm beiing hijacked > >> > >> > >> > You are missing a line. What does connect line show, which is the line > >> > before the MAIL FROM? > >> > > >> > John Tolmachoff > >> > Engineer/Consultant/Owner > >> > eServices For You > >> > > >> > > >> >> -----Original Message----- > >> >> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- > >> >> [EMAIL PROTECTED] On Behalf Of serge > >> >> Sent: Friday, September 03, 2004 4:36 PM > >> >> To: [EMAIL PROTECTED] > >> >> Cc: [EMAIL PROTECTED] > >> >> Subject: [Declude.JunkMail] HELP, I'm beiing hijacked > >> >> > >> >> Hi all > >> >> > >> >> I have 100's of lines like: > >> >> 20040903 104526 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] MAIL > >> > FROM: > >> >> <[EMAIL PROTECTED]> > >> >> 20040903 104529 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] RCPT > >> >> TO:<[EMAIL PROTECTED]> > >> >> 20040903 104532 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] > >> >> F:\Imail\spool\D4b4611af01909a4c.SMD 952 > >> >> > >> >> All from same IP [61.144.136.193], and all with same "SMTPD > > (11AF0190)", > >> >> also the spool file name is different > >> >> I have smtp set to "relay for addresses", and they do not include > >> >> 61.144.136.193 > >> >> > >> >> i can see no auth from 61.144.136.193 in the logs > >> >> > >> >> i added 61.144.136.193 to smtp "control access", but how can i prevent > >> > this > >> >> from happening, and how can i find how/why they gained access to my > >> > server? > >> >> > >> >> TIA > >> >> > >> >> --- > >> >> [This E-mail was scanned for viruses by Declude Virus > >> > (http://www.declude.com)] > >> >> > >> >> --- > >> >> This E-mail came from the Declude.JunkMail mailing list. To > >> >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > >> >> type "unsubscribe Declude.JunkMail". The archives can be found > >> >> at http://www.mail-archive.com. > >> > > >> > --- > >> > [This E-mail was scanned for viruses by Declude Virus > >> > (http://www.declude.com)] > >> > > >> > --- > >> > This E-mail came from the Declude.JunkMail mailing list. To > >> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > >> > type "unsubscribe Declude.JunkMail". The archives can be found > >> > at http://www.mail-archive.com. > >> > > >> > >> --- > >> [This E-mail was scanned for viruses by Declude Virus > > (http://www.declude.com)] > >> > >> --- > >> This E-mail came from the Declude.JunkMail mailing list. To > >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > >> type "unsubscribe Declude.JunkMail". The archives can be found > >> at http://www.mail-archive.com. > >> > > > > --- > > [This E-mail was scanned for viruses by Declude Virus > > (http://www.declude.com)] > > > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.JunkMail". The archives can be found > > at http://www.mail-archive.com. > > > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > -- Scot --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
