It would have been so nice to have the same session ID numbers, but that is not the case.
I wonder why.
----- Original Message -----
From: "Scot Desort" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, September 04, 2004 3:11 AM
Subject: Re: [Declude.JunkMail] HELP, I'm beiing hijacked
Search for "treated as local" in your IMAIL log. Try to find a line with that text that also contains the same SMTPD session ID of 11AF0190.
-- Scot
On Sat, 4 Sep 2004 02:21:10 -0000, serge <[EMAIL PROTECTED]> wrote:
Very possible, but I am trying to find a way to find which account is being used. Is there a way to find the account that authorized the session?
Also, is there a log analyzer that can show the messages where both the
sender and the recipient are not local?
TIA
----- Original Message -----
From: "Darrell ([EMAIL PROTECTED])" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, September 04, 2004 1:33 AM
Subject: Re: [Declude.JunkMail] HELP, I'm beiing hijacked
> Is it possible they guessed a user's account/password and are using SMTP Auth
> to relay through your system?
>
> Darrell
>
> ----------------------------------------------------------------------------
> ------------------------------------
> Check out http://www.invariantsystems.com for utilities for Declude And
> Imail.
> IMail/Declude Overflow Queue Monitoring, MRTG Integration, and Log
> Parsers.
>
> ----- Original Message -----
> From: "serge" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, September 03, 2004 8:26 PM
> Subject: Re: [Declude.JunkMail] HELP, I'm beiing hijacked
>
>
>> 20040903 104237 127.0.0.1 SMTPD (11AF0190) [208.154.200.6] connect 61.144.136.193 port 4124
>> 20040903 104238 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] EHLO sapling
>>
>> These are the only other lines with "(11AF0190)".
>> [208.154.200.6] is my server IP.
>>
>>
>> ----- Original Message -----
>> From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
>> To: <[EMAIL PROTECTED]>
>> Sent: Friday, September 03, 2004 11:47 PM
>> Subject: RE: [Declude.JunkMail] HELP, I'm beiing hijacked
>>
>>
>> > You are missing a line. What does the connect line show, which is the line
>> > before the MAIL FROM?
>> >
>> > John Tolmachoff
>> > Engineer/Consultant/Owner
>> > eServices For You
>> >
>> >
>> >> -----Original Message-----
>> >> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
>> >> [EMAIL PROTECTED] On Behalf Of serge
>> >> Sent: Friday, September 03, 2004 4:36 PM
>> >> To: [EMAIL PROTECTED]
>> >> Cc: [EMAIL PROTECTED]
>> >> Subject: [Declude.JunkMail] HELP, I'm beiing hijacked
>> >>
>> >> Hi all
>> >>
>> >> I have 100's of lines like:
>> >> 20040903 104526 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] MAIL FROM: <[EMAIL PROTECTED]>
>> >> 20040903 104529 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] RCPT TO:<[EMAIL PROTECTED]>
>> >> 20040903 104532 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] F:\Imail\spool\D4b4611af01909a4c.SMD 952
>> >>
>> >> All from the same IP [61.144.136.193], and all with the same "SMTPD (11AF0190)";
>> >> also, the spool file name is different.
>> >> I have SMTP set to "relay for addresses", and they do not include
>> >> 61.144.136.193.
>> >>
>> >> I can see no auth from 61.144.136.193 in the logs.
>> >>
>> >> I added 61.144.136.193 to SMTP "control access", but how can I prevent this
>> >> from happening, and how can I find how/why they gained access to my server?
>> >>
>> >> TIA
>> >>
>> >> ---
>> >> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>> >>
>> >> ---
>> >> This E-mail came from the Declude.JunkMail mailing list. To
>> >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
>> >> type "unsubscribe Declude.JunkMail". The archives can be found
>> >> at http://www.mail-archive.com.
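An added example, not part of the thread and not code from IMail, Declude or any list member: a small log analyzer of the kind asked about above, which groups SMTPD lines by session ID and reports envelopes where neither the sender nor the recipient domain is local. The line layout is taken from the log lines quoted in the thread; `LOCAL_DOMAINS`, the function names and the sample log (documentation IPs and domains) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: domains this server hosts; everything else counts as non-local.
LOCAL_DOMAINS = {"example.com"}

# Layout as in the quoted log lines: date time host SMTPD (session) [peer] text
LINE_RE = re.compile(r"^(\d{8}) (\d{6}) \S+ SMTPD \((\w+)\) \[([\d.]+)\] (.*)$")
ADDR_RE = re.compile(r"<[^<>@\s]*@([^<>\s]+)>")

# Constructed sample log (not the thread's data).
SAMPLE_LOG = """\
20040903 104237 127.0.0.1 SMTPD (0AAA0001) [192.0.2.10] connect 198.51.100.7 port 4124
20040903 104238 127.0.0.1 SMTPD (0AAA0001) [198.51.100.7] EHLO sapling
20040903 104526 127.0.0.1 SMTPD (0AAA0001) [198.51.100.7] MAIL FROM: <a@spam.example.net>
20040903 104529 127.0.0.1 SMTPD (0AAA0001) [198.51.100.7] RCPT TO:<victim@example.org>
20040903 104601 127.0.0.1 SMTPD (0AAA0001) [198.51.100.7] MAIL FROM: <b@spam.example.net>
20040903 104603 127.0.0.1 SMTPD (0AAA0001) [198.51.100.7] RCPT TO:<other@example.org>
20040903 105000 127.0.0.1 SMTPD (0BBB0002) [192.0.2.10] connect 203.0.113.5 port 2050
20040903 105002 127.0.0.1 SMTPD (0BBB0002) [203.0.113.5] MAIL FROM: <friend@example.net>
20040903 105003 127.0.0.1 SMTPD (0BBB0002) [203.0.113.5] RCPT TO:<user@example.com>
"""

def domain_of(text):
    """Domain part of the first <user@domain> in text, or None (e.g. for <>)."""
    m = ADDR_RE.search(text)
    return m.group(1).lower() if m else None

def find_relayed(log_text, local_domains=LOCAL_DOMAINS):
    """Return {session_id: [(peer_ip, sender_domain, rcpt_domain), ...]}
    for envelopes where neither sender nor recipient is local."""
    sender = {}                      # session id -> current MAIL FROM domain
    relayed = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # other services or wrapped lines
        _, _, sid, peer, text = m.groups()
        upper = text.upper()
        if upper.startswith("MAIL FROM:"):
            sender[sid] = domain_of(text)
        elif upper.startswith("RCPT TO:"):
            rcpt, frm = domain_of(text), sender.get(sid)
            # A null sender (<>) yields None and is treated as non-local.
            if rcpt and rcpt not in local_domains and frm not in local_domains:
                relayed[sid].append((peer, frm, rcpt))
    return dict(relayed)

if __name__ == "__main__":
    for sid, hits in find_relayed(SAMPLE_LOG).items():
        print(sid, len(hits), "relayed envelope(s) from", hits[0][0])
```

Sessions it reports are the ones to check against the relay settings and any authentication entries for the same peer IP and time window.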
