How about the sending IP address -- does that match on any of the 'treated as local' lines?

On Sat, 4 Sep 2004 03:53:54 -0000, serge <[EMAIL PROTECTED]> wrote:
> Problem is that "treated as local" lines have different session ids than the
> smtp lines
> it would have been so nice to have the same session id numbers, but that is
> not the case
> I wonder why
>
> ----- Original Message -----
> From: "Scot Desort" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, September 04, 2004 3:11 AM
> Subject: Re: [Declude.JunkMail] HELP, I'm beiing hijacked
>
> > search for "treated as local" in your IMAIL log. Try to find a line
> > with that text, that also contains the same SMTPD session ID of
> > 11AF0190
> >
> > --
> > Scot
> >
> > On Sat, 4 Sep 2004 02:21:10 -0000, serge <[EMAIL PROTECTED]> wrote:
> >> very possible
> >> but I am trying to find a way to find which account is being used
> >> is there a way to find the account that authorized the session?
> >>
> >> Also, is there a log analyzer that can show the messages where both
> >> the sender and the recipient are not local?
> >>
> >> TIA
> >>
> >> ----- Original Message -----
> >> From: "Darrell ([EMAIL PROTECTED])" <[EMAIL PROTECTED]>
> >> To: <[EMAIL PROTECTED]>
> >> Sent: Saturday, September 04, 2004 1:33 AM
> >> Subject: Re: [Declude.JunkMail] HELP, I'm beiing hijacked
> >>
> >> > Is it possible they guessed a user's account/password and are using SMTP
> >> > Auth to relay through your system?
> >> >
> >> > Darrell
> >> >
> >> > ----------------------------------------------------------------------------
> >> > Check out http://www.invariantsystems.com for utilities for Declude And
> >> > Imail.
> >> > IMail/Declude Overflow Queue Monitoring, MRTG Integration, and Log
> >> > Parsers.
> >> >
> >> > ----- Original Message -----
> >> > From: "serge" <[EMAIL PROTECTED]>
> >> > To: <[EMAIL PROTECTED]>
> >> > Sent: Friday, September 03, 2004 8:26 PM
> >> > Subject: Re: [Declude.JunkMail] HELP, I'm beiing hijacked
> >> >
> >> >> 20040903 104237 127.0.0.1 SMTPD (11AF0190) [208.154.200.6] connect 61.144.136.193 port 4124
> >> >> 20040903 104238 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] EHLO sapling
> >> >>
> >> >> these are the only other lines "(11AF0190)"
> >> >> [208.154.200.6] is my server ip
> >> >>
> >> >> ----- Original Message -----
> >> >> From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
> >> >> To: <[EMAIL PROTECTED]>
> >> >> Sent: Friday, September 03, 2004 11:47 PM
> >> >> Subject: RE: [Declude.JunkMail] HELP, I'm beiing hijacked
> >> >>
> >> >> > You are missing a line. What does connect line show, which is the line
> >> >> > before the MAIL FROM?
> >> >> >
> >> >> > John Tolmachoff
> >> >> > Engineer/Consultant/Owner
> >> >> > eServices For You
> >> >> >
> >> >> >> -----Original Message-----
> >> >> >> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of serge
> >> >> >> Sent: Friday, September 03, 2004 4:36 PM
> >> >> >> To: [EMAIL PROTECTED]
> >> >> >> Cc: [EMAIL PROTECTED]
> >> >> >> Subject: [Declude.JunkMail] HELP, I'm beiing hijacked
> >> >> >>
> >> >> >> Hi all
> >> >> >>
> >> >> >> I have 100's of lines like:
> >> >> >> 20040903 104526 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] MAIL FROM: <[EMAIL PROTECTED]>
> >> >> >> 20040903 104529 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] RCPT TO:<[EMAIL PROTECTED]>
> >> >> >> 20040903 104532 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] F:\Imail\spool\D4b4611af01909a4c.SMD 952
> >> >> >>
> >> >> >> All from same IP [61.144.136.193], and all with same "SMTPD (11AF0190)",
> >> >> >> also the spool file name is different
> >> >> >> I have smtp set to "relay for addresses", and they do not include
> >> >> >> 61.144.136.193
> >> >> >>
> >> >> >> I can see no auth from 61.144.136.193 in the logs
> >> >> >>
> >> >> >> I added 61.144.136.193 to smtp "control access", but how can I prevent
> >> >> >> this from happening, and how can I find how/why they gained access to my
> >> >> >> server?
> >> >> >>
> >> >> >> TIA
> >> >> >>
> >> >> >> ---
> >> >> >> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
> >> >> >>
> >> >> >> ---
> >> >> >> This E-mail came from the Declude.JunkMail mailing list. To
> >> >> >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> >> >> >> type "unsubscribe Declude.JunkMail". The archives can be found
> >> >> >> at http://www.mail-archive.com.
> >
> > --
> > Scot

--
Scot
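
Added example, not part of the original thread: a small analyzer for the question asked above about finding messages where neither sender nor recipient is local. It parses SMTPD lines in the layout quoted in the thread; `LOCAL_DOMAINS`, the function names and the sample lines (documentation IPs and `.test` domains) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: the domains this server hosts; replace with your own.
LOCAL_DOMAINS = {"example.com"}

# Layout taken from the log lines quoted in the thread:
#   date time host SMTPD (session) [peer] rest-of-line
LINE_RE = re.compile(
    r"^(\d{8}) (\d{6}) \S+ SMTPD \(([0-9A-Fa-f]+)\) \[([^\]]+)\] (.*)$")
ADDR_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.I)

def is_local(addr):
    """True when the address's domain is one this server hosts."""
    return addr.rpartition("@")[2].lower() in LOCAL_DOMAINS

def find_relayed(lines):
    """Return {(session, peer): [(sender, recipient), ...]} for every
    recipient accepted where neither end of the message is local."""
    sender = {}                    # (session, peer) -> latest MAIL FROM
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue               # not an SMTPD line in this layout
        key = (m.group(3), m.group(4))
        a = ADDR_RE.match(m.group(5))
        if not a:
            continue               # connect, EHLO, spool-file lines, etc.
        verb, addr = a.group(1).upper(), a.group(2)
        if verb == "MAIL FROM":
            sender[key] = addr
        elif key in sender and not is_local(sender[key]) and not is_local(addr):
            hits[key].append((sender[key], addr))
    return dict(hits)

# Constructed sample lines; not data from the thread.
SAMPLE = """\
20040903 104238 127.0.0.1 SMTPD (11AF0190) [203.0.113.9] EHLO sapling
20040903 104526 127.0.0.1 SMTPD (11AF0190) [203.0.113.9] MAIL FROM: <a@spam.test>
20040903 104529 127.0.0.1 SMTPD (11AF0190) [203.0.113.9] RCPT TO:<b@victim.test>
20040903 104532 127.0.0.1 SMTPD (11AF0190) [203.0.113.9] F:\\Imail\\spool\\D0000.SMD 952
20040903 104601 127.0.0.1 SMTPD (22BC0044) [198.51.100.7] MAIL FROM: <x@other.test>
20040903 104602 127.0.0.1 SMTPD (22BC0044) [198.51.100.7] RCPT TO:<user@example.com>
""".splitlines()

if __name__ == "__main__":
    for (sid, peer), pairs in find_relayed(SAMPLE).items():
        print(sid, peer, len(pairs), "relayed message(s)")
```

Sessions it reports are the ones to check against the "relay for addresses" list and against any authentication recorded for the same peer address.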
