Kathy,

Look at process id 7e6d072c00ce8796. It shows your mail server sending a message from [EMAIL PROTECTED] to [EMAIL PROTECTED]. Your server is being used to relay spam (at least that is what it looks like). You need to find out why people are able to relay through your server. Make sure your relay setting (on the SMTP service page) is set to no relay. (There are other possible settings, but they are all less secure than no relay, and should be avoided unless there is no other option.) If your SMTP setting is already no relay, search the log file for 7e6d072c00ce8796. Find where this first connects. One of the lines will say "authenticated [EMAIL PROTECTED]" or something of the sort. If so, that user's password has been compromised and should be changed immediately. (See annotations below.)
-----Original Message-----
From: "Kathy Lees" <[EMAIL PROTECTED]>
Sent 6/25/2007 6:18:33 PM
To: [email protected]
Subject: [IMail Forum] Reading logs

This has shown up in our logs a lot today. Can someone tell me what it all means? Yellow highlight is a single process id, all part of the same SMTP connection. As you will see, there are multiple recipients.

06:25 01:41 SMTP-(7e6d072c00ce8796) [x] Connecting socket to service <SMTP> on host <obu.edu> using protocol <tcp>
06:25 01:41 SMTP-(7e6d072c00ce8796) [x] using source IP for LTCConnection.com [64.7.202.212]
06:25 01:41 SMTPD(7faa05bd00ca8834) [58.235.235.3] RCPT TO: <[EMAIL PROTECTED]>
06:25 01:41 SMTP-(7e6d072c00ce8796) Info - DNS Cache full, deleting last item (paltek.co.jp)
06:25 01:41 SMTP-(7e6d072c00ce8796) Info - Adding obu.edu to DNS cache - TTL = 86130
    Find obu.edu's mail server and cache its IP address
06:25 01:41 SMTP-(7f5d000013b07595) [x] looking up paypal.com in HOSTS and MX
06:25 01:41 SMTP-(7f5d000013b07595) Info - Found paypal.com in DNS Cache
06:25 01:41 SMTP-(7f5d000013b07595) Trying paypal.com (0)
06:25 01:41 SMTP-(7f5d000013b07595) [x] Connecting socket to service <SMTP> on host <paypal.com> using protocol <tcp>
06:25 01:41 SMTP-(7f5d000013b07595) [x] using source IP for LTCConnection.com [64.7.202.212]
06:25 01:41 SMTP-(7f5d000013b07595) Info - Found paypal.com in DNS Cache
06:25 01:41 SMTP-(7e6d072c00ce8796) Connect obu.edu [65.70.16.4:25] (1)
06:25 01:41 SMTP-(7f5d000013b07595) Connect paypal.com [66.135.195.180:25] (1)
06:25 01:41 SMTP-(7f1f05b300ca8802) [x] looking up 8ah3sskwa.org by stack
06:25 01:41 SMTP-(7e6d072c00ce8796) 220 athena.obu.edu Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Mon, 25 Jun 2007 03:41:18 -0500
    You are connecting to their mail server (Exchange Server 2003, it looks like)
06:25 01:41 SMTP-(7e6d072c00ce8796) >EHLO LTCConnection.com
    Your server says hello
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-athena.obu.edu Hello [64.7.202.212]
    They say hello back
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-TURN
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-SIZE
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-ETRN
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-DSN
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-ENHANCEDSTATUSCODES
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-8bitmime
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-BINARYMIME
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-CHUNKING
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-VRFY
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-X-EXPS GSSAPI NTLM LOGIN
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-X-EXPS=LOGIN
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-AUTH GSSAPI NTLM LOGIN
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-AUTH=LOGIN
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-X-LINK2STATE
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-XEXCH50
06:25 01:41 SMTP-(7e6d072c00ce8796) 250 OK
    They tell you all the stuff they support
06:25 01:41 SMTP-(7e6d072c00ce8796) >MAIL FROM:<[EMAIL PROTECTED]>
    You say here is mail from [EMAIL PROTECTED]
06:25 01:41 SMTP-(7e6d072c00ce8796) 250 2.1.0 [EMAIL PROTECTED] OK
    They say OK
06:25 01:41 SMTP-(7e6d072c00ce8796) >RCPT To:<[EMAIL PROTECTED]>
    You say who it is for
06:25 01:41 SMTP-(7e6d072c00ce8796) 250 2.1.5 [EMAIL PROTECTED]
    They say OK, user verified
06:25 01:41 SMTP-(7e6d072c00ce8796) >DATA
    You say here is the message
06:25 01:41 SMTP-(7e6d072c00ce8796) 354 Start mail input; end with <CRLF>.<CRLF>
    They say OK, send the message
06:25 01:41 SMTP-(7e6d072c00ce8796) >.
    You send the message
06:25 01:41 SMTP-(7e6d072c00ce8796) 554 5.7.1 This message has been blocked because its checksum is in FortiGuard - AntiSpam checksum blacklist.(ffcfd6f12dc99a405fd30669d41c3342;239;1;0)
    Their antispam service says your message looks like spam to us
06:25 01:41 SMTP-(7e6d072c00ce8796) ERR undeliverable 554 5.7.1 This message has been blocked because its checksum is in FortiGuard - AntiSpam checksum blacklist.(ffcfd6f12dc99a405fd30669d41c3342;239;1;0)
    They say we don't accept your message
06:25 01:41 SMTP-(7e6d072c00ce8796) SMTP_DELIV_FAILED
    IMail says it could not deliver the message
06:25 01:41 SMTP-(7e6d072c00ce8796) >QUIT
    You say OK, I am done
06:25 01:41 SMTP-(7e6d072c00ce8796)
06:25 01:41 SMTP-(7e6d072c00ce8796) [u] closing socket (u)
    End of this recipient
06:25 01:41 SMTP-(7e6d072c00ce8796) Trying oakmail.peru.edu (0)
    Now on to the next recipient
06:25 01:41 SMTP-(7e6d072c00ce8796) [x] Connecting socket to service <SMTP> on host <oakmail.peru.edu> using protocol <tcp>
06:25 01:41 SMTP-(7e6d072c00ce8796) [x] using source IP for LTCConnection.com [64.7.202.212]
06:25 01:41 SMTP-(7e6d072c00ce8796) Info - DNS Cache full, deleting last item (sums.ac.ir)
06:25 01:41 SMTP-(7e6d072c00ce8796) Info - Adding oakmail.peru.edu to DNS cache - TTL = 3329
06:25 01:41 SMTP-(7e6d072c00ce8796) Connect oakmail.peru.edu [198.180.0.15:25] (1)
    Connecting to the next recipient
06:25 01:41 SMTP-(7f5a000012cc67ab) 220 sjciport03.sjc.ebay.com ESMTP
06:25 01:41 SMTP-(7f5a000012cc67ab) >EHLO LTCConnection.com
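The triage the reply describes (pull every line for one process id, find where that session first connects, and look for an "authenticated" line to tell a compromised password apart from an open relay) as an added Python example. This is not code from the thread or from IMail. It assumes the line layout seen above (`MM:DD HH:MM SMTPD(pid) [ip] text` for inbound sessions, `SMTP-(pid) text` for outbound deliveries); the process ids, IP addresses, mailboxes and the exact `authenticated <user>` wording in the sample log are constructed, and `LOCAL_DOMAINS` is an assumed list of the domains the server hosts. It goes a little beyond the thread by classifying every inbound session in the log rather than only the one id.

```python
"""Triage IMail-style SMTP logs: group lines by process id and classify relay use.

Added example, not IMail's code. The line layout mirrors the thread; the process ids,
IPs (documentation ranges), mailboxes and the ``authenticated <user>`` wording are constructed.
"""
import re
from collections import defaultdict

LOCAL_DOMAINS = {"example.test"}  # assumption: the domains this IMail server hosts

# "06:25 01:41" in the thread is month:day then hour:minute.
LINE_RE = re.compile(
    r"^(?P<date>\d\d:\d\d) (?P<time>\d\d:\d\d) "
    r"(?P<svc>SMTPD|SMTP-)\((?P<pid>[0-9a-f]{16})\) ?(?P<msg>.*)$"
)
ADDR_RE = re.compile(r"<([^<>\s]+@[^<>\s]+)>")
IP_RE = re.compile(r"^\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\bauthenticated\b", re.IGNORECASE)

# Constructed sample log: one authenticated relay with a foreign sender, its failed
# outbound delivery, a normal user submission, an unauthenticated relay and normal inbound mail.
SAMPLE_LOG = [
    "06:25 01:40 SMTPD(1111111111111111) [203.0.113.5] connect",
    "06:25 01:40 SMTPD(1111111111111111) [203.0.113.5] authenticated bob@example.test",
    "06:25 01:40 SMTPD(1111111111111111) [203.0.113.5] MAIL FROM: <promo@spam.invalid>",
    "06:25 01:40 SMTPD(1111111111111111) [203.0.113.5] RCPT TO: <v1@other.invalid>",
    "06:25 01:40 SMTPD(1111111111111111) [203.0.113.5] RCPT TO: <v2@other.invalid>",
    "06:25 01:40 SMTPD(1111111111111111) [203.0.113.5] RCPT TO: <v3@another.invalid>",
    "06:25 01:41 SMTP-(2222222222222222) Trying other.invalid (0)",
    "06:25 01:41 SMTP-(2222222222222222) >MAIL FROM:<promo@spam.invalid>",
    "06:25 01:41 SMTP-(2222222222222222) >RCPT To:<v1@other.invalid>",
    "06:25 01:41 SMTP-(2222222222222222) 554 5.7.1 This message has been blocked",
    "06:25 01:41 SMTP-(2222222222222222) SMTP_DELIV_FAILED",
    "06:25 01:42 SMTPD(3333333333333333) [192.0.2.10] authenticated alice@example.test",
    "06:25 01:42 SMTPD(3333333333333333) [192.0.2.10] MAIL FROM: <alice@example.test>",
    "06:25 01:42 SMTPD(3333333333333333) [192.0.2.10] RCPT TO: <friend@other.invalid>",
    "06:25 01:43 SMTPD(4444444444444444) [198.51.100.7] MAIL FROM: <x@spam.invalid>",
    "06:25 01:43 SMTPD(4444444444444444) [198.51.100.7] RCPT TO: <y@other.invalid>",
    "06:25 01:44 SMTPD(5555555555555555) [198.51.100.9] MAIL FROM: <pal@other.invalid>",
    "06:25 01:44 SMTPD(5555555555555555) [198.51.100.9] RCPT TO: <alice@example.test>",
]


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not a session line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def group_sessions(lines):
    """Map each process id to its lines, in log order (the 'yellow highlight' of the thread)."""
    sessions = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            sessions[rec["pid"]].append(rec)
    return sessions


def summarize(pid, events):
    """Collect the facts the reply tells Kathy to look for in one session."""
    s = {"pid": pid, "inbound": events[0]["svc"] == "SMTPD",
         "first_seen": f'{events[0]["date"]} {events[0]["time"]}',  # where it first connects
         "peer": None, "auth_user": None, "mail_from": None, "rcpts": [], "failures": 0}
    for ev in events:
        msg, low = ev["msg"], ev["msg"].lower()
        ip = IP_RE.match(msg)
        if ip and s["peer"] is None:
            s["peer"] = ip.group(1)
        if AUTH_RE.search(msg) and s["auth_user"] is None:
            s["auth_user"] = msg.split()[-1]  # assumed "authenticated <user>" wording
        addr = ADDR_RE.search(msg)
        if "mail from" in low and addr:
            s["mail_from"] = addr.group(1)
        elif "rcpt to" in low and addr:
            s["rcpts"].append(addr.group(1))
        if "SMTP_DELIV_FAILED" in msg or msg.startswith("554"):
            s["failures"] += 1
    return s


def is_local(addr):
    return addr.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def classify(s):
    """Turn a session summary into the verdict a defender acts on."""
    if not s["inbound"]:
        return "outbound"  # a delivery attempt; the cause is in the matching inbound session
    foreign = [r for r in s["rcpts"] if not is_local(r)]
    if not foreign:
        return "inbound-local"  # mail for a hosted mailbox: normal
    if not s["auth_user"]:
        return "open-relay"  # foreign recipients accepted with no login: fix the relay setting
    if s["mail_from"] and is_local(s["mail_from"]):
        return "authenticated-submission"  # a hosted user sending out: normal
    return "compromised-credential"  # login succeeded, sender is foreign: change that password


def report(lines):
    return {pid: classify(summarize(pid, evs)) for pid, evs in group_sessions(lines).items()}


if __name__ == "__main__":
    sessions = group_sessions(SAMPLE_LOG)
    for pid, evs in sessions.items():
        s = summarize(pid, evs)
        print(pid, s["first_seen"], s["peer"], s["auth_user"], classify(s))
```

Run it against a real IMail log by replacing `SAMPLE_LOG` with the file's lines; the `compromised-credential` verdict is the case the reply describes (an "authenticated" line in the session that is relaying), and `open-relay` is the case the relay setting should have prevented.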