Thank you!

----- Original Message -----
From: Ted Nichols
To: [email protected]
Sent: Monday, June 25, 2007 8:31 PM
Subject: Re: [IMail Forum] Reading logs
Kathy,

Look at process id 7e6d072c00ce8796. It shows your mail server sending a message from [EMAIL PROTECTED] to [EMAIL PROTECTED]. Your server is being used to relay spam (at least that is what it looks like). You need to find out why people are able to relay through your server. Make sure your relay setting (on the SMTP service page) is set to no relay. (There are other possible settings, but they are all less secure than no relay, and should be avoided unless there are no other options.) If your SMTP setting is already no relay, search the log file for 7e6d072c00ce8796. Find where this first connects. One of the lines will say "authenticated [EMAIL PROTECTED]" or something of the sort. If so, that user's password has been compromised and should be immediately changed. (See annotations below.)

-----Original Message-----
From: "Kathy Lees" <[EMAIL PROTECTED]>
Sent 6/25/2007 6:18:33 PM
To: [email protected]
Subject: [IMail Forum] Reading logs

This has shown up in our logs a lot today. Can someone tell me what it all means? Yellow highlight is a single process id, all part of the same SMTP connection. As you will see, there are multiple recipients.
06:25 01:41 SMTP-(7e6d072c00ce8796) [x] Connecting socket to service <SMTP> on host <obu.edu> using protocol <tcp>
06:25 01:41 SMTP-(7e6d072c00ce8796) [x] using source IP for LTCConnection.com [64.7.202.212]
06:25 01:41 SMTPD(7faa05bd00ca8834) [58.235.235.3] RCPT TO: <[EMAIL PROTECTED]>
06:25 01:41 SMTP-(7e6d072c00ce8796) Info - DNS Cache full, deleting last item (paltek.co.jp)
06:25 01:41 SMTP-(7e6d072c00ce8796) Info - Adding obu.edu to DNS cache - TTL = 86130
    <-- Find obu.edu's mail server and cache its IP address
06:25 01:41 SMTP-(7f5d000013b07595) [x] looking up paypal.com in HOSTS and MX
06:25 01:41 SMTP-(7f5d000013b07595) Info - Found paypal.com in DNS Cache
06:25 01:41 SMTP-(7f5d000013b07595) Trying paypal.com (0)
06:25 01:41 SMTP-(7f5d000013b07595) [x] Connecting socket to service <SMTP> on host <paypal.com> using protocol <tcp>
06:25 01:41 SMTP-(7f5d000013b07595) [x] using source IP for LTCConnection.com [64.7.202.212]
06:25 01:41 SMTP-(7f5d000013b07595) Info - Found paypal.com in DNS Cache
06:25 01:41 SMTP-(7e6d072c00ce8796) Connect obu.edu [65.70.16.4:25] (1)
06:25 01:41 SMTP-(7f5d000013b07595) Connect paypal.com [66.135.195.180:25] (1)
06:25 01:41 SMTP-(7f1f05b300ca8802) [x] looking up 8ah3sskwa.org by stack
06:25 01:41 SMTP-(7e6d072c00ce8796) 220 athena.obu.edu Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Mon, 25 Jun 2007 03:41:18 -0500
    <-- You are connecting to their mail server (Exchange Server 2003, it looks like)
06:25 01:41 SMTP-(7e6d072c00ce8796) >EHLO LTCConnection.com
    <-- Your server says hello
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-athena.obu.edu Hello [64.7.202.212]
    <-- They say hello back
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-TURN
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-SIZE
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-ETRN
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-DSN
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-ENHANCEDSTATUSCODES
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-8bitmime
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-BINARYMIME
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-CHUNKING
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-VRFY
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-X-EXPS GSSAPI NTLM LOGIN
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-X-EXPS=LOGIN
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-AUTH GSSAPI NTLM LOGIN
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-AUTH=LOGIN
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-X-LINK2STATE
06:25 01:41 SMTP-(7e6d072c00ce8796) 250-XEXCH50
06:25 01:41 SMTP-(7e6d072c00ce8796) 250 OK
    <-- They tell you all the stuff they support
06:25 01:41 SMTP-(7e6d072c00ce8796) >MAIL FROM:<[EMAIL PROTECTED]>
    <-- You say here is mail from [EMAIL PROTECTED]
06:25 01:41 SMTP-(7e6d072c00ce8796) 250 2.1.0 [EMAIL PROTECTED] OK
    <-- They say OK
06:25 01:41 SMTP-(7e6d072c00ce8796) >RCPT To:<[EMAIL PROTECTED]>
    <-- You say who it is for
06:25 01:41 SMTP-(7e6d072c00ce8796) 250 2.1.5 [EMAIL PROTECTED]
    <-- They say OK, user verified
06:25 01:41 SMTP-(7e6d072c00ce8796) >DATA
    <-- You say here is the message
06:25 01:41 SMTP-(7e6d072c00ce8796) 354 Start mail input; end with <CRLF>.<CRLF>
    <-- They say OK, send the message
06:25 01:41 SMTP-(7e6d072c00ce8796) >.
    <-- You send the message
06:25 01:41 SMTP-(7e6d072c00ce8796) 554 5.7.1 This message has been blocked because its checksum is in FortiGuard - AntiSpam checksum blacklist.(ffcfd6f12dc99a405fd30669d41c3342;239;1;0)
    <-- Their antispam service says your message looks like spam to us
06:25 01:41 SMTP-(7e6d072c00ce8796) ERR undeliverable 554 5.7.1 This message has been blocked because its checksum is in FortiGuard - AntiSpam checksum blacklist.(ffcfd6f12dc99a405fd30669d41c3342;239;1;0)
    <-- They say we don't accept your message
06:25 01:41 SMTP-(7e6d072c00ce8796) SMTP_DELIV_FAILED
    <-- IMail says it could not deliver the message
06:25 01:41 SMTP-(7e6d072c00ce8796) >QUIT
    <-- You say OK, I am done
06:25 01:41 SMTP-(7e6d072c00ce8796)
06:25 01:41 SMTP-(7e6d072c00ce8796) [u] closing socket (u)
    <-- End of this recipient
06:25 01:41 SMTP-(7e6d072c00ce8796) Trying oakmail.peru.edu (0)
    <-- Now on to the next recipient
06:25 01:41 SMTP-(7e6d072c00ce8796) [x] Connecting socket to service <SMTP> on host <oakmail.peru.edu> using protocol <tcp>
06:25 01:41 SMTP-(7e6d072c00ce8796) [x] using source IP for LTCConnection.com [64.7.202.212]
06:25 01:41 SMTP-(7e6d072c00ce8796) Info - DNS Cache full, deleting last item (sums.ac.ir)
06:25 01:41 SMTP-(7e6d072c00ce8796) Info - Adding oakmail.peru.edu to DNS cache - TTL = 3329
06:25 01:41 SMTP-(7e6d072c00ce8796) Connect oakmail.peru.edu [198.180.0.15:25] (1)
    <-- Connecting to the next recipient
06:25 01:41 SMTP-(7f5a000012cc67ab) 220 sjciport03.sjc.ebay.com ESMTP
06:25 01:41 SMTP-(7f5a000012cc67ab) >EHLO LTCConnection.com
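The triage Ted walks through above (pull every line for one session id, see whether the inbound side of it authenticated and as whom, and check where it relayed to) can be done with a short script instead of by eye. The following is an added example, not code from the thread or from IMail. It assumes the IMail log layout shown above (date, time, "SMTPD(id)" for the inbound listener or "SMTP-(id)" for the outbound delivery thread, then the text), that LTCConnection.com is the only locally hosted domain, and that a successful login is logged as "authenticated <user>", which Ted only describes loosely, so adjust AUTH_RE to whatever your own log shows. The sample log at the bottom is constructed for the example and reuses the thread's session ids and source address; it is not the real traffic.

```python
"""Added example: triage an IMail SMTP log for relay abuse.

Entries are grouped by the per-session id in parentheses. Inbound (SMTPD)
sessions that accept RCPT TO for domains this server does not host are relays;
if such a session authenticated, the named account is the one to reset.
Outbound (SMTP-) sessions whose mail the remote side rejects as spam are the
visible symptom of the same problem.
"""
import re
from collections import defaultdict

# Assumption: the only domain hosted locally (the server's EHLO name in the thread).
LOCAL_DOMAINS = {"ltcconnection.com"}

LINE_RE = re.compile(r"^(\d\d:\d\d) (\d\d:\d\d) (SMTP-|SMTPD)\(([0-9a-f]+)\) (.*)$")
ADDR_RE = re.compile(r"<([^<>@\s]+@[^<>\s]+)>")
IP_RE = re.compile(r"^\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Assumption: a successful SMTP AUTH is logged as "authenticated <user>".
AUTH_RE = re.compile(r"\bauthenticated\s+(\S+)", re.I)


def parse_sessions(text):
    """Group log lines by session id -> {"kind": "in"|"out", "entries": [...]}."""
    sessions = defaultdict(lambda: {"kind": None, "entries": []})
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, continuation lines, other services
        _date, _time, svc, sid, body = m.groups()
        sessions[sid]["kind"] = "in" if svc == "SMTPD" else "out"
        sessions[sid]["entries"].append(body)
    return dict(sessions)


def triage(sessions):
    """Return {session_id: finding dict} with a verdict per session."""
    findings = {}
    for sid, s in sessions.items():
        rcpts, src_ip, auth_user, rejected = [], None, None, 0
        for body in s["entries"]:
            ip = IP_RE.match(body)
            if ip and src_ip is None:
                src_ip = ip.group(1)          # peer address on inbound lines
            if re.search(r"RCPT TO", body, re.I):
                rcpts.extend(ADDR_RE.findall(body))
            auth = AUTH_RE.search(body)
            if auth:
                auth_user = auth.group(1)
            if body.startswith("554 ") or "SMTP_DELIV_FAILED" in body:
                rejected += 1                 # remote refusal or IMail giving up
        foreign = [r for r in rcpts if r.rsplit("@", 1)[1].lower() not in LOCAL_DOMAINS]
        if s["kind"] == "in" and foreign and auth_user:
            verdict = "compromised-account"   # relayed through a real login: reset it
        elif s["kind"] == "in" and foreign:
            verdict = "open-relay"            # relayed with no login: fix the relay setting
        elif s["kind"] == "out" and rejected:
            verdict = "outbound-rejected"     # remote side is bouncing our mail as spam
        else:
            verdict = "ok"
        findings[sid] = {"kind": s["kind"], "src_ip": src_ip, "auth_user": auth_user,
                         "recipients": rcpts, "foreign": foreign,
                         "rejected": rejected, "verdict": verdict}
    return findings


# Constructed sample in the thread's log format; not real traffic.
SAMPLE_LOG = """\
06:25 01:40 SMTPD(7faa05bd00ca8834) [58.235.235.3] connected
06:25 01:40 SMTPD(7faa05bd00ca8834) [58.235.235.3] authenticated joe@ltcconnection.com
06:25 01:40 SMTPD(7faa05bd00ca8834) [58.235.235.3] MAIL FROM: <joe@ltcconnection.com>
06:25 01:40 SMTPD(7faa05bd00ca8834) [58.235.235.3] RCPT TO: <someone@obu.edu>
06:25 01:41 SMTPD(7faa05bd00ca8834) [58.235.235.3] RCPT TO: <someone@oakmail.peru.edu>
06:25 01:41 SMTP-(7e6d072c00ce8796) >MAIL FROM:<joe@ltcconnection.com>
06:25 01:41 SMTP-(7e6d072c00ce8796) >RCPT To:<someone@obu.edu>
06:25 01:41 SMTP-(7e6d072c00ce8796) 554 5.7.1 This message has been blocked because its checksum is in FortiGuard - AntiSpam checksum blacklist.
06:25 01:41 SMTP-(7e6d072c00ce8796) SMTP_DELIV_FAILED
06:25 01:42 SMTPD(7c1100000000a001) [192.0.2.77] MAIL FROM: <x@example.org>
06:25 01:42 SMTPD(7c1100000000a001) [192.0.2.77] RCPT TO: <y@example.net>
06:25 01:43 SMTPD(7c1100000000a002) [192.0.2.78] RCPT TO: <bob@ltcconnection.com>
"""

if __name__ == "__main__":
    for sid, f in triage(parse_sessions(SAMPLE_LOG)).items():
        print(sid, f["verdict"], f["src_ip"], f["auth_user"], f["foreign"])
```

Run it against a real file with `triage(parse_sessions(open("SMTP0625.log").read()))` and look first at any "compromised-account" session: that gives you the login to reset and the source address to block. A session flagged "open-relay" on a server already set to no relay is worth a second look at the relay-for-local-users and trusted-address settings, since those are the "other possible settings" Ted warns about.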
