re: [IMail Forum] Need some smtp log help - hacked account?

Mon, 28 Jan 2008 11:01:15 -0800


Also, if you have a router that supports it, set up a packet filter that denies outgoing traffic on port 25 from any IP except the one that your server is on.
That way if someone gets compromised, instead of the spam going out, you will see hundreds of errors in the router logs.

>> My log file was enormous this morning and realized that some spammer was
>> sending email through my server. I am running 2006.022 (whatever the
>> latest is). Being a relative novice to this stuff I was wondering as to
>> how a spammer was able to do this. I was able to block the ip address
>> but not until thousands of messages had been sent. I only allow relaying
>> to local users, and the sender was not a local user
>> ([EMAIL PROTECTED]). So how did this happen. I have been running
>> Imail for 8 years without incident. I upgraded to the newest version of
>> Imail this month. What settings am I missing? Below is a snippet of my
>> log file. I replaced my domain and ip with mymaildomain.com
>> [11.11.11.11], just so it wouldnt be found in google searches years from
>> now. I would appreciate any insight or comments from anyone willing to
>> offer them. Thanks in advance.
>>


>> 01:28 03:18 SMTP-(9d83018400000da7) [x] doing direct send allstccath.org
>> 01:28 03:18 SMTP-(9d83018400000da7) Trying allstccath.org (0)
>> 01:28 03:18 SMTP-(9d83018400000da7) [x] Connecting socket to service
>> <SMTP> on host <allstccath.org> using protocol <tcp>
>> 01:28 03:18 SMTP-(9d83018400000da7) [x] using source IP for
>> mymaildomain.com [11.11.11.11]
>> 01:28 03:18 SMTP-(9dc6019100000dcc) recip is <[EMAIL PROTECTED]>
>> 01:28 03:18 SMTP-(9dc6019100000dcc) [x] looking up colsd.org in HOSTS and
>> MX
>> 01:28 03:18 SMTP-(9dc6019100000dcc) [x] looking up colsd.org in HOSTS and
>> MX
>> 01:28 03:18 SMTP-(9d9a019100000db2) 250-rly-db01.mx.aol.com
>> 84.fd.1243.static.theplanet.com
>> 01:28 03:18 SMTP-(9d9a019100000db2) 250 HELP
>> 01:28 03:18 SMTP-(9d9a019100000db2) >MAIL FROM:<[EMAIL PROTECTED]>
>> 01:28 03:18 SMTP-(9d9a019100000db2) 250 OK
>> 01:28 03:18 SMTP-(9d9a019100000db2) >RCPT To:<[EMAIL PROTECTED]>
>> 01:28 03:18 SMTP-(9d83018400000da7) 220 mx3.fuse.net ESMTP ecelerity
>> 2.1.1.22 r(17669) Mon, 28 Jan 2008 04:18:24 -0500
>> 01:28 03:18 SMTP-(9d83018400000da7) Connect allstccath.org
>> [216.68.8.213:25] (1)
>> 01:28 03:18 SMTP-(9d83018400000da7) >EHLO responsiveinc.com
>> 01:28 03:18 SMTP-(9d8d01a000000dab) 250 Ok
>> 01:28 03:18 SMTP-(9d8d01a000000dab) >DATA
>> 01:28 03:18 SMTP-(9d83018400000da7) 250-gwin3 says EHLO to 11.11.11.11
>> 01:28 03:18 SMTP-(9d83018400000da7) 250-ENHANCEDSTATUSCODES
>> 01:28 03:18 SMTP-(9d83018400000da7) 250-PIPELINING
>> 01:28 03:18 SMTP-(9d83018400000da7) 250 8BITMIME
>> 01:28 03:18 SMTP-(9d83018400000da7) >MAIL FROM:<[EMAIL PROTECTED]>
>> 01:28 03:18 SMTP-(9d9a019100000db2) 550 MAILBOX NOT FOUND
>> 01:28 03:18 SMTP-(9d9a019100000db2) Unexpected RCPT TO response from the
>> SMTP server on aol.com: 550 MAILBOX NOT FOUND
>> 01:28 03:18 SMTP-(9d9a019100000db2) >QUIT
>> 01:28 03:18 SMTP-(9d8d01a000000dab) 354 Feed me
>> 01:28 03:18 SMTP-(9d8d01a000000dab) >.
>> 01:28 03:18 SMTP-(9d83018400000da7) 250 MAIL FROM accepted
>> 01:28 03:18 SMTP-(9d83018400000da7) >RCPT To:<[EMAIL PROTECTED]>
>> 01:28 03:18 SMTP-(9d9a019100000db2) 221 SERVICE CLOSING CHANNEL
>> 01:28 03:18 SMTP-(9d9a019100000db2) [u] closing socket (u)
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 4
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 8
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 8
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 4
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 4
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 8
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 8
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 8
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> -
>> 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
>> 01:28 03:18 SMTP-(9d9a019100000db2) [x] doing direct send comcast.net
>> 01:28 03:18 SMTP-(9d9a019100000db2) Trying comcast.net (0)
>> 01:28 03:18 SMTP-(9d9a019100000db2) [x] Connecting socket to service
>> <SMTP> on host <comcast.net> using protocol <tcp>
>> 01:28 03:18 SMTP-(9d9a019100000db2) [x] using source IP for
>> mymaildomain.com [11.11.11.11]
>> 01:28 03:18 SMTP-(9d83018400000da7) 550 Recipient [EMAIL PROTECTED]
>> does not exist here
>> 01:28 03:18 SMTP-(9d83018400000da7) Unexpected RCPT TO response from the
>> SMTP server on allstccath.org: 550 Recipient [EMAIL PROTECTED] does
>> not exist here
>> 01:28 03:18 SMTP-(9d83018400000da7) >QUIT
>> 01:28 03:18 SMTP-(9d83018400000da7) 221 gwin3 closing connection
>> 01:28 03:18 SMTP-(9d83018400000da7) [u] closing socket (u)

>> Thanks,
>> Chad Walter

 To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/

Reply via email to