Relay for Local Users = Open Relay. You need to set it to No Mail Relay (and make them auth) or Relay for Addresses.

Travis

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chad Walter
Sent: Monday, January 28, 2008 9:50 AM
To: [email protected]
Subject: [IMail Forum] Need some smtp log help - hacked account?

My log file was enormous this morning and I realized that some spammer was sending email through my server. I am running 2006.022 (whatever the latest is). Being a relative novice to this stuff, I was wondering how a spammer was able to do this. I was able to block the IP address, but not until thousands of messages had been sent. I only allow relaying to local users, and the sender was not a local user ([EMAIL PROTECTED]). So how did this happen? I have been running Imail for 8 years without incident. I upgraded to the newest version of Imail this month. What settings am I missing?

Below is a snippet of my log file. I replaced my domain and IP with mymaildomain.com <http://responsiveinc.com/> [11.11.11.11], just so it wouldn't be found in Google searches years from now. I would appreciate any insight or comments from anyone willing to offer them. Thanks in advance.
01:28 03:18 SMTP-(9d83018400000da7) [x] doing direct send allstccath.org
01:28 03:18 SMTP-(9d83018400000da7) Trying allstccath.org (0)
01:28 03:18 SMTP-(9d83018400000da7) [x] Connecting socket to service <SMTP> on host <allstccath.org> using protocol <tcp>
01:28 03:18 SMTP-(9d83018400000da7) [x] using source IP for mymaildomain.com <http://responsiveinc.com> [11.11.11.11]
01:28 03:18 SMTP-(9dc6019100000dcc) recip is <[EMAIL PROTECTED]>
01:28 03:18 SMTP-(9dc6019100000dcc) [x] looking up colsd.org in HOSTS and MX
01:28 03:18 SMTP-(9dc6019100000dcc) [x] looking up colsd.org in HOSTS and MX
01:28 03:18 SMTP-(9d9a019100000db2) 250-rly-db01.mx.aol.com 84.fd.1243.static.theplanet.com
01:28 03:18 SMTP-(9d9a019100000db2) 250 HELP
01:28 03:18 SMTP-(9d9a019100000db2) >MAIL FROM:<[EMAIL PROTECTED]>
01:28 03:18 SMTP-(9d9a019100000db2) 250 OK
01:28 03:18 SMTP-(9d9a019100000db2) >RCPT To:<[EMAIL PROTECTED]>
01:28 03:18 SMTP-(9d83018400000da7) 220 mx3.fuse.net ESMTP ecelerity 2.1.1.22 r(17669) Mon, 28 Jan 2008 04:18:24 -0500
01:28 03:18 SMTP-(9d83018400000da7) Connect allstccath.org [216.68.8.213:25] (1)
01:28 03:18 SMTP-(9d83018400000da7) >EHLO responsiveinc.com
01:28 03:18 SMTP-(9d8d01a000000dab) 250 Ok
01:28 03:18 SMTP-(9d8d01a000000dab) >DATA
01:28 03:18 SMTP-(9d83018400000da7) 250-gwin3 says EHLO to 11.11.11.11 <http://67.18.253.132>
01:28 03:18 SMTP-(9d83018400000da7) 250-ENHANCEDSTATUSCODES
01:28 03:18 SMTP-(9d83018400000da7) 250-PIPELINING
01:28 03:18 SMTP-(9d83018400000da7) 250 8BITMIME
01:28 03:18 SMTP-(9d83018400000da7) >MAIL FROM:<[EMAIL PROTECTED]>
01:28 03:18 SMTP-(9d9a019100000db2) 550 MAILBOX NOT FOUND
01:28 03:18 SMTP-(9d9a019100000db2) Unexpected RCPT TO response from the SMTP server on aol.com: 550 MAILBOX NOT FOUND
01:28 03:18 SMTP-(9d9a019100000db2) >QUIT
01:28 03:18 SMTP-(9d8d01a000000dab) 354 Feed me
01:28 03:18 SMTP-(9d8d01a000000dab) >.
01:28 03:18 SMTP-(9d83018400000da7) 250 MAIL FROM accepted 01:28 03:18 SMTP-(9d83018400000da7) >RCPT To:<[EMAIL PROTECTED]> 01:28 03:18 SMTP-(9d9a019100000db2) 221 SERVICE CLOSING CHANNEL 01:28 03:18 SMTP-(9d9a019100000db2) [u] closing socket (u) 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 4 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 8 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 8 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 4 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 4 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 8 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 8 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 8 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL 
PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1 01:28 03:18 SMTP-(9d9a019100000db2) [x] doing direct send comcast.net 01:28 03:18 SMTP-(9d9a019100000db2) Trying comcast.net (0) 01:28 03:18 SMTP-(9d9a019100000db2) [x] Connecting socket to service <SMTP> on host <comcast.net> using protocol <tcp> 01:28 03:18 SMTP-(9d9a019100000db2) [x] using source IP for mymaildomain.com <http://responsiveinc.com/> [11.11.11.11] 01:28 03:18 SMTP-(9d83018400000da7) 550 Recipient [EMAIL PROTECTED] does not exist here 01:28 03:18 SMTP-(9d83018400000da7) Unexpected RCPT TO response from the SMTP server on allstccath.org: 550 Recipient [EMAIL PROTECTED] does not exist here 01:28 03:18 SMTP-(9d83018400000da7) >QUIT 01:28 03:18 SMTP-(9d83018400000da7) 221 gwin3 closing connection 01:28 03:18 SMTP-(9d83018400000da7) [u] closing socket (u) Thanks, Chad Walter
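
A way to triage a log like the one in this thread per session id, shown as an added example that is not part of the original messages or of IMail itself. It assumes each `R<...> - N` entry stands for one queued recipient; the function names, thresholds and sample data are hypothetical.

```python
import re
from collections import defaultdict

# Entry layout seen in the log above: "MM:DD HH:MM SMTP-(session) text".
LINE_RE = re.compile(r"^\d\d:\d\d \d\d:\d\d SMTP-\(([0-9a-f]+)\) (.*)$")
RECIP_RE = re.compile(r"^R<[^>]*> - \d+$")  # assumed: one queued recipient per entry
SEND_PREFIX = "[x] doing direct send "

def summarize(log_text):
    """Return {session_id: {"recipients": int, "domains": set, "rejects": int}}."""
    sessions = defaultdict(lambda: {"recipients": 0, "domains": set(), "rejects": 0})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip wrapped or unrelated lines
        sid, text = m.groups()
        stats = sessions[sid]
        if RECIP_RE.match(text):
            stats["recipients"] += 1
        elif text.startswith(SEND_PREFIX):
            stats["domains"].add(text[len(SEND_PREFIX):].strip().lower())
        elif text.startswith("550 "):
            stats["rejects"] += 1  # remote server refused a recipient
    return dict(sessions)

def suspicious(sessions, max_recipients=10, max_rejects=3):
    """Session ids whose recipient fan-out or 550 count exceeds the thresholds."""
    return sorted(sid for sid, s in sessions.items()
                  if s["recipients"] > max_recipients or s["rejects"] >= max_rejects)

# Constructed sample data (placeholder sessions and addresses, not from the original log).
BULK = "\n".join(f"01:28 03:18 SMTP-(bbbb000000000002) R<user{i}@example.net> - 1"
                 for i in range(40))
SAMPLE_LOG = """\
01:28 03:18 SMTP-(aaaa000000000001) [x] doing direct send example.org
01:28 03:18 SMTP-(aaaa000000000001) >RCPT To:<user1@example.org>
01:28 03:18 SMTP-(aaaa000000000001) 550 Recipient user1@example.org does not exist here
01:28 03:18 SMTP-(aaaa000000000001) >QUIT
""" + BULK + """
01:28 03:18 SMTP-(bbbb000000000002) [x] doing direct send example.com
"""

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for sid in suspicious(stats):
        print(sid, stats[sid]["recipients"], sorted(stats[sid]["domains"]))
```

A session that fans out to dozens of recipients, or collects repeated 550 rejections from remote servers, is the pattern to look for after changing the relay setting, to confirm the outbound volume has stopped.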
