Hey, John-

The root account is disabled by default. Does that not disable it for SMTP?

-d
  ----- Original Message ----- 
  From: John T (lists) 
  To: [email protected] 
  Sent: Monday, January 28, 2008 7:55 PM
  Subject: RE: [IMail Forum] Need some smtp log help - hacked account?


  I have seen this attempt on 2 servers and it succeeded on one server when someone set up a new domain and did not follow procedures to the T.

  Change the passwords of all ROOT accounts YESTERDAY. That is what is being used. The default root password is well known.

  BTW, Declude Hijack stops this spammer cold! Yes!

  John T


  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chad Walter
  Sent: Monday, January 28, 2008 9:50 AM
  To: [email protected]
  Subject: [IMail Forum] Need some smtp log help - hacked account?

   

  My log file was enormous this morning and I realized that some spammer was sending email through my server. I am running 2006.022 (whatever the latest is). Being a relative novice to this stuff, I was wondering how a spammer was able to do this. I was able to block the IP address, but not until thousands of messages had been sent. I only allow relaying to local users, and the sender was not a local user ([EMAIL PROTECTED]). So how did this happen? I have been running IMail for 8 years without incident. I upgraded to the newest version of IMail this month. What settings am I missing? Below is a snippet of my log file. I replaced my domain and IP with mymaildomain.com [11.11.11.11], just so it wouldn't be found in Google searches years from now. I would appreciate any insight or comments from anyone willing to offer them. Thanks in advance.



  01:28 03:18 SMTP-(9d83018400000da7) [x] doing direct send allstccath.org
  01:28 03:18 SMTP-(9d83018400000da7) Trying allstccath.org (0)
  01:28 03:18 SMTP-(9d83018400000da7) [x] Connecting socket to service <SMTP> on host <allstccath.org> using protocol <tcp>
  01:28 03:18 SMTP-(9d83018400000da7) [x] using source IP for mymaildomain.com [11.11.11.11]
  01:28 03:18 SMTP-(9dc6019100000dcc) recip is <[EMAIL PROTECTED]>
  01:28 03:18 SMTP-(9dc6019100000dcc) [x] looking up colsd.org in HOSTS and MX
  01:28 03:18 SMTP-(9dc6019100000dcc) [x] looking up colsd.org in HOSTS and MX
  01:28 03:18 SMTP-(9d9a019100000db2) 250-rly-db01.mx.aol.com 84.fd.1243.static.theplanet.com
  01:28 03:18 SMTP-(9d9a019100000db2) 250 HELP
  01:28 03:18 SMTP-(9d9a019100000db2) >MAIL FROM:<[EMAIL PROTECTED]>
  01:28 03:18 SMTP-(9d9a019100000db2) 250 OK
  01:28 03:18 SMTP-(9d9a019100000db2) >RCPT To:<[EMAIL PROTECTED]>
  01:28 03:18 SMTP-(9d83018400000da7) 220 mx3.fuse.net ESMTP ecelerity 2.1.1.22 r(17669) Mon, 28 Jan 2008 04:18:24 -0500
  01:28 03:18 SMTP-(9d83018400000da7) Connect allstccath.org [216.68.8.213:25] (1)
  01:28 03:18 SMTP-(9d83018400000da7) >EHLO responsiveinc.com
  01:28 03:18 SMTP-(9d8d01a000000dab) 250 Ok
  01:28 03:18 SMTP-(9d8d01a000000dab) >DATA
  01:28 03:18 SMTP-(9d83018400000da7) 250-gwin3 says EHLO to 11.11.11.11
  01:28 03:18 SMTP-(9d83018400000da7) 250-ENHANCEDSTATUSCODES
  01:28 03:18 SMTP-(9d83018400000da7) 250-PIPELINING
  01:28 03:18 SMTP-(9d83018400000da7) 250 8BITMIME
  01:28 03:18 SMTP-(9d83018400000da7) >MAIL FROM:<[EMAIL PROTECTED]>
  01:28 03:18 SMTP-(9d9a019100000db2) 550 MAILBOX NOT FOUND
  01:28 03:18 SMTP-(9d9a019100000db2) Unexpected RCPT TO response from the SMTP server on aol.com: 550 MAILBOX NOT FOUND
  01:28 03:18 SMTP-(9d9a019100000db2) >QUIT
  01:28 03:18 SMTP-(9d8d01a000000dab) 354 Feed me
  01:28 03:18 SMTP-(9d8d01a000000dab) >.
  01:28 03:18 SMTP-(9d83018400000da7) 250 MAIL FROM accepted
  01:28 03:18 SMTP-(9d83018400000da7) >RCPT To:<[EMAIL PROTECTED]>
  01:28 03:18 SMTP-(9d9a019100000db2) 221 SERVICE CLOSING CHANNEL
  01:28 03:18 SMTP-(9d9a019100000db2) [u] closing socket (u)
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 4
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 8
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 8
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 4
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 4
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 8
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 8
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 8
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
  01:28 03:18 SMTP-(9d9a019100000db2) [x] doing direct send comcast.net
  01:28 03:18 SMTP-(9d9a019100000db2) Trying comcast.net (0)
  01:28 03:18 SMTP-(9d9a019100000db2) [x] Connecting socket to service <SMTP> on host <comcast.net> using protocol <tcp>
  01:28 03:18 SMTP-(9d9a019100000db2) [x] using source IP for mymaildomain.com [11.11.11.11]
  01:28 03:18 SMTP-(9d83018400000da7) 550 Recipient [EMAIL PROTECTED] does not exist here
  01:28 03:18 SMTP-(9d83018400000da7) Unexpected RCPT TO response from the SMTP server on allstccath.org: 550 Recipient [EMAIL PROTECTED] does not exist here
  01:28 03:18 SMTP-(9d83018400000da7) >QUIT
  01:28 03:18 SMTP-(9d83018400000da7) 221 gwin3 closing connection
  01:28 03:18 SMTP-(9d83018400000da7) [u] closing socket (u)

  Thanks,
  Chad Walter

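One way to sift a log like the one quoted above for the sessions that carried a relayed spam run, added here as an example and not part of the thread or of IMail itself: it parses the `date time SMTP-(session id) message` layout shown in the post, groups lines by session id, counts recipient entries (the `R<...> - n` lines) and 5xx rejections per session, records the domains the server tried to deliver to directly, and flags sessions that exceed a recipient or rejection threshold. The sample lines, addresses, thresholds and the meaning attached to the counts are assumptions of the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the IMail SMTP log layout quoted in the post
# (date time SMTP-(session id) message). Addresses and the volume per
# session are made up; only the layout follows the thread.
SAMPLE_LINES = [
    "01:28 03:18 SMTP-(9d83018400000da7) [x] doing direct send allstccath.org",
    "01:28 03:18 SMTP-(9d83018400000da7) >EHLO responsiveinc.com",
    "01:28 03:18 SMTP-(9d83018400000da7) >MAIL FROM:<sender@example.org>",
    "01:28 03:18 SMTP-(9d83018400000da7) 250 MAIL FROM accepted",
    "01:28 03:18 SMTP-(9d83018400000da7) >RCPT To:<nobody@allstccath.org>",
    "01:28 03:18 SMTP-(9d83018400000da7) 550 Recipient nobody@allstccath.org does not exist here",
    "01:28 03:18 SMTP-(9d83018400000da7) Unexpected RCPT TO response from the SMTP server on allstccath.org: 550 Recipient nobody@allstccath.org does not exist here",
    "01:28 03:18 SMTP-(9d83018400000da7) >QUIT",
    "01:28 03:18 SMTP-(9d8d01a000000dab) 250 Ok",
    "01:28 03:18 SMTP-(9d8d01a000000dab) >DATA",
    "01:28 03:18 SMTP-(9d8d01a000000dab) 354 Feed me",
    "01:28 03:18 SMTP-(9d9a019100000db2) >RCPT To:<someone@aol.com>",
    "01:28 03:18 SMTP-(9d9a019100000db2) 550 MAILBOX NOT FOUND",
    "01:28 03:18 SMTP-(9d9a019100000db2) 221 SERVICE CLOSING CHANNEL",
    "01:28 03:18 SMTP-(9d9a019100000db2) [x] doing direct send comcast.net",
]
# Thirty queued recipients on one session, mirroring the long run of
# R<...> lines in the post (constructed addresses).
SAMPLE_LINES += [
    f"01:28 03:18 SMTP-(9d9a019100000db2) R<user{i}@example.net> - 1" for i in range(30)
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

# One log entry: "MM:DD HH:MM SMTP-(hex session id) free text".
LINE_RE = re.compile(r"^(\d\d:\d\d) (\d\d:\d\d) SMTP-\(([0-9a-f]+)\) (.*)$")
# Recipient entry as it appears in the post; the trailing number is kept but not interpreted.
RCPT_RE = re.compile(r"^R<([^>]*)> - (\d+)$")
# A 5xx reply from the remote server (the "Unexpected ..." restatement is not counted twice).
REJECT_RE = re.compile(r"^5\d\d[ -]")
DIRECT_RE = re.compile(r"^\[x\] doing direct send (\S+)$")


@dataclass
class Session:
    sid: str
    recipients: list = field(default_factory=list)  # addresses from R<...> lines
    rejects: int = 0                                # count of 5xx replies seen
    domains: set = field(default_factory=set)       # remote domains tried directly


def parse_log(text: str) -> dict:
    """Group log lines by session id; lines not in the expected layout are skipped."""
    sessions: dict = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sid, msg = m.group(3), m.group(4)
        s = sessions.setdefault(sid, Session(sid))
        r = RCPT_RE.match(msg)
        if r:
            s.recipients.append(r.group(1))
            continue
        if REJECT_RE.match(msg):
            s.rejects += 1
            continue
        d = DIRECT_RE.match(msg)
        if d:
            s.domains.add(d.group(1))
    return sessions


def suspicious_sessions(sessions: dict, max_recipients: int = 20, max_rejects: int = 1) -> list:
    """Session ids over either threshold, sorted. Thresholds are assumed starting points, not IMail defaults."""
    return sorted(
        sid for sid, s in sessions.items()
        if len(s.recipients) > max_recipients or s.rejects > max_rejects
    )


def report(sessions: dict) -> list:
    """One summary line per session, with a FLAG marker on the suspicious ones."""
    flagged = set(suspicious_sessions(sessions))
    lines = []
    for sid in sorted(sessions):
        s = sessions[sid]
        mark = " FLAG" if sid in flagged else ""
        lines.append(
            f"{sid} recipients={len(s.recipients)} rejects={s.rejects} "
            f"domains={','.join(sorted(s.domains)) or '-'}{mark}"
        )
    return lines


if __name__ == "__main__":
    for line in report(parse_log(SAMPLE_LOG)):
        print(line)
```

Run against a real IMail log the thresholds need tuning to the site's normal volume; the point is that a single session fanning out to dozens of recipients with remote bounces stands out from local users' traffic, which is the pattern the quoted snippet shows.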