>Trying to get my server protected from spammers.

That's a good thing.  It's better to protect yourself before they find you, 
but it's also better to fix your server quickly after they catch you than 
to let spammers keep using it for free.

You can see which spam databases you got listed in by going to 
http://www.declude.com/tools and using the "ip4r Spam Database Lookup" 
for 63.225.47.2.

>sys*.txt files look suspicious. Here's my current setup. I'd appreciate 
>any suggestions for improving the system.
>
>Relay for local users only = yes

Bad.  That's how the spammers were able to send their mail.  That option 
means "Relay for anyone who is willing to pretend they have an account on 
your server" (or, "Relay for slightly intelligent spammers").

>11:12 09:56 SMTPD(007301CC) [my.private.ip] connect my.public.ip port 5863
>11:12 09:56 SMTPD(007301CC) [my.public.ip] EHLO legituser
>11:12 09:56 SMTPD(007301CC) [my.public.ip MAIL FROM:<[EMAIL PROTECTED]>
>11:12 09:56 SMTPD(007301CC) [my.public.ip RCPT TO:<[EMAIL PROTECTED]>
>11:12 09:56 SMTPD(007301CC) [my.public.ip] C:\IMail\spool\Dff461cc.SMD 881
>11:12 09:56 SMTP-(000000BB) processing C:\IMail\spool\Qff461cc.SMD
>11:12 09:56 SMTP-(000000BB) ldeliver myserver.mydomain.com legituser2-main 
>(1) <[EMAIL PROTECTED]> 881
>11:12 09:56 SMTP-(000000BB) finished C:\IMail\spool\Qff461cc.SMD status=1

That seems normal.

>11:12 09:56 SMTPD(008401CC) [my.private.ip] connect my.public.ip port 4094
>11:12 09:56 SMTPD(008401CC) [my.public.ip] EHLO backpos1
>11:12 09:56 SMTPD(008401CC) [my.public.ip] MAIL FROM:<[EMAIL PROTECTED]>
>11:12 09:56 SMTPD(008401CC) [my.public.ip RCPT TO:<unknownuser@unknowndomain>
>11:12 09:56 SMTPD(008401CC) [my.public.ip] C:\IMail\spool\Dff551cc.SMD 1168
>11:12 09:56 SMTP-(000000C9) processing C:\IMail\spool\Qff551cc.SMD

This could either be a legit user sending outgoing mail, or a 
spammer.  There's no way to know for sure without contacting the user, or 
checking the E-mail to see the contents.

>It's all those C:\Imail\spool\*.smd lines that bother me.

Why?  That just means that IMail is processing a file in the spool directory.

>I used to have a bunch of them in spool directory, but I removed them when 
>I set relay to 'for local users only'. There are no smd in spool anymore.

.SMD files in the spool directory are just incoming/outgoing E-mails.  If 
you deleted them, you deleted possibly legitimate mail.  You had lots of 
.SMD files in the spool directory simply because you had lots of E-mail you 
were processing for the spammers.

>I also suspect I need to uncheck Disable SMTP "VRFY" command, though I'm 
>unclear what effect that would have on my users, both behind the WAN VPN 
>and from outside.

That shouldn't matter one way or the other; it shouldn't hurt to have it 
checked, as I don't believe any mail clients verify addresses.

                                                    -Scott
---
Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for 
IMail.  http://www.declude.com
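The relay setting discussed above, as an added example that is not part of the original thread: a small Python audit that groups IMail-style SMTPD log lines by session and shows, for each recipient, whether the "local users only" rule (which trusts the claimed MAIL FROM domain) and a rule keyed on the connecting client address would accept it. LOCAL_DOMAINS, TRUSTED_CLIENT_IPS, the policy names and the log lines are constructed assumptions, not IMail's own configuration or output.

```python
import re
from collections import defaultdict

# Constructed values (not from the original post): domains this server hosts,
# and client addresses it trusts to relay without further proof.
LOCAL_DOMAINS = {"mydomain.com"}
TRUSTED_CLIENT_IPS = {"10.0.0.5"}
# Constructed IMail-style SMTPD lines modelled on the two sessions quoted above.
SAMPLE_LOG = """\
11:12 09:56 SMTPD(007301CC) [10.0.0.5] connect 203.0.113.10 port 5863
11:12 09:56 SMTPD(007301CC) [10.0.0.5] EHLO legituser
11:12 09:56 SMTPD(007301CC) [10.0.0.5] MAIL FROM:<legituser@mydomain.com>
11:12 09:56 SMTPD(007301CC) [10.0.0.5] RCPT TO:<legituser2@mydomain.com>
11:12 09:56 SMTPD(008401CC) [198.51.100.77] connect 203.0.113.10 port 4094
11:12 09:56 SMTPD(008401CC) [198.51.100.77] EHLO backpos1
11:12 09:56 SMTPD(008401CC) [198.51.100.77] MAIL FROM:<someone@mydomain.com>
11:12 09:56 SMTPD(008401CC) [198.51.100.77] RCPT TO:<unknownuser@unknowndomain>
"""
LINE_RE = re.compile(r"SMTPD\((\w+)\) \[([\d.]+)\] (.*)$")
ADDR_RE = re.compile(r"<([^>]*)>")

def parse_sessions(log):
    """Group SMTPD lines by session id: connecting IP, MAIL FROM, RCPT TO list."""
    sessions = defaultdict(lambda: {"client_ip": None, "mail_from": None, "rcpt_to": []})
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sid, ip, rest = m.groups()
        s = sessions[sid]
        s["client_ip"] = s["client_ip"] or ip  # keep the IP from the connect line
        if rest.startswith("MAIL FROM:"):
            s["mail_from"] = ADDR_RE.search(rest).group(1)
        elif rest.startswith("RCPT TO:"):
            s["rcpt_to"].append(ADDR_RE.search(rest).group(1))
    return dict(sessions)

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def would_relay(session, rcpt, policy):
    """True if the recipient is accepted. 'local-users-only' trusts the claimed
    MAIL FROM domain (the setting the reply calls bad); 'trusted-clients' trusts
    only the connecting address, so a local-looking sender domain buys nothing."""
    if domain_of(rcpt) in LOCAL_DOMAINS:
        return True  # delivery to a hosted domain is not relaying
    if policy == "local-users-only":
        return domain_of(session["mail_from"]) in LOCAL_DOMAINS
    if policy == "trusted-clients":
        return session["client_ip"] in TRUSTED_CLIENT_IPS
    raise ValueError(f"unknown policy: {policy}")
```

Running the second session through both policies shows why the setting is weak: the external recipient is relayed under "local-users-only" purely because the sender claimed a hosted domain, and refused under "trusted-clients".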


An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/