I have asked the support folks to give me a reading on what is up here, but I thought I would try the forum to see if anyone has run into this kind of thing before.
We are running iMail version 6.06 (I think).
We have the option "relay for local users only" set. We also have the option "Auto-deny possible hack attacks". All other options under SMTP Security are turned off. I wonder if you can suggest what might have happened and what we can do to prevent it in the future.
One thing I noticed is that one of our sites is somehow duplicated in the iMail definitions. We have an entry that we cannot get rid of, which is the server name, as follows:
machinename.domainname.com (which has attached itself to the same IP address as the first domain in our set of IP addresses), duplicating the users and ID (Official Host Name) of the real virtual host domain at that address. The local host identifies itself as this but is duplicated as a virtual host?
In the past I have tried to dump this and it took out the associated domain service, so I have left it alone.
It appears this spam actually came in on the IP address and was able to slingshot itself out to a variety of targets.
There is a log entry below of some of the related activity information. They were not always successful. Note the IP address of 127.0.0.1 which, of course, is the default IP address set up on a new system. It also is the address contained in the "Log Server" field of the iMail "GENERAL" screen for the root host server (the machinename.domainname.com above). Should this be changed? I could not find information on it, so I have left it alone.
Below the log information is a partial copy of one of the messages sent out as received from "Spam Disposal Unit". Any advice you can lend would be most appreciated.
Oh yes, always asking for trouble, I took the opportunity to update our server for ColdFusion 5.0 today. After I finished and rebooted, the server no longer can connect to the network. Unfortunately, our ISP where we have the server colocated was unreachable to find out if the alleged packets being sent from the server are ever reaching the router. We can ping the gateway from outside, but we cannot ping the gateway from the server. In all a very nasty day. I am now wondering if there is some sort of virus, worm or trojan that has grabbed us and caused still more havoc. We are running NetShield with the latest DAT and it picked up nothing.
====================================
Return-Path: <[EMAIL PROTECTED]>
Received: (qmail 10647 invoked from network); 30 Dec 2001 17:45:01 -0000
Received: from arodal-wa.com (HELO gtmo.net) (206.159.55.2) <<<This is our server!!!
by mx00.comstar.net with SMTP; 30 Dec 2001 17:45:01 -0000
From: Nicole Kinmand <[EMAIL PROTECTED]>
Date: Sun, 30 Dec 2001 9:45:02 AM -0800
X-Mailer: The Bat! (v1.54)
Reply-To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: CRAIG, OPEN IT AND GET A TISSUE ;-)
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Priority: 1
X-MSMail-Priority: High
X-Unsent: 1
X-Mimeole: Produced By Microsoft MimeOLE V5.50.4807.1700
(message text omitted for obvious reasons)
From one of the anti-spam sites the following was included:
Possibilities include:
1) 206.159.55.2 is an open SMTP relay.
2) 206.159.55.2 the smarthost for an open SMTP relay.
3) 206.159.55.2 is relaying correctly for a spamming customer.
4) 206.159.55.2 is the spammer's host.
5) 206.159.55.2 has a broken mailing list with bad envelope sender.
6) 206.159.55.2 will not accept bounces, violates RFC-2505.
7) 206.159.55.2 might be infected by an email virus or trojan.
8) 206.159.55.2 is a mail forwarder; let us know if this is the case.
===================================
From the Log:
12:30 08:25 SMTPD(0B5100D6) [127.0.0.1] connect 127.0.0.1 port 1210
12:30 08:25 SMTPD(0B5100D6) [127.0.0.1] HELO 2222.com
12:30 08:25 SMTPD(0B5100D6) [127.0.0.1] MAIL FROM:<[EMAIL PROTECTED]>
12:30 08:25 SMTPD(0B5100D6) [127.0.0.1] RCPT TO:<[EMAIL PROTECTED]>
12:30 08:25 SMTPD(0B5100D6) [127.0.0.1] C:\IMAIL\spool\D3fe90d6.SMD 4260
12:30 08:25 SMTP-(000008E0) processing C:\IMAIL\spool\Q3fe90d6.SMD
12:30 08:25 SMTP-(000008E0) Trying 2222.com (0)
12:30 08:25 SMTP-(000008E0) Connect 2222.com [64.85.73.36:25] (2)
12:30 08:25 SMTP-(000008E0) 220 **********************
12:30 08:25 SMTP-(000008E0) >EHLO awascow2k.awasco.com
12:30 08:25 SMTP-(000008E0) 502 unimplemented
12:30 08:25 SMTP-(000008E0) >HELO awascow2k.awasco.com
12:30 08:25 SMTP-(000008E0) 250 uf2.dotster.com
12:30 08:25 SMTP-(000008E0) >MAIL FROM:<[EMAIL PROTECTED]>
12:30 08:25 SMTP-(000008E0) 250 ok
12:30 08:25 SMTP-(000008E0) >RCPT To:<[EMAIL PROTECTED]>
12:30 08:25 SMTP-(000008E0) 550 address not deliverable #1
12:30 08:25 SMTP-(000008E0) >QUIT
12:30 08:25 SMTP-(000008E0) 221 ok
12:30 08:25 SMTP-(000008E0) Creating message from Postmaster
12:30 08:25 SMTP-(000008E0) finished C:\IMAIL\spool\Q3fe90d6.SMD status=2
12:30 08:25 SMTPD(0B5200D6) [206.159.55.2] connect 206.159.55.2 port 1388
12:30 08:25 SMTPD(0B5700D6) [206.159.55.2] connect 206.159.55.2 port 1932
12:30 08:25 SMTPD(0B5C00D6) [206.159.55.2] connect 206.159.55.2 port 2392
12:30 08:25 SMTPD(0B6100D6) [206.159.55.2] connect 206.159.55.2 port 2762
12:30 08:26 SMTPD(0B6600D6) [206.159.55.2] connect 206.159.55.2 port 3472
12:30 08:26 SMTPD(0B6B00D6) [206.159.55.2] connect 206.159.55.2 port 4212
12:30 08:26 SMTPD(0B7000D6) [206.159.55.2] connect 206.159.55.2 port 4619
12:30 08:26 SMTPD(0B7500D6) [206.159.55.2] connect 206.159.55.2 port 1084
12:30 08:26 SMTPD(CA0900CC) [206.159.55.2] connect 206.159.55.2 port 1323
12:30 08:27 SMTPD(CA0E00CC) [206.159.55.2] connect 206.159.55.2 port 1501
12:30 08:27 SMTPD(CA1300CC) [206.159.55.2] connect 206.159.55.2 port 2427
12:30 08:27 SMTPD(CA1800CC) [206.159.55.2] connect 206.159.55.2 port 2793
12:30 08:27 SMTPD(CA1D00CC) [206.159.55.2] connect 206.159.55.2 port 3218
12:30 08:27 SMTPD(CA2200CC) [206.159.55.2] connect 206.159.55.2 port 3646
12:30 08:28 SMTPD(CA2700CC) [206.159.55.2] connect 206.159.55.2 port 4103
12:30 08:28 SMTPD(CA2C00CC) [127.0.0.1] connect 127.0.0.1 port 4499
12:30 08:28 SMTPD(CA2C00CC) [127.0.0.1] HELO nightmail.com
12:30 08:28 SMTPD(CA2C00CC) [127.0.0.1] MAIL FROM:<[EMAIL PROTECTED]>
12:30 08:28 SMTPD(CA2C00CC) [127.0.0.1] RCPT TO:<[EMAIL PROTECTED]>
12:30 08:28 SMTPD(CA2C00CC) [127.0.0.1] C:\IMAIL\spool\D409e0cc.SMD 4287
12:30 08:28 SMTP-(000008A4) processing C:\IMAIL\spool\Q409e0cc.SMD
12:30 08:28 SMTP-(000008A4) Trying nightmail.com (0)
12:30 08:28 SMTP-(000008A4) Connect nightmail.com [66.78.7.38:25] (2)
12:30 08:28 SMTPD(CA2D00CC) [206.159.55.2] connect 206.159.55.2 port 4632
12:30 08:28 SMTPD(CA3200CC) [206.159.55.2] connect 206.159.55.2 port 1183
12:30 08:28 SMTP-(000008A4) 220 plus3.hostingplus.com ESMTP Sendmail 8.10.0/8.11.2; Sun, 30 Dec 2001 11:27:49 -0500
12:30 08:28 SMTP-(000008A4) >EHLO awascow2k.awasco.com
12:30 08:28 SMTP-(000008A4) 250-plus3.hostingplus.com Hello arodal-wa.com [206.159.55.2], pleased to meet you
12:30 08:28 SMTP-(000008A4) 250-ENHANCEDSTATUSCODES
12:30 08:28 SMTP-(000008A4) 250-8BITMIME
12:30 08:28 SMTP-(000008A4) 250-SIZE
12:30 08:28 SMTP-(000008A4) 250-DSN
12:30 08:28 SMTP-(000008A4) 250-ONEX
12:30 08:28 SMTP-(000008A4) 250-ETRN
12:30 08:28 SMTP-(000008A4) 250-XUSR
12:30 08:28 SMTP-(000008A4) 250 HELP
12:30 08:28 SMTP-(000008A4) >MAIL FROM:<[EMAIL PROTECTED]>
12:30 08:28 SMTP-(000008A4) 250 2.1.0 <[EMAIL PROTECTED]>... Sender ok
12:30 08:28 SMTP-(000008A4) >RCPT To:<[EMAIL PROTECTED]>
12:30 08:28 SMTP-(000008A4) 550 5.7.1 <[EMAIL PROTECTED]>... Relaying denied
12:30 08:28 SMTP-(000008A4) >QUIT
12:30 08:28 SMTP-(000008A4) 221 2.0.0 plus3.hostingplus.com closing connection
12:30 08:28 SMTP-(000008A4) Creating message from Postmaster
12:30 08:28 SMTP-(000008A4) finished C:\IMAIL\spool\Q409e0cc.SMD status=2
=============================================
Orin R. Wells
25321 126th Ave. SE
Kent, Washington 98031
(253) 630-5296
<[EMAIL PROTECTED]>
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
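As an added example (not part of the original post or of iMail), a small Python parser for the SMTPD log format quoted above. It groups lines by session id and flags sessions that arrive from the server's own addresses (127.0.0.1 or its public IP) yet address recipients outside the local domains, which is the "connect from self, HELO a foreign domain, RCPT TO an outside address" pattern visible in the log. The sample lines, the local-domain list and the own-IP list are constructed assumptions, with placeholder mailbox names since the post has them redacted.

```python
import re

# Constructed sample lines in the IMail SMTPD log format quoted in the post.
SAMPLE_LOG = [
    r"12:30 08:25 SMTPD(0B5100D6) [127.0.0.1] connect 127.0.0.1 port 1210",
    r"12:30 08:25 SMTPD(0B5100D6) [127.0.0.1] HELO 2222.com",
    r"12:30 08:25 SMTPD(0B5100D6) [127.0.0.1] MAIL FROM:<sender@example.net>",
    r"12:30 08:25 SMTPD(0B5100D6) [127.0.0.1] RCPT TO:<victim@2222.com>",
    r"12:30 08:26 SMTPD(0B6600D6) [198.51.100.7] connect 198.51.100.7 port 3472",
    r"12:30 08:26 SMTPD(0B6600D6) [198.51.100.7] HELO mail.example.org",
    r"12:30 08:26 SMTPD(0B6600D6) [198.51.100.7] MAIL FROM:<someone@example.org>",
    r"12:30 08:26 SMTPD(0B6600D6) [198.51.100.7] RCPT TO:<user@gtmo.net>",
]

# date time SMTPD(session) [peer-ip] rest-of-line  (SMTP-(...) delivery lines are skipped)
LINE_RE = re.compile(r"^(\S+) (\S+) SMTPD\((\w+)\) \[([\d.]+)\] (.*)$")
ADDR_RE = re.compile(r"<[^@>]+@([^>]+)>")


def parse_sessions(lines):
    """Group SMTPD lines by session id, keeping peer IP, HELO name and RCPT domains."""
    sessions = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        _date, _time, sid, peer, rest = m.groups()
        s = sessions.setdefault(sid, {"id": sid, "peer": peer, "helo": None, "rcpt_domains": []})
        if rest.upper().startswith(("HELO ", "EHLO ")):
            s["helo"] = rest.split(None, 1)[1].strip().lower()
        elif rest.upper().startswith("RCPT TO:"):
            a = ADDR_RE.search(rest)
            if a:
                s["rcpt_domains"].append(a.group(1).lower())
    return sessions


def find_relay_abuse(lines, local_domains, own_ips=("127.0.0.1",)):
    """Flag sessions that connect from one of the server's own addresses but ask for
    recipients outside the local domains: mail the server treats as 'local' and relays."""
    local = {d.lower() for d in local_domains}
    flagged = []
    for s in parse_sessions(lines).values():
        external = [d for d in s["rcpt_domains"] if d not in local]
        if s["peer"] in set(own_ips) and external:
            flagged.append({"id": s["id"], "peer": s["peer"], "helo": s["helo"],
                            "external_rcpts": external})
    return flagged


if __name__ == "__main__":
    for hit in find_relay_abuse(SAMPLE_LOG, ["gtmo.net", "arodal-wa.com"],
                                own_ips=("127.0.0.1", "206.159.55.2")):
        print(f"session {hit['id']} from {hit['peer']} HELO {hit['helo']} -> {hit['external_rcpts']}")
```

Run it against the real SMTPD log with the server's own public IP added to own_ips; a session from 127.0.0.1 or that IP with an outside recipient is the relay hop to investigate.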
