Hello All,
I am querying the list to help me find my security hole in my server.
This is after I had placed this IP in the spamdyke blacklist_ip file.
I even added the email addy to the blacklist_senders list.
Maybe I was impatient and the system was playing catchup.
Let me also add I do not allow any such relay except for the IPs on my
network.
This IP is the bad IP: 41.217.65.3
Here is what I was seeing in the SMTP logs:
*...@400000004b96d74820897d9c tcpserver: pid 18168 from 41.217.65.3
@400000004b96d74820898954 tcpserver: ok 18168 ns2.wletc.com:63.147.8.8:25 :41.217.65.3::39621
@400000004b96d74d10f01134 CHKUSER accepted sender: from <capt.gar...@yahoo.com:dmilho...@wletc.com:> remote <User:unknown:41.217.65.3> rcpt <> : sender accepted
@400000004b96d74d3044412c CHKUSER relaying rcpt: from <capt.gar...@yahoo.com:dmilho...@wletc.com:> remote <User:unknown:41.217.65.3> rcpt <ashley...@live.com> : client allowed to relay
@400000004b96d74d304ad8ac spamdyke[18168]: ALLOWED from: capt.gar...@yahoo.com to: ashley...@live.com origin_ip: 41.217.65.3 origin_rdns: (unknown) auth: dmilhol...@wletc.com
@400000004b96d74e14abaa04 CHKUSER relaying rcpt: from <capt.gar...@yahoo.com:dmilho...@wletc.com:> remote <User:unknown:41.217.65.3> rcpt <capt.g...@live.com> : client allowed to relay*
I did a netstat and saw what seemed like a thousand or more of these
tcp 0 0 ns2.wletc.com: ns2.wletc.com:domain TIME_WAIT
and some of these
tcp 0 0 ns2.wletc.com: 41.217.65.3 TIME_WAIT
I finally put a stop to it by adding the IP to the drop list in my main
gateway.
I am trying to figure out why spamdyke did not stop it.
--dave
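The spamdyke ALLOWED line quoted above carries an "auth:" value, and spamdyke by design exempts SMTP-authenticated sessions from its IP and sender blacklists, so the check a defender wants here is not "which IPs are blacklisted" but "which local accounts are authenticating and relaying from outside the local network". The script below is an added example, not code from the post or from the spamdyke project: it parses spamdyke log lines in the format shown above, filters ALLOWED relays that were authenticated from an untrusted address, and groups them per account so a stolen password shows up as one account used from a foreign IP. The sample lines are constructed (modelled on the quoted ones, with the same masked addresses), and the trusted network 192.168.1.0/24 is an assumption.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines, modelled on the spamdyke format quoted in the post.
# The first two mirror the quoted ALLOWED line; the rest are made up for contrast.
SAMPLE_LOG = """\
@400000004b96d74d304ad8ac spamdyke[18168]: ALLOWED from: capt.gar...@yahoo.com to: ashley...@live.com origin_ip: 41.217.65.3 origin_rdns: (unknown) auth: dmilhol...@wletc.com
@400000004b96d74e14abaa04 spamdyke[18168]: ALLOWED from: capt.gar...@yahoo.com to: capt.g...@live.com origin_ip: 41.217.65.3 origin_rdns: (unknown) auth: dmilhol...@wletc.com
@400000004b96d75000000000 spamdyke[18201]: ALLOWED from: dmilhol...@wletc.com to: someone@example.org origin_ip: 192.168.1.10 origin_rdns: (unknown) auth: dmilhol...@wletc.com
@400000004b96d75100000000 spamdyke[18202]: ALLOWED from: bob@example.net to: postmaster@wletc.com origin_ip: 203.0.113.7 origin_rdns: mail.example.net auth: (unknown)
@400000004b96d75200000000 spamdyke[18203]: DENIED_BLACKLIST_IP from: spam@example.com to: user@wletc.com origin_ip: 198.51.100.9 origin_rdns: (unknown) auth: (unknown)
"""

# Assumed local network; connections from here may legitimately authenticate and relay.
TRUSTED_NETS = [ip_network("192.168.1.0/24")]

# tai64n timestamp, pid, verdict, then the key/value fields spamdyke prints.
LINE_RE = re.compile(
    r"^(?P<ts>@[0-9a-f]{24}) spamdyke\[(?P<pid>\d+)\]: (?P<verdict>\S+) "
    r"from: (?P<sender>\S+) to: (?P<rcpt>\S+) origin_ip: (?P<ip>\S+) "
    r"origin_rdns: (?P<rdns>\S+) auth: (?P<auth>\S+)$"
)


def parse_spamdyke(text):
    """Return one dict per spamdyke verdict line; other log lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def is_trusted(ip, nets=TRUSTED_NETS):
    """True when the origin address lies inside one of the trusted networks."""
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def authenticated_relays_from_outside(records, nets=TRUSTED_NETS):
    """ALLOWED messages that passed only because the client authenticated,
    sent from an address outside the trusted networks. spamdyke logs
    'auth: (unknown)' when no SMTP AUTH took place."""
    return [
        r for r in records
        if r["verdict"] == "ALLOWED"
        and r["auth"] != "(unknown)"
        and not is_trusted(r["ip"], nets)
    ]


def suspicious_accounts(records, nets=TRUSTED_NETS, threshold=2):
    """Map each authenticated account to the external IPs it relayed from,
    keeping only accounts with at least `threshold` such messages. One local
    account relaying foreign senders from a single far-away IP is the usual
    signature of a leaked mailbox password."""
    by_account = defaultdict(Counter)
    for r in authenticated_relays_from_outside(records, nets):
        by_account[r["auth"]][r["ip"]] += 1
    return {
        acct: dict(ips)
        for acct, ips in by_account.items()
        if sum(ips.values()) >= threshold
    }


if __name__ == "__main__":
    recs = parse_spamdyke(SAMPLE_LOG)
    for acct, ips in suspicious_accounts(recs).items():
        print(f"{acct}: relayed from outside via {ips}")
```

Run it against the real qmail/spamdyke log (for example the output of tai64nlocal piped in) by replacing SAMPLE_LOG with the file contents; any account listed is a candidate for an immediate password reset, and the matching external IP is what belongs on the gateway drop list.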