On Mon, Feb 13, 2012 at 5:09 PM, Eric Shubert <[email protected]> wrote:
> On 02/13/2012 03:47 PM, Robert Van Dresar wrote:
>
>> You are right, all of our users have to authenticate to send email, I
>> believe that's the default behavior of a stock QMT, so does that mean I
>> can add our domains to the blacklist-senders file??
>
> Yes, by all means. Records in that file should look like:
> @mydomain.com
>
>> I've tested for open relay, and that test returns OK. The failure
>> notices I receive in the postmaster account point to one of our users,
>> but it says the offending email is from
>> "[email protected]@some-random-ip-address", and bounces back
>> to about 50 other email addresses.
>
> I'm not quite sure what you mean here. A specific example with headers
> would help. Try to leave as much data intact as you can, but user and
> domain names can be substituted consistently if you want to.
>
>> Her computer was off all weekend,
>> and we virus scanned it this morning and nothing. I really didn't think
>> of her password being compromised that's easy enough to change. I guess
>> I'll try that, especially since we're listed on five block lists now.
>
> Sounds as though that's the culprit then. You should attempt to find out
> how her password was compromised.
>
> It can (and does occasionally) happen by network traffic sniffing if her
> configuration sends a password in clear text anywhere (I've seen it happen,
> once). This could be via webmail w/out https (the stock QMT unfortunately
> allows this), or via a client program that's not using TLS, such as a
> remote Outlook03 client. If you have remote clients using Outlook03, you
> should set up QMT to handle smtps (port 465), and configure those clients
> to use SSL accordingly.
>
> If possible, all clients should use TLS for their smtp submissions,
> whether on port 25 or 587. Unfortunately, QMT cannot yet enforce use of
> TLS. Such a feature has been requested to be added to spamdyke, and may (if
> we're lucky) be included in the next spamdyke release.
>
> Please keep us posted.
>
> --
> -Eric 'shubes'

Here's the "evidence" from one of the block lists:

Return-Path: <[email protected]>
X-Original-To: [email protected]
Received: from mail.airplexus.com (mail.airplexus.com [65.245.57.15])
        by mail.ixlab.de (Spamtrap) with ESMTP
        for [email protected]; Mon, 13 Feb 2012 21:38:50 +0100 (CET)
Received: (qmail 9460 invoked by uid 89); 13 Feb 2012 18:16:22 -0000
Received: by simscan 1.4.0 ppid: 8048, pid: 9438, t: 0.7778s
        scanners: attach: 1.4.0 clamav: 0.97.3 /m:54/d:14401
Received: from 184-82-61-166.static.hostnoc.net (HELO User) ("email address removed"@[email protected])
        by mail.airplexus.com with ESMTPA; 13 Feb 2012 18:16:22 -0000
Reply-To: <[email protected]>
From: "Rose Brown"<[email protected]>
Subject: Offers : Marks & Spencer
Date: Mon, 13 Feb 2012 19:16:18 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-NiX-Spam-Hash2: d36eed170eb389bf1a5ab832cf972a4b
X-NiX-Spam-Source-IP: 65.245.57.15
X-NiX-Spam-MX: mail.ixlab.de
X-NiX-Spam-Listed: yes

I've left our mail server stuff intact, but removed her email address.
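Added example, not part of the original thread or of QMT: the Received line in the evidence above says "with ESMTPA", which under the RFC 3848 keywords means the message was submitted with SMTP AUTH and no STARTTLS. The sketch below parses trace lines of that layout and reports, per authenticated account, the source IPs and how many submissions came in without TLS. The sample lines, addresses and function names are constructed for illustration.

```python
import re

# RFC 3848 "with" keywords -> (SMTP AUTH used, STARTTLS used)
WITH_FLAGS = {"SMTP": (False, False), "ESMTP": (False, False),
              "ESMTPA": (True, False), "ESMTPS": (False, True),
              "ESMTPSA": (True, True)}

# Layout of the trace line in the thread (assumed stable for this sketch):
#   from <rdns> (HELO <helo>) (<auth-user>@<ip>) by <server> with <proto>; <date>
RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)]*)\)\s+"
    r"\((?P<ident>[^)]*)\)\s+by\s+(?P<by>\S+)\s+with\s+(?P<proto>\w+)\s*;",
    re.IGNORECASE)

def parse_received(value):
    """Parse one Received value; return None if it is not a network hop."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
    if not m:
        return None
    proto = m["proto"].upper()
    authed, tls = WITH_FLAGS.get(proto, (False, False))
    # The ident is "<auth-user>@<ip>"; the user part may itself contain '@'.
    user, _, ip = m["ident"].rpartition("@")
    return {"rdns": m["rdns"], "helo": m["helo"], "user": user or None,
            "ip": ip, "proto": proto, "authenticated": authed, "tls": tls}

def summarize(received_values):
    """Per authenticated account: source IPs, total and non-TLS submissions."""
    report = {}
    for value in received_values:
        hop = parse_received(value)
        if not hop or not hop["authenticated"]:
            continue
        entry = report.setdefault(hop["user"],
                                  {"ips": set(), "total": 0, "no_tls": 0})
        entry["ips"].add(hop["ip"])
        entry["total"] += 1
        entry["no_tls"] += 0 if hop["tls"] else 1
    return report

# Constructed sample lines (documentation addresses, not taken from the thread)
SAMPLE = [
    "from host1.example.net (HELO User) (alice@example.com@203.0.113.7)\n"
    "        by mail.example.com with ESMTPA; 13 Feb 2012 18:16:22 -0000",
    "from unknown (HELO laptop) (alice@example.com@198.51.100.20) "
    "by mail.example.com with ESMTPSA; 13 Feb 2012 09:01:10 -0000",
    "from mx.example.org (HELO mx.example.org) (192.0.2.55) "
    "by mail.example.com with ESMTP; 13 Feb 2012 10:00:00 -0000",
]

if __name__ == "__main__":
    for account, info in summarize(SAMPLE).items():
        print(account, sorted(info["ips"]), info["total"], info["no_tls"])
```

An account that shows up from unfamiliar IPs, or with a non-zero no_tls count, is the one whose password and client settings to check first.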
