Make sure you clear your qmail queue after you shut the account(s) down. Been 
bitten by that one more than once.

>________________________________
> From: Kelly Cobean <kcob...@vipercrazy.com>
>To: qmailtoaster-list@qmailtoaster.com 
>Sent: Thursday, April 3, 2014 11:13 AM
>Subject: Re: [qmailtoaster] Help, I'm an open relay!!
> 
>
>
>Hey Sebastian,
>     I thought leaked password as well at first, but there are at least two 
>accounts I see under auth:  mine and one other.  I suppose it's possible that 
>they were guessed/leaked, but it's awfully coincidental that it's two accounts 
>in the same domain on a server running at least 6 domains.  I only saw two IP 
>addresses doing all this spamming, so I put those in iptables and things seem 
>quiet for now.  I'll change the passwords on those two accounts as well.  I'm 
>really glad spamcop has an easy way to delist a server once an issue is fixed. 
>
>Thanks.
> 
>Kelly
>
>On 04/03/2014 11:42, Sebastian Grewe wrote:
>>Have you checked for hijacked accounts? Looks like all mails are sent from a 
>>single account and IP. Most likely a guessed/leaked password.
>>
>>
>>Cheers, 
>>Sebastian
>>
>>On 03.04.2014, at 14:30, Kelly Cobean <kcob...@vipercrazy.com> wrote:
>>
>>
>>>I don't understand what's going on here, but somehow all of a sudden I am on 
>>>the spamcop RBL.  If I tail /var/log/qmail/smtp/current, I'm seeing a TON of 
>>>emails getting relayed that are all .ru hosts and addresses.
>>>I've run every open relay test I could find and all of them say I'm good to 
>>>go, but spamdyke says I'm accepting over 75000 emails a day and they're not 
>>>hitting any of my inboxes. 
>>>
>>>Can y'all help me diagnose and solve this?  Here's a snippet of the current 
>>>file:
>>> 
>>>@40000000533d52101655376c CHKUSER relaying rcpt: from 
>>><fe...@782782.ru:kcob...@vipercrazy.com:> remote 
>>><91.235.7.37:unknown:91.235.7.37> rcpt <1dawmydgeaa...@prosoft-m.ru> : 
>>>client allowed to relay
>>>@40000000533d521016554324 policy_check: local kcob...@vipercrazy.com -> 
>>>remote 1dawmydgeaa...@prosoft-m.ru (AUTHENTICATED SENDER)
>>>@40000000533d52101655470c policy_check: policy allows transmission
>>>@40000000533d52101703edfc CHKUSER accepted sender: from 
>>><i...@3vlodke.ru:bi...@vipercrazy.com:> remote 
>>><91.235.7.37:unknown:91.235.7.37> rcpt <> : sender accepted
>>>@40000000533d521108b8a88c CHKUSER relaying rcpt: from 
>>><i...@3vlodke.ru:bi...@vipercrazy.com:> remote 
>>><91.235.7.37:unknown:91.235.7.37> rcpt <inf...@dvugadn.kht.ru> : client 
>>>allowed to relay
>>>@40000000533d521108b8b444 policy_check: local bi...@vipercrazy.com -> remote 
>>>inf...@dvugadn.kht.ru (AUTHENTICATED SENDER)
>>>@40000000533d521108b8b444 policy_check: policy allows transmission
>>>@40000000533d52112c20499c 
>>>simscan:[13710]:RELAYCLIENT:1.1458s:-:91.235.7.37:fe...@782782.ru:1dawmydgeaa...@prosoft-m.ru
>>>@40000000533d52112cba283c spamdyke[13709]: ALLOWED from: fe...@782782.ru to: 
>>>1dawmydgeaa...@prosoft-m.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) 
>>>auth: kcob...@vipercrazy.com encryption: (none) reason: 
>>>250_ok_1396527623_qp_13732
>>>@40000000533d521139ada1f4 tcpserver: end 13709 status 0
>>>@40000000533d521139ada5dc tcpserver: status: 1/100
>>>@40000000533d5212129d193c 
>>>simscan:[13718]:RELAYCLIENT:0.9592s:-:91.235.7.37:i...@3vlodke.ru:inf...@dvugadn.kht.ru
>>>@40000000533d52121316601c spamdyke[13717]: ALLOWED from: i...@3vlodke.ru to: 
>>>inf...@dvugadn.kht.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: 
>>>bi...@vipercrazy.com encryption: (none) reason: 250_ok_1396527624_qp_13752
>>>@40000000533d52121a62824c tcpserver: status: 2/100
>>>@40000000533d52121a628634 tcpserver: pid 13764 from 91.235.7.37
>>>@40000000533d52121a628634 tcpserver: ok 13764 
>>>www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::64980
>>>@40000000533d5212201bdb34 tcpserver: end 13717 status 0
>>>@40000000533d5212201bdf1c tcpserver: status: 1/100
>>>@40000000533d521302016b8c tcpserver: status: 2/100
>>>@40000000533d521302017744 tcpserver: pid 13766 from 91.235.7.37
>>>@40000000533d521302017744 tcpserver: ok 13766 
>>>www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::64990
>>>@40000000533d52132c0ba474 CHKUSER accepted sender: from 
>>><pa...@143904.ru:kcob...@vipercrazy.com:> remote 
>>><91.235.7.37:unknown:91.235.7.37> rcpt <> : sender accepted
>>>@40000000533d52133ae2b6f4 CHKUSER relaying rcpt: from 
>>><pa...@143904.ru:kcob...@vipercrazy.com:> remote 
>>><91.235.7.37:unknown:91.235.7.37> rcpt 
>>><4-1696808-19797-20060901154637-v...@subscribe.ru> : client allowed to relay
>>>@40000000533d52133ae2c2ac policy_check: local kcob...@vipercrazy.com -> 
>>>remote 4-1696808-19797-20060901154637-v...@subscribe.ru (AUTHENTICATED 
>>>SENDER)
>>>@40000000533d52133ae2ca7c policy_check: policy allows transmission
>>>@40000000533d521413dbfdf4 CHKUSER accepted sender: from 
>>><o...@7-design.ru:bi...@vipercrazy.com:> remote 
>>><91.235.7.37:unknown:91.235.7.37> rcpt <> : sender accepted
>>>@40000000533d52142423c32c 
>>>simscan:[13765]:RELAYCLIENT:0.4157s:-:91.235.7.37:pa...@143904.ru:4-1696808-19797-20060901154637-v...@subscribe.ru
>>>@40000000533d521424f524bc spamdyke[13764]: ALLOWED from: pa...@143904.ru to: 
>>>4-1696808-19797-20060901154637-v...@subscribe.ru origin_ip: 91.235.7.37 
>>>origin_rdns: (unknown) auth: kcob...@vipercrazy.com encryption: (none) 
>>>reason: 250_ok_1396527626_qp_13785
>>>@40000000533d5214285cb1ec CHKUSER relaying rcpt: from 
>>><o...@7-design.ru:bi...@vipercrazy.com:> remote 
>>><91.235.7.37:unknown:91.235.7.37> rcpt <pavel_ma...@tut.by> : client allowed 
>>>to relay
>>>@40000000533d5214285cb9bc policy_check: local bi...@vipercrazy.com -> remote 
>>>pavel_ma...@tut.by (AUTHENTICATED SENDER)
>>>@40000000533d5214285cbda4 policy_check: policy allows transmission
>>>@40000000533d5214317e9204 tcpserver: end 13764 status 0
>>>@40000000533d5214317e95ec tcpserver: status: 1/100
>>>@40000000533d521513228964 tcpserver: status: 2/100
>>>@40000000533d521513228d4c tcpserver: pid 13811 from 91.235.7.37
>>>@40000000533d521513229134 tcpserver: ok 13811 
>>>www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::65030
>>>@40000000533d52152188a204 
>>>simscan:[13767]:RELAYCLIENT:0.5571s:-:91.235.7.37:o...@7-design.ru:pavel_ma...@tut.by
>>>@40000000533d5215223220a4 spamdyke[13766]: ALLOWED from: o...@7-design.ru 
>>>to: pavel_ma...@tut.by origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: 
>>>bi...@vipercrazy.com encryption: (none) reason: 250_ok_1396527627_qp_13803
>>>@40000000533d52152ef946b4 tcpserver: end 13766 status 0
>>>@40000000533d52152ef94e84 tcpserver: status: 1/100
>>>@40000000533d52160e541164 tcpserver: status: 2/100
>>>@40000000533d52160e54154c tcpserver: pid 13822 from 91.235.7.37
>>>@40000000533d52160e541934 tcpserver: ok 13822 
>>>www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::65046
>>>@40000000533d52162335bd94 CHKUSER accepted sender: from 
>>><bog...@360dpi-nn.ru:kcob...@vipercrazy.com:> remote 
>>><91.235.7.37:unknown:91.235.7.37> rcpt <> : sender accepted
>>>@40000000533d521715db544c CHKUSER relaying rcpt: from 
>>><bog...@360dpi-nn.ru:kcob...@vipercrazy.com:> remote 
>>><91.235.7.37:unknown:91.235.7.37> rcpt <mailer-dae...@isp.uralasbest.ru> : 
>>>client allowed to relay
>>>@40000000533d521715db6004 policy_check: local kcob...@vipercrazy.com -> 
>>>remote mailer-dae...@isp.uralasbest.ru (AUTHENTICATED SENDER)
>>>@40000000533d521715db6004 policy_check: policy allows transmission
>>>
>>>
>>> 
> 
>
>
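
Added example, not part of the original thread: a short Python triage script for the spamdyke "ALLOWED" lines quoted above, tallying relayed mail per authenticated account and flagging accounts whose envelope senders mostly fall outside the account's own domain. The sample lines are constructed with documentation addresses, the thresholds are arbitrary, and treating "auth: (unknown)" as "no authentication" is an assumption modelled on the "origin_rdns: (unknown)" field in the quoted log.

```python
import re
from collections import defaultdict

# Field order taken from the spamdyke "ALLOWED" lines quoted in this thread.
ALLOWED = re.compile(
    r"spamdyke\[\d+\]: ALLOWED from: (?P<sender>\S+) to: \S+ "
    r"origin_ip: (?P<ip>\S+) origin_rdns: \S+ "
    r"auth: (?P<auth>\S+) encryption: (?P<enc>\S+)"
)

# Constructed sample lines (not from the thread), one log entry per line.
SAMPLE = [
    "@400000000000000100000001 spamdyke[101]: ALLOWED from: a@bulk1.example to: r1@dest.example origin_ip: 203.0.113.7 origin_rdns: (unknown) auth: alice@example.org encryption: (none) reason: 250_ok_1_qp_102",
    "@400000000000000100000002 tcpserver: status: 2/100",
    "@400000000000000100000003 spamdyke[103]: ALLOWED from: b@bulk2.example to: r2@dest.example origin_ip: 203.0.113.7 origin_rdns: (unknown) auth: alice@example.org encryption: (none) reason: 250_ok_2_qp_104",
    "@400000000000000100000004 spamdyke[105]: ALLOWED from: c@bulk3.example to: r3@dest.example origin_ip: 203.0.113.7 origin_rdns: (unknown) auth: alice@example.org encryption: (none) reason: 250_ok_3_qp_106",
    "@400000000000000100000005 spamdyke[107]: ALLOWED from: bob@example.org to: r4@dest.example origin_ip: 198.51.100.9 origin_rdns: host.isp.example auth: bob@example.org encryption: TLS reason: 250_ok_4_qp_108",
    "@400000000000000100000006 spamdyke[109]: ALLOWED from: x@sender.example to: bob@example.org origin_ip: 192.0.2.20 origin_rdns: mx.sender.example auth: (unknown) encryption: (none) reason: 250_ok_5_qp_110",
]

def domain(addr):
    return addr.rpartition("@")[2].lower()

def summarize(lines):
    """Per authenticated account: message count, source IPs, foreign-domain
    envelope senders, and messages submitted without encryption."""
    stats = defaultdict(lambda: {"count": 0, "ips": set(), "spoofed": 0, "plaintext": 0})
    for line in lines:
        m = ALLOWED.search(line)
        if not m or m["auth"] == "(unknown)":  # assumption: marks unauthenticated mail
            continue
        s = stats[m["auth"].lower()]
        s["count"] += 1
        s["ips"].add(m["ip"])
        s["spoofed"] += domain(m["sender"]) != domain(m["auth"])
        s["plaintext"] += m["enc"] == "(none)"
    return stats

def suspects(stats, min_msgs=3, spoof_ratio=0.5):
    """Accounts with enough volume where most senders are foreign domains."""
    return sorted(a for a, s in stats.items()
                  if s["count"] >= min_msgs and s["spoofed"] / s["count"] >= spoof_ratio)

if __name__ == "__main__":
    st = summarize(SAMPLE)
    for acct in suspects(st):
        print(acct, st[acct]["count"], sorted(st[acct]["ips"]), st[acct]["plaintext"])
```

On a live server the input would be /var/log/qmail/smtp/current with each entry on a single line; the mail archive wrapped the quoted entries across several lines.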
