I will try the
check the qmail queue
monitor the send log or use tcpdump to check connections to the server.
I am now off the blacklist so it is not such a bright red matter ...
I also am going to be vigilant to delete unused accounts
( personnel changes .... and there ya go unattended account of
[email protected] , password=found_in_dictionary ! oops )
I have deleted those sorts
I ... am reluctant to block all SMTP ( port 110 ?? ) outgoing.
I have some ... machines on the network that send an email ( via their
own sendmail or other MTA )
these have a cronned script that looks how full a local drive is and
sends an email to folks here.... so that they can keep track ... 'cause
they never actually LOOK..
these are sent from a machine (root) with a Gmail account . Gmail server
but it still leaves via my firewall ... so that would stop it, yes?
thanks
jshupert

On 1/14/2016 9:44 PM, Eric wrote:
Hi Jim,
You can do several things. First, on your internet firewall block all
outgoing SMTP traffic not originating from your email server. This
will prevent PCs from sending spam directly out the firewall. Two,
check the qmail queue for the possibility of a hacked password.
Usually when someone is using a hacked account the queue fills up
quickly. Looking at the queue it will be obvious which email account
has been hacked. I've had 11 thousand emails in the queue, over the
period of just a few hours, from a hacked password. Three, an email
account on a local PC spurred by a virus could be using your email
server as a relay. You could monitor the send log or use tcpdump to
check connections to the server.
Eric

On 1/14/2016 4:12 PM, Jim Shupert wrote:
It seems that my mail server does appear on a blacklist.
SpamCop
If I use mxtoolbox
https://mxtoolbox.com
under "more information" it says
The SpamCop Blocking List lists IP Addresses which have sent
unsolicited email to SpamCop users. This is often an indication of a
Virus or Botnet from a Malware infection contracted inside your network.
So, I am wondering what might be happening.
Might I have a bot somewhere,
such as
an account has been compromised? A bad guy has the login & password and
is now spamming?
How could/can I tell?
A look at the logs?
Where? How?
Would I monitor port 25 on my network?
any wisdom is welcomed.
To be clear, I am not a spammer - just a small business with a
qmailtoaster and ... now I have this matter.
any wisdom is welcomed.
thanks in advance
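
Added example, not part of the original thread: a Python script for the send-log check Eric describes, counting remote deliveries per envelope sender so that an account pushing out bulk mail stands out. The log lines are constructed in the qmail-send log format, and the function names and the threshold are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed qmail-send log excerpt; addresses and message numbers are made up.
SAMPLE_LOG = """\
@4000000056981a2b00000001 info msg 1001: bytes 2048 from <alice@example.com> qp 4001 uid 89
@4000000056981a2b00000002 starting delivery 1: msg 1001 to remote bob@example.net
@4000000056981a2b00000003 starting delivery 2: msg 1001 to local example.com-carol@example.com
@4000000056981a2b00000004 end msg 1001
@4000000056981a2c00000001 info msg 1002: bytes 900 from <olduser@example.com> qp 4010 uid 89
@4000000056981a2c00000002 starting delivery 3: msg 1002 to remote a@example.org
@4000000056981a2c00000003 starting delivery 4: msg 1002 to remote b@example.org
@4000000056981a2c00000004 starting delivery 5: msg 1002 to remote c@example.org
@4000000056981a2c00000005 end msg 1002
@4000000056981a2d00000001 info msg 1001: bytes 910 from <olduser@example.com> qp 4011 uid 89
@4000000056981a2d00000002 starting delivery 6: msg 1001 to remote d@example.org
@4000000056981a2d00000003 starting delivery 7: msg 1001 to remote e@example.org
"""

INFO_RE = re.compile(r"info msg (\d+): bytes \d+ from <([^>]*)> qp \d+ uid \d+")
DELIV_RE = re.compile(r"starting delivery \d+: msg (\d+) to remote \S+")
END_RE = re.compile(r"end msg (\d+)")

def remote_volume_by_sender(log_text):
    """Count remote delivery attempts per envelope sender."""
    sender_of = {}      # queue message number -> envelope sender
    counts = Counter()
    for line in log_text.splitlines():
        if m := INFO_RE.search(line):
            # qmail reuses message numbers, so a new info line overwrites the old one.
            sender_of[m.group(1)] = m.group(2).lower() or "<>"   # "<>" = bounce
        elif m := DELIV_RE.search(line):
            if m.group(1) in sender_of:
                counts[sender_of[m.group(1)]] += 1
        elif m := END_RE.search(line):
            sender_of.pop(m.group(1), None)
    return counts

def suspects(log_text, threshold):
    """Senders whose remote delivery count reaches the (assumed) threshold."""
    ranked = remote_volume_by_sender(log_text).most_common()
    return [(sender, n) for sender, n in ranked if n >= threshold]

if __name__ == "__main__":
    for sender, n in suspects(SAMPLE_LOG, threshold=5):
        print(f"{n:6d} remote deliveries from {sender}")
```

The log records the envelope sender, which a client can set freely, so a sender that stands out here is a lead to confirm against the SMTP authentication log rather than proof of which login was used.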