Yes, somewhere.net is the name I used for my domain.
Sent from Mail for Windows 10 From: Eric Broch Sent: Wednesday, December 11, 2019 4:02 PM To: [email protected] Subject: Re: [qmailtoaster] Got the willys with submission log entries Also, is there a user on your system [email protected]? On 12/11/2019 3:00 PM, Eric Broch wrote: can you search your logs (send, submission, and mailllog) for [email protected] On 12/11/2019 1:39 PM, Boatner Howell wrote: [root@NewMail ~]# rpm -qa |grep qmail qmail-1.03-2.2.1.qt.el7.x86_64 [root@NewMail ~]# cat /var/qmail/supervise/submission/run #!/bin/sh QMAILDUID=`id -u vpopmail` NOFILESGID=`id -g vpopmail` MAXSMTPD=`cat /var/qmail/control/concurrencyincoming` SMTPD="/var/qmail/bin/qmail-smtpd" TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb" HOSTNAME=`hostname` VCHKPW="/home/vpopmail/bin/vchkpw" export REQUIRE_AUTH=1 exec /usr/bin/softlimit -m 128000000 \ /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \ -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \ $SMTPD $VCHKPW /bin/true 2>&1 [root@NewMail ~]# Thanks. Sent from Mail for Windows 10 From: Eric Broch Sent: Wednesday, December 11, 2019 8:07 AM To: [email protected] Subject: Re: [qmailtoaster] Got the willys with submission log entries What version of qmail? # rpm -qa | grep qmail what's in your run file # cat /var/qmail/supervise/submission/run On 12/10/2019 12:24 PM, [email protected] wrote: I have checked out authentication with my submission port 587 and I must authenticate before sending. However, I have entries in the log from a “bad guy IP address” which say “sender accepted” and its giving me heartburn. 2019-12-10 02:43:04.376530500 CHKUSER accepted sender: from <[email protected]::> remote <4vFoWf3:unknown:64.225.41.10> rcpt <> : sender accepted 2019-12-10 03:04:09.269688500 CHKUSER accepted sender: from <[email protected]::> remote <3aJfz4D7:unknown:64.225.41.10> rcpt <> : sender accepted (Note: the IP 64.255.41.10 is the real IP of the bad guy) There are no corresponding lines which say, “client allowed to relay” Note after the from address, there are two colons: <[email protected]::> . On all legitimate entries, there are no such double colons. How did this guy get that entry into my submission logs without authenticating? Is this something I need to worry about? Any input would be really appreciated Boatner Howell Foundaton Technologies, LLC --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected] Spam Phish/Fraud Not spam Forget previous vote
--------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
