Re: [qmailtoaster] Help, I'm an open relay!!
Have you checked for hijacked accounts? Looks like all mails are sent from a single account and IP. Most likely a guessed/leaked password.

Cheers,
Sebastian

On 03.04.2014, at 14:30, Kelly Cobean kcob...@vipercrazy.com wrote:

> I don't understand what's going on here, but somehow all of a sudden I am on the spamcop RBL. If I tail /var/log/qmail/smtp/current, I'm seeing a TON of emails getting relayed that are all .ru hosts and addresses. I've run every open relay test I could find and all of them say I'm good to go, but spamdyke says I'm accepting over 75000 emails a day and they're not hitting any of my inboxes. Can y'all help me diagnose and solve this?
>
> Here's a snippet of the current file:
>
> @4000533d52101655376c CHKUSER relaying rcpt: from fe...@782782.ru:kcob...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt 1dawmydgeaa...@prosoft-m.ru : client allowed to relay
> @4000533d521016554324 policy_check: local kcob...@vipercrazy.com - remote 1dawmydgeaa...@prosoft-m.ru (AUTHENTICATED SENDER)
> @4000533d52101655470c policy_check: policy allows transmission
> @4000533d52101703edfc CHKUSER accepted sender: from i...@3vlodke.ru:bi...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt : sender accepted
> @4000533d521108b8a88c CHKUSER relaying rcpt: from i...@3vlodke.ru:bi...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt inf...@dvugadn.kht.ru : client allowed to relay
> @4000533d521108b8b444 policy_check: local bi...@vipercrazy.com - remote inf...@dvugadn.kht.ru (AUTHENTICATED SENDER)
> @4000533d521108b8b444 policy_check: policy allows transmission
> @4000533d52112c20499c simscan:[13710]:RELAYCLIENT:1.1458s:-:91.235.7.37:fe...@782782.ru:1dawmydgeaa...@prosoft-m.ru
> @4000533d52112cba283c spamdyke[13709]: ALLOWED from: fe...@782782.ru to: 1dawmydgeaa...@prosoft-m.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: kcob...@vipercrazy.com encryption: (none) reason: 250_ok_1396527623_qp_13732
> @4000533d521139ada1f4 tcpserver: end 13709 status 0
> @4000533d521139ada5dc tcpserver: status: 1/100
> @4000533d5212129d193c simscan:[13718]:RELAYCLIENT:0.9592s:-:91.235.7.37:i...@3vlodke.ru:inf...@dvugadn.kht.ru
> @4000533d52121316601c spamdyke[13717]: ALLOWED from: i...@3vlodke.ru to: inf...@dvugadn.kht.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: bi...@vipercrazy.com encryption: (none) reason: 250_ok_1396527624_qp_13752
> @4000533d52121a62824c tcpserver: status: 2/100
> @4000533d52121a628634 tcpserver: pid 13764 from 91.235.7.37
> @4000533d52121a628634 tcpserver: ok 13764 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::64980
> @4000533d5212201bdb34 tcpserver: end 13717 status 0
> @4000533d5212201bdf1c tcpserver: status: 1/100
> @4000533d521302016b8c tcpserver: status: 2/100
> @4000533d521302017744 tcpserver: pid 13766 from 91.235.7.37
> @4000533d521302017744 tcpserver: ok 13766 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::64990
> @4000533d52132c0ba474 CHKUSER accepted sender: from pa...@143904.ru:kcob...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt : sender accepted
> @4000533d52133ae2b6f4 CHKUSER relaying rcpt: from pa...@143904.ru:kcob...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt 4-1696808-19797-20060901154637-v...@subscribe.ru : client allowed to relay
> @4000533d52133ae2c2ac policy_check: local kcob...@vipercrazy.com - remote 4-1696808-19797-20060901154637-v...@subscribe.ru (AUTHENTICATED SENDER)
> @4000533d52133ae2ca7c policy_check: policy allows transmission
> @4000533d521413dbfdf4 CHKUSER accepted sender: from o...@7-design.ru:bi...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt : sender accepted
> @4000533d52142423c32c simscan:[13765]:RELAYCLIENT:0.4157s:-:91.235.7.37:pa...@143904.ru:4-1696808-19797-20060901154637-v...@subscribe.ru
> @4000533d521424f524bc spamdyke[13764]: ALLOWED from: pa...@143904.ru to: 4-1696808-19797-20060901154637-v...@subscribe.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: kcob...@vipercrazy.com encryption: (none) reason: 250_ok_1396527626_qp_13785
> @4000533d5214285cb1ec CHKUSER relaying rcpt: from o...@7-design.ru:bi...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt pavel_ma...@tut.by : client allowed to relay
> @4000533d5214285cb9bc policy_check: local bi...@vipercrazy.com - remote pavel_ma...@tut.by (AUTHENTICATED SENDER)
> @4000533d5214285cbda4 policy_check: policy allows transmission
> @4000533d5214317e9204 tcpserver: end 13764 status 0
> @4000533d5214317e95ec tcpserver: status: 1/100
> @4000533d521513228964 tcpserver: status: 2/100
> @4000533d521513228d4c tcpserver: pid 13811 from 91.235.7.37
> @4000533d521513229134 tcpserver: ok 13811 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::65030
> @4000533d52152188a204
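Added example, not part of the original thread: a short Python pass over spamdyke summary lines in the format quoted above, tallying accepted mail per `auth:` account and origin IP, which is the check the reply above does by eye. The log lines, addresses and thresholds are constructed for illustration, and `(unknown)` as the value logged for unauthenticated sessions is an assumption.

```python
import re
from collections import defaultdict

# spamdyke summary line, with the field order seen in the thread's log excerpt
# (from / to / origin_ip / origin_rdns / auth / encryption).
SPAMDYKE_RE = re.compile(
    r"spamdyke\[\d+\]: (?P<verdict>[A-Z_]+) "
    r"from: (?P<sender>\S*) to: (?P<rcpt>\S*) "
    r"origin_ip: (?P<ip>\S+) origin_rdns: (?P<rdns>\S+) "
    r"auth: (?P<auth>\S+) encryption: (?P<enc>\S+)"
)
NO_AUTH = "(unknown)"  # assumption: logged when the session did not authenticate


def domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def summarize(lines):
    """Per-account totals for accepted transactions that used SMTP AUTH."""
    stats = defaultdict(lambda: {"sent": 0, "foreign_sender": 0,
                                 "plaintext": 0, "ips": set()})
    for line in lines:
        m = SPAMDYKE_RE.search(line)
        if not m or m["verdict"] != "ALLOWED" or m["auth"] == NO_AUTH:
            continue  # other daemon, rejected mail, or ordinary inbound delivery
        s = stats[m["auth"].lower()]
        s["sent"] += 1
        s["ips"].add(m["ip"])
        # Envelope sender outside the account's own domain, as in the excerpt.
        if domain(m["sender"]) != domain(m["auth"]):
            s["foreign_sender"] += 1
        if m["enc"] == "(none)":
            s["plaintext"] += 1
    return dict(stats)


def suspect_accounts(stats, min_msgs=3, foreign_ratio=0.8):
    """Accounts relaying mostly with senders from other domains.

    Both thresholds are illustrative; tune them to normal traffic.
    """
    hits = [a for a, s in stats.items()
            if s["sent"] >= min_msgs
            and s["foreign_sender"] / s["sent"] >= foreign_ratio]
    return sorted(hits, key=lambda a: (-stats[a]["sent"], a))


def shared_ips(stats):
    """Origin IPs that authenticated as more than one account."""
    by_ip = defaultdict(set)
    for account, s in stats.items():
        for ip in s["ips"]:
            by_ip[ip].add(account)
    return {ip: sorted(a) for ip, a in by_ip.items() if len(a) > 1}


# Constructed sample input (placeholder timestamps, addresses and IPs).
SAMPLE_LOG = """\
@400000005f00000100000001 spamdyke[101]: ALLOWED from: x1@bulk-a.example to: r1@dest.example origin_ip: 203.0.113.37 origin_rdns: (unknown) auth: alice@example.org encryption: (none) reason: 250_ok_1_qp_102
@400000005f00000100000002 spamdyke[103]: ALLOWED from: x2@bulk-b.example to: r2@dest.example origin_ip: 203.0.113.37 origin_rdns: (unknown) auth: bob@example.org encryption: (none) reason: 250_ok_2_qp_104
@400000005f00000100000003 tcpserver: status: 1/100
@400000005f00000100000004 spamdyke[105]: ALLOWED from: x3@bulk-c.example to: r3@dest.example origin_ip: 203.0.113.37 origin_rdns: (unknown) auth: alice@example.org encryption: (none) reason: 250_ok_3_qp_106
@400000005f00000100000005 spamdyke[107]: ALLOWED from: x4@bulk-d.example to: r4@dest.example origin_ip: 203.0.113.37 origin_rdns: (unknown) auth: bob@example.org encryption: (none) reason: 250_ok_4_qp_108
@400000005f00000100000006 spamdyke[109]: ALLOWED from: x5@bulk-e.example to: r5@dest.example origin_ip: 203.0.113.37 origin_rdns: (unknown) auth: alice@example.org encryption: (none) reason: 250_ok_5_qp_110
@400000005f00000100000007 spamdyke[111]: ALLOWED from: x6@bulk-f.example to: r6@dest.example origin_ip: 203.0.113.37 origin_rdns: (unknown) auth: bob@example.org encryption: (none) reason: 250_ok_6_qp_112
@400000005f00000100000008 spamdyke[113]: ALLOWED from: x7@bulk-g.example to: r7@dest.example origin_ip: 203.0.113.38 origin_rdns: (unknown) auth: alice@example.org encryption: (none) reason: 250_ok_7_qp_114
@400000005f00000100000009 spamdyke[115]: ALLOWED from: carol@example.org to: friend@dest.example origin_ip: 198.51.100.10 origin_rdns: dsl.isp.example auth: carol@example.org encryption: TLS reason: 250_ok_8_qp_116
@400000005f0000010000000a spamdyke[117]: ALLOWED from: carol@example.org to: boss@dest.example origin_ip: 198.51.100.10 origin_rdns: dsl.isp.example auth: carol@example.org encryption: TLS reason: 250_ok_9_qp_118
@400000005f0000010000000b spamdyke[119]: ALLOWED from: news@list.example to: carol@example.org origin_ip: 192.0.2.25 origin_rdns: mx.list.example auth: (unknown) encryption: (none) reason: 250_ok_10_qp_120
@400000005f0000010000000c spamdyke[121]: DENIED_RDNS_MISSING from: z@junk.example to: carol@example.org origin_ip: 192.0.2.99 origin_rdns: (unknown) auth: (unknown) encryption: (none) reason: (empty)
""".splitlines()

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for acct in suspect_accounts(stats):
        s = stats[acct]
        print(f"{acct}: {s['sent']} relayed, {s['foreign_sender']} with a "
              f"foreign sender, {s['plaintext']} unencrypted, "
              f"from {sorted(s['ips'])}")
    for ip, accts in shared_ips(stats).items():
        print(f"{ip} authenticated as {len(accts)} accounts: {', '.join(accts)}")
```

To run it on a live system, feed it the lines of /var/log/qmail/smtp/current instead of `SAMPLE_LOG`.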
RE: [qmailtoaster] Help, I'm an open relay!!
I would shut down bi...@vipercrazy.com for now and see if the relaying stops. Do you know if that was an easily hacked password?

From: Sebastian Grewe [mailto:sebast...@grewe.ca]
Sent: Thursday, April 03, 2014 8:42 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Help, I'm an open relay!!

Have you checked for hijacked accounts? Looks like all mails are sent from a single account and IP. Most likely a guessed/leaked password.

Cheers,
Sebastian

On 03.04.2014, at 14:30, Kelly Cobean kcob...@vipercrazy.com wrote:

> I don't understand what's going on here, but somehow all of a sudden I am on the spamcop RBL. If I tail /var/log/qmail/smtp/current, I'm seeing a TON of emails getting relayed that are all .ru hosts and addresses. I've run every open relay test I could find and all of them say I'm good to go, but spamdyke says I'm accepting over 75000 emails a day and they're not hitting any of my inboxes. Can y'all help me diagnose and solve this?
Re: [qmailtoaster] Help, I'm an open relay!!
Auth line is: kcob...@vipercrazy.com

I'd guess that's the account?

Cheers,
Sebastian

On 03.04.2014, at 18:46, Helmut Fritz hel...@fritz.us.com wrote:

> I would shut down bi...@vipercrazy.com for now and see if the relaying stops. Do you know if that was an easily hacked password?
>
> From: Sebastian Grewe [mailto:sebast...@grewe.ca]
> Sent: Thursday, April 03, 2014 8:42 AM
> To: qmailtoaster-list@qmailtoaster.com
> Subject: Re: [qmailtoaster] Help, I'm an open relay!!
>
> Have you checked for hijacked accounts? Looks like all mails are sent from a single account and IP. Most likely a guessed/leaked password.
>
> Cheers,
> Sebastian
>
> On 03.04.2014, at 14:30, Kelly Cobean kcob...@vipercrazy.com wrote:
>
>> I don't understand what's going on here, but somehow all of a sudden I am on the spamcop RBL. If I tail /var/log/qmail/smtp/current, I'm seeing a TON of emails getting relayed that are all .ru hosts and addresses. I've run every open relay test I could find and all of them say I'm good to go, but spamdyke says I'm accepting over 75000 emails a day and they're not hitting any of my inboxes. Can y'all help me diagnose and solve this?
Re: [qmailtoaster] Help, I'm an open relay!!
Hey Sebastian,

I thought leaked password as well at first, but there are at least two accounts I see under auth: mine and one other. I suppose it's possible that they were guessed/leaked, but it's awfully coincidental that it's two accounts in the same domain on a server running at least 6 domains. I only saw two IP addresses doing all this spamming, so I put those in iptables and things seem quiet for now. I'll change the passwords on those two accounts as well. I'm really glad spamcop has an easy way to delist a server once an issue is fixed.

Thanks.
Kelly

On 04/03/2014 11:42, Sebastian Grewe wrote:

> Have you checked for hijacked accounts? Looks like all mails are sent from a single account and IP. Most likely a guessed/leaked password.
>
> Cheers,
> Sebastian
>
> On 03.04.2014, at 14:30, Kelly Cobean kcob...@vipercrazy.com wrote:
>
>> I don't understand what's going on here, but somehow all of a sudden I am on the spamcop RBL. If I tail /var/log/qmail/smtp/current, I'm seeing a TON of emails getting relayed that are all .ru hosts and addresses. I've run every open relay test I could find and all of them say I'm good to go, but spamdyke says I'm accepting over 75000 emails a day and they're not hitting any of my inboxes. Can y'all help me diagnose and solve this?
Re: [qmailtoaster] Help, I'm an open relay!!
Ok, I'm gonna ask a real dumb question. When I ran squirrel mail and the old QmailRocks distro (yep, LONG time ago), I had a squirrelmail plugin to allow people to change passwords via the squirrel. Now I'm running QTP and Roundcube. I still have squirrelmail running, but the password change results in a connection refused error. How the heck do users change their passwords in QTP? Do I have to do it for them using qmailadmin?

Thanks.
Kelly

On 04/03/2014 11:42, Sebastian Grewe wrote:

> Have you checked for hijacked accounts? Looks like all mails are sent from a single account and IP. Most likely a guessed/leaked password.
>
> Cheers,
> Sebastian
>
> On 03.04.2014, at 14:30, Kelly Cobean kcob...@vipercrazy.com wrote:
>
>> I don't understand what's going on here, but somehow all of a sudden I am on the spamcop RBL. If I tail /var/log/qmail/smtp/current, I'm seeing a TON of emails getting relayed that are all .ru hosts and addresses. I've run every open relay test I could find and all of them say I'm good to go, but spamdyke says I'm accepting over 75000 emails a day and they're not hitting any of my inboxes. Can y'all help me diagnose and solve this?
RE: [qmailtoaster] Help, I'm an open relay!!
Yes, very easily hacked. I'm glad vqadmin will show clear text passwords. I've changed the password and notified the user.

Thanks.
Kelly

On 04/03/2014 12:46, Helmut Fritz wrote:

> I would shut down bi...@vipercrazy.com for now and see if the relaying stops. Do you know if that was an easily hacked password?
>
> FROM: Sebastian Grewe [mailto:sebast...@grewe.ca]
> SENT: Thursday, April 03, 2014 8:42 AM
> TO: qmailtoaster-list@qmailtoaster.com
> SUBJECT: Re: [qmailtoaster] Help, I'm an open relay!!
>
> Have you checked for hijacked accounts? Looks like all mails are sent from a single account and IP. Most likely a guessed/leaked password.
>
> Cheers,
> Sebastian
>
> On 03.04.2014, at 14:30, Kelly Cobean kcob...@vipercrazy.com wrote:
>
>> I don't understand what's going on here, but somehow all of a sudden I am on the spamcop RBL. If I tail /var/log/qmail/smtp/current, I'm seeing a TON of emails getting relayed that are all .ru hosts and addresses. I've run every open relay test I could find and all of them say I'm good to go, but spamdyke says I'm accepting over 75000 emails a day and they're not hitting any of my inboxes. Can y'all help me diagnose and solve this?
Re: [qmailtoaster] Help, I'm an open relay!!
Hi Kelly.

Are you using the password plugin in Roundcube that allows users to change password?

Regards,
Finn

On 03-04-2014 18:47, Kelly Cobean wrote:

> Ok, I'm gonna ask a real dumb question. When I ran squirrel mail and the old QmailRocks distro (yep, LONG time ago), I had a squirrelmail plugin to allow people to change passwords via the squirrel. Now I'm running QTP and Roundcube. I still have squirrelmail running, but the password change results in a connection refused error. How the heck do users change their passwords in QTP? Do I have to do it for them using qmailadmin?
>
> Thanks.
> Kelly
>
> On 04/03/2014 11:42, Sebastian Grewe wrote:
>
>> Have you checked for hijacked accounts? Looks like all mails are sent from a single account and IP. Most likely a guessed/leaked password.
>>
>> Cheers,
>> Sebastian
>>
>> On 03.04.2014, at 14:30, Kelly Cobean kcob...@vipercrazy.com wrote:
>>
>>> I don't understand what's going on here, but somehow all of a sudden I am on the spamcop RBL. If I tail /var/log/qmail/smtp/current, I'm seeing a TON of emails getting relayed that are all .ru hosts and addresses. I've run every open relay test I could find and all of them say I'm good to go, but spamdyke says I'm accepting over 75000 emails a day and they're not hitting any of my inboxes. Can y'all help me diagnose and solve this?
Re: [qmailtoaster] Help, I'm an open relay!!
Make sure you clear your qmail queue after you shut the account(s) down. Been bitten by that one more than once.
From: Kelly Cobean kcob...@vipercrazy.com
To: qmailtoaster-list@qmailtoaster.com
Sent: Thursday, April 3, 2014 11:13 AM
Subject: Re: [qmailtoaster] Help, I'm an open relay!!
Hey Sebastian, I thought leaked password as well at first, but there are at least two accounts I see under auth: mine and one other. I suppose it's possible that they were guessed/leaked, but it's awfully coincidental that it's two accounts in the same domain on a server running at least 6 domains. I only saw two IP addresses doing all this spamming, so I put those in iptables and things seem quiet for now. I'll change the passwords on those two accounts as well. I'm really glad spamcop has an easy way to delist a server once an issue is fixed. Thanks. Kelly
On 04/03/2014 11:42, Sebastian Grewe wrote:
Have you checked for hijacked accounts? Looks like all mails are sent from a single account and IP. Most likely a guessed/leaked password. Cheers, Sebastian
On 03.04.2014, at 14:30, Kelly Cobean kcob...@vipercrazy.com wrote:
I don't understand what's going on here, but somehow all of a sudden I am on the spamcop RBL. If I tail /var/log/qmail/smtp/current, I'm seeing a TON of emails getting relayed that are all .ru hosts and addresses. I've run every open relay test I could find and all of them say I'm good to go, but spamdyke says I'm accepting over 75000 emails a day and they're not hitting any of my inboxes. Can y'all help me diagnose and solve this?
Here's a snippet of the current file:
@4000533d52101655376c CHKUSER relaying rcpt: from fe...@782782.ru:kcob...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt 1dawmydgeaa...@prosoft-m.ru : client allowed to relay
@4000533d521016554324 policy_check: local kcob...@vipercrazy.com - remote 1dawmydgeaa...@prosoft-m.ru (AUTHENTICATED SENDER)
@4000533d52101655470c policy_check: policy allows transmission
@4000533d52101703edfc CHKUSER accepted sender: from i...@3vlodke.ru:bi...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt : sender accepted
@4000533d521108b8a88c CHKUSER relaying rcpt: from i...@3vlodke.ru:bi...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt inf...@dvugadn.kht.ru : client allowed to relay
@4000533d521108b8b444 policy_check: local bi...@vipercrazy.com - remote inf...@dvugadn.kht.ru (AUTHENTICATED SENDER)
@4000533d521108b8b444 policy_check: policy allows transmission
@4000533d52112c20499c simscan:[13710]:RELAYCLIENT:1.1458s:-:91.235.7.37:fe...@782782.ru:1dawmydgeaa...@prosoft-m.ru
@4000533d52112cba283c spamdyke[13709]: ALLOWED from: fe...@782782.ru to: 1dawmydgeaa...@prosoft-m.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: kcob...@vipercrazy.com encryption: (none) reason: 250_ok_1396527623_qp_13732
@4000533d521139ada1f4 tcpserver: end 13709 status 0
@4000533d521139ada5dc tcpserver: status: 1/100
@4000533d5212129d193c simscan:[13718]:RELAYCLIENT:0.9592s:-:91.235.7.37:i...@3vlodke.ru:inf...@dvugadn.kht.ru
@4000533d52121316601c spamdyke[13717]: ALLOWED from: i...@3vlodke.ru to: inf...@dvugadn.kht.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: bi...@vipercrazy.com encryption: (none) reason: 250_ok_1396527624_qp_13752
@4000533d52121a62824c tcpserver: status: 2/100
@4000533d52121a628634 tcpserver: pid 13764 from 91.235.7.37
@4000533d52121a628634 tcpserver: ok 13764 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::64980
@4000533d5212201bdb34 tcpserver: end 13717 status 0
@4000533d5212201bdf1c tcpserver: status: 1/100
@4000533d521302016b8c tcpserver: status: 2/100
@4000533d521302017744 tcpserver: pid 13766 from 91.235.7.37
@4000533d521302017744 tcpserver: ok 13766 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::64990
@4000533d52132c0ba474 CHKUSER accepted sender: from pa...@143904.ru:kcob...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt : sender accepted
@4000533d52133ae2b6f4 CHKUSER relaying rcpt: from pa...@143904.ru:kcob...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt 4-1696808-19797-20060901154637-v...@subscribe.ru : client allowed to relay
@4000533d52133ae2c2ac policy_check: local kcob...@vipercrazy.com - remote 4-1696808-19797-20060901154637-v...@subscribe.ru (AUTHENTICATED SENDER)
@4000533d52133ae2ca7c policy_check: policy allows transmission
@4000533d521413dbfdf4 CHKUSER accepted sender: from o...@7-design.ru:bi...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt : sender accepted
@4000533d52142423c32c simscan:[13765]:RELAYCLIENT:0.4157s:-:91.235.7.37:pa...@143904.ru:4-1696808-19797-20060901154637-v...@subscribe.ru
@4000533d521424f524bc spamdyke[13764]: ALLOWED from: pa...@143904.ru to: 4-1696808-19797-20060901154637-v...@subscribe.ru origin_ip
Re: [qmailtoaster] Help, I'm an open relay!!
Wow...good call! That sucker was FULL. Thanks! Kelly
On 04/03/2014 15:10, LHTek wrote:
Make sure you clear your qmail queue after you shut the account(s) down. Been bitten by that one more than once.
FROM: Kelly Cobean kcob...@vipercrazy.com
TO: qmailtoaster-list@qmailtoaster.com
SENT: Thursday, April 3, 2014 11:13 AM
SUBJECT: Re: [qmailtoaster] Help, I'm an open relay!!
Hey Sebastian, I thought leaked password as well at first, but there are at least two accounts I see under auth: mine and one other. I suppose it's possible that they were guessed/leaked, but it's awfully coincidental that it's two accounts in the same domain on a server running at least 6 domains. I only saw two IP addresses doing all this spamming, so I put those in iptables and things seem quiet for now. I'll change the passwords on those two accounts as well. I'm really glad spamcop has an easy way to delist a server once an issue is fixed. Thanks. Kelly
On 04/03/2014 11:42, Sebastian Grewe wrote:
Have you checked for hijacked accounts? Looks like all mails are sent from a single account and IP. Most likely a guessed/leaked password. Cheers, Sebastian
On 03.04.2014, at 14:30, Kelly Cobean kcob...@vipercrazy.com wrote:
I don't understand what's going on here, but somehow all of a sudden I am on the spamcop RBL. If I tail /var/log/qmail/smtp/current, I'm seeing a TON of emails getting relayed that are all .ru hosts and addresses. I've run every open relay test I could find and all of them say I'm good to go, but spamdyke says I'm accepting over 75000 emails a day and they're not hitting any of my inboxes. Can y'all help me diagnose and solve this?
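The pattern in the log quoted throughout this thread is an `auth:` account on a local domain relaying mail whose envelope sender sits on an unrelated domain. The following is an added example, not part of any poster's message and not qmailtoaster or spamdyke code, that counts this per account; the sample lines, addresses, IPs and the `min_foreign` threshold are constructed, and an `auth:` value without `@` is assumed to mean an unauthenticated session.

```python
import re
from collections import defaultdict

# Constructed sample in the spamdyke line format quoted in this thread.
# Addresses, domains and IPs are placeholders, not values from the thread.
SAMPLE_LOG = """\
@4000533d0001 spamdyke[101]: ALLOWED from: promo@bulk-a.example to: u1@dest.example origin_ip: 192.0.2.37 origin_rdns: (unknown) auth: kelly@mail.example encryption: (none) reason: 250_ok_1396527623_qp_201
@4000533d0002 CHKUSER relaying rcpt: from info@bulk-b.example:bill@mail.example: remote 192.0.2.37:unknown:192.0.2.37 rcpt u2@dest.example : client allowed to relay
@4000533d0003 spamdyke[102]: ALLOWED from: info@bulk-b.example to: u2@dest.example origin_ip: 192.0.2.37 origin_rdns: (unknown) auth: bill@mail.example encryption: (none) reason: 250_ok_1396527624_qp_202
@4000533d0004 spamdyke[103]: ALLOWED from: sale@bulk-c.example to: u3@dest.example origin_ip: 192.0.2.37 origin_rdns: (unknown) auth: kelly@mail.example encryption: (none) reason: 250_ok_1396527625_qp_203
@4000533d0005 spamdyke[104]: ALLOWED from: deal@bulk-d.example to: u4@dest.example origin_ip: 192.0.2.99 origin_rdns: (unknown) auth: bill@mail.example encryption: (none) reason: 250_ok_1396527626_qp_204
@4000533d0006 spamdyke[105]: ALLOWED from: ann@mail.example to: friend@dest.example origin_ip: 198.51.100.7 origin_rdns: host.isp.example auth: ann@mail.example encryption: TLS reason: 250_ok_1396527700_qp_205
@4000533d0007 spamdyke[106]: ALLOWED from: someone@remote.example to: kelly@mail.example origin_ip: 203.0.113.5 origin_rdns: mx.remote.example auth: (unknown) encryption: (none) reason: 250_ok_1396527701_qp_206
"""

# Fields of a spamdyke ALLOWED line, in the order shown in the thread's log.
ALLOWED_RE = re.compile(
    r"spamdyke\[\d+\]: ALLOWED from: (?P<sender>\S*) to: (?P<rcpt>\S+) "
    r"origin_ip: (?P<ip>\S+) origin_rdns: \S+ auth: (?P<auth>\S+)"
)

def domain(addr):
    """Lower-cased domain part of an address ('' for a null sender)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def hijack_candidates(log_text, min_foreign=2):
    """Return {auth account: stats} for accounts relaying mail from foreign sender domains."""
    stats = defaultdict(lambda: {"sent": 0, "foreign": 0, "ips": set()})
    for line in log_text.splitlines():
        m = ALLOWED_RE.search(line)
        if not m or "@" not in m["auth"]:
            continue  # not a spamdyke ALLOWED line, or no SMTP AUTH account
        account = m["auth"].lower()
        stats[account]["sent"] += 1
        stats[account]["ips"].add(m["ip"])
        # Authenticated as a local user but sending as someone else's domain.
        if domain(m["sender"]) != domain(account):
            stats[account]["foreign"] += 1
    return {a: s for a, s in stats.items() if s["foreign"] >= min_foreign}

if __name__ == "__main__":
    for account, s in sorted(hijack_candidates(SAMPLE_LOG).items()):
        print(account, "sent:", s["sent"], "foreign:", s["foreign"], "ips:", sorted(s["ips"]))
```

On a live server the input would be the contents of /var/log/qmail/smtp/current, the file tailed in the original post; accounts it reports are the ones to lock and whose queued mail should be cleared.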