Ok, it happened again, and as far as I can tell from the logs there
is no POP log-in by the host sending the spam:
*******
First logged connection:
14:19:13 3 SMTP-522(smtp0000.mail.yahoo.com) Failed to verify. Real
address is [125.82.235.75:2432]
14:19:13 3 SMTP-417([77.123.105.53]) Abort Received, reason=60
14:19:13 3 SMTP-417([77.123.105.53]) Reading Failed. Error
Code=-25010. Read:
14:19:14 3 SMTP-399(wicked.com) Failed to connect to
[208.236.11.161:25]. reason=60
14:19:14 3 SMTP [S.0002952391] dequeueing
14:19:14 3 SMTP-419(sohu.com) Failed to connect to
[61.135.132.110:25]. reason=60
14:19:14 3 SMTP-419(sohu.com) No relay address is accessable. Error
Code=-25010
14:19:14 3 SMTP [S.0002950057] dequeueing
14:19:14 3 SMTP [S.0002950080] dequeueing
14:19:14 3 SMTP [S.0002948942] dequeueing
14:19:14 3 SMTP [S.0002949070] dequeueing
14:19:14 3 SMTP [S.0002950104] dequeueing
14:19:14 3 SMTP-414(gzyp21.net) Failed to connect to
[219.137.167.218:25]. reason=60
14:19:14 3 SMTP-413(gzyp21.net) Failed to connect to
[219.137.167.218:25]. reason=60
14:19:14 3 SMTP [S.0002952427] dequeueing
14:19:14 3 SMTP [S.0002948832] dequeueing
14:19:14 3 SMTP [S.0002950248] dequeueing
14:19:14 3 SMTP [S.0002952376] dequeueing
14:19:14 3 SMTP [S.0002952380] dequeueing
14:19:14 3 SMTP [S.0002952387] dequeueing
Spam relay address identified by router:
14:19:16 5 ROUTER Input: lvlin(chinese.com)
14:19:16 5 ROUTER Parser: [EMAIL PROTECTED] -> lvlin(chinese.com)
14:19:16 3 SMTP [S.0002948989] delayed by sina.com.cn: 450 4.1.8
<[EMAIL PROTECTED]>: Sender address rejected: Domain not found\r
14:19:18 1 SMTP-526([58.65.90.221]) SPAM? Host is blacklisted per RBL
cbl.abuseat.org with result [127.0.0.2]
14:19:20 3 SMTP [S.0002952893] delayed by sina.com.cn: 450 4.1.8
<[EMAIL PROTECTED]>: Sender address rejected: Domain not found\r
14:19:21 2 SMTP-522([125.82.235.75]) {S.0002956215} received, 964 bytes
14:19:21 5 ROUTER Input: lvlin(chinese.com)
14:19:21 5 ROUTER Parser: [EMAIL PROTECTED] -> lvlin(chinese.com)
Another relay address:
14:19:22 5 ROUTER Input: caowhitneyq(mail.china.com)
14:19:22 5 ROUTER Parser: [EMAIL PROTECTED] -> caowhitneyq
(mail.china.com)
14:19:27 3 SMTP-529(18.186.133.219.broad.sz.gd.dynamic.
163data.com.cn) Failed to verify. Real address is [219.133.186.18:3847]
Another relay address from a different host:
14:19:28 5 ROUTER Input: jlbrisbin(163data.com.cn)
14:19:28 5 ROUTER Parser: [EMAIL PROTECTED] -> jlbrisbin
(163data.com.cn)
14:19:32 3 SMTP-528(sanshui.gd.cn) Failed to get IP addresses. Error
Code=-3162
14:19:32 3 SMTP [S.0002952426] dequeueing
********
Checked the logs: the closest previous POP log-in, from a different host, was five
minutes earlier. Relaying is allowed from POP hosts for *one* minute
after log-in.
My best guess on this is that some machines on the LAN were logging
into the POP host via the firewall/router (10.10.250.1) with the
external name of the mail server (mail.indx.co.uk), rather than the
LAN name of the server (mail.battersea.indx.co.uk). This caused the
router/firewall itself to become "authenticated", so any incoming
SMTP was authenticated because it came through the router, i.e.:
LAN mail client -> router -> mail server
SIMS logs the LAN IP address of the router when these LAN clients log
in.
I've changed all the LAN mail clients so that they log in and send to
mail.battersea.indx.co.uk (the LAN host), and am watching the logs to see
what happens.
My guess on why someone could still relay five minutes after a POP
log-in is that throughout that period SMTP mail was incoming, so kept
the router authenticated.
Any other ideas?
-- Clive
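An added example, not part of Clive's post or of SIMS itself: a small Python correlator that walks SIMS-style log lines and flags messages accepted with no POP log-in from the same source address inside the one-minute relay window, or whose only authorising log-in is attributed to the router address (10.10.250.1). The POP log-in line shape and the sample lines are constructed, since the post shows no POP lines; only the 14:19:21 "received" line is taken from the post.

```python
import re
from datetime import datetime, timedelta

# Line shapes: the SMTP "received" form is as it appears in the post; the
# POP log-in form is an assumption (the post shows no POP lines).
SMTP_RECV = re.compile(
    r"^(\d\d:\d\d:\d\d) \d SMTP-\d+\(\[?([^\]\)]+)\]?\) \{(S\.\d+)\} received")
POP_LOGIN = re.compile(
    r"^(\d\d:\d\d:\d\d) \d POP-\d+\(\[?([^\]\)]+)\]?\) .*logged in")

RELAY_WINDOW = timedelta(minutes=1)   # SIMS setting described in the post
ROUTER_IP = "10.10.250.1"             # LAN address of the firewall/router

# Constructed sample log; only the 14:19:21 line is taken from the post.
SAMPLE_LOG = """\
14:14:02 2 POP-101(10.10.250.1) User clive logged in
14:14:30 2 SMTP-300(10.10.250.1) {S.0000000001} received, 512 bytes
14:19:21 2 SMTP-522([125.82.235.75]) {S.0002956215} received, 964 bytes
14:20:05 2 POP-102(10.10.20.7) User clive logged in
14:20:10 2 SMTP-301(10.10.20.7) {S.0000000002} received, 420 bytes
""".splitlines()

def _ts(s):
    return datetime.strptime(s, "%H:%M:%S")

def suspicious_relays(lines, router_ip=ROUTER_IP, window=RELAY_WINDOW):
    """Return (msg_id, source, reason) for received messages with no POP
    log-in from the same source inside `window`, or whose grant came from
    the router address. Simplification: every received message counts as
    a relay candidate; a real check would look only at off-domain mail."""
    logins = {}      # source address -> list of POP log-in times
    findings = []
    for line in lines:
        m = POP_LOGIN.match(line)
        if m:
            logins.setdefault(m.group(2), []).append(_ts(m.group(1)))
            continue
        m = SMTP_RECV.match(line)
        if not m:
            continue
        when, src, msg_id = _ts(m.group(1)), m.group(2), m.group(3)
        recent = [t for t in logins.get(src, [])
                  if timedelta(0) <= when - t <= window]
        if not recent:
            findings.append((msg_id, src, "no POP log-in within window"))
        elif src == router_ip:
            # LAN clients logging in via the external name appear as the
            # router, so anything arriving through it inherits the grant.
            findings.append((msg_id, src, "authorised via router address"))
    return findings
```

Run over the real SIMS log after adding the server's actual POP log-in line shape to `POP_LOGIN`; a message flagged "no POP log-in within window" is the case the post describes.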
This message is sent to you because you are subscribed to
the mailing list <SIMS@mail.stalker.com>.