> Sounds like you have a web based email form or a > compromised user or > machine that is feeding the spam into your machine. > > I'd check the messages themselves to see where the > headers said they > came from. > > Rick
Yes, Your doubt is right. This is output from -bash-2.05b# tail -f /var/spool/qmailscan/qmail-queue.log " Fri, 31 Mar 2006 03:16:10 BDT:22486: ------ Process 22486 finished. Total of 7.66887 secs Fri, 31 Mar 2006 03:16:13 BDT:22492: w_c: elapsed time from start 4.618193 secs Fri, 31 Mar 2006 03:16:13 BDT:22492: return-path='[EMAIL PROTECTED]', recips='[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]' Fri, 31 Mar 2006 03:16:13 BDT:22492: from='"§K¶O¡B§K¶O¡B§K¶O¡B§K¶O" <[EMAIL PROTECTED]>', subj='·Q¤F¸Ñ°Ó«~ªº¦æ¾PÁͶնܡH^^Åý±M®a§K¶O¬°±z¿Ô¸ß¡I^^navigable', via SMTP from 192.168.0.1 Fri, 31 Mar 2006 03:16:14 BDT:22492: clamdscan: finished scan of dir "/var/spool/qmailscan/tmp/ns1.infobd.net114375336862022492" in 1.038585 secs Fri, 31 Mar 2006 03:16:14 BDT:22492: SA: don't scan as RELAYCLIENT implies this was sent by a local user Fri, 31 Mar 2006 03:16:14 BDT:22492: p_s: finished scan in 0.003957 secs Fri, 31 Mar 2006 03:16:14 BDT:22492: ini_sc: finished scan of "/var/spool/qmailscan/tmp/ns1.infobd.net114375336862022492"... Fri, 31 Mar 2006 03:16:14 BDT:22492: ini_sc: elapsed time from start 5.667414 secs Fri, 31 Mar 2006 03:16:14 BDT:22492: ------ Process 22492 finished. Total of 5.68355 secs Fri, 31 Mar 2006 03:16:14 BDT:22487: w_c: elapsed time from start 12.394417 secs Fri, 31 Mar 2006 03:16:14 BDT:22487: return-path='[EMAIL PROTECTED]', recips='[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]' Fri, 31 Mar 2006 03:16:14 BDT:22487: from='"¡®¤£¥Î§A¦hªá¿ú¡A¥i¥H¬Ù¿ú¤S¥i¥HÁÈ¿ú(§Þ¥©¡B¤èªk°Ý§Ú)http:\¤£¥Î§A¦hªá¿ú¡A¥i¥H¬Ù¿ú¤S¥i¥HÁÈ¿ú(§Þ¥©¡B¤èªk°Ý§Ú)vv" <[EMAIL PROTECTED]>', subj='¢ð¨C¤ë¦æ°Ê¹q¸Ü¶O¶W¹L1,000¤¸ªº¤H¡A½Ðª`·N!!!([EMAIL PROTECTED])¡¦¡¦', via SMTP from 192.168.0.1 Fri, 31 Mar 2006 03:16:15 BDT:22487: clamdscan: finished scan of dir "/var/spool/qmailscan/tmp/ns1.infobd.net114375336262022487" in 1.03333 secs Fri, 31 Mar 2006 03:16:15 BDT:22487: SA: don't scan as RELAYCLIENT implies this was sent by a local user Fri, 31 Mar 2006 03:16:15 BDT:22487: p_s: finished scan in 0.003948 secs Fri, 31 Mar 2006 03:16:15 BDT:22487: ini_sc: finished scan of "/var/spool/qmailscan/tmp/ns1.infobd.net114375336262022487"... Fri, 31 Mar 2006 03:16:15 BDT:22487: ini_sc: elapsed time from start 13.438296 secs Fri, 31 Mar 2006 03:16:16 BDT:22487: ------ Process 22487 finished. Total of 13.460671 secs Fri, 31 Mar 2006 03:16:17 BDT:22514: +++ starting debugging for process 22514 by uid=89 Fri, 31 Mar 2006 03:16:21 BDT:22516: +++ starting debugging for process 22516 by uid=89 Fri, 31 Mar 2006 03:16:23 BDT:22518: +++ starting debugging for process 22518 by uid=89 Fri, 31 Mar 2006 03:16:23 BDT:22520: +++ starting debugging for process 22520 by uid=89" And also output from: -bash-2.05b# tail -f /var/log/qmail/smtpd/current @40000000442c4d421a03c464 tcpserver: end 24467 status 256 @40000000442c4d421a03d7ec tcpserver: status: 19/20 @40000000442c4d421a03eb74 tcpserver: status: 20/20 @40000000442c4d421a03fefc tcpserver: pid 24468 from 192.168.0.1 @40000000442c4d421a041284 tcpserver: ok 24468 0:202.174.137.19:25 :192.168.0.1::3393 @40000000442c4d421a0429f4 tcpserver: end 24468 status 256 @40000000442c4d421a0458d4 tcpserver: status: 19/20 @40000000442c4d421a046c5c tcpserver: status: 20/20 @40000000442c4d421a047fe4 tcpserver: pid 24469 from 192.168.0.1 @40000000442c4d421a04936c tcpserver: ok 24469 0:202.174.137.19:25 :192.168.0.1::2435 @40000000442c4d452cc0a464 tcpserver: end 23417 status 256 @40000000442c4d452cc0bfbc tcpserver: status: 19/20 @40000000442c4d452cc0d344 tcpserver: status: 20/20 @40000000442c4d452cc0e6cc tcpserver: pid 24484 from 192.168.0.1 @40000000442c4d452cc0fa54 tcpserver: ok 24484 0:202.174.137.19:25 :192.168.0.1::1671 Above local ip is my local gateway IP. And moreover there is no valid user name or valid local IP from my subnet. So now how could I stop it? __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
