I was using "tcpdump" for capture the packets,
The packets are directed to public ip (I use NAT) of my server
hitting  port 25 and the server is relaying  to the world.
20:58:38.506904 eth1 < > R 2038520947:2038520947(0) ack 0 win 0 (ttl 64, id 10702)
          4500 0028 29ce 0000 4006 4d8c 3d6b 0af9
          ac11 0f01 73fa 0019 7981 5c73 0000 0000
          5014 0000 6252 0000 0101 080a 1011
21:11:53.155613 eth1 < > S 2930107565:2930107565(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) (ttl 106, id 47801)
          4500 0030 bab9 4000 6a06 5298 3d6b 0af9
          ac11 0f01 923f 0019 aea5 e4ad 0000 0000
          7002 faf0 5f0c 0000 0204 05b4 0101 0402
21:11:53.155689 eth1 > > S 563912423:563912423(0) ack 2930107566 win 32767 <mss 1460,nop,nop,sackOK> (DF) (ttl 64, id 24905)
>From my other logs is visible that was never existing in the "open-smtp"
and was never trying access port 110 or 143.

My /etc/tcp.smtp:

My problems is, that I don't know how stop
the spam, the server shouldn't  relay without
first auth with POP3 .
Maybe my configuration is wrong but I didn't
have any problems in almost 2 years.


Hi ast1200,

On Tue, 10 Jun 2003 09:54:12 -0600 ast1200 wrote:

For 2 days I was logging network traffic on this server (huge files!)
and I know the spam is coming direct from Internet to port 25,

Well OK. But where is the spam directed to? Domains on your system?
If not: how could the sender gain relay priviledges? The network dump
should make this visible. POP3-before-SMTP? SMTP-AUTH?

The problem started just a few weeks ago. Did somebody found a method   
how hack qmail/vpopmail ???

Not I'm aware of.
Unless yo have weak patches applied there's no way known to me how
'RELAY' flag can be set for qmail-smtpd, except the intended methods:
environment variable (used by POP3-before-SMTP way) or SMTP-AUTH.

Any advice welcome.

Formulate your question clearly. What _exactly_ is your problem?
You wrote something about spam and something different about mail coming
in from the internet.
The former is unsatisfying, the latter is intentional.

1.) Where does the spam come from
2.) Where is it directed to
    a.) If you system is the target: there's nothing you can do, except
    installing something like SpamAssassin
    b.) If you're an relay: what does the traffic-dump say about the
    SMTP-sessions; how where RELAY priviledges gained?

Your favorite stores, helpful shopping tools and great gift ideas. Experience the convenience of buying online with [EMAIL PROTECTED] http://shopnow.netscape.com/

Reply via email to