If remote user is sending using an authenticated SMTP session, you would find his name within chkuser logging.

Probably, as Ken is saying, are simply some viruses trying to guess recipients on your MX hosted domains.


At 19.24 13/04/2005, you wrote:

Thanks for your help.

You probably are receiving a dictionary scan from infected PC's.
Be sure to use rblsmtpd against one or more of the good rbl sites.

I have tried this before write here. So maybe too much rbl's, look:


QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`

MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`

exec /usr/local/bin/softlimit -m 10000000 \
/usr/local/bin/tcpserver \
        -v -H -R -l 0 \
        -x /etc/tcprules/tcp.smtp.cdb -c "$MAXSMTPD" \
        -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
/usr/local/bin/rblsmtpd -b -C \
        -r "list.dsbl.org:Your mail server is listed in DSBL list." \
        -r "bl.spamcop.net:Your mail server is listed in Spamcop
blocklist." \
        -r "relays.ordb.org:Your mail server is an OPEN RELAY (ORDB
list)." \
        -r "sbl.spamhaus.org:Your mail server is listed in SBL-Spamhaus." \
        -r "blackholes.mail-abuse.org: See
<http://www.mail-abuse.com/enduserinfo.html>" \
        -r "dialups.mail-abuse.org: See
<http://www.mail-abuse.com/enduserinfo.html>" \
        -t 5 \
/var/qmail/bin/qmail-smtpd \
/var/vpopmail/bin/vchkpw /bin/true 2>&1

Another thing you can do is scan for frequent IP's to bad users
in the smtp log files and build new tcp.smtp deny lines.

Yes. That what I'm doing:

and so on...

But there is a way to determine if the spammer are using an account on my
server, with password, to do that? So I can change the password and block


Reply via email to