If the remote user is sending using an authenticated SMTP session, you would find his name within the chkuser logging.
Probably, as Ken is saying, these are simply some viruses trying to guess recipients on your MX-hosted domains.
At 19.24 13/04/2005, you wrote:
Thanks for your help.
You probably are receiving a dictionary scan from infected PCs. Be sure to use rblsmtpd against one or more of the good rbl sites.
I tried this before writing here. So maybe too many rbl's, look:
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
exec /usr/local/bin/softlimit -m 10000000 \
  /usr/local/bin/tcpserver \
  -v -H -R -l 0 \
  -x /etc/tcprules/tcp.smtp.cdb -c "$MAXSMTPD" \
  -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
  /usr/local/bin/rblsmtpd -b -C \
  -r "list.dsbl.org:Your mail server is listed in DSBL list." \
  -r "bl.spamcop.net:Your mail server is listed in Spamcop blocklist." \
  -r "relays.ordb.org:Your mail server is an OPEN RELAY (ORDB list)." \
  -r "sbl.spamhaus.org:Your mail server is listed in SBL-Spamhaus." \
  -r "blackholes.mail-abuse.org: See <http://www.mail-abuse.com/enduserinfo.html>" \
  -r "dialups.mail-abuse.org: See <http://www.mail-abuse.com/enduserinfo.html>" \
  -t 5 \
  /var/qmail/bin/qmail-smtpd \
  /var/vpopmail/bin/vchkpw /bin/true 2>&1
Another thing you can do is scan for frequent IPs to bad users in the smtp log files and build new tcp.smtp deny lines.
Yes. That's what I'm doing:
4.:deny
12.:deny
130-159.:deny
80-89.:deny
and so on...
But is there a way to determine if the spammer is using an account on my server, with a password, to do that? So I can change the password and block him.
Thanks, -- Walter.
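
The two log checks suggested in this thread, as an added example that is not part of the original messages: it counts rejected recipients per unauthenticated IP to produce tcp.smtp deny lines, and lists any authenticated user names found in chkuser lines. The chkuser line layout in the regex is an assumption to verify against your own smtpd log, and the sample lines and addresses are constructed.

```python
import re
from collections import Counter

# Assumed chkuser log layout (verify against your own smtpd log):
# CHKUSER <status>: from <sender:authuser:relayclient> remote <helo:host:ip> rcpt <addr> : <detail>
LINE = re.compile(
    r"CHKUSER (?P<status>[^:]+): from <(?P<sender>[^:>]*):(?P<auth>[^:>]*):[^>]*>"
    r" remote <[^:>]*:[^:>]*:(?P<ip>[^>]*)> rcpt <(?P<rcpt>[^>]*)>"
)

# Constructed sample lines using documentation addresses; not real traffic.
SAMPLE = """\
CHKUSER rejected rcpt: from <a@example.net::> remote <pc1:unknown:192.0.2.10> rcpt <aaron@example.com> : not existing recipient
CHKUSER rejected rcpt: from <a@example.net::> remote <pc1:unknown:192.0.2.10> rcpt <abby@example.com> : not existing recipient
CHKUSER rejected rcpt: from <a@example.net::> remote <pc1:unknown:192.0.2.10> rcpt <adam@example.com> : not existing recipient
CHKUSER rejected rcpt: from <b@example.net::> remote <mx:unknown:198.51.100.7> rcpt <typo@example.com> : not existing recipient
CHKUSER accepted rcpt: from <c@example.net::> remote <mx:unknown:198.51.100.7> rcpt <info@example.com> : found existing recipient
CHKUSER accepted rcpt: from <jdoe@example.com:jdoe@example.com:> remote <laptop:unknown:203.0.113.5> rcpt <info@example.com> : found existing recipient
CHKUSER rejected rcpt: from <jdoe@example.com:jdoe@example.com:> remote <laptop:unknown:203.0.113.5> rcpt <nobody@example.com> : not existing recipient
"""


def scan(lines):
    """Return (rejections per unauthenticated IP, recipients attempted per authenticated user)."""
    bad_by_ip, auth_users = Counter(), Counter()
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not a chkuser line, or a layout this regex does not cover
        if m["auth"]:
            # Authenticated session: the remedy is the account, not an IP block.
            auth_users[m["auth"]] += 1
        elif m["status"].startswith("rejected"):
            bad_by_ip[m["ip"]] += 1
    return bad_by_ip, auth_users


def deny_rules(bad_by_ip, threshold=3):
    """tcp.smtp deny lines for IPs with at least `threshold` rejected recipients."""
    return [f"{ip}:deny" for ip, n in sorted(bad_by_ip.items()) if n >= threshold]


if __name__ == "__main__":
    bad, auth = scan(SAMPLE.splitlines())
    print("\n".join(deny_rules(bad)))
    for user, n in auth.most_common():
        print(f"authenticated as {user}: {n} recipients attempted")
```

An empty authenticated-user result over the period of the scan supports the reading that the traffic is unauthenticated recipient guessing rather than a compromised account.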