#1
18th January 2009
c0mrade
Port Guard
Join Date: May 2008
Posts: 41
possible/certain spam problem?

Hello,

Can anyone identify what is going on with my server .. I can see it's some kind of spam problem .. but no idea who is sending it .. what should I do, here are some logs .. :

Quote:
2009-01-18 15:39:28 [20205] SMTP connection from [127.0.0.1]:33959 I=[127.0.0.1]:25 (TCP/IP connection count = 7)
2009-01-18 15:39:29 [12446] list matching forced to fail: failed to find host name for 127.0.0.1
2009-01-18 15:39:29 [12446] H=(medina.green.ba) [127.0.0.1]:33374 I=[127.0.0.1]:25 Warning: Sender rate 831.5 / 1h
2009-01-18 15:39:29 [12446] 1LOYoD-0003Ek-MT <= marisha@allu.com
2009-01-18 15:39:29 [12446] SMTP connection from (medina.green.ba) [127.0.0.1]:33374 I=[127.0.0.1]:25 closed by QUIT
2009-01-18 15:39:30 [20205] SMTP connection from [127.0.0.1]:34013 I=[127.0.0.1]:25 (TCP/IP connection count = 7)
2009-01-18 15:39:30 [20205] SMTP connection from [127.0.0.1]:34024 I=[127.0.0.1]:25 (TCP/IP connection count = 8)
2009-01-18 15:39:32 [12451] list matching forced to fail: failed to find host name for 127.0.0.1
<marisha@homexam.com> for wauja10@school.edu.ru
2009-01-18 15:39:32 [12476] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1LOYoG-0003Ep-OU
2009-01-18 15:39:32 [12451] SMTP connection from (medina.green.ba) [127.0.0.1]:33476 I=[127.0.0.1]:25 closed by QUIT
2009-01-18 15:39:32 [12476] 1LOYoG-0003Ep-OU ** wauja10@school.edu.ru F=<marisha@homexam.com> R=fail_remote_domains: The mail server could not deliver mail to wauja10@school.edu.ru. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
2009-01-18 15:39:32 [12477] cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1LOYoG-0003Ep-OU
2009-01-18 15:39:32 [12477] 1LOYoG-0003FF-UQ <= <> R=1LOYoG-0003Ep-OU U=mailnull P=local S=2282 T="Mail delivery failed: returning message to sender" from <> for marisha@homexam.com
2009-01-18 15:39:32 [12478] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1LOYoG-0003FF-UQ
2009-01-18 15:39:32 [12476] 1LOYoG-0003Ep-OU Completed QT=0s
2009-01-18 15:39:33 [12467] 1LOYoB-0003Ej-TQ ** faliwo@school.edu.ru F=<marisha@locl.net> R=fail_remote_domains: The mail server could not deliver mail to faliwo@school.edu.ru. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
2009-01-18 15:39:33 [12480] cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1LOYoB-0003Ej-TQ
2009-01-18 15:39:33 [12478] 1LOYoG-0003FF-UQ == marisha@homexam.com R=dk_lookuphost T=dk_remote_smtp defer (-53): retry time not reached for any host
2009-01-18 15:39:33 [12480] 1LOYoH-0003FI-30 <= <> R=1LOYoB-0003Ej-TQ U=mailnull P=local S=2308 T="Mail delivery failed: returning message to sender" from <> for marisha@locl.net
2009-01-18 15:39:33 [12481] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1LOYoH-0003FI-30
2009-01-18 15:39:33 [12467] 1LOYoB-0003Ej-TQ Completed QT=6s
2009-01-18 15:39:33 [12460] H=localhost (medina.green.ba) [127.0.0.1]:33651 I=[127.0.0.1]:25 Warning: Sender rate 832.7 / 1h
2009-01-18 15:39:33 [12468] H=localhost (medina.green.ba) [127.0.0.1]:33959 I=[127.0.0.1]:25 Warning: Sender rate 833.7 / 1h
2009-01-18 15:39:33 [12460] 1LOYoH-0003Ey-Au <= marisha@pimpernel.com H=localhost (medina.green.ba) [127.0.0.1]:33651 I=[127.0.0.1]:25 P=smtp S=1385 id=01C9797A.60AE2E3B@medina.green.ba T="\312\360\340\361\356\362\352\350" from <marisha@pimpernel.com> for zixmqo2@school.edu.ru
2009-01-18 15:39:33 [12483] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1LOYoH-0003Ey-Au
2009-01-18 15:39:33 [12468] 1LOYoH-0003F6-BQ <= marisha@unitelco.com H=localhost (medina.green.ba) [127.0.0.1]:33959 I=[127.0.0.1]:25 P=smtp S=1334 id=01C9797A.603757D0@medina.green.ba T="\317\356\360\355\356\347\342\345\347\344\373" from <marisha@unitelco.com> for kiw1@school.edu.ru
2009-01-18 15:39:33 [12484] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1LOYoH-0003F6-BQ
2009-01-18 15:39:33 [12460] SMTP connection from localhost (medina.green.ba) [127.0.0.1]:33651 I=[127.0.0.1]:25 closed by QUIT
2009-01-18 15:39:33 [12468] SMTP connection from localhost (medina.green.ba) [127.0.0.1]:33959 I=[127.0.0.1]:25 closed by QUIT
2009-01-18 15:39:33 [12484] 1LOYoH-0003F6-BQ ** kiw1@school.edu.ru F=<marisha@unitelco.com> R=fail_remote_domains: The mail server could not deliver mail to kiw1@school.edu.ru. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
2009-01-18 15:39:33 [12485] cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1LOYoH-0003F6-BQ
2009-01-18 15:39:33 [12483] 1LOYoH-0003Ey-Au ** zixmqo2@school.edu.ru F=<marisha@pimpernel.com> R=fail_remote_domains: The mail server could not deliver mail to zixmqo2@school.edu.ru. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
2009-01-18 15:39:33 [12486] cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1LOYoH-0003Ey-Au
2009-01-18 15:39:33 [12485] 1LOYoH-0003FN-I7 <= <> R=1LOYoH-0003F6-BQ U=mailnull P=local S=2284 T="Mail delivery failed: returning message to sender" from <> for marisha@unitelco.com
2009-01-18 15:39:33 [12487] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1LOYoH-0003FN-I7
2009-01-18 15:39:33 [12484] 1LOYoH-0003F6-BQ Completed QT=0s
2009-01-18 15:39:33 [12486] 1LOYoH-0003FO-K3 <= <> R=1LOYoH-0003Ey-Au U=mailnull P=local S=2347 T="Mail delivery failed: returning message to sender" from <> for marisha@pimpernel.com
2009-01-18 15:39:33 [12483] 1LOYoH-0003Ey-Au Completed QT=0s
2009-01-18 15:39:33 [12488] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1LOYoH-0003FO-K3
2009-01-18 15:39:33 [12487] 1LOYoH-0003FN-I7 == marisha@unitelco.com R=dk_lookuphost T=dk_remote_smtp defer (-53): retry time not reached for any host
2009-01-18 15:39:33 [20205] SMTP connection from [58.247.27.91]:3076 I=[209.250.234.194]:25 (TCP/IP connection count = 6)
2009-01-18 15:39:34 [20205] SMTP connection from [94.178.252.84]:12631 I=[209.250.234.194]:25 (TCP/IP connection count = 7)
2009-01-18 15:39:34 [20205] SMTP connection from [94.178.252.84]:12633 I=[209.250.234.194]:25 (TCP/IP connection count = 8)
2009-01-18 15:39:34 [12465] H=localhost (medina.green.ba) [127.0.0.1]:33836 I=[127.0.0.1]:25 Warning: Sender rate 834.4 / 1h
2009-01-18 15:39:34 [12452] list matching forced to fail: failed to find host name for 127.0.0.1
2009-01-18 15:39:34 [12465] 1LOYoI-0003F3-EC <= marisha@artaccess.com H=localhost (medina.green.ba) [127.0.0.1]:33836 I=[127.0.0.1]:25 P=smtp S=1391 id=01C9797A.220B1A69@medina.green.ba T="\322\350\355\345\351\344\346\345\360\373" from <marisha@artaccess.com> for doox-jehi@school.edu.ru
2009-01-18 15:39:34 [12494] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1LOYoI-0003F3-EC
2009-01-18 15:39:34 [12465] SMTP connection from localhost (medina.green.ba) [127.0.0.1]:33836 I=[127.0.0.1]:25 closed by QUIT
2009-01-18 15:39:34 [12452] H=(medina.green.ba) [127.0.0.1]:33539 I=[127.0.0.1]:25 Warning: Sender rate 835.4 / 1h
2009-01-18 15:39:34 [12494] 1LOYoI-0003F3-EC ** doox-jehi@school.edu.ru F=<marisha@artaccess.com> R=fail_remote_domains: The mail server could not deliver mail to doox-jehi@school.edu.ru. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
2009-01-18 15:39:34 [12452] 1LOYoI-0003Eq-IO <= marisha@locl.net H=(medina.green.ba) [127.0.0.1]:33539 I=[127.0.0.1]:25 P=smtp S=1428 id=01C9797A.218F7A85@medina.green.ba T="\312\360\363\357\355\373\345 \357\353\340\355\373" from <marisha@locl.net> for jh7qnhquyf7@school.edu.ru
2009-01-18 15:39:34 [12495] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1LOYoI-0003Eq-IO
2009-01-18 15:39:34 [12496] cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1LOYoI-0003F3-EC
2009-01-18 15:39:34 [12452] SMTP connection from (medina.green.ba) [127.0.0.1]:33539 I=[127.0.0.1]:25 closed by QUIT
2009-01-18 15:39:34 [12488] 1LOYoH-0003FO-K3 ** marisha@pimpernel.com F=<> P=<> R=dk_lookuphost T=dk_remote_smtp: SMTP error from remote mail server after RCPT TO:<marisha@pimpernel.com>: host mail.pimpernel.com [212.206.65.9]: 550 5.7.0 <marisha@pimpernel.com>... No such user here
2009-01-18 15:39:34 [12488] 1LOYoH-0003FO-K3 Frozen (delivery error message)
2009-01-18 15:39:34 [12495] 1LOYoI-0003Eq-IO ** jh7qnhquyf7@school.edu.ru F=<marisha@locl.net> R=fail_remote_domains: The mail server could not deliver mail to jh7qnhquyf7@school.edu.ru. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
2009-01-18 15:39:34 [12497] cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1LOYoI-0003Eq-IO
2009-01-18 15:39:34 [12496] 1LOYoI-0003FY-KM <= <> R=1LOYoI-0003F3-EC U=mailnull P=local S=2359 T="Mail delivery failed: returning message to sender" from <> for marisha@artaccess.com
2009-01-18 15:39:34 [12497] 1LOYoI-0003FZ-Nv <= <> R=1LOYoI-0003Eq-IO U=mailnull P=local S=2387 T="Mail delivery failed: returning message to sender" from <> for marisha@locl.net
2009-01-18 15:39:34 [12499] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1LOYoI-0003FZ-Nv
2009-01-18 15:39:34 [12495] 1LOYoI-0003Eq-IO Completed QT=0s
2009-01-18 15:39:34 [12498] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1LOYoI-0003FY-KM
2009-01-18 15:39:34 [12494] 1LOYoI-0003F3-EC Completed QT=0s
2009-01-18 15:39:35 [12472] 1LOYoD-0003Ek-MT ** jurmqo@school.edu.ru F=<marisha@allu.com> R=fail_remote_domains: The mail server could not deliver mail to jurmqo@school.edu.ru. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
2009-01-18 15:39:35 [12502] cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1LOYoD-0003Ek-MT
2009-01-18 15:39:35 [12502] 1LOYoJ-0003Fe-1D <= <> R=1LOYoD-0003Ek-MT U=mailnull P=local S=2284 T="Mail delivery failed: returning message to sender" from <> for marisha@allu.com
2009-01-18 15:39:35 [12503] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1LOYoJ-0003Fe-1D
2009-01-18 15:39:35 [12472] 1LOYoD-0003Ek-MT Completed QT=6s
2009-01-18 15:39:35 [12503] 1LOYoJ-0003Fe-1D ** marisha@allu.com F=<> P=<> R=dk_lookuphost T=dk_remote_smtp: SMTP error from remote mail server after initial connection: host mail.allu.com [65.254.254.56]: 554 impinc03.yourhostingaccount.com NO UCE error: R6.1: 209.250.234.194 is on the Spamhaus blacklist. Please visit: http://www.spamhaus.org
2009-01-18 15:39:35 [12503] 1LOYoJ-0003Fe-1D Frozen (delivery error message)
2009-01-18 15:39:35 [12474] H=localhost (medina.green.ba) [127.0.0.1]:34013 I=[127.0.0.1]:25 Warning: Sender rate 836.2 / 1h
2009-01-18 15:39:35 [12474] 1LOYoJ-0003FC-7p <= marisha@allu.com H=localhost (medina.green.ba) [127.0.0.1]:34013 I=[127.0.0.1]:25 P=smtp S=1318 id=01C9797A.695934FA@medina.green.ba T="\317\356\360\355\356\347\342\345\347\344\373" from <marisha@allu.com> for qoake-oduvo@school.edu.ru
2009-01-18 15:39:35 [12505] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1LOYoJ-0003FC-7p
2009-01-18 15:39:35 [12474] SMTP connection from localhost (medina.green.ba) [127.0.0.1]:34013 I=[127.0.0.1]:25 closed by QUIT
2009-01-18 15:39:35 [12505] 1LOYoJ-0003FC-7p ** qoake-oduvo@school.edu.ru F=<marisha@allu.com> R=fail_remote_domains: The mail server could not deliver mail to qoake-oduvo@school.edu.ru. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
2009-01-18 15:39:35 [12506] cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1LOYoJ-0003FC-7p
2009-01-18 15:39:35 [12506] 1LOYoJ-0003Fi-Cz <= <> R=1LOYoJ-0003FC-7p U=mailnull P=local S=2277 T="Mail delivery failed: returning message to sender" from <> for marisha@allu.com
2009-01-18 15:39:35 [12507] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1LOYoJ-0003Fi-Cz
2009-01-18 15:39:35 [12505] 1LOYoJ-0003FC-7p Completed QT=0s
2009-01-18 15:39:35 [12475] H=localhost (medina.green.ba) [127.0.0.1]:34024 I=[127.0.0.1]:25 Warning: Sender rate 837.1 / 1h
2009-01-18 15:39:35 [12507] 1LOYoJ-0003Fi-Cz ** marisha@allu.com F=<> P=<> R=dk_lookuphost T=dk_remote_smtp: SMTP error from remote mail server after initial connection: host mail.allu.com [65.254.254.55]: 554 impinc01.yourhostingaccount.com NO UCE error: R6.1: 209.250.234.194 is on the Spamhaus blacklist. Please visit: http://www.spamhaus.org
2009-01-18 15:39:35 [12507] 1LOYoJ-0003Fi-Cz Frozen (delivery error message)
2009-01-18 15:39:35 [12475] 1LOYoJ-0003FD-If <= marisha@resaleworld.com H=localhost (medina.green.ba) [127.0.0.1]:34024 I=[127.0.0.1]:25 P=smtp S=1392 id=01C9797A.3EE66F3E@medina.green.ba T="\315\340 \357\363\341\353\350\352\345" from <marisha@resaleworld.com> for jsege@school.edu.ru
2009-01-18 15:39:35 [12509] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1LOYoJ-0003FD-If
2009-01-18 15:39:35 [12475] SMTP connection from localhost (medina.green.ba) [127.0.0.1]:34024 I=[127.0.0.1]:25 closed by QUIT
2009-01-18 15:39:35 [12498] 1LOYoI-0003FY-KM ** marisha@artaccess.com F=<> P=<> R=dk_lookuphost T=dk_remote_smtp: SMTP error from remote mail server after RCPT TO:<marisha@artaccess.com>: host mx01.speakeasy.net [69.17.117.60]: 550 5.1.1 <marisha@artaccess.com>: Recipient address rejected: User unknown in relay recipient table
2009-01-18 15:39:35 [12498] 1LOYoI-0003FY-KM Frozen (delivery error message)
2009-01-18 15:39:35 [12509] 1LOYoJ-0003FD-If ** jsege@school.edu.ru F=<marisha@resaleworld.com> R=fail_remote_domains: The mail server could not deliver mail to jsege@school.edu.ru. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
2009-01-18 15:39:35 [12510] cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1LOYoJ-0003FD-If
2009-01-18 15:39:35 [12510] 1LOYoJ-0003Fm-Of <= <> R=1LOYoJ-0003FD-If U=mailnull P=local S=2354 T="Mail delivery failed: returning message to sender" from <> for marisha@resaleworld.com
2009-01-18 15:39:35 [12511] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1LOYoJ-0003Fm-Of
2009-01-18 15:39:35 [12509] 1LOYoJ-0003FD-If Completed QT=0s
2009-01-18 15:39:35 [12491] ident connection to 58.247.27.91 timed out
2009-01-18 15:39:35 [12491] no host name found for IP address 58.247.27.91
2009-01-18 15:39:35 [12491] list matching forced to fail: failed to find host name for 58.247.27.91
2009-01-18 15:39:35 [12491] list matching forced to fail: failed to find host name for 58.247.27.91
2009-01-18 15:39:35 [12491] list matching forced to fail: failed to find host name for 58.247.27.91
2009-01-18 15:39:36 [12492] ident connection to 94.178.252.84 timed out
2009-01-18 15:39:36 [12493] ident connection to 94.178.252.84 timed out
2009-01-18 15:39:36 [12511] 1LOYoJ-0003Fm-Of ** marisha@resaleworld.com F=<> P=<> R=dk_lookuphost T=dk_remote_smtp: SMTP error from remote mail server after RCPT TO:<marisha@resaleworld.com>: host ASPMX.L.GOOGLE.com [74.125.47.27]: 550-5.2.1 The user you are trying to contact is receiving mail at a rate\n550-5.2.1 that prevents additional messages from being delivered. For\n550-5.2.1 more information, please visit\n550 5.2.1 http://mail.google.com/support/bin/a...py?answer=6592 7si6849652ywo.40
2009-01-18 15:39:36 [12511] 1LOYoJ-0003Fm-Of Frozen (delivery error message)
2009-01-18 15:39:36 [12492] no IP address found for host 84-252-178-94.pool.ukrtel.net (during SMTP connection from [94.178.252.84]:12631 I=[209.250.234.194]:25)
2009-01-18 15:39:36 [12492] list matching forced to fail: failed to find host name for 94.178.252.84
2009-01-18 15:39:36 [12492] list matching forced to fail: failed to find host name for 94.178.252.84
2009-01-18 15:39:36 [12492] list matching forced to fail: failed to find host name for 94.178.252.84
2009-01-18 15:39:36 [12493] no IP address found for host 84-252-178-94.pool.ukrtel.net (during SMTP connection from [94.178.252.84]:12633 I=[209.250.234.194]:25)
2009-01-18 15:39:36 [12493] list matching forced to fail: failed to find host name for 94.178.252.84
2009-01-18 15:39:36 [12493] list matching forced to fail: failed to find host name for 94.178.252.84
2009-01-18 15:39:36 [12493] list matching forced to fail: failed to find host name for 94.178.252.84
2009-01-18 15:39:36 [12457] list matching forced to fail: failed to find host name for 127.0.0.1
2009-01-18 15:39:36 [12491] H=(ILIQECIHL) [58.247.27.91]:3076 I=[209.250.234.194]:25 rejected MAIL <merrilyb9@johnpost.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2009-01-18 15:39:36 [12491] SMTP connection from (ILIQECIHL) [58.247.27.91]:3076 I=[209.250.234.194]:25 closed by DROP in ACL
2009-01-18 15:39:36 [12457] H=(medina.green.ba) [127.0.0.1]:33603 I=[127.0.0.1]:25 Warning: Sender rate 837.9 / 1h
2009-01-18 15:39:36 [12457] 1LOYoK-0003Ev-Ne <= marisha@formor.net H=(medina.green.ba) [127.0.0.1]:33603 I=[127.0.0.1]:25 P=smtp S=1342 id=01C9797A.5C0729A4@medina.green.ba T="\304\356\354\360\340\341\356\362\355\350\366\373" from <marisha@formor.net> for kuqo-kxeza@school.edu.ru
2009-01-18 15:39:36 [12513] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1LOYoK-0003Ev-Ne
2009-01-18 15:39:36 [12457] SMTP connection from (medina.green.ba) [127.0.0.1]:33603 I=[127.0.0.1]:25 closed by QUIT
2009-01-18 15:39:36 [12513] 1LOYoK-0003Ev-Ne ** kuqo-kxeza@school.edu.ru F=<marisha@formor.net> R=fail_remote_domains: The mail server could not deliver mail to kuqo-kxeza@school.edu.ru. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
2009-01-18 15:39:36 [12514] cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1LOYoK-0003Ev-Ne
2009-01-18 15:39:36 [12514] 1LOYoK-0003Fq-TA <= <> R=1LOYoK-0003Ev-Ne U=mailnull P=local S=2304 T="Mail delivery failed: returning message to sender" from <> for marisha@formor.net
2009-01-18 15:39:36 [12515] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1LOYoK-0003Fq-TA
2009-01-18 15:39:36 [12513] 1LOYoK-0003Ev-Ne Completed QT=0s
2009-01-18 15:39:37 [12492] H=(microsof-17e69f) [94.178.252.84]:12631 I=[209.250.234.194]:25 rejected MAIL <f.castillo@gama.es>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2009-01-18 15:39:37 [12492] SMTP connection from (microsof-17e69f) [94.178.252.84]:12631 I=[209.250.234.194]:25 closed by DROP in ACL
2009-01-18 15:39:37 [12493] H=(microsof-17e69f) [94.178.252.84]:12633 I=[209.250.234.194]:25 rejected MAIL <esra@gamaennis.ie>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2009-01-18 15:39:37 [12493] SMTP connection from (microsof-17e69f) [94.178.252.84]:12633 I=[209.250.234.194]:25 closed by DROP in ACL
2009-01-18 15:39:37 [12515] 1LOYoK-0003Fq-TA ** marisha@formor.net F=<> P=<> R=dk_lookuphost T=dk_remote_smtp: SMTP error from remote mail server after RCPT TO:<marisha@formor.net>: host mx.formor.com [216.60.12.69]: 550 Denied due to spam list
2009-01-18 15:39:37 [12515] 1LOYoK-0003Fq-TA Frozen (delivery error message)
2009-01-18 15:39:38 [12481] 1LOYoH-0003FI-30 ** marisha@locl.net F=<> P=<> R=dk_lookuphost T=dk_remote_smtp: SMTP error from remote mail server after RCPT TO:<marisha@locl.net>: host hellcat.locl.net [63.170.219.60]: 550 5.7.1 <marisha@locl.net>... Access denied - contact support@locl.net
2009-01-18 15:39:38 [12481] 1LOYoH-0003FI-30 Frozen (delivery error message)
2009-01-18 15:39:40 [12499] 1LOYoI-0003FZ-Nv ** marisha@locl.net F=<> P=<> R=dk_lookuphost T=dk_remote_smtp: SMTP error from remote mail server after RCPT TO:<marisha@locl.net>: host hellcat.locl.net [63.170.219.60]: 550 5.7.1 <marisha@locl.net>... Access denied - contact support@locl.net
2009-01-18 15:39:40 [12499] 1LOYoI-0003FZ-Nv Frozen (delivery error message)
any hints??
#2
18th January 2009
Carpetsmoker (Martin)
Tcpdump Spy
Join Date: Apr 2008
Location: Netherlands
Posts: 2,243

Please don't tell me those are real email addresses.
#3
18th January 2009
DutchDaemon (Ben)
Spam Refugee
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 336

These Exim logs give me a headache, but it looks like your server acts as either an open relay or as a smarthost for another compromised server in your network. Your server is trying to deliver mail to some bad addresses on behalf of other addresses that do not appear to be yours, and when that fails, it tries to deliver bounces to those bad addresses, causing a plethora of delivery attempts, bounces, etc.

One quick example:

Code:
2009-01-18 15:39:33 [12484] 1LOYoH-0003F6-BQ ** kiw1@school.edu.ru F=<marisha@unitelco.com> R=fail_remote_domains: The mail server could not deliver mail to kiw1@school.edu.ru.  The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
Your server is sending mail on behalf of marisha@unitelco.com (I'm assuming that's not one of your users) to kiw1@school.edu.ru (not one of your users either). Since that doesn't succeed, your mailserver tries to inform marisha@unitelco.com (which doesn't succeed), etc. This spammer appears to have a preference for 'marisha'.

Anyway: find out whether your mailserver or any other server in your network acts as an open relay or an injection point for spam.
#4
18th January 2009
c0mrade
Port Guard
Join Date: May 2008
Posts: 41

Thank you for your comments ..
Carpetsmoker: I guess they are ..
#5
18th January 2009
c0mrade
Port Guard
Join Date: May 2008
Posts: 41

DutchDaemon:

Quote:
Anyway: find out whether your mailserver or any other server in your network acts as an open relay or an injection point for spam
can you give me an indication how would I do that .. thank you
#6
18th January 2009
DutchDaemon (Ben)
Spam Refugee
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 336

Well, I tried to relay mail through your server, and that doesn't work, so your server itself is not an open relay. Does your server act as an outgoing mail server for other servers/desktops in your LAN/network, or is there a web application on your mailserver? I see a lot of connections from localhost, so there may be a web application being abused by external parties (think of webforms, formmail, php forms, guestbooks, etc.). Though usually spam through a webserver has something like www@localhost or wwwrun@your.server.com as the sender address.
#7
18th January 2009
c0mrade
Port Guard
Join Date: May 2008
Posts: 41

DutchDaemon:
Quote:
Does your server act as an outgoing mail server for other servers/desktops in your LAN/network
no it doesn't.
Quote:
or is there a web application on your mailserver? I see a lot of connections from localhost, so there may be a web application being abused by external parties (think of webforms, formmail, php forms, guestbooks, etc.)
I just erased all of those and users as well to see what's happening .. and nothing keeps spam away .. dammit this is something hard to comprehend ..
#8
18th January 2009
DutchDaemon (Ben)
Spam Refugee
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 336

P.S.: what you need to do now is to take a good hard look at your maillogs and try to find out where these marisha@ addresses enter your mailserver (correlating with the logged SMTP connections). If they're all coming from localhost, some process on your mailserver (like a webserver) is being abused, if they're all coming from addresses in your network, another server, desktop or workstation is the source of the problems.
#9
18th January 2009
DutchDaemon (Ben)
Spam Refugee
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 336

Note: your mailserver's spool is probably full of spam trying to get out, so the activity may not stop right away. You may have to empty all of your spooled mail in /var/spool/exim (I think).
#10
18th January 2009
c0mrade
Port Guard
Join Date: May 2008
Posts: 41

I'll do that. Thank you