[BlueOnyx:14258] Re: Stopping User at localhost.localdomain Spam
David Hahn
blueonyx at sb9.com
Mon Jan 13 00:16:54 -05 2014
That is not an actual user on the system, except as the admin file owner,
right? And it appears to be coming from outside the server...
I have no accounts with 'User' as the user name.
I don't believe I have an open relay. They use different IPs, so blocking
is not really an option, since they use one once and then use another...
Using localhost.localdomain as a forged header, I assume, to fool
SpamAssassin...
Below is header from me to a test account on the same server.
Received: from [192.168.0.11] (cpe-666-688-111-203.austin.res.com [666.688.111.203])
(authenticated bits=0) by fs.mailserver.com (8.13.8/8.13.8) with ESMTP
id s0D56s3B013948 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA
bits=256 verify=NO) for <x at xxx.com>; Sun, 12 Jan 2014 23:06:56 -0600
Message-ID: <52D37472.5000709 at xxx.com>
I've never seen localhost.localdomain used in local mail...
Thanks to all... I'll look further...
On 1/12/2014 12:38 PM, Chuck Tetlow wrote:
> It appears that someone has a valid username/password on your server,
> and is using the SMTP-Auth to relay e-mail.
>
> So, first and easiest thing to do to stop it is firewall out that
> address. At the command line, enter:
> iptables -I acctin 1 -s 200.111.101.0/24 -j DROP
> That will stop the scumbag from relaying any e-mail through you, even
> if he changes his IP to another in his network.
>
> Then you've got to figure out which account on your server is being
> used. That's a little harder - and takes time sorting through the
> logs to find. Although sometimes you can spot it by going through the
> management GUI and looking at USAGE reports on which domain/user is
> sending the most e-mail/using the network the heaviest.
>
> Once you've figured out which account is being used, simply change the
> password. That should stop it. Worst case, delete that account. I
> had one just like it two weeks ago, and even suspending the account
> didn't prevent him from relaying through the server. So I just
> deleted the account, which put an end to it.
>
>
>
> Chuck
>
>
> *---------- Original Message -----------*
> From: David Hahn <blueonyx at sb9.com>
> To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it>
> Sent: Sun, 12 Jan 2014 11:51:22 -0600
> Subject: [BlueOnyx:14253] Stopping User at localhost.localdomain Spam
>
> > Hi all, I hope all is well.
> > I can't seem to stop some spam. I have the from address (*@icicibank.com)
> > blacklisted in the GUI, but it always gets through.
> >
> > Here are the headers:
> >
> > Return-Path: <customer.care at icicibank.com>
> > Received: from localhost.localdomain ([200.111.101.6])
> > by fs.xxx.com (8.13.8/8.13.8) with ESMTP id s0CFCENu001942
> > (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
> > for <x at xxx.com>; Sun, 12 Jan 2014 09:12:16 -0600
> > Received: from User (localhost.localdomain [127.0.0.1])
> > by localhost.localdomain (8.13.8/8.13.8) with SMTP id s07GUSDv031525;
> > Tue, 7 Jan 2014 13:30:30 -0300
> > Message-Id: <201401071630.s07GUSDv031525 at localhost.localdomain>
> > From: "ICICI Bank" <customer.care at icicibank.com>
> > Subject: ICICI ALERT: Important Security Message
> >
> > Logs:
> > Jan 12 09:12:15 fs sendmail[1942]: STARTTLS=server, relay=[200.111.101.6], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
> > Jan 12 09:12:16 fs milter-greylist: s0CFCENu001942: addr 200.111.101.6 from <customer.care at icicibank.com> rcpt <xt at xxx.com>: autowhitelisted for 72:00:00
> > Jan 12 09:12:19 fs sendmail[1942]: s0CFCENu001942: from=<customer.care at icicibank.com>, size=1195619, class=0, nrcpts=1, msgid=<201401071630.s07GUSDv031525 at localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=[200.111.101.6]
> > Jan 12 09:12:19 fs sendmail[1956]: s0CFCENu001942: to=<x at xxx.com>, delay=00:00:03, xdelay=00:00:00, mailer=local, pri=1226110, dsn=2.0.0, stat=Sent
> >
> > It looks like the 'Received: from User (localhost.localdomain
> > [127.0.0.1])' might be the reason it bypasses the spam A/V and
> > SpamAssassin.
> >
> > Any suggestions would be helpful.
> >
> > --
> > Thank you
> > David Hahn
> > ----
> > Hey Super Users! - su
> > Get E Mail Alerts when sites or services are up or down.
> > Remotely Monitor Website and/or Service Absolutely Free in seconds.
> > http://mon.pagekeeperservice.com <http://mon.pagekeeperservice.com/>
> >
> > _______________________________________________
> > Blueonyx mailing list
> > Blueonyx at mail.blueonyx.it
> > http://mail.blueonyx.it/mailman/listinfo/blueonyx
> *------- End of Original Message -------*
--
Thank you
David Hahn
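As an added example (not from the original post, and not BlueOnyx code), the script below does the two log-side checks this thread turns on: it correlates sendmail's "AUTH=server" and "from=<...>" maillog lines by queue ID to show which SMTP AUTH account, if any, is accounting for the most recipients and from which peer addresses, and it inspects Received headers for a localhost.localdomain HELO presented by a non-loopback peer, plus any loopback hop that sits below the hop our own server wrote. The log lines and headers inside the script are constructed samples in the same format as the post, using documentation-range IPs, and the field names assumed are the usual sendmail 8.x ones (AUTH=server, authid=, mech=, nrcpts=, relay=); they are assumptions, not the poster's data.

```python
"""Triage helpers for the sendmail symptoms discussed in the thread.
All log lines and headers here are constructed samples (documentation IPs),
not copied from the list message; they mimic sendmail 8.x log format."""
import re
from collections import Counter
from ipaddress import ip_address

# sendmail logs one "AUTH=server" line per authenticated session and one
# "from=<...>" line per message; both carry the queue ID that ties them together.
AUTH_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): AUTH=server, relay=(?P<relay>[^,]+), "
    r"authid=(?P<authid>[^,]+), mech=(?P<mech>\w+)"
)
FROM_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>.*?"
    r"nrcpts=(?P<nrcpts>\d+).*?relay=(?P<relay>.+)$"
)
BRACKET_IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")
# "from HELO (rdns [ip])" as sendmail stamps it; rdns may be absent.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*\((?P<rdns>[^\s\[\]()]*)\s*(?:\[(?P<ip>[^\]]+)\])?\)"
)

# Constructed sample: one unauthenticated inbound message with a forged
# localhost msgid, two bulk sends by "bob" from changing IPs, one normal send.
SAMPLE_LOG = """\
Jan 12 09:12:15 fs sendmail[1942]: s0CFCENu001942: STARTTLS=server, relay=[203.0.113.6], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Jan 12 09:12:19 fs sendmail[1942]: s0CFCENu001942: from=<customer.care@example.com>, size=1195619, class=0, nrcpts=1, msgid=<x@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=[203.0.113.6]
Jan 12 09:20:01 fs sendmail[2001]: s0CFK1AB002001: AUTH=server, relay=[198.51.100.7], authid=bob@xxx.com, mech=LOGIN, bits=0
Jan 12 09:20:01 fs sendmail[2001]: s0CFK1AB002001: from=<bob@xxx.com>, size=1200, class=0, nrcpts=40, msgid=<a@x>, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]
Jan 12 09:21:01 fs sendmail[2010]: s0CFL1AB002010: AUTH=server, relay=[198.51.100.9], authid=bob@xxx.com, mech=LOGIN, bits=0
Jan 12 09:21:01 fs sendmail[2010]: s0CFL1AB002010: from=<bob@xxx.com>, size=1300, class=0, nrcpts=40, msgid=<b@x>, proto=ESMTP, daemon=MTA, relay=[198.51.100.9]
Jan 12 09:30:00 fs sendmail[2050]: s0CFU0AB002050: AUTH=server, relay=cpe-host.example.net [192.0.2.11], authid=alice@xxx.com, mech=PLAIN, bits=0
Jan 12 09:30:00 fs sendmail[2050]: s0CFU0AB002050: from=<alice@xxx.com>, size=800, class=0, nrcpts=1, msgid=<c@x>, proto=ESMTP, daemon=MTA, relay=cpe-host.example.net [192.0.2.11]
"""

# Constructed Received chains, outermost (our server's) hop first.
SAMPLE_RECEIVED = [
    "from localhost.localdomain ([203.0.113.6]) by fs.xxx.com (8.13.8/8.13.8) with ESMTP id s0CFCENu001942 for <x@xxx.com>; Sun, 12 Jan 2014 09:12:16 -0600",
    "from User (localhost.localdomain [127.0.0.1]) by localhost.localdomain (8.13.8/8.13.8) with SMTP id s07GUSDv031525; Tue, 7 Jan 2014 13:30:30 -0300",
]
LEGIT_RECEIVED = [
    "from [192.168.0.11] (cpe-host.example.net [198.51.100.12]) (authenticated bits=0) by fs.mailserver.com (8.13.8/8.13.8) with ESMTP id s0D56s3B013948 for <x@xxx.com>; Sun, 12 Jan 2014 23:06:56 -0600",
]


def summarize_maillog(lines):
    """Correlate AUTH=server and from= lines by queue ID.

    Returns (recipients_per_authid, messages_per_peer_ip, unauthenticated_qids).
    One authid piling up recipients across many peer IPs is the 'account being
    used to relay' the thread suggests hunting for; a queue ID with no AUTH
    line came in without SMTP AUTH at all.
    """
    auth_by_qid = {}
    msgs = {}
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            auth_by_qid[m["qid"]] = m["authid"]
            continue
        m = FROM_RE.search(line)
        if m:
            msgs[m["qid"]] = (int(m["nrcpts"]), m["relay"])
    rcpts_per_authid, msgs_per_ip, unauthenticated = Counter(), Counter(), []
    for qid, (nrcpts, relay) in msgs.items():
        ipm = BRACKET_IP_RE.search(relay)
        if ipm:
            msgs_per_ip[ipm.group(1)] += 1
        if qid in auth_by_qid:
            rcpts_per_authid[auth_by_qid[qid]] += nrcpts
        else:
            unauthenticated.append(qid)
    return rcpts_per_authid, msgs_per_ip, unauthenticated


def suspicious_localhost_hops(received_headers):
    """Flag (a) a localhost HELO presented by a non-loopback peer (forged HELO)
    and (b) any loopback hop below the outermost one: only the outermost line
    was written by our server, so a '[127.0.0.1]' hop beneath it was supplied
    by the remote sender and is not evidence of local origin.
    Returns a list of (helo, peer_ip, reason); empty means nothing odd."""
    findings = []
    for depth, hop in enumerate(received_headers):
        m = RECEIVED_RE.search(hop)
        if not m or not m["ip"]:
            continue
        try:
            peer = ip_address(m["ip"])
        except ValueError:
            continue
        if "localhost" in m["helo"].lower() and not peer.is_loopback:
            findings.append((m["helo"], str(peer), "localhost HELO from non-loopback peer"))
        elif depth > 0 and peer.is_loopback:
            findings.append((m["helo"], str(peer), "loopback hop written by the remote sender"))
    return findings


def is_authenticated_submission(received_header):
    """True when sendmail stamped '(authenticated ...)' on the hop, as it does
    for SMTP AUTH sessions; the spam sample in the post carries no such stamp."""
    return "(authenticated" in received_header


if __name__ == "__main__":
    rcpts, ips, unauth = summarize_maillog(SAMPLE_LOG.splitlines())
    print("recipients per authid:", rcpts.most_common())
    print("messages per peer ip:", ips.most_common())
    print("unauthenticated queue ids:", unauth)
    print("suspicious hops:", suspicious_localhost_hops(SAMPLE_RECEIVED))
```

To use it on a real box, feed the lines of /var/log/maillog to summarize_maillog instead of SAMPLE_LOG; an authid whose recipient total dwarfs the others, arriving from a different peer IP each session, is the credential to reset, which is a faster route than eyeballing the usage reports. A message whose queue ID has no AUTH line, and which the log shows delivered with mailer=local to a local mailbox as the posted excerpt does, never used anyone's credentials: it is an inbound message with forged headers, which is why the loopback hop test matters more than the relay hunt for that particular sample.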