<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: times new roman,new york,times,serif; font-size: 12pt; color: #000000'>Or just change that user's email password. <br><br>Herb<br><br><br><hr id="zwchr"><div style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Chuck Tetlow" <chuck@tetlow.net><br><b>To: </b>blueonyx@sb9.com, "BlueOnyx General Mailing List" <blueonyx@mail.blueonyx.it><br><b>Sent: </b>Sunday, January 12, 2014 10:38:58 AM<br><b>Subject: </b>[BlueOnyx:14254] Re: Stopping User at localhost.localdomain Spam<br><br>
It appears that someone has a valid username/password on your server, and is using the SMTP-Auth to relay e-mail.
<br>
<br>So, the first and easiest thing to do to stop it is to firewall out that address. At the command line, enter:
<br>iptables -I acctin 1 -s 200.111.101.0/24 -j DROP
<br>That will stop the scumbag from relaying any e-mail through you, even if he changes his IP to another in his network.
<br>
<br>Then you've got to figure out which account on your server is being used. That's a little harder, and it takes time sorting through the logs to find it. Although sometimes you can spot it by going through the management GUI and looking at USAGE reports on which domain/user is sending the most e-mail or using the network the heaviest.
<br>
<br>Once you've figured out which account is being used, simply change the password. That should stop it. Worst case, delete that account. I had one just like it two weeks ago, and even suspending the account didn't prevent him from relaying through the server. So I just deleted the account, which put an end to it.
<br>
<br>
<br>
<br>Chuck
<br>
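Chuck's second step, working out which account the spammer authenticated as, is the slow part when done by eye. As an added example (not code from this thread, from BlueOnyx or from any of the people quoted), the Python script below does the correlation over a sendmail maillog: it pairs the AUTH=server line of an SMTP session with the from= line(s) of the same session by the sendmail child PID (the AUTH line may or may not carry a queue ID, so both shapes are handled), checks that the from= line names the same client as the login so a recycled PID is not misattributed, then reports each account's volume, client IPs and envelope senders, flags accounts that send as a non-local address or log in from several IPs, and prints the /24 DROP rule in the form Chuck used. The log excerpt is constructed for the example: the 200.111.101.x addresses and the icicibank.com sender come from the headers David quoted, while the account names, queue IDs and the other sessions are invented, and the AUTH=server field order (relay, authid, mech, bits) is assumed from sendmail's logging; it only appears when LogLevel is at least 10, so if your maillog has no such lines, raise it first. Point the script at your real /var/log/maillog instead of SAMPLE_LOG.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed /var/log/maillog excerpt for this example. The 200.111.101.x
# addresses and the icicibank.com sender are from the headers quoted in the
# thread; the accounts, queue IDs and the other sessions are invented.
SAMPLE_LOG = """\
Jan 12 09:12:15 fs sendmail[1942]: STARTTLS=server, relay=[200.111.101.6], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Jan 12 09:12:15 fs sendmail[1942]: s0CFCENu001942: AUTH=server, relay=[200.111.101.6], authid=bob@example.com, mech=LOGIN, bits=0
Jan 12 09:12:16 fs milter-greylist: s0CFCENu001942: addr 200.111.101.6 from <customer.care@icicibank.com> rcpt <x@xxx.com>: autowhitelisted for 72:00:00
Jan 12 09:12:19 fs sendmail[1942]: s0CFCENu001942: from=<customer.care@icicibank.com>, size=1195619, class=0, nrcpts=1, msgid=<201401071630.s07GUSDv031525@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=[200.111.101.6]
Jan 12 09:14:02 fs sendmail[2011]: AUTH=server, relay=[200.111.101.77], authid=bob@example.com, mech=LOGIN, bits=0
Jan 12 09:14:05 fs sendmail[2011]: s0CFE2Ab002011: from=<customer.care@icicibank.com>, size=1195602, class=0, nrcpts=40, msgid=<201401071631.s07GUTDv031540@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=[200.111.101.77]
Jan 12 09:14:09 fs sendmail[2011]: s0CFE9Ac002011: from=<customer.care@icicibank.com>, size=1195602, class=0, nrcpts=35, msgid=<201401071632.s07GUUDv031541@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=[200.111.101.77]
Jan 12 09:20:41 fs sendmail[2130]: s0CFKfQn002130: AUTH=server, relay=home.example.net [198.51.100.9], authid=alice@example.com, mech=PLAIN, bits=0
Jan 12 09:20:42 fs sendmail[2130]: s0CFKfQn002130: from=<alice@example.com>, size=2210, class=0, nrcpts=1, msgid=<20140112152042.GA1234@home.example.net>, proto=ESMTP, daemon=MTA, relay=home.example.net [198.51.100.9]
Jan 12 09:31:10 fs sendmail[2207]: s0CFVAqw002207: from=<news@list.example.org>, size=8120, class=0, nrcpts=1, msgid=<abc@list.example.org>, proto=ESMTP, daemon=MTA, relay=mx.list.example.org [203.0.113.4]
"""

# "<ts> <host> sendmail[<pid>]: <rest>"; every line of one SMTP session shares the child PID.
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sendmail\[(?P<pid>\d+)\]: (?P<rest>.*)$")
# Logged on a successful SASL login (assumed sendmail field order); queue ID optional.
AUTH_RE = re.compile(r"AUTH=server, relay=(?P<relay>.+?), authid=(?P<authid>\S+?), mech=\S+?, bits=")
# Envelope line of each message accepted in the session; relay= is its last field.
FROM_RE = re.compile(r"from=<(?P<sender>[^>]*)>, size=\d+, class=-?\d+, nrcpts=(?P<nrcpts>\d+),")
RELAY_RE = re.compile(r"relay=(?P<relay>[^,]+)$")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def client_ip(relay):
    """'host [1.2.3.4]' or '[1.2.3.4]' -> '1.2.3.4'; otherwise the raw relay string."""
    m = IP_RE.search(relay)
    return m.group(1) if m else relay


def parse_maillog(text):
    """One record per message sent over an authenticated session, correlated by PID.
    The from= line must name the same client as the AUTH line, so a recycled PID
    from an unrelated connection is not credited to the earlier login."""
    session, messages = {}, []          # pid -> (authid, client ip)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                    # milter-greylist and other daemons
        pid, rest = m.group("pid"), m.group("rest")
        a = AUTH_RE.search(rest)
        if a:
            session[pid] = (a.group("authid"), client_ip(a.group("relay")))
            continue
        f, r = FROM_RE.search(rest), RELAY_RE.search(rest)
        if f and r and pid in session and client_ip(r.group("relay")) == session[pid][1]:
            authid, ip = session[pid]
            messages.append({"qid": rest.split(":", 1)[0], "authid": authid, "relay_ip": ip,
                             "sender": f.group("sender"), "nrcpts": int(f.group("nrcpts"))})
    return messages


def per_account(messages):
    """Volume, client IPs and envelope senders per authenticated account."""
    acct = defaultdict(lambda: {"messages": 0, "rcpts": 0, "ips": set(), "senders": set()})
    for msg in messages:
        s = acct[msg["authid"]]
        s["messages"] += 1
        s["rcpts"] += msg["nrcpts"]
        s["ips"].add(msg["relay_ip"])
        s["senders"].add(msg["sender"])
    return dict(acct)


def suspicious_accounts(acct, local_domains):
    """Flag accounts that send as a non-local address (the thread's pattern: a
    local login sending as icicibank.com) or that log in from several client IPs."""
    flagged = {}
    for authid, s in acct.items():
        foreign = sorted(x for x in s["senders"]
                         if x and x.rpartition("@")[2].lower() not in local_domains)
        reasons = []
        if foreign:
            reasons.append("sends as non-local address(es): " + ", ".join(foreign))
        if len(s["ips"]) > 1:
            reasons.append("authenticated from %d different client IPs" % len(s["ips"]))
        if reasons:
            flagged[authid] = reasons
    return flagged


def block_rules(ips, chain="acctin", prefix=24):
    """DROP rules per client network, in the form the thread uses ('iptables -I
    acctin 1 -s 200.111.101.0/24 -j DROP'); 'acctin' is the chain named there
    and must exist on the box. Relays without a bracketed IP are skipped."""
    nets = set()
    for ip in ips:
        try:
            nets.add(str(ipaddress.ip_network("%s/%d" % (ip, prefix), strict=False)))
        except ValueError:
            pass
    return ["iptables -I %s 1 -s %s -j DROP" % (chain, net) for net in sorted(nets)]


if __name__ == "__main__":
    acct = per_account(parse_maillog(SAMPLE_LOG))
    for authid, reasons in suspicious_accounts(acct, {"example.com"}).items():
        s = acct[authid]
        print("%s: %d messages, %d recipients, from %s" % (authid, s["messages"], s["rcpts"], sorted(s["ips"])))
        for line in reasons + block_rules(s["ips"]):
            print("  " + line)
```

On the sample, bob@example.com is the only account flagged: three messages to 76 recipients, all as customer.care@icicibank.com, from two addresses in 200.111.101.0/24, which yields exactly the DROP rule Chuck posted. The firewall rule is only the stop-gap; the password change (or deletion) of the flagged account is what actually closes the relay, and a second run of the script after that should show no further messages for it.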
<br><font size="2">
<br><b>---------- Original Message
-----------</b>
<br>
From: David Hahn <blueonyx@sb9.com>
<br>
To: BlueOnyx General Mailing List <blueonyx@mail.blueonyx.it>
<br>
Sent: Sun, 12 Jan 2014 11:51:22 -0600
<br>
Subject: [BlueOnyx:14253] Stopping User at localhost.localdomain Spam
<br>
<br>> Hi all, hope all is well,
<br>>
I can't seem to stop some spam. I have the from address (*@icicibank.com)
<br>>
blacklisted in the GUI, but it always gets through.
<br>>
<br>>
Here are the headers:
<br>>
<br>>
Return-Path: <customer.care@icicibank.com>
<br>>
Received: from localhost.localdomain ([200.111.101.6])
<br>>
by fs.xxx.com (8.13.8/8.13.8) with ESMTP id
s0CFCENu001942
<br>>
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256
verify=NO)
<br>>
for <x@xxx.com>; Sun, 12 Jan 2014 09:12:16 -0600
<br>>
Received: from User (localhost.localdomain [127.0.0.1])
<br>>
by localhost.localdomain (8.13.8/8.13.8) with SMTP id
s07GUSDv031525;
<br>>
Tue, 7 Jan 2014 13:30:30 -0300
<br>>
Message-Id: <201401071630.s07GUSDv031525@localhost.localdomain>
<br>>
From: "ICICI Bank"<customer.care@icicibank.com>
<br>>
Subject: ICICI ALERT: Important Security Message
<br>>
<br>>
Logs:
<br>>
Jan 12 09:12:15 fs sendmail[1942]: STARTTLS=server, relay=[200.111.101.6],
version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
<br>>
Jan 12 09:12:16 fs milter-greylist: s0CFCENu001942: addr 200.111.101.6 from
<customer.care@icicibank.com> rcpt <xt@xxx.com>: autowhitelisted for
72:00:00
<br>>
Jan 12 09:12:19 fs sendmail[1942]: s0CFCENu001942:
from=<customer.care@icicibank.com>, size=1195619, class=0, nrcpts=1,
msgid=<201401071630.s07GUSDv031525@localhost.localdomain>, proto=ESMTP,
daemon=MTA, relay=[200.111.101.6]
<br>>
Jan 12 09:12:19 fs sendmail[1956]: s0CFCENu001942: to=<x@xxx.com>,
delay=00:00:03, xdelay=00:00:00, mailer=local, pri=1226110, dsn=2.0.0, stat=Sent
<br>>
<br>>
It looks like the 'Received: from User (localhost.localdomain [127.0.0.1])'
might be the reason it bypasses the spam a/v and spamassassin.
<br>>
<br>>
Any suggestions would be helpful.
<br>>
<br>>
--
<br>>
Thank you
<br>>
David Hahn
<br>>
----
<br>>
Hey Super Users! - su
<br>>
Get E Mail Alerts when sites or services are up or down.
<br>>
Remotely Monitor Website and/or Service Absolutely Free in seconds.
<br>>
<a target="_blank" href="http://mon.pagekeeperservice.com/">http://mon.pagekeeperservice.com</a>
<br>>
<br>>
_______________________________________________
<br>>
Blueonyx mailing list
<br>>
Blueonyx@mail.blueonyx.it
<br>>
<a target="_blank" href="http://mail.blueonyx.it/mailman/listinfo/blueonyx">http://mail.blueonyx.it/mailman/listinfo/blueonyx</a>
<br><b>------- End of Original Message
-------</b>
<br>
</font>
</div><br></div></body></html>