<HTML>
<HEAD>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META content="OPENWEBMAIL" name=GENERATOR>
</HEAD>
<BODY bgColor=#ffffff>
It appears that someone has a valid username/password on your server, and is using the SMTP-Auth to relay e-mail.
<br />
<br />So, first and easiest thing to do to stop it is firewall out that address. At the command line, enter:
<br />iptables -I acctin 1 -s 200.111.101.0/24 -j DROP
<br />That will stop the scumbag from relaying any e-mail through you, even if he changes his IP to another in his network.
<br />
<br />Then you've got to figure out which account on your server is being used. That's a little harder - and takes time sorting through the logs to find. Although sometimes you can spot it by going through the management GUI and looking at USAGE reports on which domain/user is sending the most e-mail/using the network the heaviest.
<br />
<br />Once you've figured out which account is being used, simply change the password. That should stop it. Worse case, delete that account. I had one just like it two weeks ago, and even suspending the account didn't prevent him from relaying through the server. So I just deleted the account which put a end to it.
<br />
<br />
<br />
<br />Chuck
<br />
<br /><font size="2">
<br /><b>---------- Original Message
-----------</b>
<br />
From: David Hahn <blueonyx@sb9.com>
<br />
To: BlueOnyx General Mailing List <blueonyx@mail.blueonyx.it>
<br />
Sent: Sun, 12 Jan 2014 11:51:22 -0600
<br />
Subject: [BlueOnyx:14253] Stopping User at localhost.localdomain Spam
<br />
<br />> I Hi all hope all is well,
<br />>
I can't seem to stop some spam. I have the from address (*@icicibank.com)
<br />>
Blacklisted in the GUI but it always gets through.
<br />>
<br />>
Here are the headers:
<br />>
<br />>
Return-Path: <customer.care@icicibank.com>
<br />>
Received: from localhost.localdomain ([200.111.101.6])
<br />>
by fs.xxx.com (8.13.8/8.13.8) with ESMTP id
s0CFCENu001942
<br />>
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256
verify=NO)
<br />>
for <x@xxx.com>; Sun, 12 Jan 2014 09:12:16 -0600
<br />>
Received: from User (localhost.localdomain [127.0.0.1])
<br />>
by localhost.localdomain (8.13.8/8.13.8) with SMTP id
s07GUSDv031525;
<br />>
Tue, 7 Jan 2014 13:30:30 -0300
<br />>
Message-Id: <201401071630.s07GUSDv031525@localhost.localdomain>
<br />>
From: "ICICI Bank"<customer.care@icicibank.com>
<br />>
Subject: ICICI ALERT: Important Security Message
<br />>
<br />>
Logs:
<br />>
Jan 12 09:12:15 fs sendmail[1942]: STARTTLS=server, relay=[200.111.101.6],
version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
<br />>
Jan 12 09:12:16 fs milter-greylist: s0CFCENu001942: addr 200.111.101.6 from
<customer.care@icicibank.com> rcpt <xt@xxx.com>: autowhitelisted for
72:00:00
<br />>
Jan 12 09:12:19 fs sendmail[1942]: s0CFCENu001942:
from=<customer.care@icicibank.com>, size=1195619, class=0, nrcpts=1,
msgid=<201401071630.s07GUSDv031525@localhost.localdomain>, proto=ESMTP,
daemon=MTA, relay=[200.111.101.6]
<br />>
Jan 12 09:12:19 fs sendmail[1956]: s0CFCENu001942: to=<x@xxx.com>,
delay=00:00:03, xdelay=00:00:00, mailer=local, pri=1226110, dsn=2.0.0, stat=Sent
<br />>
<br />>
It looks like the 'Received: from User (localhost.localdomain [127.0.0.1])'
might be the reason it bypasses the spam a/v and spamassassin.
<br />>
<br />>
Any suggestions would be helpful.
<br />>
<br />>
--
<br />>
Thank you
<br />>
David Hahn
<br />>
----
<br />>
Hey Super Users! - su
<br />>
Get E Mail Alerts when sites or services are up or down.
<br />>
Remotely Monitor Website and/or Service Absolutely Free in seconds.
<br />>
<a target="_blank" href="http://mon.pagekeeperservice.com/">http://mon.pagekeeperservice.com</a>
<br />>
<br />>
_______________________________________________
<br />>
Blueonyx mailing list
<br />>
Blueonyx@mail.blueonyx.it
<br />>
<a target="_blank" href="http://mail.blueonyx.it/mailman/listinfo/blueonyx">http://mail.blueonyx.it/mailman/listinfo/blueonyx</a>
<br /><b>------- End of Original Message
-------</b>
<br />
</font>
</BODY>
</HTML>