<div dir="ltr">another thing that I have seen is that it's coming from a script on the server.<div><br></div><div>I'm not sure how it got there but there was a php program that was forwarding mail from remote places through my local mail server. It took me a while to figure that one out. </div>
<div><br></div><div>Once I deleted the program and changed all the users passwords on the infected site everything was fine.</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, Jan 12, 2014 at 11:16 PM, David Hahn <span dir="ltr"><<a href="mailto:blueonyx@sb9.com" target="_blank">blueonyx@sb9.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
That is not a actual User on the system except as admin file owner
right? and it appears to be coming from outside the server...<br>
I have no accounts with 'User' as the user name. <br>
I don't believe I have a open relay. They use different IP's so
blocking is not really a option sine they use it once then use
another..<br>
Using localhost.localdomain as a forged header i assume to fool
spamassassin..<br>
<br>
Below is header from me to a test account on the same server.<br>
<br>
Received: from [192.168.0.11] (<a href="http://cpe-666-688-111-203.austin.res.com" target="_blank">cpe-666-688-111-203.austin.res.com</a>
[666.688.111.203]) <br>
(authenticated bits=0) by <a href="http://fs.mailserver.com" target="_blank">fs.mailserver.com</a> (8.13.8/8.13.8) with
ESMTP id s0D56s3B013948 (version=TLSv1/SSLv3
cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <a href="mailto:x@xxx.com" target="_blank"><x@xxx.com></a>;
Sun, 12 Jan 2014 23:06:56 -0600
Message-ID: <a href="mailto:52D37472.5000709@xxx.com" target="_blank"><52D37472.5000709@xxx.com></a><br>
i've never seen localhost.localdomain using local mail... <br>
<br>
Thanks to all.. i'll look further..<div class="im"><br>
<br>
<br>
<div>On 1/12/2014 12:38 PM, Chuck Tetlow
wrote:<br>
</div>
</div><div><div class="h5"><blockquote type="cite">
It appears that someone has a valid username/password on your
server, and is using the SMTP-Auth to relay e-mail.
<br>
<br>
So, first and easiest thing to do to stop it is firewall out that
address. At the command line, enter:
<br>
iptables -I acctin 1 -s <a href="http://200.111.101.0/24" target="_blank">200.111.101.0/24</a> -j DROP
<br>
That will stop the scumbag from relaying any e-mail through you,
even if he changes his IP to another in his network.
<br>
<br>
Then you've got to figure out which account on your server is
being used. That's a little harder - and takes time sorting
through the logs to find. Although sometimes you can spot it by
going through the management GUI and looking at USAGE reports on
which domain/user is sending the most e-mail/using the network the
heaviest.
<br>
<br>
Once you've figured out which account is being used, simply change
the password. That should stop it. Worse case, delete that
account. I had one just like it two weeks ago, and even
suspending the account didn't prevent him from relaying through
the server. So I just deleted the account which put a end to it.
<br>
<br>
<br>
<br>
Chuck
<br>
<br>
<font>
<br>
<b>---------- Original Message -----------</b>
<br>
From: David Hahn <a href="mailto:blueonyx@sb9.com" target="_blank"><blueonyx@sb9.com></a> <br>
To: BlueOnyx General Mailing List
<a href="mailto:blueonyx@mail.blueonyx.it" target="_blank"><blueonyx@mail.blueonyx.it></a> <br>
Sent: Sun, 12 Jan 2014 11:51:22 -0600 <br>
Subject: [BlueOnyx:14253] Stopping User at
localhost.localdomain Spam <br>
<br>
> I Hi all hope all is well, <br>
> I can't seem to stop some spam. I have the from address
(*@<a href="http://icicibank.com" target="_blank">icicibank.com</a>) <br>
> Blacklisted in the GUI but it always gets through. <br>
> <br>
> Here are the headers: <br>
> <br>
> Return-Path: <a href="mailto:customer.care@icicibank.com" target="_blank"><customer.care@icicibank.com></a> <br>
> Received: from localhost.localdomain ([200.111.101.6]) <br>
> by <a href="http://fs.xxx.com" target="_blank">fs.xxx.com</a> (8.13.8/8.13.8) with ESMTP id
s0CFCENu001942 <br>
> (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256
verify=NO) <br>
> for <a href="mailto:x@xxx.com" target="_blank"><x@xxx.com></a>; Sun, 12 Jan 2014 09:12:16 -0600
<br>
> Received: from User (localhost.localdomain [127.0.0.1]) <br>
> by localhost.localdomain (8.13.8/8.13.8) with SMTP id
s07GUSDv031525; <br>
> Tue, 7 Jan 2014 13:30:30 -0300 <br>
> Message-Id:
<a href="mailto:201401071630.s07GUSDv031525@localhost.localdomain" target="_blank"><201401071630.s07GUSDv031525@localhost.localdomain></a> <br>
> From: "ICICI Bank"<a href="mailto:customer.care@icicibank.com" target="_blank"><customer.care@icicibank.com></a> <br>
> Subject: ICICI ALERT: Important Security Message <br>
> <br>
> Logs: <br>
> Jan 12 09:12:15 fs sendmail[1942]: STARTTLS=server,
relay=[200.111.101.6], version=TLSv1/SSLv3, verify=NO,
cipher=DHE-RSA-AES256-SHA, bits=256/256 <br>
> Jan 12 09:12:16 fs milter-greylist: s0CFCENu001942: addr
200.111.101.6 from <a href="mailto:customer.care@icicibank.com" target="_blank"><customer.care@icicibank.com></a> rcpt
<a href="mailto:xt@xxx.com" target="_blank"><xt@xxx.com></a>: autowhitelisted for 72:00:00 <br>
> Jan 12 09:12:19 fs sendmail[1942]: s0CFCENu001942:
from=<a href="mailto:customer.care@icicibank.com" target="_blank"><customer.care@icicibank.com></a>, size=1195619, class=0,
nrcpts=1,
msgid=<a href="mailto:201401071630.s07GUSDv031525@localhost.localdomain" target="_blank"><201401071630.s07GUSDv031525@localhost.localdomain></a>,
proto=ESMTP, daemon=MTA, relay=[200.111.101.6] <br>
> Jan 12 09:12:19 fs sendmail[1956]: s0CFCENu001942:
to=<a href="mailto:x@xxx.com" target="_blank"><x@xxx.com></a>, delay=00:00:03, xdelay=00:00:00,
mailer=local, pri=1226110, dsn=2.0.0, stat=Sent <br>
> <br>
> It looks like the 'Received: from User
(localhost.localdomain [127.0.0.1])' might be the reason it
bypasses the spam a/v and spamassassin. <br>
> <br>
> Any suggestions would be helpful. <br>
> <br>
> -- <br>
> Thank you <br>
> David Hahn <br>
> ---- <br>
> Hey Super Users! - su <br>
> Get E Mail Alerts when sites or services are up or down. <br>
> Remotely Monitor Website and/or Service Absolutely Free in
seconds. <br>
> <a href="http://mon.pagekeeperservice.com/" target="_blank">http://mon.pagekeeperservice.com</a>
<br>
> <br>
> _______________________________________________ <br>
> Blueonyx mailing list <br>
> <a href="mailto:Blueonyx@mail.blueonyx.it" target="_blank">Blueonyx@mail.blueonyx.it</a> <br>
> <a href="http://mail.blueonyx.it/mailman/listinfo/blueonyx" target="_blank">http://mail.blueonyx.it/mailman/listinfo/blueonyx</a>
<br>
<b>------- End of Original Message -------</b>
<br>
</font>
</blockquote>
<br>
<pre cols="72">--
Thank you
David Hahn
----
Hey Super Users! - su
Get E Mail Alerts when sites or services are up or down.
Remotely Monitor Website and/or Service Absolutely Free in seconds.
<a href="http://mon.pagekeeperservice.com" target="_blank">http://mon.pagekeeperservice.com</a></pre>
</div></div></div>
<br>_______________________________________________<br>
Blueonyx mailing list<br>
<a href="mailto:Blueonyx@mail.blueonyx.it">Blueonyx@mail.blueonyx.it</a><br>
<a href="http://mail.blueonyx.it/mailman/listinfo/blueonyx" target="_blank">http://mail.blueonyx.it/mailman/listinfo/blueonyx</a><br>
<br></blockquote></div><br></div>