[BlueOnyx:14257] Re: Stopping User at localhost.localdomain Spam

Herb Rubin herbr at pfinders.com
Sun Jan 12 17:45:14 -05 2014


Or just change that user's email password. 

Herb 


----- Original Message -----

From: "Chuck Tetlow" <chuck at tetlow.net> 
To: blueonyx at sb9.com, "BlueOnyx General Mailing List" <blueonyx at mail.blueonyx.it> 
Sent: Sunday, January 12, 2014 10:38:58 AM 
Subject: [BlueOnyx:14254] Re: Stopping User at localhost.localdomain Spam 

It appears that someone has a valid username/password on your server, and is using the SMTP-Auth to relay e-mail. 

So, first and easiest thing to do to stop it is firewall out that address. At the command line, enter: 
iptables -I acctin 1 -s 200.111.101.0/24 -j DROP 
That will stop the scumbag from relaying any e-mail through you, even if he changes his IP to another in his network. 

Then you've got to figure out which account on your server is being used. That's a little harder - and takes time sorting through the logs to find. Although sometimes you can spot it by going through the management GUI and looking at USAGE reports on which domain/user is sending the most e-mail/using the network the heaviest. 

Once you've figured out which account is being used, simply change the password. That should stop it. Worst case, delete that account. I had one just like it two weeks ago, and even suspending the account didn't prevent him from relaying through the server. So I just deleted the account, which put an end to it. 



Chuck 


---------- Original Message ----------- 
From: David Hahn <blueonyx at sb9.com> 
To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it> 
Sent: Sun, 12 Jan 2014 11:51:22 -0600 
Subject: [BlueOnyx:14253] Stopping User at localhost.localdomain Spam 

> Hi all, I hope all is well, 
> I can't seem to stop some spam. I have the from address (*@icicibank.com) 
> blacklisted in the GUI, but it always gets through. 
> 
> Here are the headers: 
> 
> Return-Path: <customer.care at icicibank.com> 
> Received: from localhost.localdomain ([200.111.101.6]) 
> by fs.xxx.com (8.13.8/8.13.8) with ESMTP id s0CFCENu001942 
> (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) 
> for <x at xxx.com>; Sun, 12 Jan 2014 09:12:16 -0600 
> Received: from User (localhost.localdomain [127.0.0.1]) 
> by localhost.localdomain (8.13.8/8.13.8) with SMTP id s07GUSDv031525; 
> Tue, 7 Jan 2014 13:30:30 -0300 
> Message-Id: <201401071630.s07GUSDv031525 at localhost.localdomain> 
> From: "ICICI Bank"<customer.care at icicibank.com> 
> Subject: ICICI ALERT: Important Security Message 
> 
> Logs: 
> Jan 12 09:12:15 fs sendmail[1942]: STARTTLS=server, relay=[200.111.101.6], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256 
> Jan 12 09:12:16 fs milter-greylist: s0CFCENu001942: addr 200.111.101.6 from <customer.care at icicibank.com> rcpt <xt at xxx.com>: autowhitelisted for 72:00:00 
> Jan 12 09:12:19 fs sendmail[1942]: s0CFCENu001942: from=<customer.care at icicibank.com>, size=1195619, class=0, nrcpts=1, msgid=<201401071630.s07GUSDv031525 at localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=[200.111.101.6] 
> Jan 12 09:12:19 fs sendmail[1956]: s0CFCENu001942: to=<x at xxx.com>, delay=00:00:03, xdelay=00:00:00, mailer=local, pri=1226110, dsn=2.0.0, stat=Sent 
> 
> It looks like the 'Received: from User (localhost.localdomain [127.0.0.1])' might be the reason it bypasses the spam a/v and spamassassin. 
> 
> Any suggestions would be helpful. 
> 
> -- 
> Thank you 
> David Hahn 
> ---- 
> Hey Super Users! - su 
> Get E Mail Alerts when sites or services are up or down. 
> Remotely Monitor Website and/or Service Absolutely Free in seconds. 
> http://mon.pagekeeperservice.com 
> 
> _______________________________________________ 
> Blueonyx mailing list 
> Blueonyx at mail.blueonyx.it 
> http://mail.blueonyx.it/mailman/listinfo/blueonyx 
------- End of Original Message ------- 

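Chuck's second step, working out which authenticated account the relay abuse is coming from, is the slow part of this thread. The script below is an added example written for this page, not code from the thread or from BlueOnyx. It assumes sendmail is logging at a level that emits an `AUTH=server, relay=..., authid=..., mech=...` line for each authenticated session (the log excerpt in David's message does not show such lines, so that is an assumption), joins those lines to the matching `from=` lines by queue id, and aggregates messages, recipients and distinct client addresses per account. The log lines embedded in it are constructed and use documentation addresses; the account names are made up.

```python
import re
from collections import defaultdict

# Constructed sample sendmail log, modelled on the format in the thread.
# Not taken from the original message; account names and IPs are invented.
# Assumption: sendmail's log level is high enough that each authenticated
# SMTP session also produces an "AUTH=server" line with the same queue id.
SAMPLE_LOG = """\
Jan 12 09:12:15 fs sendmail[1942]: STARTTLS=server, relay=[200.111.101.6], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Jan 12 09:12:15 fs sendmail[1942]: s0CFCENu001942: AUTH=server, relay=[200.111.101.6], authid=webuser1, mech=LOGIN, bits=0
Jan 12 09:12:19 fs sendmail[1942]: s0CFCENu001942: from=<customer.care@icicibank.com>, size=1195619, class=0, nrcpts=1, msgid=<201401071630.s07GUSDv031525@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=[200.111.101.6]
Jan 12 09:13:02 fs sendmail[1960]: s0CFD2Ab001960: AUTH=server, relay=[200.111.101.9], authid=webuser1, mech=LOGIN, bits=0
Jan 12 09:13:05 fs sendmail[1960]: s0CFD2Ab001960: from=<customer.care@icicibank.com>, size=1195500, class=0, nrcpts=40, msgid=<201401071631.s07GUSDv031526@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=[200.111.101.9]
Jan 12 09:20:11 fs sendmail[2001]: s0CFKBcd002001: AUTH=server, relay=[192.0.2.55], authid=alice, mech=PLAIN, bits=0
Jan 12 09:20:12 fs sendmail[2001]: s0CFKBcd002001: from=<alice@example.com>, size=2048, class=0, nrcpts=1, msgid=<a1@example.com>, proto=ESMTP, daemon=MTA, relay=[192.0.2.55]
Jan 12 09:25:00 fs sendmail[2050]: s0CFP0ef002050: from=<news@example.org>, size=4096, class=0, nrcpts=1, msgid=<n1@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [198.51.100.7]
"""

# Queue id follows the "sendmail[pid]: " prefix; STARTTLS lines have none and are skipped.
QID_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
AUTH_RE = re.compile(r"^AUTH=server, relay=(?P<relay>[^,]+), authid=(?P<authid>[^,]+), mech=(?P<mech>\w+)")
FROM_RE = re.compile(r"^from=<(?P<sender>[^>]*)>, size=(?P<size>\d+), class=-?\d+, nrcpts=(?P<nrcpts>\d+), .*relay=(?P<relay>.+)$")


def parse_sendmail_log(text):
    """Join AUTH= and from= lines by queue id into one record per message."""
    records = {}
    for line in text.splitlines():
        m = QID_RE.search(line)
        if not m:
            continue
        rec = records.setdefault(m.group("qid"), {"authid": None, "mech": None, "ip": None,
                                                  "sender": None, "nrcpts": 0, "size": 0})
        rest = m.group("rest")
        a = AUTH_RE.match(rest)
        if a:
            rec["authid"] = a.group("authid")
            rec["mech"] = a.group("mech")
            ipm = IP_RE.search(a.group("relay"))
            rec["ip"] = ipm.group(0) if ipm else a.group("relay")
            continue
        f = FROM_RE.match(rest)
        if f:
            rec["sender"] = f.group("sender")
            rec["nrcpts"] = int(f.group("nrcpts"))
            rec["size"] = int(f.group("size"))
            if rec["ip"] is None:  # unauthenticated mail: take the client address from the from= line
                ipm = IP_RE.search(f.group("relay"))
                rec["ip"] = ipm.group(0) if ipm else f.group("relay")
    return records


def summarize_by_account(records):
    """Per authenticated account: message count, recipients, distinct client IPs, envelope senders."""
    summary = defaultdict(lambda: {"messages": 0, "recipients": 0, "ips": set(), "senders": set()})
    for rec in records.values():
        if rec["authid"] is None or rec["sender"] is None:
            continue  # inbound, unauthenticated mail or a record with no from= line yet
        s = summary[rec["authid"]]
        s["messages"] += 1
        s["recipients"] += rec["nrcpts"]
        s["ips"].add(rec["ip"])
        s["senders"].add(rec["sender"])
    return dict(summary)


def rank_accounts(summary):
    """Accounts ordered by recipients delivered, then by message count, heaviest first."""
    return sorted(summary, key=lambda a: (summary[a]["recipients"], summary[a]["messages"]), reverse=True)


def suspicious_accounts(summary, max_ips=1, max_recipients=50):
    """Accounts authenticating from more than max_ips addresses or exceeding max_recipients."""
    return sorted(a for a, s in summary.items()
                  if len(s["ips"]) > max_ips or s["recipients"] > max_recipients)


if __name__ == "__main__":
    summary = summarize_by_account(parse_sendmail_log(SAMPLE_LOG))
    for acct in rank_accounts(summary):
        s = summary[acct]
        print(f"{acct}: {s['messages']} msgs, {s['recipients']} rcpts, "
              f"ips={sorted(s['ips'])}, senders={sorted(s['senders'])}")
    print("suspicious:", suspicious_accounts(summary))
```

Feed it `/var/log/maillog` (or the BlueOnyx equivalent) in place of the constructed sample; the account at the top of the ranking, or any account authenticating from several client addresses while sending a foreign envelope sender, is the one whose password Herb and Chuck suggest changing. The `authid` field is the login name sendmail accepted, which is what ties the abuse to a mailbox rather than to the forged `From:` header that the GUI blacklist was matching on.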
