major spam issue



Secret Agent
7th November 2004, 03:46 AM
Received "33" complaints regarding spam with this header

Email from 66.98.250.153 / Tue, 2 Nov 2004 02:54:30 +0100 (CET)
http://www.spamcop.net/w3m?i=z1279104888z46bce319b1a5e2c0376e99fc50bdaeedz

[ Offending message ]
Return-Path:
Received: from av3-1-sn2.hy.skanova.net (av3-1-sn2.hy.skanova.net [81.228.8.100])
by d1o1123.telia.com (8.11.1/8.10.1) with ESMTP id iA21saS21588
for ; Tue, 2 Nov 2004 02:54:36 +0100 (CET)
Received: by av3-1-sn2.hy.skanova.net (Postfix, from userid 502)
id 1F77B37E46; Tue, 2 Nov 2004 02:54:31 +0100 (CET)
Received: from smtp1-2-sn4.m-sp.skanova.net (smtp1-2-sn4.m-sp.skanova.net [81.228.10.121])
by av3-1-sn2.hy.skanova.net (Postfix) with ESMTP id 104C037E42
for ; Tue, 2 Nov 2004 02:54:31 +0100 (CET)
Received: by smtp1-2-sn4.m-sp.skanova.net (Postfix, from userid 503)
id 01B2537E61; Tue, 2 Nov 2004 02:54:30 +0100 (CET)
X-Original-Recipient: x
Received: from 66.98.250.153 (ns1.mydomain.com [xx.xx.250.153])
by smtp1-2-sn4.m-sp.skanova.net (Postfix) with ESMTP id 5CA0037E43;
Tue, 2 Nov 2004 02:54:30 +0100 (CET)
From: "Credit Consultants"
To: x
Cc: x
Subject: CREDIT REPAIR KIT MADE SIMPLE AND INEXPENSIVE
Date: Mon, 01 Nov 2004 19:54:31 -0600
MIME-Version: 1.0
Content-Type: text/html
Message-Id: <2004_________________7E43@smtp1-2-sn4.m-sp.skanova.net>
Status:


I find no information in /var/log/maillog at all for this. Tried every IP and bits and details. The log goes back to Oct 31st and this email was sent Nov 2nd. Please help

DRE.ORGY.NET
7th November 2004, 04:42 AM
You're not running an open mail relay, are you?

Secret Agent
7th November 2004, 04:48 AM
How would I know if an open mail relay is on or off? I've never intentionally done anything with mail configuration on my server

crackers
7th November 2004, 05:13 AM
1) Is your computer connected directly to the Internet?
2) Do you have a firewall configured?
3) Are you running sendmail?

DRE.ORGY.NET
7th November 2004, 02:18 PM
As stated above, are you running sendmail? If so, are you using it? If you're not, I would disable it and then try again.

You can try doing a telnet to yourself on port 110 to see if something is accepting connections.

ilja
7th November 2004, 05:37 PM
Seems not to be an open relay server with this test: http://www.abuse.net/relay.html

Secret Agent
8th November 2004, 03:49 AM
1) Is your computer connected directly to the Internet?
2) Do you have a firewall configured?
3) Are you running sendmail?

1. What do you mean "directly" to the internet?
2. Yes, APF
3. I'm using mailman according to WHM (web host manager, cpanel's admin area)

I heard mailman has a sendmail compatibility/similarity but not sure 100%.

So what do I do? I don't want to get booted off my server :)

crackers
9th November 2004, 04:54 AM
Directly means there's nothing between you and the wire coming out of the wall except the modem.

Okay, since ilja's checked that you're not an open mail relay, does this computer act as the mail-server and/or firewall/gateway for any Windows-based computers? If so, you'll really, really, really want to check them for spyware and/or worms/viruses. I would also strongly suggest checking the mailman logs (not familiar with that, so I don't know where they are - probably in /var/log) and check to see exactly where those e-mails came from. There should be some record and you can check vs. the timestamps on the e-mails.
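The first post and this last reply come down to the same forensic step: read the Received: chain to find where the message entered the mail system, then look for that instant in the server's own log. The script below is an added example, not code from the thread or from any poster. It unfolds the headers quoted in the first post, walks the Received: lines bottom-up (each relay prepends its own line, so the lowest one that records a connecting IP is the earliest entry written by a machine the sender did not control), converts every stamp to UTC, and then filters syslog-style maillog lines that fall within a few minutes of that instant. The maillog lines, the host name ns1, the "mta" tag and the queue ids are constructed, and the server's clock is assumed to run at UTC-6 (the offset the message's own Date: line uses); a syslog timestamp carries neither year nor zone, so that offset is the one input you have to supply.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the Received chain and Date line from the message quoted
# in the thread, with the redacted bracket IP filled in from the same post.
SAMPLE_HEADERS = """\
Received: from av3-1-sn2.hy.skanova.net (av3-1-sn2.hy.skanova.net [81.228.8.100])
 by d1o1123.telia.com (8.11.1/8.10.1) with ESMTP id iA21saS21588
 for <x>; Tue, 2 Nov 2004 02:54:36 +0100 (CET)
Received: by av3-1-sn2.hy.skanova.net (Postfix, from userid 502)
 id 1F77B37E46; Tue, 2 Nov 2004 02:54:31 +0100 (CET)
Received: from smtp1-2-sn4.m-sp.skanova.net (smtp1-2-sn4.m-sp.skanova.net [81.228.10.121])
 by av3-1-sn2.hy.skanova.net (Postfix) with ESMTP id 104C037E42
 for <x>; Tue, 2 Nov 2004 02:54:31 +0100 (CET)
Received: by smtp1-2-sn4.m-sp.skanova.net (Postfix, from userid 503)
 id 01B2537E61; Tue, 2 Nov 2004 02:54:30 +0100 (CET)
Received: from 66.98.250.153 (ns1.mydomain.com [66.98.250.153])
 by smtp1-2-sn4.m-sp.skanova.net (Postfix) with ESMTP id 5CA0037E43;
 Tue, 2 Nov 2004 02:54:30 +0100 (CET)
Date: Mon, 01 Nov 2004 19:54:31 -0600
"""

# Constructed maillog lines (syslog format: no year, no zone, server-local clock).
# Host name, MTA tag and queue ids are hypothetical; the thread shows no log.
SAMPLE_MAILLOG = [
    "Nov  1 19:54:29 ns1 mta[4431]: 9A1F7: from=<credit@example.net>, nrcpts=40, relay=localhost [127.0.0.1]",
    "Nov  1 19:54:30 ns1 mta[4432]: 9A1F7: to=<x@telia.com>, relay=smtp1-2-sn4.m-sp.skanova.net [81.228.10.121], stat=Sent",
    "Nov  1 23:10:02 ns1 mta[4720]: 9A2C0: from=<cron@ns1.mydomain.com>, nrcpts=1",
]

HOP_RE = re.compile(
    r"^Received:\s*(?:from\s+(?P<from>\S+)(?:\s*\((?P<info>[^)]*)\))?\s+)?"
    r"by\s+(?P<by>\S+).*?;\s*(?P<date>.+)$"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) ")


def unfold(raw):
    """Join RFC 2822 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received_chain(raw):
    """Received: hops top-down: connecting IP from the brackets (None for a local
    hand-off), the receiving host, and the relay's own stamp converted to UTC."""
    hops = []
    for line in unfold(raw):
        m = HOP_RE.match(line)
        if not m:
            continue
        ip = IP_RE.search(m.group("info") or "")
        hops.append({
            "ip": ip.group(1) if ip else None,
            "by": m.group("by"),
            "time": parsedate_to_datetime(m.group("date")).astimezone(timezone.utc),
        })
    return hops


def origin_hop(hops):
    """Relays prepend, so the lowest hop naming a bracketed IP is the earliest
    record from a server the sender did not control; lines below could be forged."""
    return next((h for h in reversed(hops) if h["ip"]), None)


def date_header_skew_seconds(raw, hops):
    """Seconds between the sender-supplied Date: and the origin relay's stamp.
    Seconds means a sane sender clock; hours means the Date: line was forged."""
    for line in unfold(raw):
        if line.lower().startswith("date:"):
            sent = parsedate_to_datetime(line[5:].strip()).astimezone(timezone.utc)
            return int((sent - origin_hop(hops)["time"]).total_seconds())
    return None


def maillog_window(lines, origin_utc, server_utc_offset_hours, tolerance_minutes=10):
    """Log lines stamped within +/- tolerance of origin_utc. Syslog stamps carry no
    year or zone, so the server's offset is supplied and the year taken from origin_utc."""
    tz = timezone(timedelta(hours=server_utc_offset_hours))
    start = origin_utc - timedelta(minutes=tolerance_minutes)
    end = origin_utc + timedelta(minutes=tolerance_minutes)
    hits = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(
            f"{m.group(1)} {m.group(2)} {origin_utc.year} {m.group(3)}", "%b %d %Y %H:%M:%S"
        ).replace(tzinfo=tz)
        if start <= stamp <= end:
            hits.append(line)
    return hits


if __name__ == "__main__":
    hops = parse_received_chain(SAMPLE_HEADERS)
    origin = origin_hop(hops)
    print("entered the mail system from", origin["ip"], "at", origin["time"].isoformat())
    print("Date: header skew:", date_header_skew_seconds(SAMPLE_HEADERS, hops), "s")
    for hit in maillog_window(SAMPLE_MAILLOG, origin["time"], server_utc_offset_hours=-6):
        print(hit)
```

Note the two clocks in the quoted headers: Date: says 19:54 -0600 while every Received: stamp says 02:54 +0100, and those are the same instant one second apart. A log kept in a US zone records that instant on 1 Nov, so grepping for the 2 Nov date shown in the complaint returns nothing even when the entry is there; the window search above compares instants rather than calendar days, which is the check to run before concluding the log has no record.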