Have you found the IP address of the host?
Shouldn't it be easy to find it in one of the spam messages?
adamc
Matti Haack wrote:
We are a SERVICE Provider, so we want to provide a good service to
our customers. After the first issue from them, they cleaned up
all machines, but the problem reappeared two weeks later. Maybe it
is some mobile device which gets attached to their network.
So yes, I shut down their service weeks ago. They told me
they corrected the problem, I reactivated the account and after two
weeks it happened again... Unfortunately they can't send from
their DUP Provider, as they force them to use the provider's free
email address.
The main problem is that this spamming normally happens during
night time. So I am looking for a method to prevent them (and
other customers) from starting this again. When we detect it (kiwi-Syslog
sends alarm), it is normally too late and our queue is filled with
bounces which have to be removed manually. To mitigate this problem, I
made a small script which monitors the queue size and sends alarm
messages if the queue grows unusually.
As the from address is faked too, we got masses of bounces. - And the
sender has no idea what he did...
So do you have any idea how to force users to a special
"from:" domain? Technical, not ideological...
With best regards Matti Haack
I have some problem with the way IMail (8.x) handles SMTP-Auth
email. A customer of ours seems to have a compromised host,
which sends spam every two weeks or so through their local gateway
Tell them that you will not relay outbound mail that has been
submitted to their system without SMTP AUTH.
Since they are spamming you from a trusted IP, you show them your
logs and shut them off until they fix their system. In the
meantime, their own gateway can send directly to Internet and shift
the problem onto them.
- which is relayed over our IMAIL Server.
Their mail server requires no authentication for their local
hosts to send mail
I'd be surprised if a mail-bot/trojan in a compromised machine is
doing SMTP AUTH to submit spam to their mail server. Their mail
server is more likely doing relay for addresses.
Len
- Matti Haack - Hit Haack IT Service Gmbh Poltlbauer Weg 4, D-94036
Passau +49 851 50477-22 Fax: +49 851 50477-29 http://www.haack-it.de