Is it possible they guessed a user's account/password and are using SMTP Auth to relay through your system?

Darrell
------------------------------------
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, MRTG Integration, and Log Parsers.

----- Original Message -----
From: "serge" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 03, 2004 8:26 PM
Subject: Re: [Declude.JunkMail] HELP, I'm beiing hijacked

> 20040903 104237 127.0.0.1 SMTPD (11AF0190) [208.154.200.6] connect 61.144.136.193 port 4124
> 20040903 104238 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] EHLO sapling
>
> these are the only other lines "(11AF0190)"
> [208.154.200.6] is my server ip
>
> ----- Original Message -----
> From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, September 03, 2004 11:47 PM
> Subject: RE: [Declude.JunkMail] HELP, I'm beiing hijacked
>
> > You are missing a line. What does connect line show, which is the line
> > before the MAIL FROM?
> >
> > John Tolmachoff
> > Engineer/Consultant/Owner
> > eServices For You
> >
> >> -----Original Message-----
> >> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of serge
> >> Sent: Friday, September 03, 2004 4:36 PM
> >> To: [EMAIL PROTECTED]
> >> Cc: [EMAIL PROTECTED]
> >> Subject: [Declude.JunkMail] HELP, I'm beiing hijacked
> >>
> >> Hi all
> >>
> >> I have 100's of lines like:
> >> 20040903 104526 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] MAIL FROM: <[EMAIL PROTECTED]>
> >> 20040903 104529 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] RCPT TO:<[EMAIL PROTECTED]>
> >> 20040903 104532 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] F:\Imail\spool\D4b4611af01909a4c.SMD 952
> >>
> >> All from same IP [61.144.136.193], and all with same "SMTPD (11AF0190)",
> >> also the spool file name is different
> >> I have smtp set to "relay for addresses", and they do not include
> >> 61.144.136.193
> >>
> >> I can see no auth from 61.144.136.193 in the logs
> >>
> >> I added 61.144.136.193 to smtp "control access", but how can I prevent this
> >> from happening, and how can I find how/why they gained access to my server?
> >>
> >> TIA
> >>
> >> ---
> >> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
> >>
> >> ---
> >> This E-mail came from the Declude.JunkMail mailing list. To
> >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> >> type "unsubscribe Declude.JunkMail". The archives can be found
> >> at http://www.mail-archive.com.
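
A triage script for the question raised in this thread, added here as an example and not code from any of the posters or from IMail/Declude: it groups SMTPD log lines by session id and lists sessions that sent to non-local domains with no AUTH line and no relay grant. The line layout is taken from the excerpts in the thread; the `AUTH` line format, the placeholder addresses, the second session and the local-domain list are constructed assumptions.

```python
import re
from collections import defaultdict

# Layout from the thread's excerpts: YYYYMMDD HHMMSS 127.0.0.1 SMTPD (session) [ip] text
LINE = re.compile(r"^\d{8} \d{6} \S+ SMTPD \((\w+)\) \[([\d.]+)\] (.*)$")
CONNECT = re.compile(r"^connect ([\d.]+) port \d+")
RCPT = re.compile(r"^RCPT TO:\s*<[^@>]*@([^>]+)>", re.I)

def summarize(lines, local_domains):
    """Group SMTPD lines by session id; count non-local recipients per session."""
    local = {d.lower() for d in local_domains}
    sessions = defaultdict(lambda: {"peer": None, "auth": False,
                                    "foreign_rcpt": 0, "spooled": 0})
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        sid, ip, text = m.groups()
        s = sessions[sid]
        c, r = CONNECT.match(text), RCPT.match(text)
        if c:  # on connect lines the bracketed IP is the server's own address
            s["peer"] = c.group(1)
        elif r:  # a recipient outside our domains is a relay request
            s["foreign_rcpt"] += r.group(1).lower() not in local
        elif text.upper().startswith("AUTH"):  # assumption: AUTH is logged like a command
            s["auth"] = True
        elif re.search(r"\.SMD \d+$", text, re.I):  # spool file name and size
            s["spooled"] += 1
        if s["peer"] is None:
            s["peer"] = ip
    return dict(sessions)

def relay_suspects(sessions, relay_ips=()):
    """Session ids that addressed foreign domains with no AUTH and no relay grant."""
    return sorted(sid for sid, s in sessions.items()
                  if s["foreign_rcpt"] and not s["auth"]
                  and s["peer"] not in relay_ips)

# Constructed sample: the first session mirrors the thread's lines with placeholder
# addresses; the second is an invented authenticated client for contrast.
SAMPLE = [
    "20040903 104237 127.0.0.1 SMTPD (11AF0190) [208.154.200.6] connect 61.144.136.193 port 4124",
    "20040903 104526 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] MAIL FROM: <a@example.org>",
    "20040903 104529 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] RCPT TO:<b@example.net>",
    r"20040903 104532 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] F:\Imail\spool\D4b4611af01909a4c.SMD 952",
    "20040903 110001 127.0.0.1 SMTPD (22BB0001) [192.0.2.10] AUTH LOGIN",
    "20040903 110002 127.0.0.1 SMTPD (22BB0001) [192.0.2.10] RCPT TO:<c@example.net>",
]
```

Pass the server's own mail domains as `local_domains` and the "relay for addresses" list as `relay_ips`; a session that still shows up was allowed to relay by something other than AUTH or that list.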