very possible but i am trying to find a way to find which account is beiing used is there a way to find the account that authorized the session ?
Also, is there a log analyzer that can show the messages where the both the sender and the recipient are not local ?
TIA
----- Original Message ----- From: "Darrell ([EMAIL PROTECTED])" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, September 04, 2004 1:33 AM
Subject: Re: [Declude.JunkMail] HELP, I'm beiing hijacked
Is it possible they guessed a users account/password and are using SMTP Auth
to relay through your system?
Darrell
----------------------------------------------------------------------------
------------------------------------
Check out http://www.invariantsystems.com for utilities for Declude And
Imail.
IMail/Declude Overflow Queue Monitoring, MRTG Integration, and Log Parsers.
----- Original Message ----- From: "serge" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 03, 2004 8:26 PM
Subject: Re: [Declude.JunkMail] HELP, I'm beiing hijacked
(11AF0190)",20040903 104237 127.0.0.1 SMTPD (11AF0190) [208.154.200.6] connect 61.144.136.193 port 4124 20040903 104238 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] EHLO sapling
these are the only other lines "(11AF0190)" [208.154.200.6] is my server ip
----- Original Message ----- From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 03, 2004 11:47 PM
Subject: RE: [Declude.JunkMail] HELP, I'm beiing hijacked
> You are missing a line. What does connect line show, which is the line > before the MAIL FROM? > > John Tolmachoff > Engineer/Consultant/Owner > eServices For You > > >> -----Original Message----- >> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- >> [EMAIL PROTECTED] On Behalf Of serge >> Sent: Friday, September 03, 2004 4:36 PM >> To: [EMAIL PROTECTED] >> Cc: [EMAIL PROTECTED] >> Subject: [Declude.JunkMail] HELP, I'm beiing hijacked >> >> Hi all >> >> I have 100's of lines like: >> 20040903 104526 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] MAIL > FROM: >> <[EMAIL PROTECTED]> >> 20040903 104529 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] RCPT >> TO:<[EMAIL PROTECTED]> >> 20040903 104532 127.0.0.1 SMTPD (11AF0190) [61.144.136.193] >> F:\Imail\spool\D4b4611af01909a4c.SMD 952 >> >> All from same IP [61.144.136.193], and all with same "SMTPD(http://www.declude.com)]>> also the spool file name is different >> I have smtp set to "relay for addresses", and they do not include >> 61.144.136.193 >> >> i can see no auth from 61.144.136.193 in the logs >> >> i added 61.144.136.193 to smtp "control access", but how can i prevent > this >> from happening, and how can i find how/why they gained access to my > server? >> >> TIA >> >> --- >> [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] >> >> --- >> This E-mail came from the Declude.JunkMail mailing list. To >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >> type "unsubscribe Declude.JunkMail". The archives can be found >> at http://www.mail-archive.com. > > --- > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. >
--- [This E-mail was scanned for viruses by Declude Virus
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.