My log files have tripled in size the last 3 days.
Quick action is key to hijacking. The spammer has already gotten his money's worth from your service. Three days of spamming before getting kicked off is excellent for a spammer. They are happy with 12 hours if they can get it.
Entering your IP in the Spam Database Lookup tool at http://www.DNSstuff.com shows the PSBL listing, which lists this evidence:
From [EMAIL PROTECTED] Tue Sep 07 15:20:34 2004
Delivery-date: Tue, 07 Sep 2004 15:20:34 -0400
Received: from [65.240.164.10] (helo=ethixs.com)
	by mail.victim.example with esmtp (Exim 4.41)
	id 1C4lW6-0003Ru-1O
	for [EMAIL PROTECTED]; Tue, 07 Sep 2004 15:20:34 -0400
Received: from scooping [201.129.134.20] by ethixs.com with ESMTP
	(SMTPD32-7.11) id A85B449A025C; Tue, 07 Sep 2004 15:13:31 -0400
From: "Moira Shori"<[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: FDA APPROVED PRESCRl|PT|0N MEDI1CATlONS.
Mime-Version: 1.0
Date: Tue, 7 Sep 2004 15:14:03 -0400
Removing all but the Received: headers brings it down to:
Received: from [65.240.164.10] (helo=ethixs.com)
by mail.victim.example with esmtp (Exim 4.41)
id 1C4lW6-0003Ru-1O
for [EMAIL PROTECTED]; Tue, 07 Sep 2004 15:20:34 -0400
Received: from scooping [201.129.134.20] by ethixs.com with ESMTP
(SMTPD32-7.11) id A85B449A025C; Tue, 07 Sep 2004 15:13:31 -0400
The first Received: header is from the mailserver that actually received the spam. The second one is the one that is apparently from your mailserver. And guess what? It matches the IMail Received: header format perfectly. Guess what else? You can cross-reference that with your IMail log files to prove that IMail did indeed send the E-mail. And you can check to see if the IP 201.129.134.20 is allowed to relay. And you can check to see if any funky stuff went on to get the E-mail sent out (such as authentication or a deprecated routing format using '%' or '!').
-Scott
---
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
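The header walk Scott describes, as an added example that is not code from the post above, from Declude or from IMail: it unfolds the Received: headers, finds the hop stamped "by" the server under suspicion, pulls out the client IP and the queue id to grep for in that server's log, checks the client IP against a relay allowlist, and flags '%'-hack, bang-path and source-routed recipient addresses. The sample headers are the two quoted in the post with placeholder addresses substituted; the hostname ethixs.com is taken from them, and the allowlist networks are made up for the example. It does not parse IMail's log format, which the post does not show; the queue id it returns is what you would search the log for.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two Received: headers quoted in the post above,
# with placeholder addresses; one non-Received header is included to show
# that it is ignored.
SAMPLE_HEADERS = """\
Received: from [65.240.164.10] (helo=ethixs.com)
\tby mail.victim.example with esmtp (Exim 4.41)
\tid 1C4lW6-0003Ru-1O
\tfor <victim@victim.example>; Tue, 07 Sep 2004 15:20:34 -0400
Received: from scooping [201.129.134.20] by ethixs.com with ESMTP
\t(SMTPD32-7.11) id A85B449A025C; Tue, 07 Sep 2004 15:13:31 -0400
Subject: FDA APPROVED PRESCRl|PT|0N MEDI1CATlONS.
"""

# Hypothetical relay allowlist for ethixs.com: networks whose clients may
# relay without authenticating. Made up for this example; use your own.
ALLOWED_RELAYS = ["65.240.164.0/24", "127.0.0.0/8"]


@dataclass
class Hop:
    from_name: Optional[str]   # HELO name or bracketed literal as stamped
    from_ip: Optional[str]     # first bracketed IPv4 literal on the hop
    by_host: Optional[str]     # server that wrote this Received: line
    with_proto: Optional[str]
    msg_id: Optional[str]      # that server's queue id; grep the log for it
    for_addr: Optional[str]    # envelope recipient, if the server records it
    date: str


def unfold(raw: str) -> List[str]:
    """Join continuation lines (leading whitespace) onto their header line."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def _grab(pattern: str, text: str) -> Optional[str]:
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_received(raw: str) -> List[Hop]:
    """Return Received: hops in header order (index 0 = most recent hop)."""
    hops: List[Hop] = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        value = line.split(":", 1)[1].strip()
        body, sep, date = value.rpartition(";")   # the date follows the last ';'
        if not sep:
            body, date = value, ""
        hops.append(Hop(
            from_name=_grab(r"\bfrom\s+(\S+)", body),
            from_ip=_grab(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", body),
            by_host=_grab(r"\bby\s+(\S+)", body),
            with_proto=_grab(r"\bwith\s+(\S+)", body),
            msg_id=_grab(r"\bid\s+(\S+)", body),
            for_addr=_grab(r"\bfor\s+<?([^\s<>;]+)>?", body),
            date=date.strip(),
        ))
    return hops


def find_relay_hop(hops: List[Hop], our_host: str) -> Optional[Hop]:
    """The hop stamped 'by our_host' records the client that handed us the mail."""
    for hop in hops:
        if hop.by_host and hop.by_host.lower().rstrip(".") == our_host.lower():
            return hop
    return None


def is_allowed_relay(ip: str, allowed_networks: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in allowed_networks)


def suspicious_routing(addr: str) -> List[str]:
    """Flag deprecated relay tricks in a recipient address: the '%' hack
    (user%target@ourhost), UUCP bang paths (host!user) and source routes."""
    local, _, _domain = addr.rpartition("@")
    findings = []
    if "%" in local:
        findings.append("percent-hack")
    if "!" in local:
        findings.append("bang-path")
    if addr.startswith("@"):
        findings.append("source-route")
    return findings


def audit(raw: str, our_host: str, allowed_networks: List[str]) -> dict:
    """Decide whether our_host relayed this message, from whom, and how."""
    hops = parse_received(raw)
    relay = find_relay_hop(hops, our_host)
    if relay is None:
        return {"relayed_by_us": False, "hops": len(hops)}
    routing = sorted({f for h in hops if h.for_addr for f in suspicious_routing(h.for_addr)})
    return {
        "relayed_by_us": True,
        "hops": len(hops),
        "client_ip": relay.from_ip,
        "client_helo": relay.from_name,
        "queue_id": relay.msg_id,
        "relay_time": relay.date,
        "allowed_to_relay": bool(relay.from_ip) and is_allowed_relay(relay.from_ip, allowed_networks),
        "routing_flags": routing,
    }


if __name__ == "__main__":
    for key, val in audit(SAMPLE_HEADERS, "ethixs.com", ALLOWED_RELAYS).items():
        print(f"{key}: {val}")
```

On the sample, the hop written by ethixs.com names 201.129.134.20 as the client and A85B449A025C as the queue id; with that IP outside the allowlist and no '%' or '!' in any recorded recipient, the remaining explanations are an open relay, a compromised account, or a forged header, which is where the log lookup by queue id settles it.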