I have seen this attempt on 2 servers and it succeeded on one server when
someone set up a new domain and did not follow procedures to the T.

Change the passwords of all ROOT accounts YESTERDAY. That is what is being
used. The default root password is well known. 

BTW, Declude Hijack stops this spammer cold! Yes!

John T

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chad Walter
Sent: Monday, January 28, 2008 9:50 AM
To: imail_forum@list.ipswitch.com
Subject: [IMail Forum] Need some smtp log help - hacked account?

My log file was enormous this morning and realized that some spammer was
sending email through my server.  I am running 2006.022 (whatever the latest
is).  Being a relative novice to this stuff I was wondering as to how a
spammer was able to do this.  I was able to block the ip address but not
until thousands of messages had been sent.  I only allow relaying to local
users, and the sender was not a local user ([EMAIL PROTECTED]). So how
did this happen?  I have been running Imail for 8 years without incident.  I
upgraded to the newest version of Imail this month.  What settings am I
missing?  Below is a snippet of my log file.  I replaced my domain and IP
with mymaildomain.com [11.11.11.11], just so it
wouldn't be found in google searches years from now.  I would appreciate any
insight or comments from anyone willing to offer them.  Thanks in advance.

01:28 03:18 SMTP-(9d83018400000da7) [x] doing direct send allstccath.org
01:28 03:18 SMTP-(9d83018400000da7) Trying allstccath.org (0)
01:28 03:18 SMTP-(9d83018400000da7) [x] Connecting socket to service <SMTP> on host <allstccath.org> using protocol <tcp>
01:28 03:18 SMTP-(9d83018400000da7) [x] using source IP for mymaildomain.com [11.11.11.11]
01:28 03:18 SMTP-(9dc6019100000dcc) recip is <[EMAIL PROTECTED]>
01:28 03:18 SMTP-(9dc6019100000dcc) [x] looking up colsd.org in HOSTS and MX
01:28 03:18 SMTP-(9dc6019100000dcc) [x] looking up colsd.org in HOSTS and MX
01:28 03:18 SMTP-(9d9a019100000db2) 250-rly-db01.mx.aol.com 84.fd.1243.static.theplanet.com
01:28 03:18 SMTP-(9d9a019100000db2) 250 HELP
01:28 03:18 SMTP-(9d9a019100000db2) >MAIL FROM:<[EMAIL PROTECTED]>
01:28 03:18 SMTP-(9d9a019100000db2) 250 OK
01:28 03:18 SMTP-(9d9a019100000db2) >RCPT To:<[EMAIL PROTECTED]>
01:28 03:18 SMTP-(9d83018400000da7) 220 mx3.fuse.net ESMTP ecelerity 2.1.1.22 r(17669) Mon, 28 Jan 2008 04:18:24 -0500
01:28 03:18 SMTP-(9d83018400000da7) Connect allstccath.org [216.68.8.213:25] (1)
01:28 03:18 SMTP-(9d83018400000da7) >EHLO responsiveinc.com
01:28 03:18 SMTP-(9d8d01a000000dab) 250 Ok
01:28 03:18 SMTP-(9d8d01a000000dab) >DATA
01:28 03:18 SMTP-(9d83018400000da7) 250-gwin3 says EHLO to 11.11.11.11
01:28 03:18 SMTP-(9d83018400000da7) 250-ENHANCEDSTATUSCODES
01:28 03:18 SMTP-(9d83018400000da7) 250-PIPELINING
01:28 03:18 SMTP-(9d83018400000da7) 250 8BITMIME
01:28 03:18 SMTP-(9d83018400000da7) >MAIL FROM:<[EMAIL PROTECTED]>
01:28 03:18 SMTP-(9d9a019100000db2) 550 MAILBOX NOT FOUND
01:28 03:18 SMTP-(9d9a019100000db2) Unexpected RCPT TO response from the SMTP server on aol.com: 550 MAILBOX NOT FOUND
01:28 03:18 SMTP-(9d9a019100000db2) >QUIT
01:28 03:18 SMTP-(9d8d01a000000dab) 354 Feed me
01:28 03:18 SMTP-(9d8d01a000000dab) >.
01:28 03:18 SMTP-(9d83018400000da7) 250 MAIL FROM accepted
01:28 03:18 SMTP-(9d83018400000da7) >RCPT To:<[EMAIL PROTECTED]>
01:28 03:18 SMTP-(9d9a019100000db2) 221 SERVICE CLOSING CHANNEL
01:28 03:18 SMTP-(9d9a019100000db2) [u] closing socket (u)
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 4
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 8
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 8
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 4
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 4
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 8
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 8
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 8
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) R<[EMAIL PROTECTED]> - 1
01:28 03:18 SMTP-(9d9a019100000db2) [x] doing direct send comcast.net
01:28 03:18 SMTP-(9d9a019100000db2) Trying comcast.net (0)
01:28 03:18 SMTP-(9d9a019100000db2) [x] Connecting socket to service <SMTP> on host <comcast.net> using protocol <tcp>
01:28 03:18 SMTP-(9d9a019100000db2) [x] using source IP for mymaildomain.com [11.11.11.11]
01:28 03:18 SMTP-(9d83018400000da7) 550 Recipient [EMAIL PROTECTED] does not exist here
01:28 03:18 SMTP-(9d83018400000da7) Unexpected RCPT TO response from the SMTP server on allstccath.org: 550 Recipient [EMAIL PROTECTED] does not exist here
01:28 03:18 SMTP-(9d83018400000da7) >QUIT
01:28 03:18 SMTP-(9d83018400000da7) 221 gwin3 closing connection
01:28 03:18 SMTP-(9d83018400000da7) [u] closing socket (u)

Thanks,
Chad Walter
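The log above is the outbound-queue view of the abuse: the server is doing direct sends on behalf of an envelope sender that is not a local user, each queued message fans out to dozens of recipients, and remote hosts answer with 550 rejections. The Python script below is an added example, not part of this thread and not IMail or Declude code. It parses lines in the format of the quoted snippet, groups them by session id, and flags sessions showing those three signs, so that a similar problem can be spotted from the log before thousands of messages leave the server. The line format is taken from the snippet; the session field names, the thresholds, the local-domain list and the sample log lines are all constructed for the example.

```python
import re

# Line shape as it appears in the IMail SMTP log snippet quoted in this thread:
#   "<mm:dd> <hh:mm> SMTP-(<session id>) <message>"
# A message line that the mail client wrapped onto a following line carries no
# timestamp or session id, so it is skipped rather than mis-attributed.
LINE_RE = re.compile(r"^(\d\d:\d\d) (\d\d:\d\d) SMTP-\(([0-9a-fA-F]+)\) (.*)$")
RECIP_RE = re.compile(r"^R<([^>]*)> - \d+$")           # queued recipient lines
MAILFROM_RE = re.compile(r"^>MAIL FROM:<([^>]*)>", re.IGNORECASE)
DIRECT_SEND_RE = re.compile(r"^\[x\] doing direct send (\S+)$")
PERM_FAIL_RE = re.compile(r"^5\d\d[ -]")               # 5xx reply from the remote host


def parse_sessions(lines):
    """Group log lines by session id and summarise each outbound session."""
    sessions = {}
    for raw in lines:
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue  # wrapped continuation or unrelated text
        _date, _time, sid, msg = m.groups()
        s = sessions.setdefault(sid, {
            "sender": None, "recipients": [], "direct_send_hosts": [], "perm_failures": 0,
        })
        if (r := RECIP_RE.match(msg)):
            s["recipients"].append(r.group(1))
        elif (f := MAILFROM_RE.match(msg)):
            s["sender"] = f.group(1)
        elif (d := DIRECT_SEND_RE.match(msg)):
            s["direct_send_hosts"].append(d.group(1))
        elif PERM_FAIL_RE.match(msg):
            s["perm_failures"] += 1
    return sessions


def domain_of(address):
    """Lower-cased domain part of an address, or "" when there is no '@'."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def flag_relay_abuse(sessions, local_domains, max_recipients=10):
    """Return {session id: [reasons]} for sessions that look like relay abuse.

    Thresholds are constructed for this example; they are not IMail settings.
    An empty MAIL FROM (a bounce) is left alone, since it has no sender domain.
    """
    local = {d.lower() for d in local_domains}
    flagged = {}
    for sid, s in sessions.items():
        reasons = []
        if s["sender"] and domain_of(s["sender"]) not in local:
            reasons.append("sender-not-local")      # relaying for a stranger
        if len(s["recipients"]) > max_recipients:
            reasons.append("recipient-fanout")      # one message, many targets
        if s["perm_failures"]:
            reasons.append("remote-550")            # unvalidated address list
        if reasons:
            flagged[sid] = reasons
    return flagged


def build_sample_log():
    """Constructed sample lines (not real traffic) in the snippet's format."""
    abuse = "9d9a019100000db2"   # session id reused from the quoted log
    local = "0000000000000001"   # constructed id for a legitimate local send
    lines = [f"01:28 03:18 SMTP-({abuse}) >MAIL FROM:<bulk@spammer.example>",
             f"01:28 03:18 SMTP-({abuse}) >RCPT To:<nobody@example.org>",
             f"01:28 03:18 SMTP-({abuse}) 550 MAILBOX NOT FOUND",
             f"01:28 03:18 SMTP-({abuse}) >QUIT"]
    lines += [f"01:28 03:18 SMTP-({abuse}) R<user{i}@example.org> - 1" for i in range(12)]
    lines += [f"01:28 03:18 SMTP-({abuse}) [x] doing direct send example.org",
              f"01:28 03:18 SMTP-({abuse}) [x] Connecting socket to service <SMTP>",
              "on host <example.org> using protocol <tcp>",   # wrapped by the mail client
              f"01:28 03:20 SMTP-({local}) >MAIL FROM:<alice@mymaildomain.com>",
              f"01:28 03:20 SMTP-({local}) R<bob@example.net> - 1",
              f"01:28 03:20 SMTP-({local}) 250 OK"]
    return lines


if __name__ == "__main__":
    sessions = parse_sessions(build_sample_log())
    for sid, reasons in flag_relay_abuse(sessions, ["mymaildomain.com"]).items():
        s = sessions[sid]
        print(f"{sid}: {', '.join(reasons)}; sender={s['sender']} "
              f"recipients={len(s['recipients'])} hosts={s['direct_send_hosts']}")
```

Run it against a real log by replacing `build_sample_log()` with the file's lines; the parser only needs the timestamp and `SMTP-(id)` prefix, so the wrapped lines in a pasted snippet are skipped harmlessly. A session that trips the sender-not-local check on a server that is supposed to relay for local users only is the thing to investigate first, since it means something authenticated or was otherwise allowed to relay; the fanout and 550 checks are there to rank the noisiest sessions.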
