> I tried the domlist on a partial log file I have on my local
> machine... don't think it will help too much because there is only
> one domain..
If you run it with a log file from before (35 meg) and one now (400K), it will at
least let you know whether the excess was incoming or outgoing. If it was outgoing,
you're probably dealing with a spammer. If it's incoming, then you may have
accidentally blocked too many IPs.
> the problem as I see it is someone is using our mail server to
> send bulk emails that look like they are coming from us...
This should be easy to determine from the logs...
> I see this kind of thing thousands of times in the logs...
> The way I read it is that someone is coming in from 64.30.217.73
> and trying to send out to a whole bunch of email addresses and
> it looks as if they are coming from us...
Yup, that would be a spammer hijacking your server.
> Since I have been seeing this from several different IP addresses in
> the 64.30.***.*** range I put in the IMail admin access control to
> not accept from IP 64.30.0.0 --> 255.255.255.0 I found 5
> IP blocks that this was happening in so I did the same thing with
> the other blocks of IP addresses.
Just be aware that the 64.x.x.x block is used by uunet, and tons of dialup accounts
use those. Depending on who legitimately should use your mail server, blocking too
many of those could be a problem.
>02:08 00:00 SMTPD(03A40234) [64.30.217.73] HELO faroc.com.au
>02:08 00:00 SMTPD(03A40234) [64.30.217.73] MAIL From: <[EMAIL PROTECTED]>
>02:08 00:00 SMTPD(03A40234) [64.30.217.73] RCPT To:<[EMAIL PROTECTED]>
>02:08 00:00 SMTPD(03A40234) [64.30.217.73] ERR mail.eurobid.com invalid user <[EMAIL PROTECTED]
That's a GOOD thing! That's the spammer (I would guess, since I assume you are
neither AOL nor Mindspring). Your mail server is telling him that he can't send mail.
But do check to make sure you are using "Relay for addresses", not "Relay for
spammers" (also known as "Relay for hosts" or "Relay for users").
--
-Scott
Declude: Anti-virus and Anti-spam solutions for IMail. http://www.declude.com
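
The log check discussed in this thread, as an added example that is not part of the original message and is not IMail or Declude code: it tallies refused recipients per client IP, so single sources can be identified instead of blocking a whole range. The line layout is inferred from the SMTPD lines quoted above; the function names, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Layout modelled on the SMTPD lines quoted in the thread:
#   <time> <elapsed> SMTPD(<session>) [<client ip>] <verb> <rest>
LINE_RE = re.compile(
    r"^\d\d:\d\d \S+ SMTPD\((?P<session>[0-9A-Fa-f]+)\) "
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] (?P<verb>[A-Z]+)\s*(?P<rest>.*)$"
)

def summarize(lines):
    """Per client IP: distinct sessions, RCPT attempts, 'invalid user' refusals."""
    stats = defaultdict(lambda: {"sessions": set(), "rcpt": 0, "rejected": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # wrapped lines or entries from other services
        entry = stats[m["ip"]]
        entry["sessions"].add(m["session"])
        if m["verb"] == "RCPT":
            entry["rcpt"] += 1
        elif m["verb"] == "ERR" and "invalid user" in m["rest"]:
            entry["rejected"] += 1
    return stats

def refused_relay_sources(lines, min_rejected=3):
    """(ip, refusals, sessions) for IPs at or above the assumed threshold."""
    hits = [(ip, s["rejected"], len(s["sessions"]))
            for ip, s in summarize(lines).items() if s["rejected"] >= min_rejected]
    return sorted(hits, key=lambda h: h[1], reverse=True)

# Constructed sample (documentation IPs and example domains, not real log data).
SAMPLE = """\
02:08 00:00 SMTPD(03A40234) [192.0.2.73] HELO bulk.example.net
02:08 00:00 SMTPD(03A40234) [192.0.2.73] MAIL From: <sales@example.com>
02:08 00:00 SMTPD(03A40234) [192.0.2.73] RCPT To:<u1@example.org>
02:08 00:00 SMTPD(03A40234) [192.0.2.73] ERR mail.example.com invalid user <u1@example.org>
02:08 00:00 SMTPD(03A40234) [192.0.2.73] RCPT To:<u2@example.org>
02:08 00:00 SMTPD(03A40234) [192.0.2.73] ERR mail.example.com invalid user <u2@example.org>
02:09 00:00 SMTPD(03A40310) [192.0.2.73] RCPT To:<u3@example.org>
02:09 00:00 SMTPD(03A40310) [192.0.2.73] ERR mail.example.com invalid user <u3@example.org>
02:10 00:00 SMTPD(03A40388) [192.0.2.10] HELO dialup.example.net
02:10 00:00 SMTPD(03A40388) [192.0.2.10] RCPT To:<staff@example.com>
""".splitlines()

if __name__ == "__main__":
    for ip, refused, sessions in refused_relay_sources(SAMPLE):
        print(f"{ip}: {refused} refused recipients in {sessions} session(s)")
```

In the sample, 192.0.2.10 sits in the same /24 as the flagged address but has no refusals, which is the case a range-wide access-control block would cut off.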