Hello Eric,
  Inserted is a snippet of my log for last night.

-- log insert ------------------------------------------
@400000004fcb49a336ca19a4 CHKUSER accepted sender: from <kenwri...@gmail.com:waver...@nnn.com.au:> remote <nnn.com.au;waver...@nnn.com.au:unknown:197.254.125.102> rcpt <> : sender accepted
@400000004fcb49a40059e1c4 tcpserver: end 30219 status 0
@400000004fcb49a40059e5ac tcpserver: status: 3/100
@400000004fcb49a43935030c CHKUSER relaying rcpt: from <kenwri...@gmail.com:waver...@nnn.com.au:> remote <nnn.com.au;waver...@nnn.com.au:unknown:197.254.125.102> rcpt <hofmann-zuha...@t-online.de> : client allowed to relay
@400000004fcb49a4393535d4 policy_check: local waver...@nnn.com.au -> remote hofmann-zuha...@t-online.de (AUTHENTICATED SENDER)
@400000004fcb49a43935ca44 policy_check: policy allows transmission
@400000004fcb49a53b033b2c CHKUSER relaying rcpt: from <kenwri...@gmail.com:waver...@nnn.com.au:> remote <nnn.com.au;waver...@nnn.com.au:unknown:197.254.125.102> rcpt <<hofmatth...@hotmail.com> : client allowed to relay
@400000004fcb49a53b03623c policy_check: local waver...@nnn.com.au -> remote <hofmatth...@hotmail.com (AUTHENTICATED SENDER)
@400000004fcb49a53b03a4a4 policy_check: policy allows transmission
@400000004fcb49a613fde5a4 tcpserver: end 30223 status 0
@400000004fcb49a613fe08cc tcpserver: status: 2/100
@400000004fcb49a702104454 CHKUSER relaying rcpt: from <kenwri...@gmail.com:waver...@nnn.com.au:> remote <nnn.com.au;waver...@nnn.com.au:unknown:197.254.125.102> rcpt <<hof...@aol.com> : client allowed to relay
@400000004fcb49a702106f4c policy_check: local waver...@nnn.com.au -> remote <hof...@aol.com (AUTHENTICATED SENDER)
@400000004fcb49a70210adcc policy_check: policy allows transmission
@400000004fcb49a8033f8524 CHKUSER relaying rcpt: from <kenwri...@gmail.com:waver...@nnn.com.au:> remote <nnn.com.au;waver...@nnn.com.au:unknown:197.254.125.102> rcpt <<hofn...@aol.com> : client allowed to relay
@400000004fcb49a8033fb404 policy_check: local waver...@nnn.com.au -> remote <hofn...@aol.com (AUTHENTICATED SENDER)
@400000004fcb49a8033fee9c policy_check: policy allows transmission
--- log insert end ------------------------------------


best wishes
  Tony White
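
Added example (not part of the original thread, and not QMT or chkuser code): one way to triage a log like the snippet above is to group the `CHKUSER relaying rcpt` lines by authenticated account and client IP, and flag accounts that relay to many recipients in a short time under a different envelope sender. The field interpretation, thresholds, function names and sample lines are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Layout copied from the CHKUSER lines above. Treating the second from <...> field as
# the authenticated account is an assumption (it matches the policy_check lines).
LINE = re.compile(
    r"^@(?P<tai>[0-9a-f]{16})[0-9a-f]{8} CHKUSER relaying rcpt: "
    r"from <(?P<sender>[^:>]*):(?P<auth>[^:>]*):[^>]*> "
    r"remote <[^>]*:(?P<ip>[0-9.]+)> rcpt <(?P<rcpt>[^>]*)> : client allowed to relay")

def tai_seconds(label):
    """Seconds from a TAI64 label; leap-second offset ignored (used for deltas)."""
    return int(label, 16) - 2**62

def flag_relay_abuse(lines, max_rcpts=3, window=60):
    """Map (auth_account, client_ip) -> recipients for authenticated clients that
    relay to more than max_rcpts distinct recipients inside `window` seconds
    while the envelope sender differs from the authenticated account."""
    events = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m and m["sender"].lower() != m["auth"].lower():
            # Some recipients in the log carry a stray leading "<"; drop it.
            events[m["auth"], m["ip"]].append(
                (tai_seconds(m["tai"]), m["rcpt"].lstrip("<")))
    flagged = {}
    for key, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            rcpts = {r for _, r in hits[start:end + 1]}
            if len(rcpts) > max_rcpts:
                flagged[key] = sorted(rcpts)
                break
    return flagged

# Constructed sample lines (not from the thread): example domains, TEST-NET address.
_T = ("@{ts}00000000 CHKUSER relaying rcpt: from <{s}:{a}:> remote "
      "<mail.example;{a}:unknown:192.0.2.10> rcpt <{r}> : client allowed to relay")
_V = ("forged@example.net", "victim@example.com")
SAMPLE = ["@400000004fcb49a400000000 tcpserver: status: 1/100"] + [
    _T.format(ts=ts, s=s, a=a, r=r) for ts, s, a, r in [
        ("400000004fcb49a4", *_V, "a@example.org"),
        ("400000004fcb49a5", *_V, "<b@example.org"),
        ("400000004fcb49a7", *_V, "c@example.org"),
        ("400000004fcb49a8", *_V, "d@example.org"),
        ("400000004fcb49a9", "alice@example.com", "alice@example.com", "e@example.org")]]
print(flag_relay_abuse(SAMPLE))
```

An account flagged this way is a candidate for a password reset and a check of the client machine, which is the direction the thread below takes.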




On 08/06/2012 11:44, Tony White wrote:
Hi Eric,
  Update: At this stage I think it is email from a valid account.
The owner of the account will be in later today and I will test
for virus/Trojans.

best wishes
  Tony White



On 08/06/2012 11:29, Tony White wrote:
Hello Eric,
  See notes in text please...

best wishes
  Tony White




On 08/06/2012 03:58, Eric Shubert wrote:
On 06/07/2012 02:41 AM, Tony White wrote:
Hello,
I am sending from my yahoo account as my ip is in the spamcop system. Of course
QMT uses spamcop therefore I am unable to send email from my normal account.
At this time I am experiencing a spam attack against a single email address in one
of my domains.
The format is as follows...

CHKUSER accepted sender: from
<escort...@9ether.com:va...@email.address.com:> remote
<static-mumbai.wnet.net.in:unkn etc......

I have had to disable the account to at least stem the flow of emails
but I do understand how
this kind of attack works. Firstly an invalid email address followed by
a valid one which
seems to guarantee delivery.

2 separate emails in one smtp session I take it? Hmmm.

When you say you disabled the account, is that the recipient account, or an 
authenticated sender account?

  Disabled the recipient account, i.e. the valid one.

Is this normal? Has anyone else seen this and has a resolution? I would
appreciate
any and all help here.

I wouldn't consider it to be normal.

Also I seem to get "chkuser accepted any recipient for this domain". Is this linked to
this problem?

tcp.smtp contents might tell the story here.
What's in your tcp.smtp file?
127.:allow,RELAYCLIENT="",DKSIGN="/var/qmail/control/domainkeys/%/private"
125.168.12.213:allow,RELAYCLIENT=""
125.168.15.237:allow,RELAYCLIENT=""
:allow,CHKUSER_RCPTLIMIT="20",CHKUSER_WRONGRCPTLIMIT="20",DKSIGN="/var/qmail/control/domainkeys/%/private"


Thank you all in advance...

Tony White


A full sample from your smtp log would be helpful. You can redact your domain(s) if you'd like, but try to leave the messages intact as much as possible. qmlog shows a nice format btw.

Are you running spamdyke? If not, installing it is the first thing I would do. I have yet to hear a good reason for not running spamdyke (although you may need to adjust the stock settings slightly for your situation). In addition to blocking 80+% of the spam, it will also lighten the load on your host.

On a side note, I don't know the cause, but it also seems to me that there are fewer spam attempts recently, compared to when I first installed spamdyke. Years ago it seemed like there was an smtp session active nearly every minute. Now several minutes may pass with no smtp activity. It's as though there are fewer spammers trying to send stuff. I'm not certain at all what the cause of this is, but I wonder if perhaps the spam lists are being cleaned of addresses that are undeliverable to spammers (which spamdyke rejections would appear to be). Spam lists would after all be more valuable with a higher degree of deliverability, so they do have an incentive to keep their lists clean. Just a thought.


---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com



