Looks to me like both accounts are being used, from the same IP address.
You could also add the IP address to the /etc/spamdyke/blacklist_ip file
(provided you've installed spamdyke, which you should do if you haven't).
On 04/03/2014 10:09 AM, Sebastian Grewe wrote:
Auth line is: kcob...@vipercrazy.com
I'd guess that's the account?
Cheers,
Sebastian
On 03.04.2014, at 18:46, "Helmut Fritz" <hel...@fritz.us.com> wrote:
I would shut down bi...@vipercrazy.com for now and see if the relaying stops.
Do you know if that was an easily hacked password?
*From:* Sebastian Grewe [mailto:sebast...@grewe.ca]
*Sent:* Thursday, April 03, 2014 8:42 AM
*To:* qmailtoaster-list@qmailtoaster.com
*Subject:* Re: [qmailtoaster] Help, I'm an open relay!!
Have you checked for hijacked accounts? Looks like all mails are sent
from a single account and IP. Most likely a guessed/leaked password.
Cheers,
Sebastian
On 03.04.2014, at 14:30, Kelly Cobean <kcob...@vipercrazy.com> wrote:
I don't understand what's going on here, but somehow all of a
sudden I am on the spamcop RBL. If I tail
/var/log/qmail/smtp/current, I'm seeing a TON of emails getting
relayed that are all .ru hosts and addresses.
I've run every open relay test I could find and all of them say
I'm good to go, but spamdyke says I'm accepting over 75000 emails
a day and they're not hitting any of my inboxes.
Can y'all help me diagnose and solve this? Here's a snippet of
the current file:
@40000000533d52101655376c CHKUSER relaying rcpt: from <fe...@782782.ru:kcob...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <1dawmydgeaa...@prosoft-m.ru> : client allowed to relay
@40000000533d521016554324 policy_check: local kcob...@vipercrazy.com -> remote 1dawmydgeaa...@prosoft-m.ru (AUTHENTICATED SENDER)
@40000000533d52101655470c policy_check: policy allows transmission
@40000000533d52101703edfc CHKUSER accepted sender: from <i...@3vlodke.ru:bi...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <> : sender accepted
@40000000533d521108b8a88c CHKUSER relaying rcpt: from <i...@3vlodke.ru:bi...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <inf...@dvugadn.kht.ru> : client allowed to relay
@40000000533d521108b8b444 policy_check: local bi...@vipercrazy.com -> remote inf...@dvugadn.kht.ru (AUTHENTICATED SENDER)
@40000000533d521108b8b444 policy_check: policy allows transmission
@40000000533d52112c20499c simscan:[13710]:RELAYCLIENT:1.1458s:-:91.235.7.37:fe...@782782.ru:1dawmydgeaa...@prosoft-m.ru
@40000000533d52112cba283c spamdyke[13709]: ALLOWED from: fe...@782782.ru to: 1dawmydgeaa...@prosoft-m.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: kcob...@vipercrazy.com encryption: (none) reason: 250_ok_1396527623_qp_13732
@40000000533d521139ada1f4 tcpserver: end 13709 status 0
@40000000533d521139ada5dc tcpserver: status: 1/100
@40000000533d5212129d193c simscan:[13718]:RELAYCLIENT:0.9592s:-:91.235.7.37:i...@3vlodke.ru:inf...@dvugadn.kht.ru
@40000000533d52121316601c spamdyke[13717]: ALLOWED from: i...@3vlodke.ru to: inf...@dvugadn.kht.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: bi...@vipercrazy.com encryption: (none) reason: 250_ok_1396527624_qp_13752
@40000000533d52121a62824c tcpserver: status: 2/100
@40000000533d52121a628634 tcpserver: pid 13764 from 91.235.7.37
@40000000533d52121a628634 tcpserver: ok 13764 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::64980
@40000000533d5212201bdb34 tcpserver: end 13717 status 0
@40000000533d5212201bdf1c tcpserver: status: 1/100
@40000000533d521302016b8c tcpserver: status: 2/100
@40000000533d521302017744 tcpserver: pid 13766 from 91.235.7.37
@40000000533d521302017744 tcpserver: ok 13766 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::64990
@40000000533d52132c0ba474 CHKUSER accepted sender: from <pa...@143904.ru:kcob...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <> : sender accepted
@40000000533d52133ae2b6f4 CHKUSER relaying rcpt: from <pa...@143904.ru:kcob...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <4-1696808-19797-20060901154637-v...@subscribe.ru> : client allowed to relay
@40000000533d52133ae2c2ac policy_check: local kcob...@vipercrazy.com -> remote 4-1696808-19797-20060901154637-v...@subscribe.ru (AUTHENTICATED SENDER)
@40000000533d52133ae2ca7c policy_check: policy allows transmission
@40000000533d521413dbfdf4 CHKUSER accepted sender: from <o...@7-design.ru:bi...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <> : sender accepted
@40000000533d52142423c32c simscan:[13765]:RELAYCLIENT:0.4157s:-:91.235.7.37:pa...@143904.ru:4-1696808-19797-20060901154637-v...@subscribe.ru
@40000000533d521424f524bc spamdyke[13764]: ALLOWED from: pa...@143904.ru to: 4-1696808-19797-20060901154637-v...@subscribe.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: kcob...@vipercrazy.com encryption: (none) reason: 250_ok_1396527626_qp_13785
@40000000533d5214285cb1ec CHKUSER relaying rcpt: from <o...@7-design.ru:bi...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <pavel_ma...@tut.by> : client allowed to relay
@40000000533d5214285cb9bc policy_check: local bi...@vipercrazy.com -> remote pavel_ma...@tut.by (AUTHENTICATED SENDER)
@40000000533d5214285cbda4 policy_check: policy allows transmission
@40000000533d5214317e9204 tcpserver: end 13764 status 0
@40000000533d5214317e95ec tcpserver: status: 1/100
@40000000533d521513228964 tcpserver: status: 2/100
@40000000533d521513228d4c tcpserver: pid 13811 from 91.235.7.37
@40000000533d521513229134 tcpserver: ok 13811 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::65030
@40000000533d52152188a204 simscan:[13767]:RELAYCLIENT:0.5571s:-:91.235.7.37:o...@7-design.ru:pavel_ma...@tut.by
@40000000533d5215223220a4 spamdyke[13766]: ALLOWED from: o...@7-design.ru to: pavel_ma...@tut.by origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: bi...@vipercrazy.com encryption: (none) reason: 250_ok_1396527627_qp_13803
@40000000533d52152ef946b4 tcpserver: end 13766 status 0
@40000000533d52152ef94e84 tcpserver: status: 1/100
@40000000533d52160e541164 tcpserver: status: 2/100
@40000000533d52160e54154c tcpserver: pid 13822 from 91.235.7.37
@40000000533d52160e541934 tcpserver: ok 13822 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::65046
@40000000533d52162335bd94 CHKUSER accepted sender: from <bog...@360dpi-nn.ru:kcob...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <> : sender accepted
@40000000533d521715db544c CHKUSER relaying rcpt: from <bog...@360dpi-nn.ru:kcob...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <mailer-dae...@isp.uralasbest.ru> : client allowed to relay
@40000000533d521715db6004 policy_check: local kcob...@vipercrazy.com -> remote mailer-dae...@isp.uralasbest.ru (AUTHENTICATED SENDER)
@40000000533d521715db6004 policy_check: policy allows transmission
--
-Eric 'shubes'
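
[Added example, not written by anyone in this thread] The check the replies describe (which authenticated account and which origin IP the relayed mail comes from) can be run over the whole log rather than read off a snippet. The Python below parses spamdyke "ALLOWED" lines in the format quoted above; the sample lines, the addresses in them, the threshold, and the rule "envelope sender never uses the account's own domain" are assumptions made for illustration.

```python
import re
from collections import defaultdict
# Field layout follows the spamdyke "ALLOWED" lines quoted in the thread.
ALLOWED_RE = re.compile(
    r"spamdyke\[\d+\]: ALLOWED from: (?P<sender>\S+) to: (?P<rcpt>\S+) "
    r"origin_ip: (?P<ip>\S+) origin_rdns: \S+ auth: (?P<auth>\S+) ")

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def summarize(lines):
    """Group accepted, authenticated messages by (auth account, origin IP)."""
    stats = defaultdict(lambda: {"messages": 0, "senders": set(), "rcpt_domains": set()})
    for line in lines:
        m = ALLOWED_RE.search(line)
        if not m or m["auth"].startswith("("):  # assumption: "(...)" = no SMTP AUTH
            continue
        entry = stats[(m["auth"].lower(), m["ip"])]
        entry["messages"] += 1
        entry["senders"].add(m["sender"].lower())
        entry["rcpt_domains"].add(domain(m["rcpt"]))
    return stats

def suspects(stats, min_messages=3):
    """Flag accounts whose envelope senders never use the account's own domain."""
    flagged = []
    for (auth, ip), e in sorted(stats.items()):
        own = [s for s in e["senders"] if domain(s) == domain(auth)]
        if e["messages"] >= min_messages and not own:
            flagged.append((auth, ip, e["messages"], len(e["rcpt_domains"])))
    return flagged

def shared_ips(flagged):
    """Origin IPs used by more than one flagged account."""
    by_ip = defaultdict(set)
    for auth, ip, *_ in flagged:
        by_ip[ip].add(auth)
    return {ip: sorted(accts) for ip, accts in by_ip.items() if len(accts) > 1}

def _line(sender, rcpt, ip, auth):  # builds one constructed sample line
    return (f"@4000000000000000 spamdyke[1000]: ALLOWED from: {sender} to: {rcpt} origin_ip: {ip} "
            f"origin_rdns: (unknown) auth: {auth} encryption: (none) reason: 250_ok")

# Constructed sample data: example domains and documentation IP ranges only.
SAMPLE = (
    [_line(f"u{i}@bulk{i}.example", f"r{i}@dest{i}.example", "203.0.113.7", "alice@mail.example") for i in range(3)]
    + [_line(f"v{i}@bulk{i}.example", f"s{i}@dest{i}.example", "203.0.113.7", "bob@mail.example") for i in range(4)]
    + [_line("carol@mail.example", f"t{i}@partner.example", "198.51.100.5", "carol@mail.example") for i in range(3)]
    + [_line("news@list.example", "alice@mail.example", "192.0.2.9", "(unknown)")])
```

Calling suspects(summarize(open("/var/log/qmail/smtp/current"))) gives the accounts to disable and re-password; shared_ips() on that result gives the addresses that are candidates for /etc/spamdyke/blacklist_ip.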