Hey Sebastian,

I thought leaked password as well at first, but
there are at least two accounts I see under auth: mine and one other. I
suppose it's possible that they were guessed/leaked, but it's awfully
coincidental that it's two accounts in the same domain on a server
running at least 6 domains. I only saw two IP addresses doing all this
spamming, so I put those in iptables and things seem quiet for now. I'll
change the passwords on those two accounts as well. I'm really glad
spamcop has an easy way to delist a server once an issue is fixed.

Thanks.

Kelly

On 04/03/2014 11:42, Sebastian Grewe wrote: 

> Have you checked for hijacked accounts? Looks like all mails are sent from a
> single account and IP. Most likely a guessed/leaked password.
> 
> Cheers,
> Sebastian
> 
> On 03.04.2014, at 14:30, Kelly Cobean <kcob...@vipercrazy.com> wrote:
> 
>> I don't understand what's going on here, but somehow all of a sudden I am
>> on the spamcop RBL. If I tail /var/log/qmail/smtp/current, I'm seeing a TON
>> of emails getting relayed that are all .ru hosts and addresses.
>> 
>> I've run every open relay test I could find and all of them say I'm good to
>> go, but spamdyke says I'm accepting over 75000 emails a day and they're not
>> hitting any of my inboxes.
>> 
>> Can y'all help me diagnose and solve this? Here's a snippet of the current
>> file:
>> 
>> @40000000533d52101655376c CHKUSER relaying rcpt: from <fe...@782782.ru:kcob...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <1dawmydgeaa...@prosoft-m.ru> : client allowed to relay
>> @40000000533d521016554324 policy_check: local kcob...@vipercrazy.com -> remote 1dawmydgeaa...@prosoft-m.ru (AUTHENTICATED SENDER)
>> @40000000533d52101655470c policy_check: policy allows transmission
>> @40000000533d52101703edfc CHKUSER accepted sender: from <i...@3vlodke.ru:bi...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <> : sender accepted
>> @40000000533d521108b8a88c CHKUSER relaying rcpt: from <i...@3vlodke.ru:bi...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <inf...@dvugadn.kht.ru> : client allowed to relay
>> @40000000533d521108b8b444 policy_check: local bi...@vipercrazy.com -> remote inf...@dvugadn.kht.ru (AUTHENTICATED SENDER)
>> @40000000533d521108b8b444 policy_check: policy allows transmission
>> @40000000533d52112c20499c simscan:[13710]:RELAYCLIENT:1.1458s:-:91.235.7.37:fe...@782782.ru:1dawmydgeaa...@prosoft-m.ru
>> @40000000533d52112cba283c spamdyke[13709]: ALLOWED from: fe...@782782.ru to: 1dawmydgeaa...@prosoft-m.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: kcob...@vipercrazy.com encryption: (none) reason: 250_ok_1396527623_qp_13732
>> @40000000533d521139ada1f4 tcpserver: end 13709 status 0
>> @40000000533d521139ada5dc tcpserver: status: 1/100
>> @40000000533d5212129d193c simscan:[13718]:RELAYCLIENT:0.9592s:-:91.235.7.37:i...@3vlodke.ru:inf...@dvugadn.kht.ru
>> @40000000533d52121316601c spamdyke[13717]: ALLOWED from: i...@3vlodke.ru to: inf...@dvugadn.kht.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: bi...@vipercrazy.com encryption: (none) reason: 250_ok_1396527624_qp_13752
>> @40000000533d52121a62824c tcpserver: status: 2/100
>> @40000000533d52121a628634 tcpserver: pid 13764 from 91.235.7.37
>> @40000000533d52121a628634 tcpserver: ok 13764 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::64980
>> @40000000533d5212201bdb34 tcpserver: end 13717 status 0
>> @40000000533d5212201bdf1c tcpserver: status: 1/100
>> @40000000533d521302016b8c tcpserver: status: 2/100
>> @40000000533d521302017744 tcpserver: pid 13766 from 91.235.7.37
>> @40000000533d521302017744 tcpserver: ok 13766 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::64990
>> @40000000533d52132c0ba474 CHKUSER accepted sender: from <pa...@143904.ru:kcob...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <> : sender accepted
>> @40000000533d52133ae2b6f4 CHKUSER relaying rcpt: from <pa...@143904.ru:kcob...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <4-1696808-19797-20060901154637-v...@subscribe.ru> : client allowed to relay
>> @40000000533d52133ae2c2ac policy_check: local kcob...@vipercrazy.com -> remote 4-1696808-19797-20060901154637-v...@subscribe.ru (AUTHENTICATED SENDER)
>> @40000000533d52133ae2ca7c policy_check: policy allows transmission
>> @40000000533d521413dbfdf4 CHKUSER accepted sender: from <o...@7-design.ru:bi...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <> : sender accepted
>> @40000000533d52142423c32c simscan:[13765]:RELAYCLIENT:0.4157s:-:91.235.7.37:pa...@143904.ru:4-1696808-19797-20060901154637-v...@subscribe.ru
>> @40000000533d521424f524bc spamdyke[13764]: ALLOWED from: pa...@143904.ru to: 4-1696808-19797-20060901154637-v...@subscribe.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: kcob...@vipercrazy.com encryption: (none) reason: 250_ok_1396527626_qp_13785
>> @40000000533d5214285cb1ec CHKUSER relaying rcpt: from <o...@7-design.ru:bi...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <pavel_ma...@tut.by> : client allowed to relay
>> @40000000533d5214285cb9bc policy_check: local bi...@vipercrazy.com -> remote pavel_ma...@tut.by (AUTHENTICATED SENDER)
>> @40000000533d5214285cbda4 policy_check: policy allows transmission
>> @40000000533d5214317e9204 tcpserver: end 13764 status 0
>> @40000000533d5214317e95ec tcpserver: status: 1/100
>> @40000000533d521513228964 tcpserver: status: 2/100
>> @40000000533d521513228d4c tcpserver: pid 13811 from 91.235.7.37
>> @40000000533d521513229134 tcpserver: ok 13811 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::65030
>> @40000000533d52152188a204 simscan:[13767]:RELAYCLIENT:0.5571s:-:91.235.7.37:o...@7-design.ru:pavel_ma...@tut.by
>> @40000000533d5215223220a4 spamdyke[13766]: ALLOWED from: o...@7-design.ru to: pavel_ma...@tut.by origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: bi...@vipercrazy.com encryption: (none) reason: 250_ok_1396527627_qp_13803
>> @40000000533d52152ef946b4 tcpserver: end 13766 status 0
>> @40000000533d52152ef94e84 tcpserver: status: 1/100
>> @40000000533d52160e541164 tcpserver: status: 2/100
>> @40000000533d52160e54154c tcpserver: pid 13822 from 91.235.7.37
>> @40000000533d52160e541934 tcpserver: ok 13822 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::65046
>> @40000000533d52162335bd94 CHKUSER accepted sender: from <bog...@360dpi-nn.ru:kcob...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <> : sender accepted
>> @40000000533d521715db544c CHKUSER relaying rcpt: from <bog...@360dpi-nn.ru:kcob...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <mailer-dae...@isp.uralasbest.ru> : client allowed to relay
>> @40000000533d521715db6004 policy_check: local kcob...@vipercrazy.com -> remote mailer-dae...@isp.uralasbest.ru (AUTHENTICATED SENDER)
>> @40000000533d521715db6004 policy_check: policy allows transmission

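Sebastian's suggestion (check for hijacked accounts: all the mail comes from a single SMTP-AUTH account and IP) can be turned into a quick check over the spamdyke lines in /var/log/qmail/smtp/current. The script below is an added example, not code from anyone in this thread or from spamdyke/qmail. It assumes the spamdyke "ALLOWED" line layout shown in the quoted log, decodes the TAI64N prefix the way multilog writes it (Unix time plus 10 plus 2^62, which is why the @40000000533d5211... stamp lines up with the 1396527623 inside the reason field), and groups accepted messages per authenticated account: message count, distinct origin IPs, send rate, missing rDNS and plaintext sessions. The sample log lines, account names, IPs (RFC 5737 documentation ranges) and the rate thresholds are all constructed for the example.

```python
import re

# spamdyke "ALLOWED" line as multilog writes it with a TAI64N prefix; the
# field order is taken from the quoted log above.
ALLOWED_RE = re.compile(
    r"^@(?P<tai>[0-9a-f]{24}) spamdyke\[\d+\]: ALLOWED "
    r"from: (?P<sender>\S+) to: (?P<rcpt>\S+) "
    r"origin_ip: (?P<ip>\S+) origin_rdns: (?P<rdns>\S+) "
    r"auth: (?P<auth>\S+) encryption: (?P<enc>\S+) reason: (?P<reason>\S+)$"
)
TAI64_EPOCH = 1 << 62   # a TAI64 label is seconds since 1970 plus 2^62
TAI_MINUS_UTC = 10      # multilog stamps time() + 10, no leap-second table


def tai64n_to_unix(label: str) -> float:
    """Decode a 24-hex-digit TAI64N label (without the '@') to Unix seconds."""
    secs = int(label[:16], 16) - TAI64_EPOCH - TAI_MINUS_UTC
    nanos = int(label[16:24], 16)
    return secs + nanos / 1e9


def parse_allowed(line: str):
    """Fields of an authenticated ALLOWED line, or None for anything else."""
    m = ALLOWED_RE.match(line.strip())
    if not m or m["auth"] == "(unknown)":   # unauthenticated inbound mail
        return None
    rec = m.groupdict()
    rec["ts"] = tai64n_to_unix(rec.pop("tai"))
    return rec


def summarize(log_text: str) -> dict:
    """Per SMTP-AUTH account: count, origin IPs, time span and weak signals."""
    stats = {}
    for line in log_text.splitlines():
        rec = parse_allowed(line)
        if rec is None:
            continue
        s = stats.setdefault(rec["auth"], {
            "count": 0, "ips": set(), "first": rec["ts"], "last": rec["ts"],
            "no_rdns": 0, "plaintext": 0, "rcpt_domains": set(),
        })
        s["count"] += 1
        s["ips"].add(rec["ip"])
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
        s["no_rdns"] += int(rec["rdns"] == "(unknown)")
        s["plaintext"] += int(rec["enc"] == "(none)")
        s["rcpt_domains"].add(rec["rcpt"].rsplit("@", 1)[-1])
    return stats


def rate_per_minute(s: dict) -> float:
    span = max(s["last"] - s["first"], 1.0)   # a burst inside 1 s still counts
    return s["count"] / span * 60.0


def flag_hijacked(stats: dict, min_msgs: int = 5, max_per_minute: float = 30.0) -> dict:
    """Accounts sending faster than the threshold -> sorted list of their IPs.

    The thresholds are constructed for this example; tune them to the
    server's normal outbound volume before acting on the result."""
    return {auth: sorted(s["ips"]) for auth, s in stats.items()
            if s["count"] >= min_msgs and rate_per_minute(s) >= max_per_minute}


def report(log_text: str) -> str:
    stats = summarize(log_text)
    flagged = flag_hijacked(stats)
    out = []
    for auth, s in sorted(stats.items(), key=lambda kv: -kv[1]["count"]):
        mark = "HIJACKED?" if auth in flagged else "ok"
        out.append(f"{auth:20} msgs={s['count']:4d} ips={len(s['ips'])} "
                   f"rate={rate_per_minute(s):6.1f}/min no_rdns={s['no_rdns']} "
                   f"plain={s['plaintext']} rcpt_domains={len(s['rcpt_domains'])} {mark}")
    if flagged:
        ips = sorted({ip for lst in flagged.values() for ip in lst})
        out.append("origin IPs of flagged accounts (verify before blocking): " + ", ".join(ips))
    return "\n".join(out)


# Constructed sample (not from the thread): "sales" is a burst from one IP
# with no rDNS and no TLS; alice and bob look like normal users; the
# tcpserver line and the auth:(unknown) inbound line are skipped.
SAMPLE_LOG = """\
@40000000533d521100000000 spamdyke[13709]: ALLOWED from: promo@bulk.example to: r1@dst1.example origin_ip: 198.51.100.7 origin_rdns: (unknown) auth: sales@example.com encryption: (none) reason: 250_ok_1396527623_qp_13732
@40000000533d521139ada1f4 tcpserver: end 13709 status 0
@40000000533d52120a000000 spamdyke[13717]: ALLOWED from: promo@bulk.example to: r2@dst2.example origin_ip: 198.51.100.7 origin_rdns: (unknown) auth: sales@example.com encryption: (none) reason: 250_ok_1396527624_qp_13752
@40000000533d52121a000000 spamdyke[13718]: ALLOWED from: promo@bulk.example to: r3@dst3.example origin_ip: 198.51.100.7 origin_rdns: (unknown) auth: sales@example.com encryption: (none) reason: 250_ok_1396527624_qp_13760
@40000000533d521300000000 spamdyke[13720]: ALLOWED from: promo@bulk.example to: r4@dst1.example origin_ip: 198.51.100.7 origin_rdns: (unknown) auth: sales@example.com encryption: (none) reason: 250_ok_1396527625_qp_13770
@40000000533d521400000000 spamdyke[13722]: ALLOWED from: promo@bulk.example to: r5@dst4.example origin_ip: 198.51.100.7 origin_rdns: (unknown) auth: sales@example.com encryption: (none) reason: 250_ok_1396527626_qp_13780
@40000000533d521500000000 spamdyke[13724]: ALLOWED from: alice@example.com to: friend@dst5.example origin_ip: 192.0.2.10 origin_rdns: mail.example.net auth: alice@example.com encryption: TLS reason: 250_ok_1396527627_qp_13790
@40000000533d521600000000 spamdyke[13726]: ALLOWED from: promo@bulk.example to: r6@dst6.example origin_ip: 198.51.100.7 origin_rdns: (unknown) auth: sales@example.com encryption: (none) reason: 250_ok_1396527628_qp_13800
@40000000533d521700000000 spamdyke[13728]: ALLOWED from: bob@example.com to: x@dst7.example origin_ip: 192.0.2.20 origin_rdns: (unknown) auth: bob@example.com encryption: TLS reason: 250_ok_1396527629_qp_13810
@40000000533d521800000000 spamdyke[13730]: ALLOWED from: someone@outside.example to: postmaster@example.com origin_ip: 203.0.113.9 origin_rdns: mx.outside.example auth: (unknown) encryption: (none) reason: 250_ok_1396527630_qp_13820
@40000000533d521900000000 spamdyke[13732]: ALLOWED from: bob@example.com to: y@dst8.example origin_ip: 192.0.2.21 origin_rdns: home.example.org auth: bob@example.com encryption: TLS reason: 250_ok_1396527631_qp_13830
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(text))
```

Run it with no argument to see the constructed sample, or point it at the real file (`python3 auth_abuse.py /var/log/qmail/smtp/current`, file name assumed). Only the spamdyke ALLOWED lines are used because they carry the authenticated user, the origin IP and the queue timestamp in one record; the CHKUSER and policy_check lines say "AUTHENTICATED SENDER" but not which session they belong to. An account that is flagged here is a candidate for a password reset and for blocking its origin IPs, which is the same two-step response described in the reply above.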