Re: [Declude.JunkMail] HELP, I'm beiing hijacked

2004-09-04 Thread Scot Desort
How about the sending IP address -- does that match on any of the
'treated as local' lines?


On Sat, 4 Sep 2004 03:53:54 -, serge <[EMAIL PROTECTED]> wrote:
> Problem is that "treated as local" lines have different session ids then the
> smtp lines
> it would have been so nice to have the same session id numbers, but that is
> not the case
> i wonder why
> 
> 
> 
> 
> - Original Message -
> From: "Scot Desort" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, September 04, 2004 3:11 AM
> Subject: Re: [Declude.JunkMail] HELP, I'm beiing hijacked
> 
> > search for "treated as local" in your IMAIL log. Try to find a line
> > with that text, that also contains the same SMTPD session ID of
> > 11AF0190
> >
> > --
> > Scot
> >
> >
> > On Sat, 4 Sep 2004 02:21:10 -, serge <[EMAIL PROTECTED]> wrote:
> >> very possible
> >> but i am trying to find a way to find which account is beiing used
> >> is there a way to find the account that authorized the session ?
> >>
> >> Also, is there a log analyzer that can show the messages where the both
> >> the
> >> sender and the recipient are not local ?
> >>
> >> TIA
> >>
> >>
> >>
> >>
> >> - Original Message -
> >> From: "Darrell ([EMAIL PROTECTED])" <[EMAIL PROTECTED]>
> >> To: <[EMAIL PROTECTED]>
> >> Sent: Saturday, September 04, 2004 1:33 AM
> >> Subject: Re: [Declude.JunkMail] HELP, I'm beiing hijacked
> >>
> >> > Is it possible they guessed a users account/password and are using SMTP
> >> > Auth
> >> > to relay through your system?
> >> >
> >> > Darrell
> >> >
> >> > ----------------
> >> > 
> >> > Check out http://www.invariantsystems.com for utilities for Declude And
> >> > Imail.
> >> > IMail/Declude Overflow Queue Monitoring, MRTG Integration, and Log
> >> > Parsers.
> >> >
> >> > - Original Message -
> >> > From: "serge" <[EMAIL PROTECTED]>
> >> > To: <[EMAIL PROTECTED]>
> >> > Sent: Friday, September 03, 2004 8:26 PM
> >> > Subject: Re: [Declude.JunkMail] HELP, I'm beiing hijacked
> >> >
> >> >
> >> >> 20040903 104237 127.0.0.1   SMTPD (11AF0190) [208.154.200.6]
> >> >> connect
> >> >> 61.144.136.193 port 4124
> >> >> 20040903 104238 127.0.0.1   SMTPD (11AF0190) [61.144.136.193] EHLO
> >> >> sapling
> >> >>
> >> >> these are the only other lines "(11AF0190)"
> >> >> [208.154.200.6] is my server ip
> >> >>
> >> >>
> >> >> ----- Original Message -
> >> >> From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
> >> >> To: <[EMAIL PROTECTED]>
> >> >> Sent: Friday, September 03, 2004 11:47 PM
> >> >> Subject: RE: [Declude.JunkMail] HELP, I'm beiing hijacked
> >> >>
> >> >>
> >> >> > You are missing a line. What does connect line show, which is the
> >> >> > line
> >> >> > before the MAIL FROM?
> >> >> >
> >> >> > John Tolmachoff
> >> >> > Engineer/Consultant/Owner
> >> >> > eServices For You
> >> >> >
> >> >> >
> >> >> >> -Original Message-
> >> >> >> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> >> >> >> [EMAIL PROTECTED] On Behalf Of serge
> >> >> >> Sent: Friday, September 03, 2004 4:36 PM
> >> >> >> To: [EMAIL PROTECTED]
> >> >> >> Cc: [EMAIL PROTECTED]
> >> >> >> Subject: [Declude.JunkMail] HELP, I'm beiing hijacked
> >> >> >>
> >> >> >> Hi all
> >> >> >>
> >> >> >> I have 100's of lines like:
> >> >> >> 20040903 104526 127.0.0.1   SMTPD (11AF0190) [61.144.136.193]
> >> >> >> MAIL
> >> >> > FROM:
> >> >> >> <[EMAIL PROTECTED]>
> >> >> >> 20040903 104529 127.0.0.1   SMTPD (11AF019

Re: [Declude.JunkMail] HELP, I'm beiing hijacked

2004-09-03 Thread serge
Problem is that "treated as local" lines have different session ids than the
smtp lines.
It would have been so nice to have the same session id numbers, but that is
not the case.
I wonder why.

- Original Message - 
From: "Scot Desort" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, September 04, 2004 3:11 AM
Subject: Re: [Declude.JunkMail] HELP, I'm beiing hijacked


search for "treated as local" in your IMAIL log. Try to find a line
with that text, that also contains the same SMTPD session ID of
11AF0190

--
Scot

On Sat, 4 Sep 2004 02:21:10 -, serge <[EMAIL PROTECTED]> wrote:

very possible
but I am trying to find a way to find which account is being used
is there a way to find the account that authorized the session?

Also, is there a log analyzer that can show the messages where both the
sender and the recipient are not local?

TIA

- Original Message -
From: "Darrell ([EMAIL PROTECTED])" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, September 04, 2004 1:33 AM
Subject: Re: [Declude.JunkMail] HELP, I'm beiing hijacked
> Is it possible they guessed a users account/password and are using SMTP
> Auth
> to relay through your system?
>
> Darrell
>
> 
> 
> Check out http://www.invariantsystems.com for utilities for Declude And
> Imail.
> IMail/Declude Overflow Queue Monitoring, MRTG Integration, and Log
> Parsers.
>
> - Original Message -
> From: "serge" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, September 03, 2004 8:26 PM
> Subject: Re: [Declude.JunkMail] HELP, I'm beiing hijacked
>
>
>> 20040903 104237 127.0.0.1   SMTPD (11AF0190) [208.154.200.6] 
>> connect
>> 61.144.136.193 port 4124
>> 20040903 104238 127.0.0.1   SMTPD (11AF0190) [61.144.136.193] EHLO
>> sapling
>>
>> these are the only other lines "(11AF0190)"
>> [208.154.200.6] is my server ip
>>
>>
>> - Original Message -
>> From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
>> To: <[EMAIL PROTECTED]>
>> Sent: Friday, September 03, 2004 11:47 PM
>> Subject: RE: [Declude.JunkMail] HELP, I'm beiing hijacked
>>
>>
>> > You are missing a line. What does connect line show, which is the 
>> > line
>> > before the MAIL FROM?
>> >
>> > John Tolmachoff
>> > Engineer/Consultant/Owner
>> > eServices For You
>> >
>> >
>> >> -Original Message-
>> >> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
>> >> [EMAIL PROTECTED] On Behalf Of serge
>> >> Sent: Friday, September 03, 2004 4:36 PM
>> >> To: [EMAIL PROTECTED]
>> >> Cc: [EMAIL PROTECTED]
>> >> Subject: [Declude.JunkMail] HELP, I'm beiing hijacked
>> >>
>> >> Hi all
>> >>
>> >> I have 100's of lines like:
>> >> 20040903 104526 127.0.0.1   SMTPD (11AF0190) [61.144.136.193] 
>> >> MAIL
>> > FROM:
>> >> <[EMAIL PROTECTED]>
>> >> 20040903 104529 127.0.0.1   SMTPD (11AF0190) [61.144.136.193] 
>> >> RCPT
>> >> TO:<[EMAIL PROTECTED]>
>> >> 20040903 104532 127.0.0.1   SMTPD (11AF0190) [61.144.136.193]
>> >> F:\Imail\spool\D4b4611af01909a4c.SMD 952
>> >>
>> >> All from same IP [61.144.136.193], and all with same "SMTPD
> (11AF0190)",
>> >> also the spool file name is different
>> >> I have smtp set to "relay for addresses", and they do not include
>> >> 61.144.136.193
>> >>
>> >> i can see no auth from 61.144.136.193 in the logs
>> >>
>> >> i added 61.144.136.193 to smtp "control access", but how can i 
>> >> prevent
>> > this
>> >> from happening, and how can i find how/why they gained access to my
>> > server?
>> >>
>> >> TIA
>> >>
>> >> ---
>> >> [This E-mail was scanned for viruses by Declude Virus
>> > (http://www.declude.com)]
>> >>
>> >> ---
>> >> This E-mail came from the Declude.JunkMail mailing list.  To
>> >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
>> >> type "unsubscribe Declude.JunkMail".  The archives can be found
>> >> at http://www.mail-archive.com.
>> >
>> > ---
>> > [This E

Re: [Declude.JunkMail] HELP, I'm beiing hijacked

2004-09-03 Thread Scot Desort
search for "treated as local" in your IMAIL log. Try to find a line
with that text, that also contains the same SMTPD session ID of
11AF0190

--
Scot


On Sat, 4 Sep 2004 02:21:10 -, serge <[EMAIL PROTECTED]> wrote:
> very possible
> but i am trying to find a way to find which account is beiing used
> is there a way to find the account that authorized the session ?
> 
> Also, is there a log analyzer that can show the messages where the both the
> sender and the recipient are not local ?
> 
> TIA
> 
> 
> 
> 
> - Original Message -
> From: "Darrell ([EMAIL PROTECTED])" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, September 04, 2004 1:33 AM
> Subject: Re: [Declude.JunkMail] HELP, I'm beiing hijacked
> 
> > Is it possible they guessed a users account/password and are using SMTP
> > Auth
> > to relay through your system?
> >
> > Darrell
> >
> > 
> > 
> > Check out http://www.invariantsystems.com for utilities for Declude And
> > Imail.
> > IMail/Declude Overflow Queue Monitoring, MRTG Integration, and Log
> > Parsers.
> >
> > ----- Original Message -
> > From: "serge" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, September 03, 2004 8:26 PM
> > Subject: Re: [Declude.JunkMail] HELP, I'm beiing hijacked
> >
> >
> >> 20040903 104237 127.0.0.1   SMTPD (11AF0190) [208.154.200.6] connect
> >> 61.144.136.193 port 4124
> >> 20040903 104238 127.0.0.1   SMTPD (11AF0190) [61.144.136.193] EHLO
> >> sapling
> >>
> >> these are the only other lines "(11AF0190)"
> >> [208.154.200.6] is my server ip
> >>
> >>
> >> - Original Message -
> >> From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
> >> To: <[EMAIL PROTECTED]>
> >> Sent: Friday, September 03, 2004 11:47 PM
> >> Subject: RE: [Declude.JunkMail] HELP, I'm beiing hijacked
> >>
> >>
> >> > You are missing a line. What does connect line show, which is the line
> >> > before the MAIL FROM?
> >> >
> >> > John Tolmachoff
> >> > Engineer/Consultant/Owner
> >> > eServices For You
> >> >
> >> >
> >> >> -Original Message-
> >> >> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> >> >> [EMAIL PROTECTED] On Behalf Of serge
> >> >> Sent: Friday, September 03, 2004 4:36 PM
> >> >> To: [EMAIL PROTECTED]
> >> >> Cc: [EMAIL PROTECTED]
> >> >> Subject: [Declude.JunkMail] HELP, I'm beiing hijacked
> >> >>
> >> >> Hi all
> >> >>
> >> >> I have 100's of lines like:
> >> >> 20040903 104526 127.0.0.1   SMTPD (11AF0190) [61.144.136.193] MAIL
> >> > FROM:
> >> >> <[EMAIL PROTECTED]>
> >> >> 20040903 104529 127.0.0.1   SMTPD (11AF0190) [61.144.136.193] RCPT
> >> >> TO:<[EMAIL PROTECTED]>
> >> >> 20040903 104532 127.0.0.1   SMTPD (11AF0190) [61.144.136.193]
> >> >> F:\Imail\spool\D4b4611af01909a4c.SMD 952
> >> >>
> >> >> All from same IP [61.144.136.193], and all with same "SMTPD
> > (11AF0190)",
> >> >> also the spool file name is different
> >> >> I have smtp set to "relay for addresses", and they do not include
> >> >> 61.144.136.193
> >> >>
> >> >> i can see no auth from 61.144.136.193 in the logs
> >> >>
> >> >> i added 61.144.136.193 to smtp "control access", but how can i prevent
> >> > this
> >> >> from happening, and how can i find how/why they gained access to my
> >> > server?
> >> >>
> >> >> TIA
> >> >>

Re: [Declude.JunkMail] HELP, I'm beiing hijacked

2004-09-03 Thread serge
very possible
but I am trying to find a way to find which account is being used
is there a way to find the account that authorized the session?

Also, is there a log analyzer that can show the messages where both the
sender and the recipient are not local?

TIA

- Original Message -
From: "Darrell ([EMAIL PROTECTED])" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, September 04, 2004 1:33 AM
Subject: Re: [Declude.JunkMail] HELP, I'm beiing hijacked


Is it possible they guessed a users account/password and are using SMTP 
Auth
to relay through your system?

Darrell


Check out http://www.invariantsystems.com for utilities for Declude And
Imail.
IMail/Declude Overflow Queue Monitoring, MRTG Integration, and Log 
Parsers.

- Original Message - 
From: "serge" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 03, 2004 8:26 PM
Subject: Re: [Declude.JunkMail] HELP, I'm beiing hijacked


20040903 104237 127.0.0.1   SMTPD (11AF0190) [208.154.200.6] connect 61.144.136.193 port 4124
20040903 104238 127.0.0.1   SMTPD (11AF0190) [61.144.136.193] EHLO sapling

these are the only other lines "(11AF0190)"
[208.154.200.6] is my server ip

- Original Message -
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 03, 2004 11:47 PM
Subject: RE: [Declude.JunkMail] HELP, I'm beiing hijacked

> You are missing a line. What does connect line show, which is the line
> before the MAIL FROM?
>
> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You
>
>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
>> [EMAIL PROTECTED] On Behalf Of serge
>> Sent: Friday, September 03, 2004 4:36 PM
>> To: [EMAIL PROTECTED]
>> Cc: [EMAIL PROTECTED]
>> Subject: [Declude.JunkMail] HELP, I'm beiing hijacked
>>
>> Hi all
>>
>> I have 100's of lines like:
>> 20040903 104526 127.0.0.1   SMTPD (11AF0190) [61.144.136.193] MAIL
> FROM:
>> <[EMAIL PROTECTED]>
>> 20040903 104529 127.0.0.1   SMTPD (11AF0190) [61.144.136.193] RCPT
>> TO:<[EMAIL PROTECTED]>
>> 20040903 104532 127.0.0.1   SMTPD (11AF0190) [61.144.136.193]
>> F:\Imail\spool\D4b4611af01909a4c.SMD 952
>>
>> All from same IP [61.144.136.193], and all with same "SMTPD
(11AF0190)",
>> also the spool file name is different
>> I have smtp set to "relay for addresses", and they do not include
>> 61.144.136.193
>>
>> i can see no auth from 61.144.136.193 in the logs
>>
>> i added 61.144.136.193 to smtp "control access", but how can i prevent
> this
>> from happening, and how can i find how/why they gained access to my
> server?
>>
>> TIA
>>


Re: [Declude.JunkMail] HELP, I'm beiing hijacked

2004-09-03 Thread Darrell ([EMAIL PROTECTED])
Is it possible they guessed a user's account/password and are using SMTP Auth
to relay through your system?

Darrell



Check out http://www.invariantsystems.com for utilities for Declude And
Imail.
IMail/Declude Overflow Queue Monitoring, MRTG Integration, and Log Parsers.

- Original Message - 
From: "serge" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 03, 2004 8:26 PM
Subject: Re: [Declude.JunkMail] HELP, I'm beiing hijacked


> 20040903 104237 127.0.0.1   SMTPD (11AF0190) [208.154.200.6] connect
> 61.144.136.193 port 4124
> 20040903 104238 127.0.0.1   SMTPD (11AF0190) [61.144.136.193] EHLO
> sapling
>
> these are the only other lines "(11AF0190)"
> [208.154.200.6] is my server ip
>
>
> - Original Message - 
> From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, September 03, 2004 11:47 PM
> Subject: RE: [Declude.JunkMail] HELP, I'm beiing hijacked
>
>
> > You are missing a line. What does connect line show, which is the line
> > before the MAIL FROM?
> >
> > John Tolmachoff
> > Engineer/Consultant/Owner
> > eServices For You
> >
> >
> >> -Original Message-
> >> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> >> [EMAIL PROTECTED] On Behalf Of serge
> >> Sent: Friday, September 03, 2004 4:36 PM
> >> To: [EMAIL PROTECTED]
> >> Cc: [EMAIL PROTECTED]
> >> Subject: [Declude.JunkMail] HELP, I'm beiing hijacked
> >>
> >> Hi all
> >>
> >> I have 100's of lines like:
> >> 20040903 104526 127.0.0.1   SMTPD (11AF0190) [61.144.136.193] MAIL
> > FROM:
> >> <[EMAIL PROTECTED]>
> >> 20040903 104529 127.0.0.1   SMTPD (11AF0190) [61.144.136.193] RCPT
> >> TO:<[EMAIL PROTECTED]>
> >> 20040903 104532 127.0.0.1   SMTPD (11AF0190) [61.144.136.193]
> >> F:\Imail\spool\D4b4611af01909a4c.SMD 952
> >>
> >> All from same IP [61.144.136.193], and all with same "SMTPD
(11AF0190)",
> >> also the spool file name is different
> >> I have smtp set to "relay for addresses", and they do not include
> >> 61.144.136.193
> >>
> >> i can see no auth from 61.144.136.193 in the logs
> >>
> >> i added 61.144.136.193 to smtp "control access", but how can i prevent
> > this
> >> from happening, and how can i find how/why they gained access to my
> > server?
> >>
> >> TIA
> >>


Re: [Declude.JunkMail] HELP, I'm beiing hijacked

2004-09-03 Thread serge
20040903 104237 127.0.0.1   SMTPD (11AF0190) [208.154.200.6] connect 61.144.136.193 port 4124
20040903 104238 127.0.0.1   SMTPD (11AF0190) [61.144.136.193] EHLO sapling

these are the only other lines "(11AF0190)"
[208.154.200.6] is my server ip

- Original Message -
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 03, 2004 11:47 PM
Subject: RE: [Declude.JunkMail] HELP, I'm beiing hijacked


You are missing a line. What does the connect line show, which is the line
before the MAIL FROM?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of serge
Sent: Friday, September 03, 2004 4:36 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] HELP, I'm beiing hijacked

Hi all

I have 100's of lines like:
20040903 104526 127.0.0.1   SMTPD (11AF0190) [61.144.136.193] MAIL FROM: <[EMAIL PROTECTED]>
20040903 104529 127.0.0.1   SMTPD (11AF0190) [61.144.136.193] RCPT TO:<[EMAIL PROTECTED]>
20040903 104532 127.0.0.1   SMTPD (11AF0190) [61.144.136.193] F:\Imail\spool\D4b4611af01909a4c.SMD 952

All from same IP [61.144.136.193], and all with same "SMTPD (11AF0190)",
also the spool file name is different
I have smtp set to "relay for addresses", and they do not include
61.144.136.193

I can see no auth from 61.144.136.193 in the logs

I added 61.144.136.193 to smtp "control access", but how can I prevent this
from happening, and how can I find how/why they gained access to my server?

TIA


RE: [Declude.JunkMail] HELP, I'm beiing hijacked

2004-09-03 Thread John Tolmachoff (Lists)
You are missing a line. What does the connect line show, which is the line
before the MAIL FROM?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of serge
> Sent: Friday, September 03, 2004 4:36 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] HELP, I'm beiing hijacked
> 
> Hi all
> 
> I have 100's of lines like:
> 20040903 104526 127.0.0.1   SMTPD (11AF0190) [61.144.136.193] MAIL
FROM:
> <[EMAIL PROTECTED]>
> 20040903 104529 127.0.0.1   SMTPD (11AF0190) [61.144.136.193] RCPT
> TO:<[EMAIL PROTECTED]>
> 20040903 104532 127.0.0.1   SMTPD (11AF0190) [61.144.136.193]
> F:\Imail\spool\D4b4611af01909a4c.SMD 952
> 
> All from same IP [61.144.136.193], and all with same "SMTPD (11AF0190)",
> also the spool file name is different
> I have smtp set to "relay for addresses", and they do not include
> 61.144.136.193
> 
> i can see no auth from 61.144.136.193 in the logs
> 
> i added 61.144.136.193 to smtp "control access", but how can i prevent
this
> from happening, and how can i find how/why they gained access to my
server?
> 
> TIA
> 


[Declude.JunkMail] HELP, I'm beiing hijacked

2004-09-03 Thread serge
Hi all

I have 100's of lines like:
20040903 104526 127.0.0.1   SMTPD (11AF0190) [61.144.136.193] MAIL FROM: <[EMAIL PROTECTED]>
20040903 104529 127.0.0.1   SMTPD (11AF0190) [61.144.136.193] RCPT TO:<[EMAIL PROTECTED]>
20040903 104532 127.0.0.1   SMTPD (11AF0190) [61.144.136.193] F:\Imail\spool\D4b4611af01909a4c.SMD 952

All from same IP [61.144.136.193], and all with same "SMTPD (11AF0190)",
also the spool file name is different
I have smtp set to "relay for addresses", and they do not include
61.144.136.193

I can see no auth from 61.144.136.193 in the logs

I added 61.144.136.193 to smtp "control access", but how can I prevent this
from happening, and how can I find how/why they gained access to my server?

TIA
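
Added example, not part of the thread and not IMail or Declude code: one way to answer the question above about a log analyzer that shows messages where neither sender nor recipient is local. It parses only the SMTPD line types quoted in this thread (connect, EHLO, MAIL FROM, RCPT TO, spool file); the function names, the local domain, the relay network and every value in the sample log are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Line layout as quoted in the thread:
#   YYYYMMDD HHMMSS <host>   SMTPD (<session id>) [<ip>] <text>
LINE_RE = re.compile(r"^\d{8} \d{6} \S+\s+SMTPD \((?P<sid>[0-9A-Fa-f]+)\) "
                     r"\[(?P<ip>[\d.]+)\] (?P<text>.*)$")
CONNECT_RE = re.compile(r"^connect (?P<remote>[\d.]+) port \d+$")
ADDR_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<(?P<addr>[^>]*)>", re.I)

# Constructed sample: every address, IP and session id below is made up.
SAMPLE_LOG = r"""
20040903 104237 127.0.0.1   SMTPD (0A1B0001) [192.0.2.10] connect 203.0.113.77 port 4124
20040903 104238 127.0.0.1   SMTPD (0A1B0001) [203.0.113.77] EHLO sapling
20040903 104526 127.0.0.1   SMTPD (0A1B0001) [203.0.113.77] MAIL FROM: <promo@bulk.example>
20040903 104529 127.0.0.1   SMTPD (0A1B0001) [203.0.113.77] RCPT TO:<someone@elsewhere.example>
20040903 104532 127.0.0.1   SMTPD (0A1B0001) [203.0.113.77] F:\Imail\spool\D0000000000000001.SMD 952
20040903 104540 127.0.0.1   SMTPD (0A1B0001) [203.0.113.77] MAIL FROM: <user@mydomain.example>
20040903 104541 127.0.0.1   SMTPD (0A1B0001) [203.0.113.77] RCPT TO:<other@elsewhere.example>
20040903 104601 127.0.0.1   SMTPD (0A1B0002) [192.0.2.10] connect 198.51.100.5 port 2201
20040903 104602 127.0.0.1   SMTPD (0A1B0002) [198.51.100.5] MAIL FROM: <friend@elsewhere.example>
20040903 104603 127.0.0.1   SMTPD (0A1B0002) [198.51.100.5] RCPT TO:<user@mydomain.example>
20040903 104700 127.0.0.1   SMTPD (0A1B0003) [192.0.2.10] connect 192.0.2.25 port 1050
20040903 104701 127.0.0.1   SMTPD (0A1B0003) [192.0.2.25] MAIL FROM: <app@partner.example>
20040903 104702 127.0.0.1   SMTPD (0A1B0003) [192.0.2.25] RCPT TO:<user@elsewhere.example>
"""


def parse_sessions(lines):
    """Group SMTPD lines by session id; pair each MAIL FROM with its RCPT TOs."""
    sessions = defaultdict(lambda: {"remote": None, "messages": []})
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an SMTPD line in the layout above
        s, text = sessions[m["sid"]], m["text"]
        c = CONNECT_RE.match(text)
        if c:  # on a connect line the bracketed ip is the server's own
            s["remote"] = c["remote"]
            continue
        s["remote"] = s["remote"] or m["ip"]  # excerpt may lack the connect line
        a = ADDR_RE.match(text)
        if a and a[1].upper() == "MAIL FROM":
            s["messages"].append({"from": a["addr"].lower(), "to": []})
        elif a and s["messages"]:
            s["messages"][-1]["to"].append(a["addr"].lower())
    return dict(sessions)


def relay_suspects(sessions, local_domains, relay_nets):
    """Non-local recipients accepted from clients outside relay_nets.

    Returns (sid, client ip, sender, recipient, sender_is_local). MAIL FROM is
    chosen by the client, so a local-looking sender is reported, not trusted.
    """
    nets = [ipaddress.ip_network(n) for n in relay_nets]
    is_local = lambda addr: addr.rpartition("@")[2] in local_domains
    hits = []
    for sid, s in sorted(sessions.items()):
        if any(ipaddress.ip_address(s["remote"]) in n for n in nets):
            continue  # client is on the "relay for addresses" list
        for msg in s["messages"]:
            hits += [(sid, s["remote"], msg["from"], rcpt, is_local(msg["from"]))
                     for rcpt in msg["to"] if not is_local(rcpt)]
    return hits


if __name__ == "__main__":
    found = relay_suspects(parse_sessions(SAMPLE_LOG.splitlines()),
                           {"mydomain.example"}, ["192.0.2.0/24"])
    for hit in found:
        print(*hit)
```

Rows whose last field is False are the case asked about in the thread (sender and recipient both non-local); rows with True have a local-looking sender but still go to an outside recipient from a client that is not on the relay list.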