Re: I think I'm being relayed through, but I don't know how.
On Wed, Jun 06, 2001 at 01:44:56PM -0500, Chris Garrigues wrote:
> I've got this in my queue:
>
> 5 Jun 2001 14:44:17 GMT  #48256  5651  [EMAIL PROTECTED]

Are you bouncing spam that has false return addresses?

-- 
Brian 'you Bastard' Reichert        [EMAIL PROTECTED]
37 Crystal Ave. #303                Daytime number: (603) 434-6842
Derry NH 03038-1713 USA             Intel architecture: the left-hand path
RE: I think I'm being relayed through, but I don't know how.
We all do someday :)

I always feel stupid two minutes after I tried convincing my boss the logic of something...

-----Original Message-----
From: Chris Garrigues [mailto:[EMAIL PROTECTED]]
Sent: Friday, 8 June 2001 3:24
To: qmail list
Subject: Re: I think I'm being relayed through, but I don't know how.

> I'm feeling pretty stupid today.
>
> Chris
Re: I think I'm being relayed through, but I don't know how.
* Chris Garrigues [EMAIL PROTECTED] [010606 20:44]: I've got this in my queue: Your patched qmail-smtpd seems to have a buffer overflow problem. Vis: --- snip --- $ telnet 216.30.106.234 25 Trying 216.30.106.234... Connected to 216.30.106.234. Escape character is '^]'. 220 austin-jump.vircio.com ESMTP HELO fdskfnhosdhfdsnfcdlsncvdsndnfisndfondskivndsn fid fhiorhfoidhgfoisdoigfdsfhgpofdh gofdh gouf oghfdogh foi hgoifh glfdh göldfhgoirhg ojd flghohg odf hglodfg ofdnv df oö vhnfdlngvoifngvo rfiuvnfodvofdhoghfdshvlkzcjgflkfhdgohdfoighfdlkjgöldhglfhdglkfdshglkfdglkjdrigfdohjgldfksglkdfhglfdhgldfhglöfjgfapoijpqeiwjfkldsnglcöngfoihgöodsnfvldshgtfoihdsalfjäpgjöfadh odifh gfdijgodfgöodhgföldgöofhgafdjödflkngvlödfhgpifdjgkljdcäjgädszjgofdijglöfjbgoaskfnhosdhfdsnfcdlsncvdsndnfisndfondskivndsnfid fhiorhf oidhgfoisd oigfdsfhgpofdh gofdh gouf oghfdogh foi hgoifh glfdhgöldfhgoirhg ojd flgho hg odf hglodfg ofdnv df oö vhnfdlngvoifngvorfiuvnfodvofdhoghfdshvlkzcjgflkfhdgohdfoighfdlkjgöldhglfhdglkfdshglkfdglkjdrigfdohjgldfksglkdfhglfdhgldfhglöfjgfapoijpqeiwjfkldsnglcöngfoihgöodsnfvldshskfnhosdhfdsnfcdlsncvdsndnfisndfondskivndsnfid fhiorhf oidhgfoisd oigfdsfhgpofdh gofdh gouf oghfdogh foi hgoifh glfdhgöldfhgoirhg ojd flgho hg odf hglodfg ofdnv df oö vhnfdlngvoifngvo rfiuvnfodvofdhoghfdshvlkzcjgflkfhdgohdfoighfdlkjgöldhglfhdglkfdshglkfdglkjdrigfdohjgldfksglkdfhglfdhgldfhglöfjgfapoijpqeiwjfkldsnglcöngfoihgöodsnfvldshskfnhosdhfdsnfcdlsncvdsndnfisndfondskivndsn fid fhiorhfoidhgfoisd oigfdsfhgpofdh gofdh gouf oghfdogh foi hgoifh glfdh göldfhgoirhg ojd flghohg odf hglodfg ofdnv df oö vhnfdlngvoifngvo rfiuvnfodvofdhoghfdshvlkzcjgflkfhdgohdfoighfdlkjgöldhglfhdglkfdshglkfdglkjdrigfdohjgldfksglkdfhglfdhgldfhglöfjgfapoijpqeiwjfkldsnglcöngfoihgöodsnfvldshskfnhosdhfdsnfcdlsncvdsndnfisndfondskivndsnfid fhiorhf oidhgfoisd oigfdsfhgpofdh gofdh gouf oghfdogh foi hgoifh glfdhgöldfhgoirhg ojd flgho hg odf hglodfg ofdnv df oö vhnfdlngvoifngvo 
rfiuvnfodvofdhoghfdshvlkzcjgflkfhdgohdfoighfdlkjgöldhglfhdglkfdshglkfdglkjdrigfdohjgldfksglkdfhglfdhgldfhglöfjgfapoijpqeiwjfkldsnglcöngfoihgöodsnfvldshskfnhosdhfdsnfcdlsncvdsndnfisndfondskivndsn fid fhiorhf oidhgfoisd oigfdsfhgpofdh gofdh gouf oghfdoghfoi hgoifh glfdh göldfhgoirhg ojd flgho hg odf hglodfg ofdnv df oövhnfdlngvoifngvo rfiuvnfodvofdhoghfdshvlkzcjgflkfhdgohdfoighfdlkjgöldhglfhdglkfdshglkfdglkjdrigfdohjgldfksglkdfhglfdhgldfhglöfjgfapoijpqeiwjfkldsnglcöngfoihgöodsnfvldshskfnhosdhfdsnfcdlsncvdsndnfisndfondskivndsn fid fhiorhf oidhgfoisd oigfdsfhgpofdhgofdh gouf oghfdogh foi hgoifh glfdh göldfhgoirhg ojd flgho hg odf hglodfg ofdnv dfoö vhnfdlngvoifngvo rfiuvnfodvofdhoghfdshvlkzcjgflkfhdgohdfoighfdlkjgöldhglfhdglkfdshglkfdglkjdrigfdohjgldfksglkdfhglfdhgldfhglöfjgfapoijpqeiwjfkldsnglcöngfoihgöodnfvldsh 250 austin-jump.vircio.com MAIL FROM:[EMAIL PROTECTED] 250 ok RCPT TO:[EMAIL PROTECTED] 250 ok DATA 354 go ahead Subject: Hejhej Dadaa , . 250 ok 991911255 qp 1264 QUIT 221 austin-jump.vircio.com Connection closed by foreign host. --- snap --- -- Johan Almqvist http://www.almqvist.net/johan/ PGP signature
Re: I think I'm being relayed through, but I don't know how.
* Johan Almqvist [EMAIL PROTECTED] [010607 12:59]:
> * Chris Garrigues [EMAIL PROTECTED] [010606 20:44]:
> > I've got this in my queue:
>
> Your patched qmail-smtpd seems to have a buffer overflow problem. Vis:

And attached is the confirmation.

-Johan
-- 
Johan Almqvist
http://www.almqvist.net/johan/qmail/
Re: I think I'm being relayed through, but I don't know how.
I've got a slightly old set of qmail-ldap patches. I guess I'd better upgrade!

Thanks.

Chris

> From: Johan Almqvist [EMAIL PROTECTED]
> Date: Thu, 7 Jun 2001 14:43:04 +0200
>
> * Johan Almqvist [EMAIL PROTECTED] [010607 12:59]:
> > * Chris Garrigues [EMAIL PROTECTED] [010606 20:44]:
> > > I've got this in my queue:
> >
> > Your patched qmail-smtpd seems to have a buffer overflow problem. Vis:
>
> And attached is the confirmation.

-- 
Chris Garrigues                 http://www.DeepEddy.Com/~cwg/
virCIO                          http://www.virCIO.Com
4314 Avenue C
Austin, TX 78751-3709           +1 512 374 0500

  My email address is an experiment in SPAM elimination.  For an
  explanation of what we're doing, see http://www.DeepEddy.Com/tms.html

  Nobody ever got fired for buying Microsoft, but they could get fired
  for relying on Microsoft.
Re: I think I'm being relayed through, but I don't know how.
> From: Chris Garrigues [EMAIL PROTECTED]
> Date: Thu, 07 Jun 2001 09:38:56 -0500
>
> I've got a slightly old set of qmail-ldap patches. I guess I'd better upgrade!

For those who made an attempt to help me out, I'd like to report that it was all due to my own stupidity. My smtp.cdb file didn't have what I thought it had in it, and I was relaying with or without a buffer overflow.

I'm feeling pretty stupid today.

Chris
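The conclusion above is that smtp.cdb did not contain the rules its owner believed it did. What follows is an added example, not qmail's or ucspi-tcp's own code, that models the relay decision those files feed: tcpserver's rule lookup on tcp.smtp (exact address, then shorter dotted prefixes, then the empty default key) and qmail-smtpd's recipient check (anything if RELAYCLIENT is in the environment, otherwise the domain must match control/rcpthosts; a missing rcpthosts accepts everything). Hostname (=) rules are left out, and the rule sets, domains and addresses are constructed, not the poster's real configuration.

```python
"""Model of the tcpserver + qmail-smtpd relay decision the thread turns on.

Added example, not qmail's or ucspi-tcp's code.  Rule sets and domains
below are constructed.  Hostname ("=host") rules are not modelled.
"""


def parse_tcprules(text):
    """Parse tcp.smtp source lines of the form 'key:allow|deny[,VAR=value,...]'."""
    rules = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, rest = line.strip().partition(":")
        action, *assignments = rest.split(",")
        env = {}
        for kv in assignments:
            name, _, value = kv.partition("=")
            env[name] = value.strip('"')
        rules[key] = (action == "allow", env)
    return rules


def lookup_rule(rules, ip):
    """tcpserver order: full address, then '10.0.0.', '10.0.', '10.', then ''."""
    if ip in rules:
        return rules[ip]
    octets = ip.split(".")
    for n in range(3, 0, -1):
        prefix = ".".join(octets[:n]) + "."
        if prefix in rules:
            return rules[prefix]
    # no matching rule: tcpserver lets the connection through with no extra environment
    return rules.get("", (True, {}))


def rcpthosts_allows(rcpthosts, domain):
    """control/rcpthosts test; rcpthosts=None models the file being absent."""
    if rcpthosts is None:
        return True          # qmail-smtpd then accepts every recipient
    domain = domain.lower()
    if domain in rcpthosts:
        return True
    # a '.example.com' entry matches any subdomain, but not example.com itself
    return any(domain[i:] in rcpthosts for i, c in enumerate(domain) if c == ".")


def smtpd_accepts(rules_text, rcpthosts, source_ip, rcpt):
    """Would qmail-smtpd behind tcpserver take RCPT TO:<rcpt> from source_ip?"""
    allowed, env = lookup_rule(parse_tcprules(rules_text), source_ip)
    if not allowed:
        return False, "connection dropped by tcpserver"
    if "RELAYCLIENT" in env:
        return True, "RELAYCLIENT set for this source: relaying allowed"
    domain = rcpt.rpartition("@")[2]
    if rcpthosts_allows(rcpthosts, domain):
        return True, "%s is in rcpthosts" % domain
    return False, "553 sorry, that domain isn't in my list of allowed rcpthosts"


# Constructed configurations.  INTENDED_RULES is what the poster believed he had:
# relay only for 10.*, accept connections from everyone else without RELAYCLIENT.
INTENDED_RULES = "10.:allow,RELAYCLIENT=\n:allow\n"
# One stray RELAYCLIENT on the default rule turns the host into an open relay.
OPEN_RELAY_RULES = "10.:allow,RELAYCLIENT=\n:allow,RELAYCLIENT=\n"
RCPTHOSTS = {"example.com", ".example.com"}   # constructed control/rcpthosts
```

Run the same (ip, recipient) pairs through both rule sets, and with `rcpthosts=None`, to see the three ways an outside host ends up relaying: a RELAYCLIENT on the wrong rule, a prefix rule broader than intended, or no rcpthosts file at all.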
Re: I think I'm being relayed through, but I don't know how.
> From: Chris Garrigues [EMAIL PROTECTED]
> Date: Wed, 06 Jun 2001 13:44:56 -0500

For the record, I've added that envelope to my badmailfrom and deleted a bunch of stuff by hand, but I'd still like to know how they managed to use me as a relay. My configuration hasn't changed.

It also seems to me that this list is running very slow right now. Is it possible that some spammer found an exploit and is also hitting muncher.math.uic.edu in the same way I was being hit?

Chris
Re: I think I'm being relayed through, but I don't know how.
Chris Garrigues [EMAIL PROTECTED] wrote:
> I've got this in my queue:
>
> 5 Jun 2001 14:44:17 GMT  #48256  5651  [EMAIL PROTECTED]
>         remote  [EMAIL PROTECTED]
>   done  remote  [EMAIL PROTECTED]
>   done  remote  [EMAIL PROTECTED]
>         remote  [EMAIL PROTECTED]
>   done  remote  [EMAIL PROTECTED]
>   done  remote  [EMAIL PROTECTED]
>         remote  [EMAIL PROTECTED]
>   done  remote  [EMAIL PROTECTED]
>         remote  [EMAIL PROTECTED]
>         remote  [EMAIL PROTECTED]
>   done  remote  [EMAIL PROTECTED]
>   done  remote  [EMAIL PROTECTED]
>         remote  [EMAIL PROTECTED]
>         remote  [EMAIL PROTECTED]
>         remote  [EMAIL PROTECTED]
>
> Neither mail.com nor mindless.com are my domains

Okay so far.

> [root@austin-jump network-scripts]# more /etc/qmail/control/rcpthosts
> [no mindless.com]
>
> my smtp.cdb contains:
>
> 10.:allow,RELAYCLIENT=
> :allow
>
> Looking at the guts of the message in the queue, I find:
>
> [...]
> Received: (qmail 2993 invoked by uid 104); 5 Jun 2001 14:44:17 -
> Received: from [EMAIL PROTECTED] by austin-jump.vircio.com with qmail-scanner-
>  0.90 (uvscan: v4.1.20/v4127. . Clean. Processed in 3.919065 secs); 05/06/2001 09
> :44:13
> Received: from pppa16-resaleeasternmab1-3r7830.dialinx.net (HELO oemcomputer???1
> 02.74.4.25???by?mtiwmhc08.worldnet.att.net??InterMail?v03.02.07.07?118-134??with
> ?SMTP?id??2116195506.ZOOK28505@oemcomputer??from?worldnet.att.net???12.77.19
> 4.15???by?mtiwmhc03.worldnet.att.netmindspring??user-3qt5hn.dialup.mindspring.co
> m?99.174.150.55???by?smtp6.mindspring.com??8.9.3/8.8.5??with?SMTP?id?OAA06398??f
> rom?110140321worldnet.att.net???102.70.21.32???by?mtiwmhc98.worldnet.att.net??In
> terMail?v03.02.07.07?118-134??with?SMTP?id?20090116195452.ZOMX28505@110940321wor
> [...]

That's a lot of garbage. It's either the world's worst attempt at forging Received: headers, or perhaps qmail-scanner is broken in this instance? Any other rewriting going on?

> so it appears that the message arrived from
> pppa16-resaleeasternmab1-3r7830.dialinx.net at 4.45.125.13.

I didn't get that far in the headers; there appeared to be a lot more garbage, so I'm not sure I agree with you.

> I don't know why this wasn't rejected by tcpcontrol.

You aren't rejecting anything with tcpserver; you're accepting all connections. How it got relayed is another matter.

To trace this, you need to find the qmail qid in this message, then go through your qmail-send logs to find out where this message originated and how. Based on the timestamp you find there for "new msg ...", look in your qmail-smtpd logs. That will tell you exactly where the message originated.

Perhaps you have a CGI script which sends mail, and contains a security hole? Or something else is letting people into your 10. address space?

Charles
-- 
-----------------------------------------------------------------------
Charles Cazabon                            [EMAIL PROTECTED]
GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
-----------------------------------------------------------------------
Re: I think I'm being relayed through, but I don't know how.
Actually, it looks like they tried to send to those users but you don't have them and they bounced. If they forged the sender then the bounce can't go through and you'll eventually get a double bounce to postmaster. That's happened to me a couple of times. Check the logs to see what they say. According to your tcp.smtp.cdb file you're not an open relay.

Regards.

At 01:44 PM 6/6/2001 -0500, you wrote:
> I've got this in my queue:
>
> 5 Jun 2001 14:44:17 GMT  #48256  5651  [EMAIL PROTECTED]
>         remote  [EMAIL PROTECTED]
>   done  remote  [EMAIL PROTECTED]
>   done  remote  [EMAIL PROTECTED]
>         remote  [EMAIL PROTECTED]
>   done  remote  [EMAIL PROTECTED]
>   done  remote  [EMAIL PROTECTED]
>         remote  [EMAIL PROTECTED]
>   done  remote  [EMAIL PROTECTED]
>         remote  [EMAIL PROTECTED]
>         remote  [EMAIL PROTECTED]
>   done  remote  [EMAIL PROTECTED]
>   done  remote  [EMAIL PROTECTED]
>         remote  [EMAIL PROTECTED]
>         remote  [EMAIL PROTECTED]
>         remote  [EMAIL PROTECTED]
>
> Neither mail.com nor mindless.com are my domains

snipped

-----------------------------------------
Kourosh Ghassemieh
MindWare Information Systems Technologies
9255 Sunset Blvd, Penthouse
West Hollywood CA 90069
(310) 729-1784
[EMAIL PROTECTED]
Networking Solutions for Your Business
Re: I think I'm being relayed through, but I don't know how.
> From: Kourosh Ghassemieh [EMAIL PROTECTED]
> Date: Wed, 06 Jun 2001 14:36:59 -0700
>
> Actually, it looks like they tried to send to those users but you don't
> have them and they bounced. If they forged the sender then the bounce
> can't go through and you'll eventually get a double bounce to postmaster.
> That's happened to me a couple of times. Check the logs to see what they
> say. According to your tcp.smtp.cdb file you're not an open relay.

But my point is that mindless.com isn't even my domain. The ones that say 'done' were relayed and shouldn't have been. The attempt to send to mindless.com should have been rejected by tcpserver because it's not in my control/locals.

Chris

> At 01:44 PM 6/6/2001 -0500, you wrote:
> > I've got this in my queue:
> >
> > 5 Jun 2001 14:44:17 GMT  #48256  5651  [EMAIL PROTECTED]
> >         remote  [EMAIL PROTECTED]
> >   done  remote  [EMAIL PROTECTED]
> >   done  remote  [EMAIL PROTECTED]
> >         remote  [EMAIL PROTECTED]
> >   done  remote  [EMAIL PROTECTED]
> >   done  remote  [EMAIL PROTECTED]
> >         remote  [EMAIL PROTECTED]
> >   done  remote  [EMAIL PROTECTED]
> >         remote  [EMAIL PROTECTED]
> >         remote  [EMAIL PROTECTED]
> >   done  remote  [EMAIL PROTECTED]
> >   done  remote  [EMAIL PROTECTED]
> >         remote  [EMAIL PROTECTED]
> >         remote  [EMAIL PROTECTED]
> >         remote  [EMAIL PROTECTED]
> >
> > Neither mail.com nor mindless.com are my domains
>
> snipped
Re: I think I'm being relayed through, but I don't know how.
> From: Chris Garrigues [EMAIL PROTECTED]
> Date: Wed, 06 Jun 2001 16:40:03 -0500
>
> > From: Kourosh Ghassemieh [EMAIL PROTECTED]
> > Date: Wed, 06 Jun 2001 14:36:59 -0700
> >
> > Actually, it looks like they tried to send to those users but you don't
> > have them and they bounced. If they forged the sender then the bounce
> > can't go through and you'll eventually get a double bounce to postmaster.
> > That's happened to me a couple of times. Check the logs to see what they
> > say. According to your tcp.smtp.cdb file you're not an open relay.
>
> But my point is that mindless.com isn't even my domain. The ones that say
> 'done' were relayed and shouldn't have been. The attempt to send to
> mindless.com should have been rejected by tcpserver because it's not in my
                                                          ^
                                               I meant 'qmail-smtpd'.
> control/locals.
>
> Chris
Re: I think I'm being relayed through, but I don't know how.
Chris Garrigues [EMAIL PROTECTED] wrote:
> For the record, I've added that envelope to my badmailfrom and deleted a
> bunch of stuff by hand, but I'd still like to know how they managed to use
> me as a relay.

You still haven't shown the log entries that would prove this is what happened. I asked for those in my last message.

> My configuration hasn't changed.

If you were used as a relay, then your configuration was broken to begin with, but nobody was exploiting it. Don't take this as an insult; it's just a fact.

> It also seems to me that this list is running very slow right now. Is it
> possible that some spammer found an exploit and is also hitting
> muncher.math.uic.edu in the same way I was being hit?

No. UIC (where list.cr.yp.to is located) is running out of network bandwidth during peak times, and the various lists there get bitten as a result.

Charles
Re: I think I'm being relayed through, but I don't know how.
Well, what do the logs say?

It's possible that a spammer sent mail to random addresses in one of your hosted domains and had them listed in the BCC: field, with the return address forged to be from mindless.com. Since the users in your domain are non-existent the messages are trying to bounce to the sender, which is refusing some of them as being non-existent as well. You'll see them double-bounce once they time out. I'm not that experienced at reading headers so I'm not 100% certain, but it sounds logical.

Again, what do the logs say? They can help quite a bit in diagnosing problems. You should be able to find when they came in and from where, and why they are being refused, if they are.

What do the logs say?

At 04:40 PM 6/6/2001 -0500, you wrote:
> > From: Kourosh Ghassemieh [EMAIL PROTECTED]
> > Date: Wed, 06 Jun 2001 14:36:59 -0700
> >
> > Actually, it looks like they tried to send to those users but you don't
> > have them and they bounced. If they forged the sender then the bounce
> > can't go through and you'll eventually get a double bounce to postmaster.
> > That's happened to me a couple of times. Check the logs to see what they
> > say. According to your tcp.smtp.cdb file you're not an open relay.
>
> But my point is that mindless.com isn't even my domain. The ones that say
> 'done' were relayed and shouldn't have been. The attempt to send to
> mindless.com should have been rejected by tcpserver because it's not in my
> control/locals.
>
> Chris
>
> > At 01:44 PM 6/6/2001 -0500, you wrote:
> > > I've got this in my queue:
> > >
> > > 5 Jun 2001 14:44:17 GMT  #48256  5651  [EMAIL PROTECTED]
> > >         remote  [EMAIL PROTECTED]
> > >   done  remote  [EMAIL PROTECTED]
> > >   done  remote  [EMAIL PROTECTED]
> > >         remote  [EMAIL PROTECTED]
> > >   done  remote  [EMAIL PROTECTED]
> > >   done  remote  [EMAIL PROTECTED]
> > >         remote  [EMAIL PROTECTED]
> > >   done  remote  [EMAIL PROTECTED]
> > >         remote  [EMAIL PROTECTED]
> > >         remote  [EMAIL PROTECTED]
> > >   done  remote  [EMAIL PROTECTED]
> > >   done  remote  [EMAIL PROTECTED]
> > >         remote  [EMAIL PROTECTED]
> > >         remote  [EMAIL PROTECTED]
> > >         remote  [EMAIL PROTECTED]
> > >
> > > Neither mail.com nor mindless.com are my domains
> >
> > snipped
Re: I think I'm being relayed through, but I don't know how.
> From: Kourosh Ghassemieh [EMAIL PROTECTED]
> Date: Wed, 06 Jun 2001 15:30:15 -0700
>
> Well, what do the logs say?
>
> It's possible that a spammer sent mail to random addresses in one of your
> hosted domains and had them listed in the BCC: field, with the return
> address forged to be from mindless.com. Since the users in your domain are
> non-existent the messages are trying to bounce to the sender, which is
> refusing some of them as being non-existent as well. You'll see them
> double-bounce once they time out. I'm not that experienced at reading
> headers so I'm not 100% certain, but it sounds logical.

When an email message is composed, addresses are extracted from the To, CC, and BCC headers and placed in the envelope. They are never again consulted. The envelope addresses determine where the message gets sent.

When qmail gets a message, it looks at the envelope and puts the contents in queue/remote and/or queue/local. The contents of those files are what is displayed by qmail-qread, so we know that the envelope contained a bunch of mindless.com addresses and did not include any addresses from my domains.

> Again, what do the logs say? They can help quite a bit in diagnosing
> problems. You should be able to find when they came in and from where, and
> why they are being refused, if they are.
>
> What do the logs say?

They're being refused because some of the addresses were bogus and the real mail server for mindless.com rejected them.

Actually, I lost the logs because, before I discovered this problem, I blew them away due to their having filled my file system to 100%. In hindsight, I realize this is almost certainly because I was relaying spam at the time.

Chris
Re: I think I'm being relayed through, but I don't know how.
> From: Charles Cazabon [EMAIL PROTECTED]
> Date: Wed, 6 Jun 2001 15:19:21 -0600
>
> Chris Garrigues [EMAIL PROTECTED] wrote:
> > I've got this in my queue:
> >
> > 5 Jun 2001 14:44:17 GMT  #48256  5651  [EMAIL PROTECTED]
> >         remote  [EMAIL PROTECTED]
> >   done  remote  [EMAIL PROTECTED]
> >   done  remote  [EMAIL PROTECTED]
> >         remote  [EMAIL PROTECTED]
> >   done  remote  [EMAIL PROTECTED]
> >   done  remote  [EMAIL PROTECTED]
> >         remote  [EMAIL PROTECTED]
> >   done  remote  [EMAIL PROTECTED]
> >         remote  [EMAIL PROTECTED]
> >         remote  [EMAIL PROTECTED]
> >   done  remote  [EMAIL PROTECTED]
> >   done  remote  [EMAIL PROTECTED]
> >         remote  [EMAIL PROTECTED]
> >         remote  [EMAIL PROTECTED]
> >         remote  [EMAIL PROTECTED]
> >
> > Neither mail.com nor mindless.com are my domains
>
> Okay so far.
>
> > [root@austin-jump network-scripts]# more /etc/qmail/control/rcpthosts
> > [no mindless.com]
> >
> > my smtp.cdb contains:
> >
> > 10.:allow,RELAYCLIENT=
> > :allow
> >
> > Looking at the guts of the message in the queue, I find:
> >
> > [...]
> > Received: (qmail 2993 invoked by uid 104); 5 Jun 2001 14:44:17 -
> > Received: from [EMAIL PROTECTED] by austin-jump.vircio.com with qmail-scanner-
> >  0.90 (uvscan: v4.1.20/v4127. . Clean. Processed in 3.919065 secs); 05/06/2001 09
> > :44:13
> > Received: from pppa16-resaleeasternmab1-3r7830.dialinx.net (HELO oemcomputer???1
> > 02.74.4.25???by?mtiwmhc08.worldnet.att.net??InterMail?v03.02.07.07?118-134??with
> > ?SMTP?id??2116195506.ZOOK28505@oemcomputer??from?worldnet.att.net???12.77.19
> > 4.15???by?mtiwmhc03.worldnet.att.netmindspring??user-3qt5hn.dialup.mindspring.co
> > m?99.174.150.55???by?smtp6.mindspring.com??8.9.3/8.8.5??with?SMTP?id?OAA06398??f
> > rom?110140321worldnet.att.net???102.70.21.32???by?mtiwmhc98.worldnet.att.net??In
> > terMail?v03.02.07.07?118-134??with?SMTP?id?20090116195452.ZOMX28505@110940321wor
> > [...]
>
> That's a lot of garbage. It's either the world's worst attempt at forging
> Received: headers, or perhaps qmail-scanner is broken in this instance?
> Any other rewriting going on?

No.

> > so it appears that the message arrived from
> > pppa16-resaleeasternmab1-3r7830.dialinx.net at 4.45.125.13.
>
> I didn't get that far in the headers; there appeared to be a lot more
> garbage, so I'm not sure I agree with you.

If you look at the line with all the garbage, and remove the stuff in the first parenthesis, you get:

Received: from pppa16-resaleeasternmab1-3r7830.dialinx.net () ([4.45.125.13]) (envelope-sender [EMAIL PROTECTED]) by 216.30.106.234 (qmail-ldap-1.03) with SMTP for [EMAIL PROTECTED]; 5 Jun 2001 14:44:12 -

which was written by qmail. I did a reverse lookup of pppa16-resaleeasternmab1-3r7830.dialinx.net myself, getting 4.45.125.13 just like qmail.

> > I don't know why this wasn't rejected by tcpcontrol.
>
> You aren't rejecting anything with tcpserver; you're accepting all
> connections. How it got relayed is another matter.

Er, yeah. I meant qmail-smtpd.

> To trace this, you need to find the qmail qid in this message, then go
> through your qmail-send logs to find out where this message originated and
> how. Based on the timestamp you find there for "new msg ...", look in your
> qmail-smtpd logs. That will tell you exactly where the message originated.

Unfortunately, I blew away my qmail log recently because it filled my /var to 100%. :-( In hindsight I think this happened because I was relaying SPAM.

> Perhaps you have a CGI script which sends mail, and contains a security hole?

Not on this box.

> Or something else is letting people into your 10. address space?

Maybe.