Ron,

I believe we solved part of the mystery.

Spamdyke ignores all rules once SMTP auth is completed
so that explains why it was ignoring all the other rules.

The offender is coming from all different IPs.

Also, we have a theory that even though we had changed the password
for user "tom", SMTP auth and/or other processes were
still allowing the old credentials.

We have seen the relaying reduced down and now it's stopped completely
in the last hour.

Thanks,
K

> -----Original Message-----
> From: spamdyke-users-boun...@spamdyke.org [mailto:spamdyke-users-
> boun...@spamdyke.org] On Behalf Of spamdyke-users-requ...@spamdyke.org
> Sent: Wednesday, September 26, 2012 11:31 AM
> To: spamdyke-users@spamdyke.org
> Subject: spamdyke-users Digest, Vol 64, Issue 26
> 
> 
> Message: 1
> Date: Wed, 26 Sep 2012 14:25:55 -0400
> From: Gary Gendel <g...@genashor.com>
> Subject: Re: [spamdyke-users] Need Paid Assistance Referral
> To: spamdyke users <spamdyke-users@spamdyke.org>
> Message-ID: <506348b3.4070...@genashor.com>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> Kevin,
> 
> Qmail looks for the environment variable RELAYCLIENT, if that is set,
> then qmail will happily relay.
> 
> My guess is that something upstream or downstream from spamdyke is doing
> the dirty deed.  For example, if you use tcpserver, check its rules and
> make sure that the correct rules have been compiled.  Specifically, look
> for any rule that would match the offender's IP address: 76.186.240.2.
> 
> For example, if the following line was in the tcpserver rules file:
> 
> 78.168.:allow,RELAYCLIENT=""
> 
> It would be allowed to relay.
> 
> Gary
> 
> 
> On 9/26/12 2:10 PM, ke...@firedrum.com wrote:
> >
> > Can anyone refer a company or individual for help with Qmail?
> >
> > We are fairly experienced admins with email hosting
> > but this one has us stumped.
> >
> > We installed spamdyke and that has helped considerably to
> > inspect what is happening but were not able to stop
> > access to qmail relaying to remote addresses for this
> > one particular user.
> >
> > The user can not even be found in our system, yet, this
> > user "tom" can access our smtp and relay mail through.
> >
> > We are desperate and willing to pay for any assistance.
> >
> > Thanks, Kevin
> >
> > Example log file:
> >
> > 09/25/2012 22:29:43 CURRENT CONFIG
> > config-file=/etc/spamdyke.conf
> > dns-blacklist-entry=sbl-xbl.spamhaus.org
> > dns-blacklist-entry=bl.spamcop.net
> > dns-blacklist-entry=b.barracudacentral.org
> > full-log-dir=/var/www/spamdykelog
> > graylist-dir=/var/www/graylist
> > graylist-level=always-create-dir
> > graylist-max-secs=1814400
> > graylist-min-secs=300
> > greeting-delay-secs=3
> > idle-timeout-secs=300
> > ip-blacklist-file=/var/www/blacklist_ip/ip-blacklist-file
> > ip-in-rdns-keyword-blacklist-file=/var/www/ip-in-rdns-keyword-blacklist-file
> > local-domains-file=/var/qmail/control/rcpthosts
> > log-level=info
> > max-recipients=10
> > recipient-blacklist-entry=@mail.ru
> > recipient-blacklist-entry=@rambler.ru
> > recipient-blacklist-entry=@udm.ru
> > recipient-blacklist-entry=@trans-oil.ru
> > recipient-blacklist-entry=@rshb.samtel.ru
> > recipient-blacklist-entry=@.ru
> > recipient-blacklist-entry=@yandex.ru
> > reject-missing-sender-mx=1
> > sender-blacklist-file=/var/www/blacklist_senders/sender-blacklist-file
> >
> > 09/25/2012 22:29:53 LOG OUTPUT AUTH:tom
> > DEBUG(find_username()@spamdyke.c:194): searching for username between positions 9 and 27: RCPT TO:<darkbars...@mail.ru>
> > DEBUG(find_domain()@spamdyke.c:428): searching for domain between positions 20 and 27: RCPT TO:<darkbars...@mail.ru>
> > DEBUG(find_address()@spamdyke.c:793): found username: darkbars666
> > DEBUG(find_address()@spamdyke.c:810): found domain: mail.ru
> > DEBUG(filter_recipient_relay()@filter.c:2360): checking relaying; relay-level: 0 recipient: darkbars...@mail.ru ip: 76.186.240.2 rdns: cpe-76-186-240-2.tx.res.rr.com local_recipient: false relaying_allowed: false
> > ALLOWED from: ro...@zaz.com.br to: darkbars...@mail.ru origin_ip: 76.186.240.2 origin_rdns: cpe-76-186-240-2.tx.res.rr.com auth: tom encryption: (none) reason: 250_ok_1348637395_qp_22493
> >
> > "Get Your Message Out!"
> >
> > Kevin Troendle | VP Technology
> > FireDrum Internet Marketing
> > Tel: 480.699.1524 | Fax: 480.699.1657
> > 7898 E. Acoma Dr. Suite 210
> > Scottsdale, AZ 85260
> > www.FireDrum.com <http://www.firedrum.com/> | www.firedrummarketing.com <http://www.firedrummarketing.com/>
> >
> > _______________________________________________
> > spamdyke-users mailing list
> > spamdyke-users@spamdyke.org
> > http://www.spamdyke.org/mailman/listinfo/spamdyke-users
> 
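Gary's suggestion above, to look for a tcpserver rule that matches the offender's IP and sets RELAYCLIENT, can be checked mechanically. The following is an added example, not part of the original thread: it parses a rules source file and reports which rule decides a given IP. It handles only exact-IP, dotted-prefix and empty (default) addresses, and the sample rules and function names are constructed for illustration.

```python
# Added example: which tcprules source line decides a client IP?
SAMPLE_RULES = '''\
# constructed sample, in the style of a tcp.smtp rules file
127.:allow,RELAYCLIENT=""
78.168.:allow,RELAYCLIENT=""
10.1.2.3:deny
:allow
'''


def parse_rules(text):
    """Map each rule address to (action, {env var: value})."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        address, _, instruction = line.partition(":")
        # Simplification: assumes no commas inside variable values.
        action, *assignments = instruction.split(",")
        env = {}
        for item in assignments:
            name, _, value = item.partition("=")
            env[name] = value.strip('"')
        rules[address] = (action, env)
    return rules


def candidates(ip):
    """Addresses looked up for an IP, most specific first."""
    octets = ip.split(".")
    prefixes = [".".join(octets[:n]) + "." for n in (3, 2, 1)]
    return [ip] + prefixes + [""]  # "" is the default rule


def deciding_rule(rules, ip):
    """Return (address, action, sets_relayclient) for the first match."""
    for address in candidates(ip):
        if address in rules:
            action, env = rules[address]
            return address, action, "RELAYCLIENT" in env
    return None, None, False  # no rule matched, nothing is set


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for ip in ("78.168.4.5", "76.186.240.2", "10.1.2.3"):
        print(ip, deciding_rule(rules, ip))
```

tcpserver reads the compiled cdb, not this source file, so rebuild it with tcprules after any change before trusting the result.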

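Because spamdyke skips its filters once SMTP AUTH succeeds, the log is the place to spot a reused credential like the "tom" account described at the top of this message. Added example, not from the original thread: it groups ALLOWED lines by auth user and lists users relaying to non-local domains from several distinct IPs. The sample log lines, the local domain set, the threshold and the treatment of parenthesised auth values as "not authenticated" are assumptions.

```python
import re
from collections import defaultdict

# Field order follows the ALLOWED line quoted in the thread.
LINE = re.compile(
    r"ALLOWED\s*from: (?P<sender>\S+) to: (?P<rcpt>\S+) "
    r"origin_ip: (?P<ip>\S+) origin_rdns: (?P<rdns>\S+) auth: (?P<auth>\S+)"
)

LOCAL_DOMAINS = {"example.com"}  # constructed; in practice, the rcpthosts list

# Constructed sample log lines (documentation IPs and domains).
SAMPLE_LOG = """\
Sep 26 10:00:01 mx spamdyke[101]: ALLOWED from: a@example.org to: x@example.net origin_ip: 192.0.2.10 origin_rdns: (unknown) auth: tom encryption: (none) reason: 250_ok
Sep 26 10:00:09 mx spamdyke[102]: ALLOWED from: b@example.org to: y@example.net origin_ip: 198.51.100.7 origin_rdns: (unknown) auth: tom encryption: (none) reason: 250_ok
Sep 26 10:00:15 mx spamdyke[103]: ALLOWED from: c@example.org to: z@example.org origin_ip: 203.0.113.5 origin_rdns: (unknown) auth: tom encryption: (none) reason: 250_ok
Sep 26 10:01:00 mx spamdyke[104]: ALLOWED from: alice@example.com to: c@example.net origin_ip: 192.0.2.44 origin_rdns: (unknown) auth: alice encryption: (none) reason: 250_ok
Sep 26 10:01:30 mx spamdyke[105]: ALLOWED from: alice@example.com to: bob@example.com origin_ip: 192.0.2.44 origin_rdns: (unknown) auth: alice encryption: (none) reason: 250_ok
Sep 26 10:02:00 mx spamdyke[106]: ALLOWED from: d@example.net to: bob@example.com origin_ip: 192.0.2.99 origin_rdns: (unknown) auth: (unknown) encryption: (none) reason: 250_ok
"""


def relay_by_auth_user(log_text, local_domains):
    """Return {auth user: (relayed message count, sorted source IPs)}."""
    ips = defaultdict(set)
    count = defaultdict(int)
    for m in LINE.finditer(log_text):
        auth = m["auth"]
        domain = m["rcpt"].rpartition("@")[2].lower()
        # Assumption: a parenthesised auth value means no authentication.
        if auth.startswith("(") or domain in local_domains:
            continue
        ips[auth].add(m["ip"])
        count[auth] += 1
    return {user: (count[user], sorted(ips[user])) for user in count}


def suspicious(summary, min_ips=3):
    """Users whose authenticated relays came from min_ips or more addresses."""
    return sorted(u for u, (_, addrs) in summary.items() if len(addrs) >= min_ips)


if __name__ == "__main__":
    summary = relay_by_auth_user(SAMPLE_LOG, LOCAL_DOMAINS)
    for user in suspicious(summary):
        print(user, *summary[user])
```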