Anyone else getting hit by spammers?

GXX (Verified User, joined Mar 25, 2006, 341 messages)
I'm seeing a ton of these requests in my exim log:

Code:
2006-06-13 12:50:44 H=201-26-75-22.dsl.telesp.net.br  [201.26.75.22] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-06-13 12:50:46 H=201-26-75-22.dsl.telesp.net.br [201.26.75.22] F=<[email protected] > rejected RCPT <[email protected]>: authentication required
2006-06-13 12:50:47 H=201-26-75-22.dsl.telesp.net.br [201.26.75.22] F=<[email protected]> rejected RCPT <[email protected] >: authentication required
2006-06-13 12:50:49 H=201-26-75-22.dsl.telesp.net.br [201.26.75.22] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2006-06-13 12:50:51 H=201-26-75-22.dsl.telesp.net.br [201.26.75.22] F=<[email protected]> rejected RCPT <[email protected] >: authentication required

I've blocked most of the IPs so now their connections just drop. I was however notified by my provider that a select number of these spam messages managed to get through. How is this possible when the log says it failed authentication?
 
You'd have to show a log entry for one that did get through to figure that out.

Jeff
 
jlasman said:
You'd have to show a log entry for one that did get through to figure that out.

Jeff

Here's what I found on one of the reports:

Code:
2006-06-13 10:49:06 1FqACE-0000FE-LI => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=2280 H=mx3.mail.yahoo.com [4.79.181.134] C="250 ok dirdel"

From that line, it looks like it went through?
 
Check the lines immediately before this one for the ID number 1FqACE-0000FE-LI. It looks as if it might be a legitimate forward from an address on your server to an address off your server.

Jeff
 
I looked right before the line I pasted, but there wasn't one with that ID.

I did a search and these are what it found:

Code:
2006-06-13 10:48:47 1FqACE-0000FE-LI <= [email protected] H=201-27-2-178.dsl.telesp.net.br [201.27.2.178] P=smtp S=2220 [email protected] T="²]¿º¤kÀu¥ßªá¨½¤l¤j¥þ¶°¨t¦CDVD®MÀ\\ Â_ȱo¦¬ÂÃcandidate" from <[email protected]> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2006-06-13 10:48:47 1FqACE-0000FE-LI ** [email protected] F=<[email protected]>: Unrouteable address
2006-06-13 10:48:49 1FqACE-0000FE-LI ** [email protected] F=<[email protected]>: Unrouteable address
2006-06-13 10:48:51 1FqACE-0000FE-LI => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=2280 H=mail52.messagelabs.com [216.82.244.67] C="250 ok 1150210132 qp 22499 server-13.tower-52.messagelabs.com!1150210130!47873053!1"
2006-06-13 10:48:56 1FqACE-0000FE-LI ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host bear.cc.ncu.edu.tw [140.115.17.211]: 550 5.1.1 <[email protected]>... User unknown
2006-06-13 10:49:06 1FqACE-0000FE-LI => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=2280 H=mx3.mail.yahoo.com [4.79.181.134] C="250 ok dirdel"
2006-06-13 10:49:10 1FqACE-0000FE-LI => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=2280 H=mail.educities.edu.tw [210.71.187.194] C="250 2.5.0 Ok."
2006-06-13 10:49:12 1FqACE-0000FE-LI => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=2280 H=mx2.hotmail.com [65.54.245.40] C="250  <[email protected]> Queued mail for delivery"
2006-06-13 10:49:13 1FqACE-0000FE-LI => [email protected] <[email protected]> F=<[email protected]> R=lookuphost T=remote_smtp S=2280 H=mailin-04.mx.aol.com [205.188.156.249] C="250 OK"
2006-06-13 10:49:18 1FqACE-0000FE-LI => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=2280 H=mx.seed.net.tw [139.175.54.239] C="250 OK id=1FqACk-000KSA-Hj"
2006-06-13 10:49:34 1FqACE-0000FE-LI thchen.ch.ncku.edu.tw [140.116.23.76] Connection timed out
2006-06-13 10:49:34 1FqACE-0000FE-LI == [email protected] <[email protected]> R=lookuphost T=remote_smtp defer (110): Connection timed out

There's a bunch more, but they're all similar. Thanks for the insight so far; I'm still trying to figure out how this is happening.

The box it's on has only one domain, and none of the users have forwards.
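The pattern in the log above (a `<=` acceptance line over plain `P=smtp` from an outside host, carrying no `A=` authenticator field, followed by `=>` deliveries with `T=remote_smtp` to other people's mail servers) is what an unauthenticated relay looks like in an Exim mainlog. The script below is an added example, not code from this thread or from Exim itself: it groups mainlog lines by message ID and flags any message accepted without authentication from an IP outside a trusted list that Exim then delivered, or tried to deliver, off-box. The log lines it runs on are constructed to mimic the format shown in the thread (with `+received_recipients` logging enabled, which is an assumption), and the default trusted-network list is a placeholder you would replace with your own ranges.

```python
"""Flag Exim messages accepted unauthenticated from an outside host and then
relayed to remote recipients. Added example; the sample log is constructed."""
import ipaddress
import re

# Constructed sample in Exim mainlog format (not the thread's actual log).
# Msg 1: accepted over plain SMTP from an outside IP, no A= field, then
#        delivered off-box  -> the relay pattern seen in the thread.
# Msg 2: authenticated submission (P=esmtpa, A=login:alice) -> legitimate.
# Msg 3: inbound mail for a local mailbox only -> legitimate.
SAMPLE_LOG = """\
2006-06-13 10:48:47 1FqACE-0000FE-LI <= sender@example.net H=203-0-113-5.example.isp [203.0.113.5] P=smtp S=2220 id=abc@example.net T="candidate" from <sender@example.net> for user1@example.org user2@example.com
2006-06-13 10:48:51 1FqACE-0000FE-LI => user1@example.org F=<sender@example.net> R=lookuphost T=remote_smtp S=2280 H=mx.example.org [198.51.100.20] C="250 ok"
2006-06-13 10:48:56 1FqACE-0000FE-LI ** user2@example.com F=<sender@example.net> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<user2@example.com>: host mx.example.com [198.51.100.30]: 550 5.1.1 User unknown
2006-06-13 11:02:10 1FqAPq-0000Gx-2Z <= alice@mydomain.test H=(laptop) [192.0.2.44] P=esmtpa A=login:alice S=1800 id=1@mydomain.test from <alice@mydomain.test> for bob@example.com
2006-06-13 11:02:12 1FqAPq-0000Gx-2Z => bob@example.com F=<alice@mydomain.test> R=lookuphost T=remote_smtp S=1850 H=mx.example.com [198.51.100.30] C="250 OK"
2006-06-13 11:10:00 1FqAXW-0000H1-9d <= boss@example.com H=mail.example.com [198.51.100.30] P=esmtp S=2000 id=2@example.com from <boss@example.com> for carol@mydomain.test
2006-06-13 11:10:01 1FqAXW-0000H1-9d => carol <carol@mydomain.test> R=localuser T=local_delivery
"""

# timestamp, message ID (6-6-2 chars), flag (<= => -> ** ==), remainder
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) '
    r'(?P<id>\w{6}-\w{6}-\w{2}) '
    r'(?P<flag><=|=>|->|\*\*|==) (?P<rest>.*)$'
)
# H=<name or (helo)> [<ip>]; the bracketed IP is what we key on.
HOST_RE = re.compile(r'(?:^| )H=.*? ?\[(?P<ip>[0-9A-Fa-f.:]+)\]')


def field(rest, key):
    """Return the value of a `key=value` token in an Exim log line, or None."""
    m = re.search(r'(?:^| )' + re.escape(key) + r'=(\S+)', rest)
    return m.group(1) if m else None


def parse_log(text):
    """Group mainlog lines by message ID into acceptance and delivery records."""
    msgs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-message lines (e.g. RCPT rejections, timeouts)
        rec = msgs.setdefault(m['id'], {'accepted': None, 'delivered': [], 'failed': []})
        rest = m['rest']
        if m['flag'] == '<=':
            host = HOST_RE.search(rest)
            _, sep, rcpt_list = rest.rpartition(' for ')
            rec['accepted'] = {
                'ts': m['ts'],
                'sender': rest.split(' ', 1)[0],
                'ip': host['ip'] if host else None,  # None for locally generated mail
                'protocol': field(rest, 'P'),         # smtp / esmtp / esmtpa / local ...
                'authenticated': field(rest, 'A') is not None,  # A= only on authenticated sessions
                'recipients': rcpt_list.split() if sep else [],
            }
        elif m['flag'] in ('=>', '->') and field(rest, 'T') == 'remote_smtp':
            rec['delivered'].append(rest.split(' ', 1)[0])  # successful off-box delivery
        elif m['flag'] == '**' and re.search(r' T=remote_smtp\b', rest):
            rec['failed'].append(rest.split(' ', 1)[0])     # attempted off-box delivery
    return msgs


def find_relay_abuse(msgs, trusted_nets=('127.0.0.0/8', '::1/128')):
    """Return messages accepted without authentication from an untrusted IP that
    Exim then relayed (or tried to relay) to remote hosts.
    trusted_nets is a placeholder: put your own LAN/submission ranges here."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for mid, rec in msgs.items():
        acc = rec['accepted']
        if acc is None or acc['ip'] is None or acc['authenticated']:
            continue
        if not rec['delivered'] and not rec['failed']:
            continue  # inbound mail for local mailboxes only: normal traffic
        ip = ipaddress.ip_address(acc['ip'])
        if any(ip in net for net in nets):
            continue
        findings.append({
            'id': mid, 'ts': acc['ts'], 'source_ip': acc['ip'],
            'protocol': acc['protocol'], 'sender': acc['sender'],
            'delivered_to': rec['delivered'], 'failed_to': rec['failed'],
        })
    return findings


if __name__ == '__main__':
    for f in find_relay_abuse(parse_log(SAMPLE_LOG)):
        print(f"{f['ts']} {f['id']} relayed from {f['source_ip']} (P={f['protocol']}, no A=) "
              f"sender={f['sender']} delivered={f['delivered_to']} failed={f['failed_to']}")
```

Run it against a real mainlog by replacing `SAMPLE_LOG` with the file contents; any message it reports has the same shape as the `1FqACE-0000FE-LI` entry above, and the `source_ip` and `protocol` fields tell you which ACL path let it in (a `P=smtp`/`P=esmtp` acceptance with remote recipients and no `A=` means the RCPT ACL did not require authentication for that session).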
 