External Sender sending through my mail server

cripperz

Verified User
Joined
Feb 22, 2009
Messages
13
Location
Singapore
Hi all

I have a big problem and have read a little with regard to open relays. Please advise me what can best be done to resolve the issue. I have external users from gmail and other bogus domains sending emails through my mail servers. They are not my users for sure.

Sender
1N3d2B-00047I-R7 0m 2.7K <[email protected]> no

recipients
D [email protected]
D [email protected]
D [email protected]
D [email protected]
D [email protected]
D [email protected]
D [email protected]
D [email protected]
D [email protected]
D [email protected]
D [email protected]
D [email protected]
D [email protected]
D [email protected]
D [email protected]
D [email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
 
Prove it. Let's see one of those emails, and a snippet of the relevant log entries. Without that there's no way to see what could be going on, and frankly it's doubtful that it's happening as you think it is because DirectAdmin's default exim.conf file, and all the others I've put out and announced in these forums... all do NOT enable open relays.

Jeff
 

Hi jeff,

Are you referring to email headers or content? Below are the headers of one of the many mails in the queue that I see from the panel. svr.cripperz.net is my main server hostname.

216P Received: from ml82.128.20.227.multilinks.com ([82.128.20.227] helo=User)
by svr.cripperz.net with esmtpa (Exim 4.69)
(envelope-from <[email protected]>)
id 1N3ddy-0006xq-UD; Fri, 30 Oct 2009 06:39:01 +0800
034R Reply-To: <[email protected]>
046F From: "Vivian Rowan"<[email protected]>
046 Subject: ONLINE COMPANY REPRESENTATIVE NEEDED
038 Date: Thu, 29 Oct 2009 23:43:51 +0100
018 MIME-Version: 1.0
050 Content-Type: text/plain;
charset="Windows-1251"
032 Content-Transfer-Encoding: 7bit
014 X-Priority: 3
026 X-MSMail-Priority: Normal
051 X-Mailer: Microsoft Outlook Express 6.00.2800.1081
057 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081
 
Hi Jeff,

Below is another one, which is producing a lot of mail queue.


185P Received: from [59.154.25.30] (helo=User)
by svr.cripperz.net with esmtpa (Exim 4.69)
(envelope-from <[email protected]>)
id 1N3ddv-0006wD-O3; Fri, 30 Oct 2009 06:38:57 +0800
037R Reply-To: <[email protected]>
051F From: "Michael Brickner"<[email protected]>
040 Subject: Job Offer (The Pay Is Good)!!!
038 Date: Thu, 29 Oct 2009 23:43:53 +0100
018 MIME-Version: 1.0
050 Content-Type: text/plain;
charset="Windows-1251"
032 Content-Transfer-Encoding: 7bit
014 X-Priority: 3
026 X-MSMail-Priority: Normal
051 X-Mailer: Microsoft Outlook Express 6.00.2600.0000
057 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
 
Nothing here is helpful, unless you run life.com or sify.com.

Please look again at what I asked you to post if you'd like further help from me. Otherwise perhaps someone else can help you because I can't.

Jeff
 
Hi jlasman,

Not sure what kind of logs you are referring to? It's going crazy. I realise that all these emails are being authenticated as one of the DirectAdmin user logins. For example, auth id jon is my user. When I suspended that account, things were OK; then after a while I received a whole new wave of spam activity with another auth id, ben.

1N7mow-000795-U6-H
mail 8 8
<[email protected]>
1257844526 0
-helo_name User
-host_address 84.59.51.39.1052
-host_name dslb-084-059-051-039.pools.arcor-ip.net
-host_auth login
-interface_address 203.211.130.210.25
-received_protocol esmtpa
-body_linecount 10
-max_received_linelength 87
-auth_id jon <---- my directadmin user
YY [email protected]
YY [email protected]
YY [email protected]
YY [email protected]
NY [email protected]
NN [email protected]
NN [email protected]
YY [email protected]
YN [email protected]
NN [email protected]
 
Either someone has broken into your user account or has gotten your password. First step is to change your password. Second step is to check every file on your system owned by user jon, and third step is to find every process on the server running as user jon.

You can hire me or someone else to do it for you if you don't know how to do it yourself.

Jeff
 