Prevent spam from localhost

remikk (Verified User; joined Apr 30, 2008; 158 messages; location: Poland)
Recently my server was added to sorbs.net and spamcop.
I found the problem: one domain had malware, and a script was trying to send e-mail.
I could not find the correct log information for this spam mail being sent, but I found a lot of attempts such as those below. After that, our server went on the list.
How do I defend against these attempts to send mail?
I added a limit for "unknown" following help.directadmin.com, and in exim.conf for relay_hosts I have this:
Code:
hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts
What else?
Code:
2011-06-20 03:26:28 H=localhost (ns1.domain.com) [127.0.0.1] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2011-06-20 03:26:28 H=localhost (ns1.domain.com) [127.0.0.1] incomplete transaction (connection lost) from <[email protected]>
2011-06-20 03:26:28 unexpected disconnection while reading SMTP command from localhost (ns1.domain.com) [127.0.0.1]
2011-06-20 03:26:28 H=localhost (ns1.domain.com) [127.0.0.1] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2011-06-20 03:26:28 H=localhost (ns1.domain.com) [127.0.0.1] incomplete transaction (connection lost) from <[email protected]>
2011-06-20 03:26:28 unexpected disconnection while reading SMTP command from localhost (ns1.domain.com) [127.0.0.1]
2011-06-20 03:26:28 H=localhost (ns1.domain.com) [127.0.0.1] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2011-06-20 03:26:28 H=localhost (ns1.domain.com) [127.0.0.1] incomplete transaction (connection lost) from <[email protected]>
2011-06-20 03:26:28 unexpected disconnection while reading SMTP command from localhost (ns1.domain.com) [127.0.0.1]
2011-06-20 03:26:28 H=localhost (ns1.domain.com) [127.0.0.1] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2011-06-20 03:26:28 H=localhost (ns1.domain.com) [127.0.0.1] incomplete transaction (connection lost) from <[email protected]>
2011-06-20 03:26:28 unexpected disconnection while reading SMTP command from localhost (ns1.domain.com) [127.0.0.1]
2011-06-20 03:26:29 H=localhost (ns1.domain.com) [127.0.0.1] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2011-06-20 03:26:29 H=localhost (ns1.domain.com) [127.0.0.1] incomplete transaction (connection lost) from <[email protected]>
2011-06-20 03:26:29 unexpected disconnection while reading SMTP command from localhost (ns1.domain.com) [127.0.0.1]
2011-06-20 03:26:29 H=localhost (ns1.domain.com) [127.0.0.1] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2011-06-20 03:26:29 H=localhost (ns1.domain.com) [127.0.0.1] incomplete transaction (connection lost) from <[email protected]>
 
I don't know why you're presenting that log snippet. Either you've heavily edited it, making it somewhat useless, or you're being hit by someone at domain.com, or your domain name is domain.com. Obviously impossible to tell.

Since the log snippet is showing you failed attempts, it's unlikely that it's showing you any information on any spammer succeeding in sending email through your server.

If you can find a line in your exim.conf file with 127.0.0.1 in it you may want to remove it, but it may result in the failure of some legitimate senders being able to send email without modifying their sending software.

What I'd do first is use exim log-checking tools to see which of your senders is sending the most email, and which of your senders is sending email which is spending the longest time in your outgoing email queues. That should lead you to your spammer(s) on your server.

Jeff
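As an added example (not code from this thread, from DirectAdmin or from Exim), here is the kind of check Jeff suggests, run over constructed mainlog lines in the same shape as remikk's snippet: it counts rejected and accepted messages per envelope sender and per source IP, and flags a source IP that produces a burst of "rejected RCPT" lines within a short window, which is what a local script hammering the submission port looks like. The sample log, hostnames, addresses and message ids are all made up for the demonstration.

```python
import re
from bisect import bisect_right
from collections import Counter
from datetime import datetime

# Constructed sample in exim mainlog format, modelled on the thread's snippet;
# the hostnames, addresses, message ids and sizes are placeholders, not real data.
SAMPLE_LOG = """\
2011-06-20 03:26:28 H=localhost (ns1.example.com) [127.0.0.1] F=<bad@example.net> rejected RCPT <a@example.org>: authentication required
2011-06-20 03:26:28 H=localhost (ns1.example.com) [127.0.0.1] incomplete transaction (connection lost) from <bad@example.net>
2011-06-20 03:26:28 H=localhost (ns1.example.com) [127.0.0.1] F=<bad@example.net> rejected RCPT <b@example.org>: authentication required
2011-06-20 03:26:29 H=localhost (ns1.example.com) [127.0.0.1] F=<bad@example.net> rejected RCPT <c@example.org>: authentication required
2011-06-20 03:30:01 1QXa0b-0001Ab-Cd <= user@example.com H=localhost (ns1.example.com) [127.0.0.1] P=esmtpa A=login:user S=2048
"""

# "rejected RCPT" line (the shape seen in the thread) and an accepted-message ("<=") line.
REJECT_RE = re.compile(r"^(?P<ts>\S+ \S+) H=(?P<host>\S+) .*?\[(?P<ip>[^\]]+)\] "
                       r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$")
ACCEPT_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+) "
                       r"H=(?P<host>\S+) .*?\[(?P<ip>[^\]]+)\]")

def parse_line(line):
    """Classify one mainlog line as a rejection, an accepted message, or neither (None)."""
    for kind, rx in (("reject", REJECT_RE), ("accept", ACCEPT_RE)):
        m = rx.match(line)
        if m:
            return {"kind": kind, **m.groupdict()}
    return None

def summarize(log_text):
    """Rejected and accepted counts per envelope sender, plus rejections per source IP."""
    rejected, accepted, by_ip = Counter(), Counter(), Counter()
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        if ev["kind"] == "reject":
            rejected[ev["sender"]] += 1
            by_ip[ev["ip"]] += 1
        else:
            accepted[ev["sender"]] += 1
    return rejected, accepted, by_ip

def reject_bursts(log_text, window_seconds=60, threshold=3):
    """Source IPs with at least `threshold` rejections inside any span of window_seconds."""
    times = {}
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        if ev["kind"] == "reject":
            t = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S").timestamp()
            times.setdefault(ev["ip"], []).append(t)
    flagged = {}
    for ip, ts in times.items():
        ts.sort()  # sliding window: rejections in [t, t + window] for each start t
        peak = max(bisect_right(ts, t + window_seconds) - i for i, t in enumerate(ts))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Point it at /var/log/exim/mainlog and sort `summarize()` by count: the sender with many accepted messages, or the IP with repeated rejection bursts, is where to start looking for the compromised account or script.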