SPAM going through

jca (Verified User, joined Oct 31, 2006, 306 messages, Allen, TX)
Hi, I saw a huge email queue today (it seems to come from one IP) and somehow it's able to relay through me (since I get error messages back). Any ideas on how it's being done?

Code:
2009-01-13 10:06:28 1LMlmd-0004UV-Vy <= [email protected] H=123-204-74-135.adsl.dynamic.seed.net.tw (1.2.3.5) [123.204.74.135] P=smtp S=1410 [email protected] T="¦³¯qÅé¾z¡A±j¤Æ¥Í¸Ì¾÷¯à,«P¶i·s³¯¥NÁÂ,¼W±j§K¬Ì¤O" from <[email protected]> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2009-01-13 10:06:29 1LMlmd-0004UV-Vy ** [email protected] F=<[email protected]>: Unrouteable address
2009-01-13 10:06:29 1LMlmd-0004UV-Vy ** [email protected] F=<[email protected]>: Unrouteable address
2009-01-13 10:06:31 1LMlmd-0004UV-Vy ** [email protected] F=<[email protected]>: Unrouteable address
2009-01-13 10:06:33 1LMlmd-0004UV-Vy => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=1455 H=ms22a.hinet.net [168.95.5.22] C="250 AAA03967 Message accepted for delivery"
2009-01-13 10:06:33 1LMlmd-0004UV-Vy => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=1455 H=msa-mx9.hinet.net [168.95.6.180] C="250 AAA24390 Message accepted for delivery"
2009-01-13 10:06:33 1LMlmd-0004UV-Vy -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=1455 H=msa-mx9.hinet.net [168.95.6.180] C="250 AAA24390 Message accepted for delivery"
2009-01-13 10:06:35 1LMlmd-0004UV-Vy => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=1455 H=ms38a.hinet.net [168.95.5.38] C="250 AAA08779 Message accepted for delivery"
2009-01-13 10:06:36 1LMlmd-0004UV-Vy == [email protected] R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<[email protected]>: host mail.tnvs.tnc.edu.tw [210.59.18.8]: 450 4.7.1 <[email protected]>: Recipient address rejected: Service is unavailable
2009-01-13 10:06:38 1LMlmd-0004UV-Vy ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host mx.seed.net.tw [139.175.54.239]: 550 Spam suspect,Your are not Yahoo Server
2009-01-13 10:06:40 1LMlmd-0004UV-Vy => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=1455 H=mail.ntak.gov.tw [210.69.59.1] C="250 2.0.0 n0DG6pv1097261 Message accepted for delivery"
2009-01-13 10:09:42 1LMlmd-0004UV-Vy w3.ylps.tp.edu.tw [163.21.138.11] Connection timed out
2009-01-13 10:09:42 1LMlmd-0004UV-Vy == [email protected] R=lookuphost T=remote_smtp defer (110): Connection timed out
2009-01-13 10:09:49 1LMlmd-0004UV-Vy phome.com.tw [82.98.86.162] Connection timed out
2009-01-13 10:09:49 1LMlmd-0004UV-Vy == [email protected] R=lookuphost T=remote_smtp defer (110): Connection timed out
2009-01-13 10:09:49 1LMlpt-0004WU-R0 <= <> R=1LMlmd-0004UV-Vy U=mail P=local S=2615 T="Mail delivery failed: returning message to sender" from <> for [email protected]

Thanks

Jose
 
And another one... (worth mentioning that over 200 failed between these two)

Code:
2009-01-13 10:54:03 1LMmWh-0005Mm-CS <= [email protected] H=nk219-91-66-233.adsl.dynamic.apol.com.tw (1.2.3.4) [219.91.66.233] P=smtp S=1833 [email protected] T="¥¦¬J¬O®ø»º¡B¼W¶i°·±dªº¤è¦¡ ,¥¦ÁÙ¬O¤@¶µ¦©¤H¤ß©¶ªºÄvÁɶµ¥Ø¡C±q¨Æºô²y¹B°Ê , ¤å©ú°ª¶®¡B°Ê§@Àu¬ü , ¨C¥´¥X" from <[email protected]> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2009-01-13 10:54:04 1LMmWh-0005Mm-CS ** [email protected] F=<[email protected]>: Unrouteable address
2009-01-13 10:54:05 1LMmWh-0005Mm-CS ** [email protected] F=<[email protected]>: Unrouteable address
2009-01-13 10:54:06 1LMmWh-0005Mm-CS ** [email protected] F=<[email protected]>: Unrouteable address
2009-01-13 10:54:10 1LMmWh-0005Mm-CS => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=1882 H=mx2.mail2000.com.tw [203.69.82.34] C="250 Message accepted for delivery"
2009-01-13 10:54:11 1LMmWh-0005Mm-CS ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host autotools.com.tw [61.67.232.178]: 550 No Such User Here
2009-01-13 10:54:12 1LMmWh-0005Mm-CS Remote host spamgw2.tnc.edu.tw [163.26.200.32] closed connection in response to RCPT TO:<[email protected]>
2009-01-13 10:54:14 1LMmWh-0005Mm-CS => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=1882 H=mail.js2es.tnc.edu.tw [163.26.144.129] C="250 Ok: queued as 06DED32C94"
2009-01-13 10:54:15 1LMmWh-0005Mm-CS ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host mail.rpti3.com.tw [60.251.29.68]: 550 Relaying mail to [email protected] is not allowed
2009-01-13 10:54:16 1LMmWh-0005Mm-CS ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host mail.10500.idv.tw [61.61.132.99]: 550 5.7.1 <[email protected]>... Relaying denied. IP name possibly forged [1.2.3.4]
2009-01-13 10:54:20 1LMmWh-0005Mm-CS ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host mx1.url.com.tw [210.59.228.42]: 550 unknown user.
2009-01-13 10:54:34 1LMmWh-0005Mm-CS ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mail server after pipelined DATA: host mx.apol.com.tw [203.79.224.130]: 554 Error: no valid recipients
2009-01-13 10:54:34 1LMmXC-0005NF-Sh <= <> R=1LMmWh-0005Mm-CS U=mail P=local S=3884 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2009-01-13 11:02:06 1LMmWh-0005Mm-CS frozen by root
 
Found the problem; I hate not reading everything, heh.

http://help.directadmin.com/item.php?id=201

You should almost never have any domains listed in the /etc/virtual/whitelist_domains file as any email with any from address as any domain in that file can relay through your server. Use it as a last resort only. Be especially careful to NOT have commonly forged domains, such as hotmail, gmail, etc., in that file.

Oh well, fixed now, thanks!

Jose
 
I'm glad you figured it out, jca. I've thought seriously about leaving the whitelist_domains file out of the next version of SpamBlocker, but I know that from time to time people need it; for example if they've got a correspondent with a domain on an IP# that can't otherwise get whitelisted and for some reason cannot list all addresses.

I've been considering allowing all whitelists only for email terminating on the server, and not for relaying off the server. What do you think?

Jeff
 
Hi Jeff,

To be honest, that's what I thought the file did. My main language is Spanish and I might misunderstand the readme. I added some domains there, since I got some clients telling me they could not get their email from *@mail.com or *@prodigy.net.mx (the second one being the biggest ISP in Mexico) so I thought it was just to avoid getting rejected, not allowing relay.
Maybe renaming whitelist_domains to always_relay_domains (just an example) and making whitelist_domains just avoid spam checks for those addresses would be great!

Thanks again for everything.

Jose
 
Thanks for your input. When I first created SpamBlocker I wasn't even thinking of all the possible issues.

Jeff
 
I know, Jeff; thanks to you for making it, supporting it and mainly taking suggestions to make it even better!

Jose
 