Spam mail

sandeepkv (New member, joined Feb 15, 2007, 2 messages)
Hi,

In one of our servers there seems to be spamming, and it's via SMTP (not from scripts); the mail has the FROM address set to gmail.com and all of it is outgoing mail.

The interesting fact is that there is no authentication seen in the mail headers: no auth_id or auth_host, and no entries in the maillog.

Exim 4.67 with log selector set to +all

Mail headers and exim log details are pasted below. Any clue how this mail is being sent? The server is not an open relay.

Anyone having a clue on this...

<XX.XX.XX.XX> is server IP



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[root@serv ~]# exim -Mvh 1KB6LZ-0007S6-Nd
1KB6LZ-0007S6-Nd-H
mail 8 12
<[email protected]>
1214305561 0
-helo_name <XX.XX.XX.XX>
-host_address 60.181.173.124.3007
-host_name 124.173.181.60.broad.wz.zj.dynamic.163data.com.cn
-interface_address <XX.XX.XX.XX>.25
-received_protocol smtp
-body_linecount 28
YY [email protected]
YY [email protected]
NN [email protected]
NN [email protected]
NY [email protected]
NN [email protected]
18
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

242P Received: from 124.173.181.60.broad.wz.zj.dynamic.163data.com.cn ([60.181.173.124]:3007 helo=<XX.XX.XX.XX>)
by <hostname> with smtp (Exim 4.67)
(envelope-from <[email protected]>)
id 1KB6LZ-0007S6-Nd; Tue, 24 Jun 2008 06:06:02 -0500
140P Received: from dns8.yahoo.com (dns8.yahoo.com [235.40.106.96]) by with Microsoft SMTPSVC(5.0.2195.6824);
Tue, 24 Jun 2008 14:58:46 +0400
073I Message-ID: <[email protected]>
038 Date: Tue, 24 Jun 2008 07:05:46 -0400
071F From: "¦۩ç.¸òÂ׺¡¤k¥ʥæ¨g®g¦o¥ޥÞ[14P]..." <[email protected]>
075R Reply-To: "¦۩ç.¸òÂ׺¡¤k¥ʥæ¨g®g¦o¥ޥÞ[14P]..." <[email protected]>


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




[root@serv ~]# exim -Mvl 1KB6LZ-0007S6-Nd
2008-06-24 06:06:02 Received from [email protected] H=124.173.181.60.broad.wz.zj.dynamic.163data.com.cn (<XX.XX.XX.XX>) [60.181.173.124]:3007 I=[XX.XX.XX.XX]:25 P=smtp S=2051 [email protected] T="¡O»¨¨ÅÁô¬ù´²µo¥X²H¶®«լX²M*»."
 
Yeah, there was gmail.com in one of the files.

Also, when gmail.com was in the whitelist, mail was sent without any authentication.

Thanks Jeff :)
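An added example, not code from the post or from Exim itself, that shows how to triage a spool dump like the `exim -Mvh` output above. It parses the spool metadata block (the `-option` lines and the envelope sender), and flags the three things a defender would look for in this thread: a message accepted from an external peer over plain `smtp` with no `-auth_id` and a non-local sender domain (an unauthenticated relay), a HELO name that is the server's own address, and a sender domain that sits on a sender whitelist (the cause the follow-up post identified). The sample dump is constructed from the one in the post: `XX.XX.XX.XX` is replaced with the documentation address `192.0.2.10`, the mailbox names are made up, and `local_domains`, `sender_whitelist` and `own_addresses` are assumed inputs the operator supplies.

```python
"""Triage an Exim spool header dump (`exim -Mvh <id>`) for unauthenticated relaying.

Constructed example; the parser handles only the IPv4 form of -host_address
(<ip>.<port>) that appears in the post.
"""
import ipaddress

# Constructed sample modelled on the dump in the post. XX.XX.XX.XX -> 192.0.2.10
# (documentation address); mailbox names are made up; the remote peer,
# protocol and HELO value are the ones shown on the page.
SAMPLE_SPOOL_HEADER = """1KB6LZ-0007S6-Nd-H
mail 8 12
<sender@gmail.com>
1214305561 0
-helo_name 192.0.2.10
-host_address 60.181.173.124.3007
-host_name 124.173.181.60.broad.wz.zj.dynamic.163data.com.cn
-interface_address 192.0.2.10.25
-received_protocol smtp
-body_linecount 28
2
victim1@example.net
victim2@example.org

242P Received: from 124.173.181.60.broad.wz.zj.dynamic.163data.com.cn ([60.181.173.124]:3007 helo=192.0.2.10)
"""


def parse_spool_header(text):
    """Return {'sender': envelope sender, 'options': {name: value}} from a -Mvh dump.

    The spool metadata ends at the first blank line; everything after it is the
    RFC 822 header block, which this triage does not need.
    """
    rec = {"sender": None, "options": {}}
    for line in text.splitlines():
        if not line.strip():
            break
        if rec["sender"] is None and line.startswith("<") and line.endswith(">"):
            rec["sender"] = line[1:-1]
        elif line.startswith("-"):
            key, _, value = line[1:].partition(" ")
            rec["options"][key] = value
    return rec


def classify(rec, local_domains, sender_whitelist=frozenset(), own_addresses=frozenset()):
    """Return a list of findings for one message; an empty list means nothing suspicious."""
    findings = []
    opts = rec["options"]
    # -host_address is "<ip>.<port>" for IPv4; split off the port.
    ip_str, _, _port = opts.get("host_address", "").rpartition(".")
    try:
        remote = ipaddress.ip_address(ip_str)
    except ValueError:
        return findings  # no TCP peer recorded: local submission, out of scope here
    if remote.is_loopback or remote.is_private or ip_str in own_addresses:
        return findings  # trusted origin; relaying from here is expected

    sender = rec["sender"] or ""
    sender_domain = sender.rpartition("@")[2].lower()
    protocol = opts.get("received_protocol", "")
    # Exim records authenticated sessions as esmtpa/esmtpsa and adds -auth_id.
    authenticated = "auth_id" in opts or protocol.endswith("a")

    if not authenticated and sender_domain and sender_domain not in local_domains:
        findings.append(
            f"unauthenticated relay: {remote} submitted mail from {sender} "
            f"over {protocol} with no -auth_id"
        )
    if opts.get("helo_name") in own_addresses:
        findings.append(
            f"HELO name {opts['helo_name']} is this server's own address (forged HELO)"
        )
    if sender_domain in sender_whitelist:
        findings.append(
            f"sender domain {sender_domain} is on the sender whitelist; "
            "check whether that whitelist skips the relay/auth checks"
        )
    return findings


if __name__ == "__main__":
    record = parse_spool_header(SAMPLE_SPOOL_HEADER)
    for finding in classify(record, {"example.com"}, {"gmail.com"}, {"192.0.2.10"}):
        print("FINDING:", finding)
```

Run it over the output of `exim -Mvh` for each queued message id (the `-helo_name`, `-host_address` and `-received_protocol` lines are what it keys on); a message whose sender domain appears in a whitelist that bypasses the relay or authentication ACLs, as gmail.com did in this thread, shows up with both the "unauthenticated relay" and the "sender whitelist" findings.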
 