thousands of spam to non-existent email addresses

Boballoo

I can't figure out why spam sent to non-existent email addresses is not being "Ignored and dropped" as I have this checked in all of the domains on my server. Can anyone help?
 
Was it your question I responded to earlier today? Please post (as an attachment) one of those spams, complete with all headers.

Also find and post the section of your /var/log/exim/mainlog file showing how the email was delivered.

Jeff
 
Yes, I am sorry. I posted here yesterday but then realized it might be in the wrong section and no one answered so I posted again. Anyway, your help is appreciated but I am afraid I have to ask for your patience as I am not an administrator or a programmer. I am the owner of the sites and I am trying to find out why my admin person is telling me that this problem is because of bugs in the exim file (no offense, these are his words but I am questioning that judgement). Please bear with me and excuse my ignorance and the long background story.

The previous admin set up a spam mailbox so that all possible spam from all domains on my dedicated server went to a specific mailbox so that I could examine it via the web mail app and did not have to download it to my local email app. (All domains on the server are mine.) I have a feeling that he has put this script (or whatever it is) before the exim file so that all mail is checked rather than just the mail to existing email addresses.

See the example of one of these messages below (I have removed the actual "text" as it was a huge html and text file). Note: the domain vuyu.com is mine, has the "Ignore and drop" checked and the address "[email protected]" does not exist:

RFC822 Message body
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Mon, 05 Nov 2007 12:53:31 -0800
Received: from mail by u15152996.onlinehome-server.com with spam-scanned (Exim 4.51)
id 1Ip8ws-0007CF-VE
for [email protected]; Mon, 05 Nov 2007 12:53:31 -0800
Received: from [189.138.223.156] (helo=dsl-189-138-223-156.prod-infinitum.com.mx)
by u15152996.onlinehome-server.com with esmtp (Exim 4.51)
id 1Ip8wq-0007CC-0M
for [email protected]; Mon, 05 Nov 2007 12:53:30 -0800
Received: from [189.138.223.156] by dns02e.hants.gov.uk; Mon, 05 Nov 2007 13:51:50 +0000
Message-ID: <000a01c81fb3$035535c8$7c55efb1@laigpps>
From: "Impressive Watches" <[email protected]>
To: "Replica Watch Dealer " <[email protected]>
Subject: * 100% satisfaction guaranteed
Date: Mon, 05 Nov 2007 12:04:27 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01C81FB3.03543035"
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
X-Spam-Prev-Subject: 100% satisfaction guaranteed
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on
u15152996.onlinehome-server.com
X-Spam-Level: ********
X-Spam-Status: Yes, score=8.9 required=-1.0 tests=BAYES_00,
ENTITY_DEC_ALPHANUM,HELO_DYNAMIC_DHCP,HELO_DYNAMIC_IPADDR,HTML_80_90,
HTML_FONT_BIG,HTML_MESSAGE,MPART_ALT_DIFF,MSGID_DOLLARS,SATIS_GUAR
autolearn=no version=3.0.4
X-Spam-Report:
* 1.2 HELO_DYNAMIC_DHCP Relay HELO'd using suspicious hostname (DHCP)
* 4.4 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr 1)
* 0.1 SATIS_GUAR BODY: Mail guarantees satisfaction
* 0.1 HTML_80_90 BODY: Message is 80% to 90% HTML
* -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
* [score: 0.0000]
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.1 HTML_FONT_BIG BODY: HTML tag for a big font size
* 0.1 MPART_ALT_DIFF BODY: HTML and text parts are different
* 2.7 ENTITY_DEC_ALPHANUM RAW: HTML contains needlessly encoded characters
* 2.7 MSGID_DOLLARS Message-Id has pattern used in spam
 
You haven't sent anything helpful. The only way to tell you anything is to see a small portion of the server log which shows the delivery.

If the user doesn't exist and the spambox as set by your previous administrator has been reset, then the only way to begin to resolve this is to log in to your server and look at the logs and pick out an entry for spam being delivered.

Can you post the first five lines from your /etc/exim.conf file? I'd like to see what version it is.

Note that unless you've got a very old copy of DirectAdmin and have never updated the original exim.conf file, then as long as you're using a version identified as SpamBlocker, there are no bugs in it which would cause the problem you experience. Unless of course your previous administrator made changes to it.

Jeff
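
An added example, not part of any post in this thread: a small parser that pulls out of an Exim mainlog the lines Jeff is asking for, showing for each message ID how it arrived and which router and transport delivered it. The log lines are constructed in Exim 4 mainlog format; the two message IDs and the `spam-scanned` protocol come from the posted headers, while the addresses, router names and transport names are placeholders.

```python
import re

# Constructed sample in Exim 4 mainlog format. The two message IDs are the ones
# in the posted Received: headers; addresses, router and transport names are
# placeholders, not values from the poster's server.
SAMPLE_LOG = """\
2007-11-05 12:53:30 1Ip8wq-0007CC-0M <= sender@example.net H=(dsl-189-138-223-156.prod-infinitum.com.mx) [189.138.223.156] P=esmtp S=4120
2007-11-05 12:53:31 1Ip8ws-0007CF-VE <= sender@example.net U=mail P=spam-scanned S=5480
2007-11-05 12:53:31 1Ip8wq-0007CC-0M => nouser@example.com R=spamcheck_router T=spamcheck
2007-11-05 12:53:31 1Ip8wq-0007CC-0M Completed
2007-11-05 12:53:31 1Ip8ws-0007CF-VE => spambox <nouser@example.com> R=catchall_router T=local_delivery
2007-11-05 12:53:31 1Ip8ws-0007CF-VE Completed
"""

# timestamp, message ID, direction flag (<= arrival, => / -> delivery), rest
LINE = re.compile(r"^(\S+ \S+) (\w{6}-\w{6}-\w{2}) (<=|=>|->) (.*)$")

def field(rest, key):
    """Return the value of a KEY=value log field, or None if absent."""
    m = re.search(r"(?:^| )%s=(\S+)" % key, rest)
    return m.group(1) if m else None

def trace(log_text):
    """Map each message ID to how it arrived and where each copy was delivered."""
    msgs = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # "Completed" and other lines carry no routing information
        _when, msg_id, flag, rest = m.groups()
        entry = msgs.setdefault(msg_id, {"protocol": None, "deliveries": []})
        if flag == "<=":
            entry["protocol"] = field(rest, "P")
        else:
            # The delivery address is the text before the first " R=" field.
            entry["deliveries"].append(
                (rest.split(" R=")[0], field(rest, "R"), field(rest, "T")))
    return msgs

if __name__ == "__main__":
    for msg_id, info in trace(SAMPLE_LOG).items():
        print(msg_id, "arrived via", info["protocol"])
        for addr, router, transport in info["deliveries"]:
            print("   ->", addr, "router:", router, "transport:", transport)
```

On a real server, pass the contents of /var/log/exim/mainlog to `trace()`; the `R=` value on the second message ID names the router that accepted the address instead of dropping it.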
 