LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - General (http://www.linuxquestions.org/questions/linux-general-1/)
-   -   Spam Emails - Sendmail (http://www.linuxquestions.org/questions/linux-general-1/spam-emails-sendmail-4175445781/)

karprav 01-15-2013 10:34 PM

Spam Emails - Sendmail
 
For the past 3 days, from lot of US ip's emails are sent to other domains from our domain as it is sent from our's. But when we check we are not a open relay. But still, we tried a lot to stop it, it is not stopping. Any help will be very thankful.

-Sobhanadri

karprav 01-16-2013 02:39 AM

Below is the out for the above issue:
++++++++++++++++
Jan 16 13:58:29 mail sendmail[31922]: r0G8SSub031922: ruleset=check_rcpt, arg1=<banheirovirtual@catanduva.sescsp.org.br>, relay=67.228.212.186-static.reverse.softlayer.com [67.228.212.186], reject=550 5.7.1 <banheirovirtual@catanduva.sescsp.org.br>... Relaying denied. Proper authentication required.

Jan 16 13:58:29 mail sendmail[31922]: r0G8SSub031922: from=<mbqj@imagine.co.in>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=67.228.212.186-static.reverse.softlayer.com [67.228.212.186]

++++++++++++++++
our secondary domain is imagine.co.in. So, it is trying to send the email, but relaying denied. But immediately the 2nd option is starts working and email comes into queue and the same is happening for lot emails. Can any one help out to fix this issue.

Thank you advance.

unSpawn 01-16-2013 08:21 AM

First things would be to temporarily shut down your MTA (or block offenders via the firewall using 'ipset' and the raw table PREROUTING chain), then check for the cause, then restrict who can send email and then add an anti-spam filter before starting the MTA again. If this machine, or machines it receives email from, are web servers there may be a dynamically rendered page (often but not limited to PHP) or script somewhere that allows spammers to inject spam. Enumerate software that runs on top of the web server and check their versions (including any plugins) with what the vendor sees as current, check web server access and error logs for seemingly odd requests (also see Logwatch) and check directories the web server can read from or write to for any anomalous files. Please reply verbosely and add any information you think pertinent.

m1rr0rm3 01-21-2013 09:31 PM

Blacklisted
 
Listing in the Barracuda Blacklist could indicate any number of issues that need to be addressed in your network including but not limited to: virus-generated spam, poor server configuration, dynamic IP Addresses previously used by spammers, bulk mail sending that does not comply with the CAN-SPAM Act.

http://www.mxtoolbox.com/SuperTool.a...67.228.212.186

http://www.mxtoolbox.com/Public/Blac...x?bl=BARRACUDA

http://www.mxtoolbox.com/Public/Blac...l=Spamhaus-ZEN


All times are GMT -5. The time now is 07:01 PM.