Spam gets in and I can't figure out how.

Posted: Fri Apr 30, 2010 10:30 am
by coolioso
I have a Parallels Plesk Panel version 9.2.1
Operating system Linux 2.6.11-1.1369_FC4smp
CPU AuthenticAMD, AMD Opteron(tm) Processor 244
Average load 1.27; 1.00; 0.90

Ok, I realize that this isn't a MagicSpam issue. I cannot seem to find help anywhere on this and I thought that one of you might be able to help. I have tried Google and found nothing to help. My issue is that although I have many rules set, spam gets through. I know it's because they have auth; I don't get how they can auth, though. This is what I get:

Apr 30 12:35:31 www magicspam-plesk[18381]: AUTH_USER[info] set: assuming MUA->MTA connection.
Apr 30 12:35:31 www magicspam-plesk[18381]: HAM: mua=1,ip=[59.35.2.113:113.2.35.59.broad.st.gd.dynamic.163data.com.cn],helo=<ecqiobd.com>,from=<cwnfpme@hotmail.com>,rcpt=<windysa907@yahoo.com.tw>

Apr 30 12:35:32 www magicspam-plesk[18392]: AUTH_USER[info] set: assuming MUA->MTA connection.
Apr 30 12:35:32 www magicspam-plesk[18392]: HAM: mua=1,ip=[59.35.7.32:32.7.35.59.broad.st.gd.dynamic.163data.com.cn],helo=<ulnfav.com>,from=<xpetgf@gmail.com>,rcpt=<god19982001@yahoo.com.tw>

Apr 30 12:35:33 www magicspam-plesk[18395]: AUTH_USER[info] set: assuming MUA->MTA connection.
Apr 30 12:35:33 www magicspam-plesk[18395]: HAM: mua=1,ip=[59.35.5.127:127.5.35.59.broad.st.gd.dynamic.163data.com.cn],helo=<bjnuai.com>,from=<gzdczx@googlegroups.com>,rcpt=<service@azurehotel.com.tw>

Apr 30 12:35:34 www magicspam-plesk[18407]: AUTH_USER[info] set: assuming MUA->MTA connection.
Apr 30 12:35:34 www magicspam-plesk[18407]: HAM: mua=1,ip=[59.35.103.191:191.103.35.59.broad.st.gd.dynamic.163data.com.cn],helo=<gptiim.com>,from=<nzbvle@ms74.hinet.net>,rcpt=<gpr951@yahoo.com.tw>
Apr 30 12:35:34 www qmail-queue-handlers[18403]: from=xpetgf@gmail.com
Apr 30 12:35:34 www qmail-queue-handlers[18403]: to=god19982001@yahoo.com.tw
Apr 30 12:35:34 www qmail-queue-handlers[18403]: hook_dir = '/usr/local/psa/handlers/before-queue'
Apr 30 12:35:34 www qmail-queue-handlers[18403]: recipient[3] = 'god19982001@yahoo.com.tw'
Apr 30 12:35:34 www qmail-queue-handlers[18403]: handlers dir = '/usr/local/psa/handlers/before-queue/recipient/god19982001@yahoo.com.tw'
Apr 30 12:35:34 www qmail-queue-handlers[18403]: starter: submitter[18408] exited normally
Apr 30 12:35:34 www qmail: 1272645334.133753 new msg 13445785
Apr 30 12:35:34 www qmail: 1272645334.133832 info msg 13445785: bytes 2499 from <xpetgf@gmail.com> qp 18408 uid 2020
Apr 30 12:35:34 www qmail-queue-handlers[18304]: from=qfgiygommwxf@yahoo-inc.com
Apr 30 12:35:34 www qmail-queue-handlers[18304]: to=rabaa5468@yahoo.com.tw
Apr 30 12:35:34 www qmail-queue-handlers[18304]: hook_dir = '/usr/local/psa/handlers/before-queue'
Apr 30 12:35:34 www qmail-queue-handlers[18304]: recipient[3] = 'rabaa5468@yahoo.com.tw'
Apr 30 12:35:34 www qmail-queue-handlers[18304]: handlers dir = '/usr/local/psa/handlers/before-queue/recipient/rabaa5468@yahoo.com.tw'
Apr 30 12:35:34 www qmail-queue-handlers[18304]: starter: submitter[18409] exited normally
Apr 30 12:35:34 www qmail: 1272645334.268715 new msg 13445787
Apr 30 12:35:34 www qmail: 1272645334.268802 info msg 13445787: bytes 3053 from <qfgiygommwxf@yahoo-inc.com> qp 18409 uid 2020
Apr 30 12:35:34 www qmail-queue-handlers[18405]: from=gzdczx@googlegroups.com
Apr 30 12:35:34 www qmail-queue-handlers[18405]: to=service@azurehotel.com.tw
Apr 30 12:35:34 www qmail-queue-handlers[18405]: hook_dir = '/usr/local/psa/handlers/before-queue'
Apr 30 12:35:34 www qmail-queue-handlers[18405]: recipient[3] = 'service@azurehotel.com.tw'
Apr 30 12:35:34 www qmail-queue-handlers[18405]: handlers dir = '/usr/local/psa/handlers/before-queue/recipient/service@azurehotel.com.tw'
Apr 30 12:35:34 www qmail-queue-handlers[18405]: starter: submitter[18414] exited normally
Apr 30 12:35:34 www qmail: 1272645334.547970 new msg 13445789
Apr 30 12:35:34 www qmail: 1272645334.548055 info msg 13445789: bytes 2498 from <gzdczx@googlegroups.com> qp 18414 uid 2020
Apr 30 12:35:34 www qmail-queue-handlers[18418]: Handlers Filter before-queue for qmail started ...
Apr 30 12:35:34 www relaylock: /var/qmail/bin/relaylock: mail from 116.26.20.198:1344 (not defined)
Apr 30 12:35:34 www relaylock: /var/qmail/bin/relaylock: mail from 59.35.101.215:2890 (215.101.35.59.broad.st.gd.dynamic.163data.com.cn)
Apr 30 12:35:35 www relaylock: /var/qmail/bin/relaylock: mail from 59.35.102.78:2583 (78.102.35.59.broad.st.gd.dynamic.163data.com.cn)
Apr 30 12:35:35 www qmail-queue-handlers[18418]: from=nzbvle@ms74.hinet.net
Apr 30 12:35:35 www qmail-queue-handlers[18418]: to=gpr951@yahoo.com.tw
Apr 30 12:35:35 www qmail-queue-handlers[18418]: hook_dir = '/usr/local/psa/handlers/before-queue'
Apr 30 12:35:35 www qmail-queue-handlers[18418]: recipient[3] = 'gpr951@yahoo.com.tw'
Apr 30 12:35:35 www qmail-queue-handlers[18418]: handlers dir = '/usr/local/psa/handlers/before-queue/recipient/gpr951@yahoo.com.tw'
Apr 30 12:35:35 www qmail-queue-handlers[18418]: starter: submitter[18425] exited normally
Apr 30 12:35:35 www qmail: 1272645335.846623 new msg 13445793
Apr 30 12:35:35 www qmail: 1272645335.846703 info msg 13445793: bytes 2602 from <nzbvle@ms74.hinet.net> qp 18425 uid 2020
Apr 30 12:35:36 www qmail: 1272645336.667437 delivery 88: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
Apr 30 12:35:36 www qmail: 1272645336.667532 status: local 1/10 remote 19/20


Alright, now that you see what I do, I have made the part I don't get blue. This is not a valid user on my system. This is not one of our IPs. I need to know how this jerk gets into my system. They send mail at a rate of 50/min and it is trashing my system. Please, if anybody can help, it would be truly appreciated. I have been dealing with this for a while now, but it is getting out of hand at this rate.

Thank You


P.S. This is your heads-up: I am a Linux newbie.

Re: Spam gets in and I can't figure out how.

Posted: Fri Apr 30, 2010 1:35 pm
by magicspam
Is it possible that one of your users' accounts got compromised? It's possible to log in as one user, but send as though you're someone else.

Re: Spam gets in and I can't figure out how.

Posted: Sat May 01, 2010 7:20 pm
by coolioso
I do not know how to look to see which users are logged in. I can see that it is user 2020, but I have no idea who that is, and haven't found anything in Google searches to help me find out. We use qmail. If I could figure out who that is, I would force a password change.

Re: Spam gets in and I can't figure out how.

Posted: Mon May 03, 2010 9:37 am
by magicspam
You should be able to examine the qmail logs to find more information. Depending on your setup, you may have a daemon running that specifically handles logins, in which case you should examine that program's logs.
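As an added example of the log examination suggested above (not code from the thread or from MagicSpam), the script below parses the `HAM: mua=1` verdict lines in the posted format and groups the authenticated submissions by client pool, so a compromised login being driven from a rotating dynamic range stands out from a real user on one fixed host. The sample log lines are constructed in the thread's format, and the words used to recognise dynamic reverse DNS are an assumed heuristic.

```python
import re
from collections import defaultdict

# Constructed sample in the "HAM: mua=1" format shown in the thread, not the
# poster's own log: three submissions from a rotating dynamic pool, one from a
# fixed host with a single sender (assumed to be a legitimate user).
SAMPLE_LOG = """\
Apr 30 12:35:31 www magicspam-plesk[18381]: HAM: mua=1,ip=[59.35.2.113:113.2.35.59.broad.st.gd.dynamic.163data.com.cn],helo=<ecqiobd.com>,from=<cwnfpme@hotmail.com>,rcpt=<windysa907@yahoo.com.tw>
Apr 30 12:35:32 www magicspam-plesk[18392]: HAM: mua=1,ip=[59.35.7.32:32.7.35.59.broad.st.gd.dynamic.163data.com.cn],helo=<ulnfav.com>,from=<xpetgf@gmail.com>,rcpt=<god19982001@yahoo.com.tw>
Apr 30 12:35:33 www magicspam-plesk[18395]: HAM: mua=1,ip=[59.35.5.127:127.5.35.59.broad.st.gd.dynamic.163data.com.cn],helo=<bjnuai.com>,from=<gzdczx@googlegroups.com>,rcpt=<service@azurehotel.com.tw>
Apr 30 12:36:02 www magicspam-plesk[18500]: HAM: mua=1,ip=[192.0.2.10:mail.example.com],helo=<laptop>,from=<alice@example.com>,rcpt=<bob@example.org>
"""

# One MagicSpam verdict line; mua=1 means the client authenticated (MUA->MTA).
HAM_RE = re.compile(
    r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ magicspam-plesk\[\d+\]: HAM: "
    r"mua=(?P<mua>[01]),ip=\[(?P<ip>[^:\]]+):(?P<rdns>[^\]]*)\],"
    r"helo=<(?P<helo>[^>]*)>,from=<(?P<sender>[^>]*)>,rcpt=<(?P<rcpt>[^>]*)>"
)

def parse_auth_submissions(log_text):
    """Return one dict per authenticated submission; all other lines are ignored."""
    matches = map(HAM_RE.match, log_text.splitlines())
    return [m.groupdict() for m in matches if m and m.group("mua") == "1"]

def client_key(rec):
    """Collapse a rotating dynamic pool into one key by dropping the numeric
    (reversed-IP) labels from the reverse DNS name; fall back to the bare IP."""
    labels = [l for l in rec["rdns"].split(".") if not l.isdigit()]
    return ".".join(labels) if labels else rec["ip"]

def summarize(records):
    """Per client pool: submission count and the distinct envelope senders used."""
    pools = defaultdict(lambda: {"count": 0, "senders": set()})
    for r in records:
        pools[client_key(r)]["count"] += 1
        pools[client_key(r)]["senders"].add(r["sender"])
    return pools

def suspicious_pools(records, max_senders=1):
    """Flag pools that authenticate yet submit under several unrelated envelope
    senders, or that resolve to broadband/dynamic space. A heuristic, not proof."""
    flagged = {}
    for key, p in summarize(records).items():
        dynamic = any(w in key for w in ("dynamic", "broad", "dsl", "cable"))
        if len(p["senders"]) > max_senders or dynamic:
            flagged[key] = {"count": p["count"], "senders": sorted(p["senders"]),
                            "dynamic_rdns": dynamic}
    return flagged
```

Run it as `suspicious_pools(parse_auth_submissions(open("/usr/local/psa/var/log/maillog").read()))` against the real file (path assumed; use wherever Plesk writes the mail log). Every submission in the posted log carries the same `uid 2020`, so that number identifies the system account qmail runs submissions under rather than the mailbox that authenticated; the mailbox name has to come from the SMTP authentication daemon's own log entries.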