Spam gets in and I can't figure out how.

coolioso
Posts: 6
Joined: Tue Mar 16, 2010 1:24 pm

Spam gets in and I can't figure out how.

Post by coolioso » Fri Apr 30, 2010 10:30 am

I have a Parallels Plesk Panel version 9.2.1
Operating system Linux 2.6.11-1.1369_FC4smp
CPU AuthenticAMD, AMD Opteron(tm) Processor 244
Average load 1.27; 1.00; 0.90

OK, I realize that this isn't a MagicSpam issue. I cannot seem to find help anywhere on this and I thought that one of you might be able to help. I have tried Google and found nothing to help. My issue is that although I have many rules set, spam gets through. I know it's because they have auth. I don't get how they can auth, though. This is what I get.

Apr 30 12:35:31 www magicspam-plesk[18381]: AUTH_USER[info] set: assuming MUA->MTA connection.
Apr 30 12:35:31 www magicspam-plesk[18381]: HAM: mua=1,ip=[59.35.2.113:113.2.35.59.broad.st.gd.dynamic.163data.com.cn],helo=<ecqiobd.com>,from=<cwnfpme@hotmail.com>,rcpt=<windysa907@yahoo.com.tw>

Apr 30 12:35:32 www magicspam-plesk[18392]: AUTH_USER[info] set: assuming MUA->MTA connection.
Apr 30 12:35:32 www magicspam-plesk[18392]: HAM: mua=1,ip=[59.35.7.32:32.7.35.59.broad.st.gd.dynamic.163data.com.cn],helo=<ulnfav.com>,from=<xpetgf@gmail.com>,rcpt=<god19982001@yahoo.com.tw>

Apr 30 12:35:33 www magicspam-plesk[18395]: AUTH_USER[info] set: assuming MUA->MTA connection.
Apr 30 12:35:33 www magicspam-plesk[18395]: HAM: mua=1,ip=[59.35.5.127:127.5.35.59.broad.st.gd.dynamic.163data.com.cn],helo=<bjnuai.com>,from=<gzdczx@googlegroups.com>,rcpt=<service@azurehotel.com.tw>

Apr 30 12:35:34 www magicspam-plesk[18407]: AUTH_USER[info] set: assuming MUA->MTA connection.
Apr 30 12:35:34 www magicspam-plesk[18407]: HAM: mua=1,ip=[59.35.103.191:191.103.35.59.broad.st.gd.dynamic.163data.com.cn],helo=<gptiim.com>,from=<nzbvle@ms74.hinet.net>,rcpt=<gpr951@yahoo.com.tw>
Apr 30 12:35:34 www qmail-queue-handlers[18403]: from=xpetgf@gmail.com
Apr 30 12:35:34 www qmail-queue-handlers[18403]: to=god19982001@yahoo.com.tw
Apr 30 12:35:34 www qmail-queue-handlers[18403]: hook_dir = '/usr/local/psa/handlers/before-queue'
Apr 30 12:35:34 www qmail-queue-handlers[18403]: recipient[3] = 'god19982001@yahoo.com.tw'
Apr 30 12:35:34 www qmail-queue-handlers[18403]: handlers dir = '/usr/local/psa/handlers/before-queue/recipient/god19982001@yahoo.com.tw'
Apr 30 12:35:34 www qmail-queue-handlers[18403]: starter: submitter[18408] exited normally
Apr 30 12:35:34 www qmail: 1272645334.133753 new msg 13445785
Apr 30 12:35:34 www qmail: 1272645334.133832 info msg 13445785: bytes 2499 from <xpetgf@gmail.com> qp 18408 uid 2020
Apr 30 12:35:34 www qmail-queue-handlers[18304]: from=qfgiygommwxf@yahoo-inc.com
Apr 30 12:35:34 www qmail-queue-handlers[18304]: to=rabaa5468@yahoo.com.tw
Apr 30 12:35:34 www qmail-queue-handlers[18304]: hook_dir = '/usr/local/psa/handlers/before-queue'
Apr 30 12:35:34 www qmail-queue-handlers[18304]: recipient[3] = 'rabaa5468@yahoo.com.tw'
Apr 30 12:35:34 www qmail-queue-handlers[18304]: handlers dir = '/usr/local/psa/handlers/before-queue/recipient/rabaa5468@yahoo.com.tw'
Apr 30 12:35:34 www qmail-queue-handlers[18304]: starter: submitter[18409] exited normally
Apr 30 12:35:34 www qmail: 1272645334.268715 new msg 13445787
Apr 30 12:35:34 www qmail: 1272645334.268802 info msg 13445787: bytes 3053 from <qfgiygommwxf@yahoo-inc.com> qp 18409 uid 2020
Apr 30 12:35:34 www qmail-queue-handlers[18405]: from=gzdczx@googlegroups.com
Apr 30 12:35:34 www qmail-queue-handlers[18405]: to=service@azurehotel.com.tw
Apr 30 12:35:34 www qmail-queue-handlers[18405]: hook_dir = '/usr/local/psa/handlers/before-queue'
Apr 30 12:35:34 www qmail-queue-handlers[18405]: recipient[3] = 'service@azurehotel.com.tw'
Apr 30 12:35:34 www qmail-queue-handlers[18405]: handlers dir = '/usr/local/psa/handlers/before-queue/recipient/service@azurehotel.com.tw'
Apr 30 12:35:34 www qmail-queue-handlers[18405]: starter: submitter[18414] exited normally
Apr 30 12:35:34 www qmail: 1272645334.547970 new msg 13445789
Apr 30 12:35:34 www qmail: 1272645334.548055 info msg 13445789: bytes 2498 from <gzdczx@googlegroups.com> qp 18414 uid 2020
Apr 30 12:35:34 www qmail-queue-handlers[18418]: Handlers Filter before-queue for qmail started ...
Apr 30 12:35:34 www relaylock: /var/qmail/bin/relaylock: mail from 116.26.20.198:1344 (not defined)
Apr 30 12:35:34 www relaylock: /var/qmail/bin/relaylock: mail from 59.35.101.215:2890 (215.101.35.59.broad.st.gd.dynamic.163data.com.cn)
Apr 30 12:35:35 www relaylock: /var/qmail/bin/relaylock: mail from 59.35.102.78:2583 (78.102.35.59.broad.st.gd.dynamic.163data.com.cn)
Apr 30 12:35:35 www qmail-queue-handlers[18418]: from=nzbvle@ms74.hinet.net
Apr 30 12:35:35 www qmail-queue-handlers[18418]: to=gpr951@yahoo.com.tw
Apr 30 12:35:35 www qmail-queue-handlers[18418]: hook_dir = '/usr/local/psa/handlers/before-queue'
Apr 30 12:35:35 www qmail-queue-handlers[18418]: recipient[3] = 'gpr951@yahoo.com.tw'
Apr 30 12:35:35 www qmail-queue-handlers[18418]: handlers dir = '/usr/local/psa/handlers/before-queue/recipient/gpr951@yahoo.com.tw'
Apr 30 12:35:35 www qmail-queue-handlers[18418]: starter: submitter[18425] exited normally
Apr 30 12:35:35 www qmail: 1272645335.846623 new msg 13445793
Apr 30 12:35:35 www qmail: 1272645335.846703 info msg 13445793: bytes 2602 from <nzbvle@ms74.hinet.net> qp 18425 uid 2020
Apr 30 12:35:36 www qmail: 1272645336.667437 delivery 88: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
Apr 30 12:35:36 www qmail: 1272645336.667532 status: local 1/10 remote 19/20


Alright, now that you see what I do, I have made the part I don't get blue. This is not a valid user on my system. This is not one of our IPs. I need to know how this jerk gets into my system. They send mail at a rate of 50/min and it is trashing my system. Please, if anybody can help it would be truly appreciated. I have been dealing with this for a while now but it is getting out of hand at this rate.

Thank You


P.S. This is your heads-up: I am a Linux newbie.

magicspam
Posts: 1563
Joined: Tue Oct 28, 2008 2:27 pm

Re: Spam gets in and I can't figure out how.

Post by magicspam » Fri Apr 30, 2010 1:35 pm

Is it possible that one of your users' accounts got compromised? It's possible to log in as one user, but send as though you're someone else.
-- MagicSpam Support Team --

coolioso
Posts: 6
Joined: Tue Mar 16, 2010 1:24 pm

Re: Spam gets in and I can't figure out how.

Post by coolioso » Sat May 01, 2010 7:20 pm

I do not know how to look to see which users are logged in. I can see that it is user 2020 but I have no idea, and haven't found anything in Google searches to help me find, who that is. We use qmail. If I could figure out who that is I would force a password change.

magicspam
Posts: 1563
Joined: Tue Oct 28, 2008 2:27 pm

Re: Spam gets in and I can't figure out how.

Post by magicspam » Mon May 03, 2010 9:37 am

You should be able to examine the qmail logs to find more information. Depending on your setup, you may have a daemon running that specifically handles logins, in which case you should examine that program's logs.
-- MagicSpam Support Team --
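
One way to do the log examination suggested above, as an added example that is not part of the original thread and not MagicSpam's own tooling: it reads `magicspam-plesk` verdict lines in the format quoted in the first post, keeps the submissions marked `mua=1` (treated as authenticated mail-client connections), and groups them by /16 source network, flagging networks whose sessions never use a locally hosted sender domain or exceed a per-minute rate. The `local_domains` set, the rate threshold and the sample log are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample (private addresses, example domains) in the thread's log format.
SAMPLE_LOG = """\
Apr 30 12:35:31 www magicspam-plesk[101]: AUTH_USER[info] set: assuming MUA->MTA connection.
Apr 30 12:35:31 www magicspam-plesk[101]: HAM: mua=1,ip=[10.35.2.113:h113.isp.example],helo=<aaa.example>,from=<u1@mail.example>,rcpt=<r1@dest.example>
Apr 30 12:35:32 www magicspam-plesk[102]: HAM: mua=1,ip=[10.35.7.32:h32.isp.example],helo=<bbb.example>,from=<u2@other.example>,rcpt=<r2@dest.example>
Apr 30 12:36:02 www magicspam-plesk[103]: HAM: mua=1,ip=[10.99.1.5:office.example],helo=<laptop>,from=<alice@hosted.example>,rcpt=<bob@dest.example>
"""

# Verdict line layout as quoted in the thread: mua flag, ip:[rdns], helo, from, rcpt.
VERDICT = re.compile(
    r"^(?P<minute>\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ magicspam-plesk\[\d+\]: "
    r"(?P<verdict>\w+): mua=(?P<mua>\d),ip=\[(?P<ip>[\d.]+):[^\]]*\],"
    r"helo=<(?P<helo>[^>]*)>,from=<(?P<sender>[^>]*)>,rcpt=<(?P<rcpt>[^>]*)>"
)

def summarize_authenticated(log_text, local_domains):
    """Group mua=1 submissions by /16 source network."""
    local = {d.lower() for d in local_domains}
    nets = defaultdict(lambda: {"total": 0, "foreign_sender": 0,
                                "ips": set(), "per_minute": Counter()})
    for line in log_text.splitlines():
        m = VERDICT.match(line)
        if not m or m["mua"] != "1":
            continue  # not a verdict line, or not marked as a mail-client session
        entry = nets[".".join(m["ip"].split(".")[:2]) + ".0.0/16"]
        entry["total"] += 1
        entry["ips"].add(m["ip"])
        entry["per_minute"][m["minute"]] += 1
        # Logged-in client claiming a sender domain this server does not host.
        if m["sender"].rsplit("@", 1)[-1].lower() not in local:
            entry["foreign_sender"] += 1
    return dict(nets)

def flag_networks(summary, max_per_minute=10):
    """Networks that only ever send as non-local domains, or exceed the rate."""
    flagged = []
    for net, e in sorted(summary.items()):
        peak = max(e["per_minute"].values())
        if e["foreign_sender"] == e["total"] or peak > max_per_minute:
            flagged.append((net, e["total"], len(e["ips"]), peak))
    return flagged

if __name__ == "__main__":
    for row in flag_networks(summarize_authenticated(SAMPLE_LOG, {"hosted.example"})):
        print("network=%s msgs=%d ips=%d peak/min=%d" % row)
```

These verdict lines do not carry the login name, so the flagged source addresses and timestamps are what to match against the logs of whichever daemon handles SMTP logins.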
