Da Pittman
Posted this on the Linux forum and not getting any help so I thought I would try here for any KMC programs out there that can help me.
I have been having this issue for about a week now and it looks like one of our clients has been infected by a spam virus that is sending out emails through his computer; however, I'm not able to figure out which client this is. We run cPanel and I have checked the logs for any increases in SMTP traffic, and I'm not seeing any spikes, and in the log files I'm not able to find any noticeable traffic. I have tried searching the log files for suspicious message IDs, but every time I do the message ID is not found, so I'm not able to look at the header information for sent mail. Our normal traffic is about 300 to 400 a day and we have been hitting close to 2,000 daily according to GoDaddy SMTP reports. We have checked our system and it doesn't accept open relays.
I have been searching on the net trying to find some answers to this problem, but either the suggestions haven't panned out or I'm not finding what I'm looking for. Any help would be great because we are trying to stop this so that our IP is not blacklisted for spam.
Operating System: Red Hat Fedora Core 7
Sample of the exim_mainlog; client email addresses have been starred out:
2009-05-29 07:50:51 H=(FSINGVA) rejected MAIL <restlesszh335@lastiness.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2009-05-29 07:50:53 H=adsl-84-227-23-6.adslplus.ch F=<compensatepz63@slowinestorage.com> rejected RCPT <*******@*******.net>: "JunkMail rejected - adsl-84-227-23-6.adslplus.ch is in an RBL, see Blocked - see http://www.spamcop.net/bl.shtml?84.227.23.6"
2009-05-29 07:50:53 H=adsl-84-227-23-6.adslplus.ch Warning: "Increment Connection Ratelimit - adsl-84-227-23-6.adslplus.ch because of RBL match"
2009-05-29 07:51:09 no IP address found for host host-41-196-156-251.static.link.com.eg (during SMTP connection from )
2009-05-29 07:51:12 H=(host-41-196-156-251.static.link.com.eg) F=<hughh39@dentaltrez.com> rejected RCPT <*******@*******.net>: "JunkMail rejected - (host-41-196-156-251.static.link.com.eg) is in an RBL, see Blocked - see http://www.spamcop.net/bl.shtml?41.196.156.251"
2009-05-29 07:51:12 H=(host-41-196-156-251.static.link.com.eg) Warning: "Increment Connection Ratelimit - (host-41-196-156-251.static.link.com.eg) because of RBL match"
2009-05-29 07:51:12 H=(host-41-196-156-251.static.link.com.eg) Warning: Sender rate 0.0 / 1h
2009-05-29 07:51:44 H=c-76-108-210-126.hsd1.fl.comcast.net F=<tenuringna4@neiengineering.com> rejected RCPT <*******@******.com>: "JunkMail rejected - c-76-108-210-126.hsd1.fl.comcast.net is in an RBL, see Blocked - see http://www.spamcop.net/bl.shtml?76.108.210.126"
2009-05-29 07:51:44 H=c-76-108-210-126.hsd1.fl.comcast.net Warning: "Increment Connection Ratelimit - c-76-108-210-126.hsd1.fl.comcast.net because of RBL match"
2009-05-29 07:51:44 H=c-76-108-210-126.hsd1.fl.comcast.net Warning: Sender rate 0.0 / 1h
2009-05-29 07:51:57 no IP address found for host 18912188161.user.veloxzone.com.br (during SMTP connection from )
2009-05-29 07:51:58 H=(pappiro2) rejected MAIL <distressfulk5@returns.sales.overstock.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2009-05-29 07:53:23 no host name found for IP address 59.93.127.133
2009-05-29 07:53:25 H=(VQEGLBS) rejected MAIL <pollyannacvr6@klocwork.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2009-05-29 07:53:36 no IP address found for host 18912188161.user.veloxzone.com.br (during SMTP connection from )
2009-05-29 07:53:40 H=(pappiro2) rejected MAIL <concavitiesy999@rite-wayelec.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2009-05-29 07:53:43 H=amefcinfo.com Warning: Sender rate 0.0 / 1h
2009-05-29 07:53:46 1MA3Ss-0004H0-9m Completed
2009-05-29 07:53:46 1MA3Ss-0004H0-9m => loans <*******@*******.net> R=virtual_user T=virtual_userdelivery
2009-05-29 07:53:46 1MA3Ss-0004H0-9m <= reply@amefcinfo.com H=amefcinfo.com P=smtp S=5523 id=571.725.448183.16249.13095492.687@amefc.com
2009-05-29 07:54:26 H=smtp1.nylx.com Warning: Sender rate 0.7 / 1h
2009-05-29 07:54:29 1MA3TZ-0004HC-F3 Completed
2009-05-29 07:54:29 1MA3TZ-0004HC-F3 <= noreply@lendingart.com H=smtp1.nylx.com P=smtp S=5831 id=WS1keI2QQUR5oSmUmhX00079726@smtp1.nylx.com
2009-05-29 07:54:29 1MA3TZ-0004HC-F3 => paul <******@******.net> R=virtual_user T=virtual_userdelivery
2009-05-29 07:54:34 H=adsl-dyn131.78-99-44.t-com.sk Warning: Sender rate 0.0 / 1h
2009-05-29 07:54:36 H=adsl-dyn131.78-99-44.t-com.sk F=<accusatoryuh24@koon.privatedns.com> rejected RCPT <freeman@creditunionadvantage.com>: "JunkMail rejected - adsl-dyn131.78-99-44.t-com.sk is in an RBL, see Blocked - see http://www.spamcop.net/bl.shtml?78.99.44.131"
2009-05-29 07:54:36 H=adsl-dyn131.78-99-44.t-com.sk Warning: "Increment Connection Ratelimit - adsl-dyn131.78-99-44.t-com.sk because of RBL match"
2009-05-29 07:54:45 H=114-76-246-201.adsl.terra.cl Warning: Sender rate 0.0 / 1h
2009-05-29 07:54:51 H=114-76-246-201.adsl.terra.cl F=<carefulf@moredirect.com> rejected RCPT <*******@******.com>: "JunkMail rejected - 114-76-246-201.adsl.terra.cl is in an RBL, see http://www.spamhaus.org/query/bl?ip=201.246.76.114"
2009-05-29 07:54:51 H=114-76-246-201.adsl.terra.cl Warning: "Increment Connection Ratelimit - 114-76-246-201.adsl.terra.cl because of RBL match"
2009-05-29 07:54:55 no IP address found for host 189-79-42-195.dsl.telesp.net.br (during SMTP connection from )
2009-05-29 07:54:57 H=(189-79-42-195.dsl.telesp.net.br) Warning: Sender rate 0.0 / 1h
2009-05-29 07:55:00 H=(189-79-42-195.dsl.telesp.net.br) F=<fragrancesok25@khakisoftware.com> rejected RCPT <freeman@creditunionadvantage.com>: "JunkMail rejected - (189-79-42-195.dsl.telesp.net.br) is in an RBL, see Blocked - see http://www.spamcop.net/bl.shtml?189.79.42.195"
2009-05-29 07:55:00 H=(189-79-42-195.dsl.telesp.net.br) Warning: "Increment Connection Ratelimit - (189-79-42-195.dsl.telesp.net.br) because of RBL match"
2009-05-29 07:55:39 H=(TNWUEOYV) rejected MAIL <scapegoatede01@burnablehvd.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2009-05-29 07:55:39 no host name found for IP address 116.41.65.189
2009-05-29 07:55:41 no host name found for IP address 88.244.150.151
2009-05-29 07:55:42 H=(server) rejected MAIL <admin@michaellikhinin.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2009-05-29 07:55:55 H=pool-71-121-53-27.plspca.dsl-w.verizon.net (71.121.53.27) rejected MAIL <founderedoutraged@jonnieandbrookie.com>: Access denied - Invalid HELO name (See RFC2821 4.1.3)
2009-05-29 07:55:59 H=adsl201-232-234-28.epm.net.co Warning: Sender rate 0.0 / 1h
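The posted sample only shows inbound mail and rejected connections, so it cannot reveal who is submitting outbound mail. The script below is an added example (not from the post or from cPanel) that groups the "<=" arrival lines of an exim_mainlog by who handed in the message, using the standard exim log fields A= (SMTP AUTH identity, which a compromised client password shows up as) and U= (local Unix user, which a script on the box shows up as); the example.net and 203.0.113.7 sample lines are constructed.

```python
import re
from collections import Counter

# An exim_mainlog "<=" line records a message entering the queue:
#   <timestamp> <queue id> <= <envelope sender> KEY=value ...
# H= connecting host, P= protocol, A= SMTP AUTH identity, U= local Unix user.
ARRIVAL_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<qid>\S+) <= (?P<sender>\S+) ?(?P<rest>.*)$")
FIELD_RE = re.compile(r"(?:^| )(?P<key>[A-Za-z]+)=(?P<val>\S+)")

def parse_arrival(line):
    """Return a dict of fields for a '<=' line, or None for any other line."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "qid": m.group("qid"), "sender": m.group("sender")}
    for f in FIELD_RE.finditer(m.group("rest")):
        rec[f.group("key")] = f.group("val")
    return rec

def origin(rec):
    """Classify who handed us the message: authenticated client, local process, or another MTA."""
    if "A" in rec:
        return "auth:" + rec["A"]          # a mail client logged in with a mailbox password
    if rec.get("P") == "local":
        return "local:" + rec.get("U", "?")  # e.g. a PHP script calling sendmail on the box
    return "remote:" + rec.get("H", "?")   # ordinary inbound mail from another server

def count_origins(lines):
    """Messages per origin over a log sample; non-'<=' lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_arrival(line.rstrip("\n"))
        if rec:
            counts[origin(rec)] += 1
    return counts

def suspicious_senders(lines, threshold):
    """Origins under our own control (auth or local) with at least `threshold` messages."""
    return {o: n for o, n in count_origins(lines).items()
            if n >= threshold and not o.startswith("remote:")}

# Constructed sample: one inbound line from the post plus three made-up
# submissions (example.net and 203.0.113.7 are documentation values).
SAMPLE = [
    "2009-05-29 07:53:46 1MA3Ss-0004H0-9m <= reply@amefcinfo.com H=amefcinfo.com P=smtp S=5523 id=571.725.448183.16249.13095492.687@amefc.com",
    "2009-05-29 08:01:02 1MA3aA-0001AA-Qx <= info@example.net H=(WORKSTATION) [203.0.113.7] P=esmtpa A=dovecot_login:info@example.net S=1480 id=a1@example.net",
    "2009-05-29 08:01:03 1MA3aB-0001AB-Qy <= info@example.net H=(WORKSTATION) [203.0.113.7] P=esmtpa A=dovecot_login:info@example.net S=1480 id=a2@example.net",
    "2009-05-29 08:02:10 1MA3aC-0001AC-Qz <= nobody@host.example.net U=nobody P=local S=2048 id=b1@host.example.net",
]
```

Run it over the whole day's log (`count_origins(open("/var/log/exim_mainlog"))`) and compare the "auth:" and "local:" totals against the 300 to 400 messages a day the server normally handles; a single mailbox or U=nobody accounting for the excess is the account or script to suspend and clean.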