Linux Red Hat Question
Posted this on the Linux forum and not getting any help so I thought I would try here for any KMC programs out there that can help me.
I have been having this issue for about a week now, and it looks like one of our clients has been infected by a spam virus that is sending out emails through his computer; however, I'm not able to figure out which client this is. We run cPanel and I have checked the logs for any increase in SMTP traffic, and I'm not seeing any spikes; in the log files I'm not able to find any noticeable traffic. I have tried searching the log files for suspicious message IDs, but every time I do, the message ID is not found, so I'm not able to look at the header information for sent mail. Our normal traffic is about 300 to 400 a day, and we have been hitting close to 2,000 daily according to GoDaddy SMTP reports. We have checked our system and it doesn't allow open relaying.
I have been searching on the net trying to find some answers to this problem, but either the suggestions haven't panned out or I'm not finding what I'm looking for. Any help would be great because we are trying to stop this so that our IP is not blacklisted for spam.
Operating System: Red Hat Fedora Core 7
Sample of the exim_mainlog; client email addresses have been starred out:
2009-05-29 07:50:51 H=(FSINGVA) [125.211.167.243] rejected MAIL <[email protected]>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2009-05-29 07:50:53 H=adsl-84-227-23-6.adslplus.ch [84.227.23.6] F=<[email protected]> rejected RCPT <*******@*******.net>: "JunkMail rejected - adsl-84-227-23-6.adslplus.ch [84.227.23.6] is in an RBL, see Blocked - see http://www.spamcop.net/bl.shtml?84.227.23.6"
2009-05-29 07:50:53 H=adsl-84-227-23-6.adslplus.ch [84.227.23.6] Warning: "Increment Connection Ratelimit - adsl-84-227-23-6.adslplus.ch [84.227.23.6] because of RBL match"
2009-05-29 07:51:09 no IP address found for host host-41-196-156-251.static.link.com.eg (during SMTP connection from [41.196.156.251])
2009-05-29 07:51:12 H=(host-41-196-156-251.static.link.com.eg) [41.196.156.251] F=<[email protected]> rejected RCPT <*******@*******.net>: "JunkMail rejected - (host-41-196-156-251.static.link.com.eg) [41.196.156.251] is in an RBL, see Blocked - see http://www.spamcop.net/bl.shtml?41.196.156.251"
2009-05-29 07:51:12 H=(host-41-196-156-251.static.link.com.eg) [41.196.156.251] Warning: "Increment Connection Ratelimit - (host-41-196-156-251.static.link.com.eg) [41.196.156.251] because of RBL match"
2009-05-29 07:51:12 H=(host-41-196-156-251.static.link.com.eg) [41.196.156.251] Warning: Sender rate 0.0 / 1h
2009-05-29 07:51:44 H=c-76-108-210-126.hsd1.fl.comcast.net [76.108.210.126] F=<[email protected]> rejected RCPT <*******@******.com>: "JunkMail rejected - c-76-108-210-126.hsd1.fl.comcast.net [76.108.210.126] is in an RBL, see Blocked - see http://www.spamcop.net/bl.shtml?76.108.210.126"
2009-05-29 07:51:44 H=c-76-108-210-126.hsd1.fl.comcast.net [76.108.210.126] Warning: "Increment Connection Ratelimit - c-76-108-210-126.hsd1.fl.comcast.net [76.108.210.126] because of RBL match"
2009-05-29 07:51:44 H=c-76-108-210-126.hsd1.fl.comcast.net [76.108.210.126] Warning: Sender rate 0.0 / 1h
2009-05-29 07:51:57 no IP address found for host 18912188161.user.veloxzone.com.br (during SMTP connection from [189.12.188.161])
2009-05-29 07:51:58 H=(pappiro2) [189.12.188.161] rejected MAIL <[email protected]>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2009-05-29 07:53:23 no host name found for IP address 59.93.127.133
2009-05-29 07:53:25 H=(VQEGLBS) [59.93.127.133] rejected MAIL <[email protected]>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2009-05-29 07:53:36 no IP address found for host 18912188161.user.veloxzone.com.br (during SMTP connection from [189.12.188.161])
2009-05-29 07:53:40 H=(pappiro2) [189.12.188.161] rejected MAIL <[email protected]>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2009-05-29 07:53:43 H=amefcinfo.com [209.190.241.36] Warning: Sender rate 0.0 / 1h
2009-05-29 07:53:46 1MA3Ss-0004H0-9m Completed
2009-05-29 07:53:46 1MA3Ss-0004H0-9m => loans <*******@*******.net> R=virtual_user T=virtual_userdelivery
2009-05-29 07:53:46 1MA3Ss-0004H0-9m <= [email protected] H=amefcinfo.com [209.190.241.36] P=smtp S=5523 [email protected]
2009-05-29 07:54:26 H=smtp1.nylx.com [64.106.165.4] Warning: Sender rate 0.7 / 1h
2009-05-29 07:54:29 1MA3TZ-0004HC-F3 Completed
2009-05-29 07:54:29 1MA3TZ-0004HC-F3 <= [email protected] H=smtp1.nylx.com [64.106.165.4] P=smtp S=5831 [email protected]
2009-05-29 07:54:29 1MA3TZ-0004HC-F3 => paul <******@******.net> R=virtual_user T=virtual_userdelivery
2009-05-29 07:54:34 H=adsl-dyn131.78-99-44.t-com.sk [78.99.44.131] Warning: Sender rate 0.0 / 1h
2009-05-29 07:54:36 H=adsl-dyn131.78-99-44.t-com.sk [78.99.44.131] F=<[email protected]> rejected RCPT <[email protected]>: "JunkMail rejected - adsl-dyn131.78-99-44.t-com.sk [78.99.44.131] is in an RBL, see Blocked - see http://www.spamcop.net/bl.shtml?78.99.44.131"
2009-05-29 07:54:36 H=adsl-dyn131.78-99-44.t-com.sk [78.99.44.131] Warning: "Increment Connection Ratelimit - adsl-dyn131.78-99-44.t-com.sk [78.99.44.131] because of RBL match"
2009-05-29 07:54:45 H=114-76-246-201.adsl.terra.cl [201.246.76.114] Warning: Sender rate 0.0 / 1h
2009-05-29 07:54:51 H=114-76-246-201.adsl.terra.cl [201.246.76.114] F=<[email protected]> rejected RCPT <*******@******.com>: "JunkMail rejected - 114-76-246-201.adsl.terra.cl [201.246.76.114] is in an RBL, see http://www.spamhaus.org/query/bl?ip=201.246.76.114"
2009-05-29 07:54:51 H=114-76-246-201.adsl.terra.cl [201.246.76.114] Warning: "Increment Connection Ratelimit - 114-76-246-201.adsl.terra.cl [201.246.76.114] because of RBL match"
2009-05-29 07:54:55 no IP address found for host 189-79-42-195.dsl.telesp.net.br (during SMTP connection from [189.79.42.195])
2009-05-29 07:54:57 H=(189-79-42-195.dsl.telesp.net.br) [189.79.42.195] Warning: Sender rate 0.0 / 1h
2009-05-29 07:55:00 H=(189-79-42-195.dsl.telesp.net.br) [189.79.42.195] F=<[email protected]> rejected RCPT <[email protected]>: "JunkMail rejected - (189-79-42-195.dsl.telesp.net.br) [189.79.42.195] is in an RBL, see Blocked - see http://www.spamcop.net/bl.shtml?189.79.42.195"
2009-05-29 07:55:00 H=(189-79-42-195.dsl.telesp.net.br) [189.79.42.195] Warning: "Increment Connection Ratelimit - (189-79-42-195.dsl.telesp.net.br) [189.79.42.195] because of RBL match"
2009-05-29 07:55:39 H=(TNWUEOYV) [116.41.65.189] rejected MAIL <[email protected]>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2009-05-29 07:55:39 no host name found for IP address 116.41.65.189
2009-05-29 07:55:41 no host name found for IP address 88.244.150.151
2009-05-29 07:55:42 H=(server) [88.244.150.151] rejected MAIL <[email protected]>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2009-05-29 07:55:55 H=pool-71-121-53-27.plspca.dsl-w.verizon.net (71.121.53.27) [71.121.53.27] rejected MAIL <[email protected]>: Access denied - Invalid HELO name (See RFC2821 4.1.3)
2009-05-29 07:55:59 H=adsl201-232-234-28.epm.net.co [201.232.234.28] Warning: Sender rate 0.0 / 1h
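An added example, not part of the original post: a small Python script that does over exim_mainlog what the poster is trying to do by hand, namely attribute every message Exim accepted (the `<=` lines) to the thing that injected it, and count per hour so a volume spike stands out. In Exim's log format an authenticated SMTP submission carries `A=authenticator:user`, a message handed to Exim by a local process (for example a PHP script calling sendmail) carries `U=<unix user>` with `P=local`, and ordinary inbound mail from another MTA has neither, so the `A=` and `U=` values are what identify a compromised hosting account or a stolen mailbox password. Note also that the queue id on each line (e.g. `1MA3Ss-0004H0-9m`) is Exim's own identifier; the header Message-ID only appears in the `id=` field of the `<=` line, which is why searching the log for a Message-ID taken from a header can come up empty. The log lines below are constructed for the example and the account and host names in them are made up; the rejection pattern follows the lines quoted in the post.

```python
import re
from collections import Counter

# Constructed sample (not from the original post), in exim_mainlog format.
# 07h: two inbound deliveries from remote MTAs.
# 08h: one message submitted over authenticated SMTP by a mailbox account,
#      two injected locally (P=local) by the Unix user of a hosting account,
#      and one RBL rejection.
SAMPLE_LOG = """\
2009-05-29 07:53:46 1MA3Ss-0004H0-9m <= news@example.org H=mx.example.org [192.0.2.10] P=smtp S=5523 id=1@example.org
2009-05-29 07:54:29 1MA3TZ-0004HC-F3 <= info@example.net H=smtp1.example.net [192.0.2.20] P=smtp S=5831 id=2@example.net
2009-05-29 08:01:02 1MA3aA-0004Jx-1a <= alice@example.com H=(mypc) [203.0.113.7] P=esmtpa A=dovecot_login:alice@example.com S=1200 id=3@mypc
2009-05-29 08:01:05 1MA3aD-0004K1-2b <= bob@example.com U=exampleuser P=local S=2100 id=4@example.com
2009-05-29 08:01:06 1MA3aE-0004K2-3c <= bob@example.com U=exampleuser P=local S=2100 id=5@example.com
2009-05-29 08:02:10 H=host.example.net [198.51.100.9] F=<x@example.net> rejected RCPT <y@example.com>: "JunkMail rejected - host.example.net [198.51.100.9] is in an RBL"
"""

# "<=" marks a message arriving at Exim (from the network, an authenticated
# client, or a local process). The queue id is Exim's own; the header
# Message-ID only appears in the id= field.
ARRIVAL_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<hh>\d{2}):\d{2}:\d{2} "
    r"(?P<qid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$"
)
REJECT_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<hh>\d{2}):\d{2}:\d{2} .*\brejected (?:MAIL|RCPT)\b"
)
# A= authenticator:user, U= local Unix user, P= protocol, S= size in bytes.
FIELD_RE = re.compile(r"(?:^| )(?P<key>[AUPS])=(?P<val>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_exim_log(text):
    """Turn mainlog lines into dicts; lines that are neither arrivals nor
    rejections (deliveries, warnings, DNS notes) are skipped."""
    records = []
    for line in text.splitlines():
        m = ARRIVAL_RE.match(line)
        if m:
            fields = dict(FIELD_RE.findall(m.group("rest")))
            ip = IP_RE.search(m.group("rest"))
            records.append({
                "kind": "arrival",
                "hour": f"{m.group('date')} {m.group('hh')}",
                "qid": m.group("qid"),
                "sender": m.group("sender"),
                "auth": fields.get("A"),
                "local_user": fields.get("U"),
                "proto": fields.get("P"),
                "ip": ip.group(1) if ip else None,
            })
            continue
        m = REJECT_RE.match(line)
        if m:
            records.append({"kind": "reject",
                            "hour": f"{m.group('date')} {m.group('hh')}"})
    return records


def origin(rec):
    """Who injected the message: an authenticated account, a local Unix user
    (typically a web script calling sendmail), or a remote host."""
    if rec["auth"]:
        return "auth:" + rec["auth"]
    if rec["local_user"]:
        return "local:" + rec["local_user"]
    return "remote:" + (rec["ip"] or "unknown")


def summarize(records):
    arrivals = [r for r in records if r["kind"] == "arrival"]
    return {
        "total": len(arrivals),
        "rejects": sum(1 for r in records if r["kind"] == "reject"),
        "by_origin": Counter(origin(r) for r in arrivals),
        "by_hour": Counter(r["hour"] for r in arrivals),
    }


def suspects(summary, min_messages=2):
    """Authenticated or local origins at or above the threshold. Remote MTAs
    are inbound mail and cannot be the compromised client account."""
    return sorted(
        (o, n) for o, n in summary["by_origin"].items()
        if not o.startswith("remote:") and n >= min_messages
    )


if __name__ == "__main__":
    s = summarize(parse_exim_log(SAMPLE_LOG))
    print("arrivals:", s["total"], "rejections:", s["rejects"])
    for h, n in sorted(s["by_hour"].items()):
        print(h, n)
    for o, n in s["by_origin"].most_common():
        print(f"{n:5d} {o}")
    print("suspects:", suspects(s))
```

On a real cPanel box, replace `SAMPLE_LOG` with the contents of `/var/log/exim_mainlog` (and the rotated copies, since a week of history is in question) and raise `min_messages` to something above a normal day's count for one account. One caveat worth keeping in mind: this only sees mail that passed through Exim. If the excess GoDaddy is reporting never appears as `<=` lines at all, it was not injected through this server's MTA, and the next place to look is outbound connections on port 25 from the box itself (a script or process opening its own SMTP sessions), not the mail log.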
Thanks, but this is a hosting server for many of our clients. I've done a bit more research and it looks like he is bouncing the emails off the server but they are not going through. The log files show the email being passed and forwarded on to me, but there is no copy or other record of the other emails on the server; even the email that was to be forwarded to me is gone.