Kerio User Forums » Kerio Connect » I think I'm Spamming people
revmark

Messages: 23
Karma: 0
Help, I think I need some help. This is the only thing I can think of.

I was noticing a slight slowdown of my server last night. I checked the logs and was watching literally hundreds of emails (a snippet is shown below) in the mail log. I am in the process of replacing 19 old Win98/2000/XP machines with Vista Business machines. On each of the new machines, I am installing AVG Pro. But I still have only completed 6 of them. So, I still have 13 more to go.

My question is how do I find which machine is doing the spamming? Is there something in KMS to show the IP or User that it is coming from? etc. etc.

Thanks for your help,
Mark
[30/Jul/2007 11:11:54] Sent: Queue-ID: 46add53c-000002e9, Recipient: <uubdc<_a.t_>aol.com>, Result: delayed, Status: 4.3.2 421-:  (DYN:T1)  http://postmaster.info.aol.com/errors/421dynt1.html

[30/Jul/2007 11:11:54] 421 SERVICE NOT AVAILABLE
[30/Jul/2007 11:11:54] Sent: Queue-ID: 46add53c-000002e9, Recipient: <uyakreg<_a.t_>aol.com>, Result: delayed, Status: 4.3.2 421-:  (DYN:T1)  http://postmaster.info.aol.com/errors/421dynt1.html

[30/Jul/2007 11:11:54] 421 SERVICE NOT AVAILABLE
[30/Jul/2007 11:12:16] Sent: Queue-ID: 46add2a7-0000023f, Recipient: <jdwelle<_a.t_>ac.net>, Result: delayed, Status: 4.1.1 450 <jdwelle<_a.t_>ac.net>: Recipient address rejected: undeliverable address: host 64.79.48.19[64.79.48.19] said: 550 5.1.1 <jdwelle<_a.t_>ac.net> is not a valid mailbox (in reply to RCPT TO command)
[30/Jul/2007 11:12:28] Sent: Queue-ID: 46add299-0000023c, Recipient: <jaypayne<_a.t_>gateway.net>, Result: delayed, Status: 4.4.1 Cannot connect to remote host
[30/Jul/2007 11:13:30] Sent: Queue-ID: 46add31e-0000025b, Recipient: <keningercrudo<_a.t_>cnsinternet.com>, Result: delayed, Status: 4.4.1 Cannot connect to remote host
[30/Jul/2007 11:15:20] Sent: Queue-ID: 46add39f-00000275, Recipient: <mary_coleman<_a.t_>mhhs.org>, Result: delayed, Status: 4.4.1 Cannot connect to remote host
[30/Jul/2007 11:17:40] Sent: Queue-ID: 46add42a-00000293, Recipient: <papinas<_a.t_>mail.state.wi.us>, Result: delayed, Status: 4.4.1 Cannot connect to remote host
[30/Jul/2007 11:19:40] Sent: Queue-ID: 46add3f3-00000285, Recipient: <muhammad.soubra<_a.t_>atk.com>, Result: delayed, Status: 4.4.1 Cannot connect to remote host
[30/Jul/2007 11:21:01] Sent: Queue-ID: 46add292-0000023b, Recipient: <jandccunningham<_a.t_>lx.net>, Result: delayed, Status: 4.4.2 Connection lost
[30/Jul/2007 11:21:54] Sent: Queue-ID: 46add525-000002df, Recipient: <thevetteman<_a.t_>dellnet.com>, Result: delayed, Status: 4.4.1 Cannot connect to remote host
[30/Jul/2007 11:22:08] Sent: Queue-ID: 46add4ad-000002b7, Recipient: <rocklin<_a.t_>gateway.net>, Result: delayed, Status: 4.4.1 Cannot connect to remote host
[30/Jul/2007 11:24:00] Sent: Queue-ID: 46add327-0000025e, Recipient: <kicknbass<_a.t_>bazillion.com>, Result: delayed, Status: 4.4.1 Cannot connect to remote host
[30/Jul/2007 11:24:01] Sent: Queue-ID: 46add12f-000001da, Recipient: <cdwood<_a.t_>micron.net>, Result: delayed, Status: 4.4.1 Cannot connect to remote host
[30/Jul/2007 11:24:16] Sent: Queue-ID: 46add2c4-00000245, Recipient: <jjarecke<_a.t_>dfwairport.com>, Result: delayed, Status: 4.4.1 Cannot connect to remote host
[30/Jul/2007 11:25:53] Sent: Queue-ID: 46add049-000001bf, Recipient: <afn43864<_a.t_>afn.org>, Result: delayed, Status: 4.4.1 Cannot connect to remote host
[30/Jul/2007 11:26:56] Sent: Queue-ID: 46add1ec-00000212, Recipient: <evonne<_a.t_>shadowlawnkennels.com>, Result: delayed, Status: 4.4.3 DNS lookup failed
[30/Jul/2007 11:27:09] Sent: Queue-ID: 46add371-0000026c, Recipient: <lholmes<_a.t_>loneoakisd.com>, Result: delayed, Status: 4.4.1 Cannot connect to remote host
[30/Jul/2007 11:28:34] Sent: Queue-ID: 46add21c-0000021d, Recipient: <garymcspadden<_a.t_>home.com>, Result: delayed, Status: 4.4.1 Cannot connect to remote host
[30/Jul/2007 11:28:34] Sent: Queue-ID: 46add21c-0000021d, Recipient: <garyo<_a.t_>argontech.net>, Result: delayed, Status: 4.1.1 450 4.1.1 <garyo<_a.t_>argontech.net>: Recipient address rejected: User unknown in local recipient table
[30/Jul/2007 11:31:30] Sent: Queue-ID: 46add2d4-00000248, Recipient: <jmontgomery<_a.t_>apfl.org>, Result: delayed, Status: 4.4.3 DNS lookup failed
sedell

Messages: 1168
Karma: 1
That looks like only part of the log. There should be at least 2 corresponding lines for each message sent - they show up in pairs. There will be a pair of lines for each recipient of the message. One that shows the Queue-ID and the service used, and another that shows the same Queue-ID and the Recipient.

The first line will show the e-mail address the message is from, the To: address, the sender host, and the user who authenticated to send the mail. It will start out like this:
[30/Jul/2007 14:20:41] Recv: Queue-ID: 46ae2bf9-000058da, Service: SMTP, From:


The second line, that you have below, shows the recipient and delivery status. It will start out like:
[30/Jul/2007 14:20:42] Sent: Queue-ID: 46ae2bf9-000058da, Recipient:


Notice the same queue id. That's how you know which messages belong together. What you have to do with the log snippet you included is scroll up a bit. You should eventually see the first line of the pair showing the sender host and the authenticated user (if there was one). Depending on your server load, and the amount of mail queued at the time, these two lines could be quite a ways apart in the mail log.

Scott
revmark

Messages: 23
Karma: 0
But I did the lookups that you suggested. What I found is that the emails are coming from a valid email address on KMS, but it is not attached to any particular computer. That email address/UID is only used on the Webmail client. In other words, the email address showing up as the sender has no Outlook or Outlook Express client anywhere. Only the web access.

The address is our main catch-all business address we use on our websites, TV shows, radio shows, etc.

The IP address shows up as our ISP (Cox) but no other info. Is there no way to see what the IP address of the sending computer was, such as 192.168.0.112, or whatever on the local network?

[Updated on: Mon, 30 July 2007 22:26]

freakinvibe

Messages: 1552
Karma: 62
So if this is your "main catch all business" address, is it something like

info<_a.t_>yourcompany.com ?

When you created this address, did you set a password? If not, or if the password is very weak, spammers may have found this address just by trying common user IDs (info, webmaster, admin) and common passwords (empty password, 12345, pwd).

Once they have found your user ID and password combination, they log in with it and send thousands of spams as an authenticated user!

What you should do:

- Set a strong password for your "main catch all business" address user.

- Restart KMS

- Clear the queue

- Check ALL users for strong passwords (at least 8 characters)

Regards,

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
sedell

Messages: 1168
Karma: 1
revmark wrote on Mon, 30 July 2007 15:48

That email address/UID is only used on the Webmail client. In other words the email address showing up as the sender has no Outlook or Outlook express client anywhere. Only the web access.

Maybe not that you set up. Anyone with a username and password (or without if you don't have authentication required), can set up a mail client to use your SMTP server.

Quote:

The Ip address shows up as our ISP (Cox) but no other info. is there no way to see what was the IP address of the sending computer, such as 192.168.0.112, or what ever on the local network?

Then the IP address that's sending is not within your network, and is another node on Cox's network. That's not uncommon. If there is no authenticated user specified on the line in the mail log, it might mean you don't have authentication set up properly, and are allowing anonymous access to send mail (aka an Open Relay). If no username and password are required, there's no authenticated user to log.

Scott
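The Queue-ID pairing Scott describes in his first reply, and the "no authenticated user on the Recv line" check from his second, can be done over the whole mail log rather than by scrolling. The script below is an added example written for this thread, not Kerio's own tooling. It assumes the Recv line continues after "From:" with To, Size, Sender-Host and User fields in that order (only the "Recv:", "Sent:", "Queue-ID:", "Service:", "From:" and "Recipient:" parts are quoted in the thread; the "Sender-Host:" and "User:" field names are assumptions), and the sample log lines and addresses are constructed, not taken from the poster's server.

```python
import re
from collections import defaultdict

# Constructed sample of a Kerio-style mail log. Queue-IDs are reused from the
# thread; addresses, hosts and the Sender-Host/User field names are assumed.
SAMPLE_LOG = """\
[30/Jul/2007 11:10:02] Recv: Queue-ID: 46add53c-000002e9, Service: SMTP, From: <info@example.com>, To: <rcpt1@example.org>, Size: 2044, Sender-Host: 203.0.113.45, User: info@example.com
[30/Jul/2007 11:10:03] Recv: Queue-ID: 46add2a7-0000023f, Service: SMTP, From: <info@example.com>, To: <rcpt2@example.net>, Size: 2044, Sender-Host: 203.0.113.45, User: info@example.com
[30/Jul/2007 11:10:10] Recv: Queue-ID: 46add900-00000301, Service: SMTP, From: <bob@example.com>, To: <alice@example.org>, Size: 812, Sender-Host: 192.168.0.112, User: bob@example.com
[30/Jul/2007 11:10:15] Recv: Queue-ID: 46add901-00000302, Service: SMTP, From: <x@nowhere.invalid>, To: <y@example.net>, Size: 3001, Sender-Host: 198.51.100.7, User:
[30/Jul/2007 11:11:54] Sent: Queue-ID: 46add53c-000002e9, Recipient: <rcpt1@example.org>, Result: delayed, Status: 4.3.2 421-:  (DYN:T1)  http://postmaster.info.aol.com/errors/421dynt1.html
[30/Jul/2007 11:12:16] Sent: Queue-ID: 46add2a7-0000023f, Recipient: <rcpt2@example.net>, Result: delayed, Status: 4.1.1 450 Recipient address rejected
[30/Jul/2007 11:12:20] Sent: Queue-ID: 46add900-00000301, Recipient: <alice@example.org>, Result: delivered, Status: 250 OK
[30/Jul/2007 11:12:30] Sent: Queue-ID: 46add901-00000302, Recipient: <y@example.net>, Result: delayed, Status: 4.4.1 Cannot connect to remote host
"""

# First line of each pair: who submitted the message, from which host, as whom.
RECV_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Recv: Queue-ID: (?P<qid>[0-9a-f]+-[0-9a-f]+), "
    r"Service: (?P<service>\w+), From: <(?P<from>[^>]*)>, To: <(?P<to>[^>]*)>, "
    r"Size: (?P<size>\d+), Sender-Host: (?P<host>[^,]+), User: ?(?P<user>\S*)$"
)
# Second line of each pair: per-recipient delivery result (format as quoted in the thread).
SENT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Sent: Queue-ID: (?P<qid>[0-9a-f]+-[0-9a-f]+), "
    r"Recipient: <(?P<rcpt>[^>]*)>, Result: (?P<result>\w+), Status: (?P<status>.*)$"
)


def parse_log(text):
    """Join Recv and Sent lines on Queue-ID. Returns {qid: record}."""
    msgs = {}
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            rec = msgs.setdefault(m["qid"], {"deliveries": []})
            # An empty User field means nobody authenticated for this submission.
            rec.update(ts=m["ts"], sender=m["from"], host=m["host"], user=m["user"] or None)
            continue
        m = SENT_RE.match(line)
        if m:
            rec = msgs.setdefault(m["qid"], {"deliveries": []})
            rec["deliveries"].append((m["rcpt"], m["result"], m["status"]))
    return msgs


def top_senders(msgs):
    """Rank (authenticated user, sender host) pairs by number of deferred deliveries.

    A compromised account shows up as one user/host pair with a large delayed count,
    which is what the 'hundreds of delayed emails' in the original post point to.
    """
    counts = defaultdict(lambda: {"messages": 0, "delayed": 0})
    for rec in msgs.values():
        if "host" not in rec:
            continue  # Sent line whose Recv partner is outside the snippet
        key = (rec["user"] or "<unauthenticated>", rec["host"])
        counts[key]["messages"] += 1
        counts[key]["delayed"] += sum(1 for _, result, _ in rec["deliveries"] if result == "delayed")
    return sorted(counts.items(), key=lambda kv: kv[1]["delayed"], reverse=True)


def unauthenticated_submissions(msgs):
    """Queue-IDs accepted with no authenticated user: relay configuration to review."""
    return [qid for qid, rec in msgs.items() if "host" in rec and rec["user"] is None]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for (user, host), c in top_senders(parsed):
        print(f"{user:24} {host:16} messages={c['messages']} delayed={c['delayed']}")
    print("unauthenticated:", unauthenticated_submissions(parsed))
```

Run it against a real mail log by replacing SAMPLE_LOG with the file contents; if the Recv field order on your server differs from the assumed one, adjust RECV_RE to match one of your own Recv lines first.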
revmark

Messages: 23
Karma: 0
Done. And you are correct. I had a very weak password. Fixed that.

I have another question of similar nature (I think).

I get a lot of email from users that are no longer here. How do I

HOT DAMN!!!! I just watched a mess of SMTP failed login attempts from the same IP address, along with several entries for "SMTP connections rejected for directory harvest attack" messages. Awesome! Thanks guys.

Anyway, back to my other question. Some look like valid emails, others look like spam, etc. Where do they go? Should I bounce them? How? Should I just leave them alone? Are they taking up disk space, etc., etc.?

Again, thanks
mark