Kerio User Forums » Kerio Connect » Someone using a spamming list on my server! plz help

chris111690
Please disregard this below, and just read my 2nd post.


I am very new to this mail server GUI; I need help here with relaying.
I have a customer with an older version of Kerio, 7.0.1 build 1249, and they keep getting blacklisted recently. It is being run on a very old server, over 12 years old, and I want to try to relay all mail through our Kerio server here. Would this stop the blacklist, because it would read a different IP, right? Also, can someone tell me what to do here?
I have tried to go into "SMTP SERVER", then clicked "allow relaying for: users from IP address group", but nothing happens when I click the drop-down menu. Can someone help? Or is there an easier way to do this?

**Worst-case scenario, I can set them up on my server and host it for them. They do not have the know-how to even turn on a server anyway.

manuals.kerio.com/kms/en/sect-smtpsrv.html

[Updated on: Tue, 20 November 2012 23:24]

tonyswu
If you don't see any item in the drop-down, that's probably because you don't have any. You can create one in the IP Address Groups. If you absolutely need relaying, I would probably use the "Users authenticated through SMTP" option. If their server is constantly listed on the blacklist, I would probably disable SMTP relaying altogether.
chris111690
Well, scratch that. I have a way bigger issue at hand. It seems that someone or something (a bot) is sending out massive amounts of email all day long, and they are in alphabetical order!! In my logs it will have thousands of undeliverables that start with A's, then B's, then C's, all the way to Z's. It sends thousands every day and they all seem to be undeliverable. Most are going to Yahoo, Gmail, Comcast, Charter, Dell, and MSN, which all have me blocked now. I am blacklisted under "UCEPROTECTL1" and they want 112 dollars to remove me, but it will happen again if I don't get this out of my server. My domain is "superiorcompanies.net".

Here is a partial log, because my full log is over 500 MB and climbing a couple of MB a day!!

[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <hale_jared@yahoo.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <hale856@hotmail.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <halee11@hotmail.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <haleed3@earthlink.net>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <haleem1478@gmail.com>, Result: failed, Status: 5.1.1 550 5.2.1 The email account that you tried to reach is disabled. f5si10404159qap.14
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <haleema_u@yahoo.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <halehkz@hotmail.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <haleigh62r@yahoo.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <haleighelaine@yahoo.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <haleighgirl1@ymail.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <haleighh123@yahoo.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <haleine1992@rondotech.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <haleiwadiva@gmail.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <halejandro55@yahoo.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <halejr22@comcast.net>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <halelait@yahoo.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <haleluijah06@yahoo.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <haleluyadiet@yahoo.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <halema_korbu@dell.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <halen04@cs.com>, Result: failed, Status: 4.4.1 421 mtain-mg01.r1000.mx.aol.com Service unavailable - try again later
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <halenaa@yahoo.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <halenvan1984@hotmail.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <halepahoa@aol.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <halephelps@yahoo.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <halerobin1@yahoo.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <hales_thomas@yahoo.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <hales25_89@hotmail.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <halesaccount@hotmail.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <halesky2000@yahoo.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <halesworthp@aol.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <haletiang55@gmail.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <haleum@yahoo.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <halewis7@yahoo.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <halex@barrick.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <haley.chadick@gmail.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <haley.freeman23630@go.hindscc.edu>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <haley.kenny@gmail.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <haley_12_basketball@yahoo.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <haley_babe101@hotmail.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <haley_forell@yahoo.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <haley_jay@hotmail.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <haley1214@comcast.net>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:54:11] Sent: Queue-ID: 50abfa05-0000116e, Recipient: <btt.reeves@gmail.com>, Result: delayed, Status: 4.4.1 Cannot connect to remote host
tonyswu
You need to figure out where those emails are coming from. If you have an open SMTP relay, obviously you want to close that. If you don't, then perhaps an account is compromised or a computer is infected. If you take a look at the queue, it should tell you where all those emails are being sent from. Otherwise, you'll need to take a look at the Mail log and determine which account is being used to send all those emails out.
chris111690
The message queue is completely empty. Under message queue processing I have 8 emails here that are from btt.reeves@gmail.com; a quick Google search of that shows it is the email used to host fake bank phishing sites in 2010. And this name has shown up a lot in my logs. What can I do?
clan
First of all you should make sure you are not an open relay. If you are not an open relay, you need to find out which local account is used to send out the spam and disable it. This information should be available in the queue processing or the mail logs.
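The "make sure you are not an open relay" step can be checked with a short SMTP dialogue rather than a GUI walk-through: an outside envelope sender to an outside envelope recipient, with no AUTH, must be refused at RCPT TO. The script below is an added example for this thread, not Kerio code and not posted by anyone in it. So that it runs offline it includes a small fake MTA that answers either as a closed relay (accepting only LOCAL_DOMAINS) or as an open one; the hostnames, reply texts and the superiorcompanies.net domain set are assumptions for the demo. Point relay_check() at a real host:port only for a server you are responsible for.

```python
"""Open-relay probe with smtplib, plus a minimal fake MTA so the probe can be
exercised offline.  Added example, not Kerio's code."""
import smtplib
import socket
import threading

LOCAL_DOMAINS = {"superiorcompanies.net"}   # the hosted domain named in the thread (assumed)


def relay_check(host, port, probe_from="probe@example.org",
                probe_to="probe@example.net", timeout=10):
    """Return (is_open_relay, rcpt_code, rcpt_reply).

    Both envelope addresses are outside the server's own domains and no AUTH
    is sent, so a correctly configured server must answer RCPT TO with 5xx.
    RSET follows (and QUIT on exit), so nothing is queued even on an open relay."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, reply = smtp.mail(probe_from)
        if code != 250:                      # sender refused before RCPT: not a relay
            return False, code, reply.decode(errors="replace")
        code, reply = smtp.rcpt(probe_to)
        smtp.rset()
        return code in (250, 251), code, reply.decode(errors="replace")


def _serve_session(conn, accept_relay):
    """Answer one SMTP session like an MTA that relays only for LOCAL_DOMAINS
    (or for anyone when accept_relay is True).  Fake server for the demo."""
    conn.sendall(b"220 mail.example.test ESMTP\r\n")
    for raw in conn.makefile("rb"):
        line = raw.decode(errors="replace").strip()
        verb = line.split(" ", 1)[0].upper()
        if verb in ("EHLO", "HELO"):
            conn.sendall(b"250 mail.example.test\r\n")
        elif verb == "MAIL":
            conn.sendall(b"250 2.1.0 Sender OK\r\n")
        elif verb == "RCPT":
            addr = line.split(":", 1)[1].strip().strip("<>")
            domain = addr.rsplit("@", 1)[-1].lower()
            if accept_relay or domain in LOCAL_DOMAINS:
                conn.sendall(b"250 2.1.5 Recipient OK\r\n")
            else:
                conn.sendall(b"554 5.7.1 Relay access denied\r\n")
        elif verb == "RSET":
            conn.sendall(b"250 2.0.0 OK\r\n")
        elif verb == "QUIT":
            conn.sendall(b"221 2.0.0 Bye\r\n")
            break
        else:
            conn.sendall(b"502 5.5.2 Command not implemented\r\n")
    conn.close()


def start_fake_mta(accept_relay=False):
    """Start the fake MTA on an ephemeral localhost port; return (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_serve_session, args=(conn, accept_relay),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()


def demo():
    """Probe a closed and an open fake MTA; return their is_open_relay verdicts."""
    closed = relay_check(*start_fake_mta(accept_relay=False))
    opened = relay_check(*start_fake_mta(accept_relay=True))
    return closed[0], opened[0]


if __name__ == "__main__":
    host, port = start_fake_mta()
    print(relay_check(host, port))       # closed relay: (False, 554, '5.7.1 Relay access denied')
```

A 250 at RCPT TO for a foreign recipient from a foreign sender is the only result that means "open relay"; a 5xx at MAIL FROM or RCPT TO is what you want to see. Note that this probe does not cover the other way spam enters a closed relay, which the thread goes on to discuss: a valid local account whose password has been stolen.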
chris111690
There is no open relay at all. And the account sending them is that Gmail address posted above, which obviously is not being hosted here. The logs tell me nothing but undeliverable errors, and that Gmail and countless other hosters have blocked my IP address. I think someone is spoofing their name to make it look like emails are coming from one of us. Almost all of them fail due to countless blocks and blacklists. But to answer your question, there is not anything under the queue except those 8 under the processing tab, and all my users use webmail, not Outlook or anything like that. Do you think changing the password of all accounts would work?
clan
If you are not an open relay, then someone must authenticate on your Kerio server to use it for SMTP. That is what I meant by 'local account used'. So what username is used to log into Kerio to send this email? If a user account is compromised, it is dead easy to use any 'From:' address on SMTP that you can think of. Somewhere the emails have entered your server, either by SMTP or by Webmail, and you need to find how and using which local user this happened. If you have eight messages in your queue, you should be able to look up how they entered your system in the mail log. Just changing all passwords may not be enough if a user has a compromised PC; you need to find out which account was used.
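The advice in the last three replies (look at the mail log, ignore the spoofed From:, find the Queue-ID's submission and the local user or host behind it) is mechanical enough to script. The following is an added example written for this thread, not Kerio's code and not posted by anyone in it. The "Sent:" lines follow the format quoted in the log above; the "Recv:" lines, and their Service, Sender-Host and User fields, are an ASSUMED layout for how Kerio records the submission, so check a real log and adjust the field names if they differ. The sample log, the user jsmith@superiorcompanies.net and the IP addresses are constructed for the demo. One detail taken from the quoted log: the harvested list is walked with punctuation sorting before digits before letters (haley.chadick, haley_jay, haley1214), so the "alphabetical" test uses that collation rather than plain ASCII order.

```python
"""Attribute a bulk send in a Kerio Connect mail log to the submission that
injected it.  Added example, not Kerio's code.  Recv: line layout is assumed."""
import re
from collections import defaultdict

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<kind>Sent|Recv): (?P<rest>.*)$")
# "Key: value" pairs; a value runs until the next ", Key: " so a Status text
# such as "421 ... Service unavailable - try again later" stays whole.
FIELD = re.compile(r"([A-Za-z-]+): (.*?)(?=, [A-Za-z-]+: |$)")

# Constructed sample (not real data).  509d... is the bulk run seen in the
# thread; 50ab... is an ordinary message with three recipients.
SAMPLE_LOG = """\
[20/Nov/2012 16:53:30] Recv: Queue-ID: 509d7748-0001a458, Service: SMTP, From: <btt.reeves@gmail.com>, Size: 2412, Sender-Host: 203.0.113.7, User: jsmith@superiorcompanies.net
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <hale_jared@yahoo.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <hale856@hotmail.com>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <haleem1478@gmail.com>, Result: failed, Status: 5.1.1 550 5.2.1 The email account that you tried to reach is disabled. f5si10404159qap.14
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <halen04@cs.com>, Result: failed, Status: 4.4.1 421 mtain-mg01.r1000.mx.aol.com Service unavailable - try again later
[20/Nov/2012 16:53:31] Sent: Queue-ID: 509d7748-0001a458, Recipient: <haley1214@comcast.net>, Result: failed, Status: 4.4.1 Cannot connect to remote host
[20/Nov/2012 16:54:10] Recv: Queue-ID: 50abfa05-0000116e, Service: WebMail, From: <alice@superiorcompanies.net>, Size: 980, Sender-Host: 192.0.2.15, User: alice@superiorcompanies.net
[20/Nov/2012 16:54:11] Sent: Queue-ID: 50abfa05-0000116e, Recipient: <zoe@example.com>, Result: ok, Status: 250 2.0.0 OK
[20/Nov/2012 16:54:11] Sent: Queue-ID: 50abfa05-0000116e, Recipient: <bob@example.com>, Result: ok, Status: 250 2.0.0 OK
[20/Nov/2012 16:54:11] Sent: Queue-ID: 50abfa05-0000116e, Recipient: <mary@example.com>, Result: ok, Status: 250 2.0.0 OK
"""

UNKNOWN = {"user": "?", "host": "?", "service": "?", "from": "?"}


def parse(lines):
    """Yield (timestamp, kind, fields) for each Sent/Recv line; skip the rest."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield m["ts"], m["kind"], dict(FIELD.findall(m["rest"]))


def _collate(local_part):
    """Sort key matching the quoted log: punctuation < digits < letters."""
    return [(0 if not c.isalnum() else 1 if c.isdigit() else 2, c) for c in local_part]


def is_alphabetical(recipients, min_run=3):
    """True when recipients were sent in sorted order: the sign of a harvested
    list walked A to Z, which normal user mail does not produce."""
    keys = [_collate(r.strip("<>").split("@")[0].lower()) for r in recipients]
    return len(keys) >= min_run and keys == sorted(keys)


def attribute(lines):
    """Join every Queue-ID's deliveries to the Recv: line that injected it."""
    origin, sent = {}, defaultdict(list)
    for _, kind, f in parse(lines):
        qid = f.get("Queue-ID")
        if kind == "Recv":
            origin[qid] = {"user": f.get("User", "?"), "host": f.get("Sender-Host", "?"),
                           "service": f.get("Service", "?"), "from": f.get("From", "?")}
        else:
            sent[qid].append(f)
    report = {}
    for qid, deliveries in sent.items():
        rcpts = [d["Recipient"] for d in deliveries]
        report[qid] = {**origin.get(qid, UNKNOWN),
                       "recipients": len(rcpts),
                       "failed": sum(d.get("Result") == "failed" for d in deliveries),
                       "alphabetical": is_alphabetical(rcpts)}
    return report


def suspects(report, min_recipients=3):
    """Queue-IDs to act on: a sorted recipient list where at least half failed."""
    return sorted(q for q, r in report.items()
                  if r["recipients"] >= min_recipients and r["alphabetical"]
                  and 2 * r["failed"] >= r["recipients"])


if __name__ == "__main__":
    rep = attribute(SAMPLE_LOG.splitlines())
    for qid in suspects(rep):
        r = rep[qid]
        print(f"{qid}: {r['recipients']} rcpts, {r['failed']} failed, injected via "
              f"{r['service']} by {r['user']} from {r['host']} (From: {r['from']})")
```

The "From:" column is kept only for reference; as clan says, it is whatever the sender typed. The "user" and "host" columns are what you act on: disable or re-password that account, block that submitting address, and then check whether the PC behind it is infected. Run it against the real 500 MB log with `attribute(open(path, errors="replace"))`, which streams the file line by line.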