Spam Filter ISP Support Forum


Possible open relay

Author: aco_pa (Newbie, joined 08 April 2008)
Posted: 10 April 2008 at 3:55pm
It appears that my instance of Spamfilter may be an open relay or otherwise hacked. I have been getting tens of thousands of NDRs to a bogus email account and, as near as I can tell, the message originated from the server that Spamfilter (mailin.pcu.net) runs on. I have not been able to catch any outgoing messages, only the returned messages, but there is a lot more network traffic when I look at historical data in and out of my firewalls/routers.
Is something wrong? Or am I just the victim of some spammer using my domain?
 
I have included a sample message with headers and the contents of Spamfilter.ini. I can include logs if needed.
 
Thanks for the help tracking this down.
 
=================================
Returned message:
=================================
Return-Path: <>
Received: from mailin.pcu.net (mailin.pcu.net [67.128.36.6])
    by mail.pcu.net (PCU.NET Mail Server v5.0) with SMTP id OZK59305
    for <rlpfx@pcu.net>; Tue, 08 Apr 2008 15:54:05 -0600
Received: from 130.94.122.150 by mailin.pcu.net (LogSat Software SMTP Server); Tue, 8 Apr 2008 15:53:56 -0600
Received: from localhost (localhost)
    by smtp4.mxsave.com (8.13.8/8.13.8) id m38FPfls028487;
    Tue, 8 Apr 2008 08:25:41 -0700
Date: Tue, 8 Apr 2008 08:25:41 -0700
From: Mail Delivery Subsystem <MAILER-DAEMON@smtp4.mxsave.com>
Message-Id: <200804081525.m38FPfls028487@smtp4.mxsave.com>
To: <rlpfx@pcu.net>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="m38FPfls028487.1207668341/smtp4.mxsave.com"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
X-Server: LogSat Software SMTP Server
X-SF-RX-Return-Path: <>
X-SF-HELO-Domain: smtp4.mxsave.com
X-SF-Originating-IP: 130.94.122.150
X-SF-WhiteListedReason: Whitelisted EmailTO
X-Spam-Status: No, hits=1.22 required=6.80 tests=DATE_IN_PAST_06_12,BAYES_00,VOWEL_TOCC_5 version=3.2.1
X-Spam-Level: *
X-Spam-Checker-Version: SpamAssassin 3.2.1 (1.0) on mail.pcu.net

This is a MIME-encapsulated message

--m38FPfls028487.1207668341/smtp4.mxsave.com

The original message was received at Tue, 8 Apr 2008 08:25:37 -0700
from ppp-124-121-33-114.revip2.asianet.co.th [124.121.33.114]

   ----- The following addresses had permanent fatal errors -----
<exalt@goldenstar.com>
    (reason: 571 Delivery not authorized, message refused)

   ----- Transcript of session follows -----
... while talking to [64.198.147.91]:
>>> DATA
<<< 571 Delivery not authorized, message refused
554 5.5.0 Remote protocol error

--m38FPfls028487.1207668341/smtp4.mxsave.com
Content-Type: message/delivery-status

Reporting-MTA: dns; smtp4.mxsave.com
Received-From-MTA: DNS; ppp-124-121-33-114.revip2.asianet.co.th
Arrival-Date: Tue, 8 Apr 2008 08:25:37 -0700

Final-Recipient: RFC822; exalt@goldenstar.com
Action: failed
Status: 5.0.0
Remote-MTA: DNS; [64.198.147.91]
Diagnostic-Code: SMTP; 571 Delivery not authorized, message refused
Last-Attempt-Date: Tue, 8 Apr 2008 08:25:41 -0700

--m38FPfls028487.1207668341/smtp4.mxsave.com
Content-Type: text/rfc822-headers

Return-Path: <rlpfx@pcu.net>
Received: from ppp-124-121-33-114.revip2.asianet.co.th (ppp-124-121-33-114.revip2.asianet.co.th [124.121.33.114])
    by smtp4.mxsave.com (8.13.8/8.13.8) with SMTP id m38FPQls028290
    for <exalt@goldenstar.com>; Tue, 8 Apr 2008 08:25:37 -0700
Received: from 67.128.36.6 (HELO mailin.pcu.net)
    by goldenstar.com with esmtp ({nChar[8-12]} {nChar[4-6]})
    id QsPPZ-IB58uA-F0
    for exalt@goldenstar.com; Tue, 08 Apr 2008 22:24:08 +0700
Message-ID: <0a5501c8998c$96edfef0$7221797c@Vance>
From: "Vance Oconnor" <Vance@pcu.net>
To: "Sammie Skinner" <exalt@goldenstar.com>
Subject: Hot nights are guaranteed
Date: Tue, 08 Apr 2008 22:24:08 +0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_2643_0ABD_01C899C7.434CD6F0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869

--m38FPfls028487.1207668341/smtp4.mxsave.com--

 
 
 
=================================
Spamfilter config
===================================
; a true after an ordb entry means their DNS is expecting the IP to be reversed
; i.e. to test a connection from 1.2.3.4 they expect 4.3.2.1.bl.spamcop.net
;site6=dnsbl.sorbs.net, true
;site7=dun.dnsrbl.net, true
[server settings]
; dns - your DNS server
dns=127.0.0.1,64.137.0.6,67.128.36.11,205.171.3.65,205.171.2.65
; SpamFilter can be limited to listen on one or more specific IPs. Leave empty for all IPs, or separate multiple IPs with a comma ","
;ListenIP=209.26.140.2
;or....
;ListenIP=209.26.140.2,209.26.140.3
ListenFQDN=mailin.pcu.net
ListenPort=25
;The email address to use in Error Replies to senders
ErrorHandlerEmailAddress="System Administrator" <server@pcu.net>
; DestinationServer is where you want all mail received by SpamFilter to be forwarded to
DestinationServer=mail.pcu.net
DestinationPort=25
; AllowPercent is used to accept (AllowPercent=1) or reject (AllowPercent=0) emails containing the % character.
; Many SMTP servers are susceptible to being tricked into relaying with this.
; Ex. if you are netwide.net, then a spammer can use
; mail to: joe%yahoo.com@netwide.net
; to relay mail to joe@yahoo.com if your server is vulnerable
; Setting AllowPercent to 0 rejects ALL recipient email addresses containing the % sign
;log daily activity to logfiles
Logging=1
MultiThreaded=1
MaxInboundConnections=450
;Set this to 1 if you want to disable EHLO extensions
DisableEHLO=0
;Any emails whose text portion exceeds this number of KB will not be scanned for keywords and Bayes
;Higher values *may* catch more spam but will cause higher load on processor
MaxMsgSizeForKeywordScan=64
;Set FilterBase64html to 1 if you want to block any emails with Content-Transfer-Encoding=base64 and Content-Type=text/html or text/plain
FilterBase64html=0
;Set RequireHELOBeforeMAILFROM to 0 if you do not want to require remote servers to issue a HELO or EHLO command before sending the email
RequireHELOBeforeMAILFROM=1
;Controls the minimum number of good and spam emails that must be received before the Bayesian filter kicks in
MinEmailsForBayesKickIn=5000
;by default SpamFilter will not allow any IP to relay thru it. Change DoNotTrustSelfByDefault to 1 if you want localhost to be able to relay
DoNotTrustSelfByDefault=0
;Remove any stale token in the corpus db.dat file that did not appear in incoming emails for the past n days
CleanUpCorpusIntervalDays=3
;Force disconnect of sessions after they have remained connected for this long
IdleDisconnectMinutesTimeout=15
;Force disconnect of sessions if a command has not been received within the last nn seconds
ReadTimeout=120
;Timeout when delivering emails to the destination SMTP server (in seconds)
ReadTimeoutOutgoing=120
;if turned on, this will cause tokens in incoming emails being logged to screen with relevant probabilities
ShowBayesianTokens=0
;Set TagSPAMAndQuarantine=1 if you want to prefix every quarantine subject line with the prefix specified in SPAMTagPrefix ini parameter
;This SPAMTagPrefix will be prefixed to all subject lines marked for "mark as SPAM and deliver" along with the action specified by TagSPAMAndQuarantine
SPAMTagPrefix=SPAM:
;Setting DoNotSendNDROnQuarantine to 1 will prevent generation of NDR when email are quarantined by causing SpamFilter *not* to send an error code when quarantining emails
DoNotSendNDROnQuarantine=0
;If turned on, the threads that save to disk and load into memory the bayes corpus tokens will have increased priority
BoostBayesPriority=1
;if TrailingSQLSemiColon is set to 1 SpamFilter will add a ";" to the end of SQL statements. Disable only to help solve problems with some databases.
TrailingSQLSemiColon=1
;If turned on, any quarantined (false positives) emails that the end user force-delivers will cause the sender to be automatically whitelisted
AutoWhiteListForceDeliveryEnabled=1
;if EnableBadMailDir is set to 1, this will cause all emails that generate a "server error" when forwarded to your destination SMTP server will be saved in a "BadMailDir" for troubleshooting
EnableBadMailDir=0
;if ScanReceivedHeaders is set to 1 SpamFilter will add the "Received:" headers to the text examined for keywords and statistical Bayesian searches.
ScanReceivedHeaders=1
;if ScanAllHeaders is set to 1 SpamFilter will add all email's headers to the text examined for keywords and statistical Bayesian searches.
ScanAllHeaders=0
;Number of hours SpamFilter will retry to deliver messages in queue to your destination SMTP server if it was unreachable. Enter 0 to try forever until back online.
ExpireRetryQueueHours=0
;Path to logfile directory
LogFilePath=C:\Program Files\SpamFilter\logfiles
;Optional destination SMTP server where to forward SPAM emails only. Good emails are still forwarded to main SMTP server
DestSMTPServerForSPAM=
;The frequency in seconds for which the quarantine table is scanned to check for emails pending delivery - includes web-access password registration emails
QuarantineToDeliverCheckInterval=5
;By default the activity logfile is saved to disk every 60 seconds. Set RealtimeDiskLogging=1 to save the log every time it is updated
RealtimeDiskLogging=0
;Add any IPs (separated by commas - no wildcards) that you do not wish to be automatically added to the Honeypot IP blacklist. This setting also prevents those IPs to be added to the IP cache blacklist
DoNotAddIPToHoneypot=
;An alternate server for sending NDR (non-delivery) notification emails can be used. Leave the "NotificationSMTPServer" value blank to use the default destination SMTP server
NotificationSMTPServer=
NotificationSMTPServerPort=25
;Set EnableDbgLogs=1 to enable separate detailed logging for troubleshooting purposes
EnableDbgLogs=0
;The timeout in milliseconds for all DNS-related queries.
DNSTimeout=5000
;If an IP sends more than this number of spams in a certain period of time then it is temporarily banned (blacklisted)
IPCacheLimboCountTrigger=3
;If an IP sends more than a certain number of spams during this number of minutes then it is temporarily banned (blacklisted)
IPCacheLimboTimeTrigger=10
;If an IP address was banned because it sent too many spams in a certain time interval, it will be un-banned after this number of minutes
IPCacheBlacklistDuration=60
;You can force the antivirus plugin to block emails if they contain password protected archives that cannot be tested for viruses by setting this to 1
BlockArchivesWithPassword=0
;By default SpamFilter will only perform DNS lookups when the reverse DNS filter is enabled. Change value to 1 to always perform a reverse lookup on connecting IPs
AlwaysDoReverseDNSLookups=0
;Specifies how often the logfiles are rotated (Min=1, Max=24). The default is 24 (rotates at midnight). A value of 1 means every hour at the hour, value of 2 means at 2am, 4am, 6am etc...
RotateLogsEveryNNhours=24
;Change DoNotStartWithoutAV to 1 if you do not want SpamFilter to start/run if there is an error with the Antivirus plugin.
DoNotStartWithoutAV=0
;Determines if SpamFilter should hold in the queue emails that were rejected by the destination SMTP server with an error in the 4xy range
QueueIfDestinationError400=0
;Determines if SpamFilter should hold in the queue emails that were rejected by the destination SMTP server with an error in the 5xy range
QueueIfDestinationError500=0
;Determines if SpamFilter should remove from the queue emails that could not be delivered to the destination SMTP server due to a "Read Timeout" (an NDR is sent if the email is removed from the queue)
DoNotQueueIfReadTimeout=0
;Image filter threshold. Higher values indicate a more aggressive filter. 0 disables the filter. Min=0, Max=15
;Image filter color sensitivity. Used internally to detect color shades
SpamImageColorSensitivity=20
;Images embedded in email's html having a width smaller than this will not be scanned. Useful to bypass signatures and logos
SpamImageMinWidth=300
;Images embedded in email's html having a height smaller than this will not be scanned. Useful to bypass signatures and logos
SpamImageMinHeight=300
;Determines the number of points that will be scanned in a image to process it for spam
SpamImageSamplingPoints=200
;to reduce false positives, emails with multiple inline images can bypass the image filter by setting this value to 1
SpamImagePassMultiImage=1
;Specify the max number of pages a PDF document must contain in order to be scanned for spam signatures. The scan will be skipped altogether if there are more than this number of pages
SpamPDFMaxPagesToScan=0
;Anthony changed this from 1 to 0 09/15/2007 to alleviate too many connections to mail server
;Specify the max number height in pixel of a PDF pages that will be scanned for spam signatures. To reduce false positives, pages taller than this will not be scanned
SpamPDFMaxPixelHeight=1600
;SpamFilter can block emails that contain only an empty, blank body and one of the following attachment. Clear the list if you don't want to stop such emails. Specify multiple attachments separated by commas
BlockBlankEmailsWithAttachments=*.pdf
;Set this to 0 to prevent queued emails to be spooled to memory, and force spooling to disk. While less efficient, spooling to disk helps allow existing antivirus software to detect and block some infected email files
SpoolQueueFilesToMemory=1
;If the private key of the SSL certificate is protected by a password, enter is here
SSLCertificatePassword=
;Some older email clients have a bug that requires them to see "AUTH=LOGIN" in the EHLO response rather than "AUTH LOGIN". Set this to 1 to add the incorrect syntax to the EHLO output. Changes to this setting require SpamFilter to be restarted
AddIncorrectAUTHLOGINEHLOEntry=0
;Timeout in seconds used in the some SQL commands (Ex. inserting a new record in the tblQuarantine table)
MiscSQLTimeout=5
;SpamFilter Enterprise will delete temporary entries in the tblReloadTableInfo after they have been kept for this long. This parameter is used to allow multiple installations of SpamFilter Enterprise to maintain their settings in sync. It can be reduced to 5-10 seconds for installations running only one instance of SpamFilter Enterprise
SecondsToHoldEntriesIntblReloadTableInfo=600
;If the "AuthorizedTO" whitelist is used to specify the list of valid email addresses that can be accepted, by default SpamFilter will terminate a connection when the remote server specifies an invalid address in the RCPT TO command. You can use the following option to disable this forced disconnect, and cause SpamFilter to simply reject the invalid recipient, and continue to accept additional ones
ForceDisconnectOnNonAuthorizedTO=true
;Use this option to prevent SpamFilter from performing the routine cleanup of the quarantine database by deleting old archived emails. Useful if admins want to perform their own cleanup
DoNotDeleteExpiredEmailsFromQuarantine=0
;SpamFilter is able to block blank emails that contain specific attachments. This parameter is used to specify the threshold of characters below which an email is considered blank
MaxLettersToConsiderEmailBlank=4
LocalDomainsFilterMatrixFileName=
SFEActivationCode=
DestSMTPServerForSPAMPort=25
ListenPortSSL=465
ResponseWelcomeBanner=Welcome to SpamFilterISP SMTP Server %Ver%  
XServerHeader=LogSat Software SMTP Server
ccTLDsFileName=C:\Program Files\SpamFilter\ccTLDs.txt
ResolveDNSCache=1
EnableActivityLog=0
EnableIPCacheBlacklist=1
PatchesURL=http://download.logsat.com/SpamFilter/pub/
LogKeywords=1
AutoVersionCheck=1
DisableConnectionsGrid=0
AddVirusSenderToHoneypot=0
RememberStats=1
MaxInboundConnectionsSameIP=10
MaxRCPTTO=25
MaxIncomingMsgSize=0
FlushQueueInterval=15
VirusFoundAction=0
ArchiveSpamDays=0
DeleteExpiredEmailInterval=60
DBPatchesApplied=
SFDB_URL=http://sfdb.logsat.com/SFDBUpload/
UserSelectEnterpriseVersion=0
DisconnectOnNonAuthorizedTO=1
MaxGridRecords=1000
BayesProbTrigger=138
EnableBayesianThread=1
ReceiveBodyIfNotInAuthTO=1
SPAMTagHeader=X-SF-SPAM:Y
HideXSFWhiteListedReasonHeader=0
GreyListEnabled=0
ForwardAllSPAMtoEmailAddress=
ListenIP=
MaxMsgSizeForSpamFiltering=768
GreyListInterval=300
GreyListLimboHold=12
GreyListAllowedHold=90
HashCacheBlacklistDuration=60
SFDC_URL=http://sfdb.logsat.com/SFDCUpload/
 
;SpamFilter uses the http and https protocols to query the SFDB database and to download antivirus updates. You can specify a proxy to use for these operations with the options in the [proxy settings] section
[proxy settings]
ProxyServer=
ProxyUsername=
ProxyPassword=
ProxyPort=0
ProxyBasicAuthentication=0
[Error Response]
ResponseBlacklistedMAPS=521 The IP %IP% is Blacklisted by %MAPSResponse%.
ResponseBlacklistedSURBL=521 A URL in the email is Blacklisted by SURBL: %MAPSResponse%.
ResponseBlacklistLocalIP=521 The IP %IP% is Blacklisted.
ResponseBlacklistLocalDomain=521 The domain %Domain% is Blacklisted.
ResponseEmptyMAILFROM=521 Emails with an empty MAIL FROM are not allowed
ResponseBlacklistLocalEMail=521 The EMail %EMailFrom% is Blacklisted.
ResponseBlacklistLocalEMailTo=521 The EMail %EMailTo% is Blacklisted.
ResponseNoReverseDNS=557 Your IP %IP% does not have a reverse DNS entry. Disconnecting...
ResponseNoMX=557 Your domain %Domain% does not have a valid MX DNS record. Disconnecting...
ResponseMaxRCPTTO=557 You exceeded then maximum number of RCPT TO. Disconnecting...
ResponseCountryBlacklist=557 Your IP address is from a blacklisted country. Disconnecting..
ResponseRelayRestricted=557 You are not allowed to send mail to %EMailTo%
ResponseNotInAuthorizedTO=557 You are not allowed to send mail to %EMailTo%
ResponseHoneypotMatch=521 The IP %IP% is Blacklisted.
ResponseKeywordMatch=557 This email is rejected. It contains keywords rejected by the antispam content filter.
ResponseVirusFound=557 This email is rejected because it contains a virus
ResponseSPF=550 The sender did not meet Sender Policy Framework rules. Please see http://spf.pobox.com
ResponseMaxIncomingMsgSize=552 This email is rejected. It exceeds the maximum allowed message size.
ResponseIPCacheBlacklist=421 Your IP is temporarily blocked, please try again later.
ResponseSpamImage=557 This email is rejected. It contains content rejected by the antispam filter.
ResponseSFDB=557 Your IP %IP% is currently listed in SpamFilter ISP's Distributed Blacklist. Please see http://www.logsat.com/SFDB/why.asp for details.
ResponseSFDC=557 The email content matches known spam signatures.
ResponseGreyList=421 This server implements greylisting, please try again in %Time% seconds
[NVC]
AVActivationCode=
AVUpdateURL=https://nvc.logsat.com/SpamFilter/
AVEnableUpdates=1
[Authentication settings]
AuthenticationMethod=0
ActiveDirectoryDomain=
PasswdFileFileName=
LDAPServerPrimary=
LDAPPortPrimary=389
LDAPServerSecondary=
LDAPPortSecondary=389
LDAPSearchDN=
LDAPSearchPassword=
LDAPSearchBaseDN=
LDAPSearchMask=(|(sAMAccountName=%0:s)(uid=%0:s)(UserPrincipalName=%0:s))
ActiveDirectoryAuthPrefixDefaultDomain=0
ActiveDirectoryAuthAppendDefaultDomain=0
[stats]
RequestCount=80064330
EMailsBlocked=45187050
EMailsForwarded:=2025261
EmailsReceived=31975437
[statscountry]
C0=213549
C1=270
C2=15321
C3=8211
C4=254310
C5=2739
C6=35885
C7=2353
C8=13261
C9=8042
C10=14755
C11=2881
C12=0
C13=1993859
C14=344
C15=389995
C16=863820
C17=9651
C18=29320
C19=34755
C20=17678
C21=21387
C22=230793
C23=8457
C24=404201
C25=47549
C26=107
C27=2900
C28=4871
C29=6774
C30=63343
C31=4312362
C32=11365
C33=287
C34=0
C35=6454
C36=52571
C37=5235
C38=1100072
C39=0
C40=1383
C41=111
C42=64
C43=448329
C44=22872
C45=18
C46=849782
C47=4161
C48=2838344
C49=1335709
C50=36939
C51=12839
C52=2325
C53=0
C54=12740
C55=754264
C56=3486500
C57=1792
C58=340246
C59=1183
C60=257933
C61=120093
C62=56677
C63=53935
C64=147535
C65=0
C66=759
C67=3432784
C68=3695
C69=195834
C70=6729
C71=4
C72=42
C73=7617
C74=3969138
C75=0
C76=1861
C77=3767680
C78=5247
C79=31243
C80=0
C81=2669
C82=2925
C83=3052
C84=1207
C85=270
C86=808
C87=761
C88=316505
C89=0
C90=108965
C91=827
C92=15
C93=639
C94=273156
C95=104
C96=26943
C97=150233
C98=3758
C99=707646
C100=137142
C101=202382
C102=959350
C103=1087123
C104=0
C105=2058
C106=86470
C107=40942
C108=4843319
C109=26192
C110=29023
C111=2768194
C112=18358
C113=7323
C114=7242
C115=27
C116=17
C117=2552
C118=0
C119=1255168
C120=63445
C121=1314
C122=144322
C123=6985
C124=17424
C125=5773
C126=20411
C127=28489
C128=95
C129=386
C130=239282
C131=42968
C132=147086
C133=8285
C134=331252
C135=4150
C136=24279
C137=2251
C138=113
C139=45251
C140=2546
C141=74
C142=13366
C143=22520
C144=2499
C145=433
C146=1908
C147=182
C148=32486
C149=19897
C150=6734
C151=904
C152=672772
C153=506274
C154=2061
C155=3251
C156=4723
C157=375
C158=0
C159=22026
C160=11148
C161=1393486
C162=173538
C163=3272
C164=0
C165=0
C166=97583
C167=11466
C168=65754
C169=964369
C170=5019
C171=282
C172=269733
C173=87755
C174=2652071
C175=358
C176=0
C177=117160
C178=32968
C179=717943
C180=239
C181=9967
C182=51251
C183=814
C184=1033148
C185=3187211
C186=194
C187=123432
C188=380
C189=1333
C190=6679
C191=395910
C192=175788
C193=0
C194=68910
C195=0
C196=255138
C197=2556
C198=2465
C199=28033
C200=364
C201=4476
C202=490
C203=55982
C204=7156
C205=168
C206=860
C207=19
C208=0
C209=2579
C210=831945
C211=2566
C212=0
C213=533
C214=2689
C215=124
C216=0
C217=3392564
C218=30074
C219=1
C220=308722
C221=3549
C222=680582
C223=1335
C224=0
C225=13762880
C226=89872
C227=14634
C228=33
C229=4013
C230=310248
C231=1476
C232=2593
C233=279827
C234=557
C235=12
C236=18
C237=2565
C238=3
C239=208118
C240=144802
C241=1531
C242=7357
C243=1592
C244=53
C245=36569
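The AllowPercent comment in the config above describes why a filtering MTA must look at more than the domain after the last "@" before accepting a recipient. The following Python is an added example, not SpamFilter's code: it makes the RCPT TO relay decision for a filter that hosts a constructed domain list, rejecting non-local domains (reusing the 557 wording from the [Error Response] section) and refusing the "%" source-route form the comment warns about, together with the other classic source-route syntaxes. The function, class and domain names are assumptions for this example.

```python
"""Relay decision on RCPT TO, in the spirit of the AllowPercent comment above.

Added example, not SpamFilter's code. A filtering MTA that only accepts mail
for its own domains must also refuse source-routed recipients such as
joe%yahoo.com@netwide.net, which a vulnerable downstream server would expand
and deliver to joe@yahoo.com, turning the filter into a relay. The domain
list and the sample addresses below are constructed for the example.
"""
from dataclasses import dataclass

LOCAL_DOMAINS = {"pcu.net"}  # constructed: the domains this filter relays for


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reply: str  # SMTP reply the server would send for this RCPT TO


def check_recipient(rcpt, local_domains=LOCAL_DOMAINS, allow_percent=False):
    """Decide whether to accept one RCPT TO argument, e.g. '<joe%yahoo.com@pcu.net>'."""
    addr = rcpt.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if "@" not in addr:
        return Verdict(False, "501 Syntax error: recipient must be user@domain")
    local_part, _, domain = addr.rpartition("@")
    # Relay control: the domain after the last '@' must be one we host.
    if domain.lower() not in local_domains:
        return Verdict(False, f"557 You are not allowed to send mail to {addr}")
    # Source-route syntaxes smuggle a second destination into the local part:
    # the '%' hack (AllowPercent=0 in the config), UUCP '!' bang paths, and
    # RFC 821 route addresses that begin with '@host:'.
    if "%" in local_part and not allow_percent:
        return Verdict(False, f"557 Percent-routed recipient rejected: {addr}")
    if "!" in local_part or local_part.startswith("@"):
        return Verdict(False, f"557 Source-routed recipient rejected: {addr}")
    return Verdict(True, "250 OK")


if __name__ == "__main__":
    for rcpt in ("<rlpfx@pcu.net>", "<joe%yahoo.com@pcu.net>", "<joe@yahoo.com>"):
        print(rcpt, "->", check_recipient(rcpt).reply)
```

The order of the checks matters: the domain test alone would accept joe%yahoo.com@pcu.net, because the visible domain is local; only the local-part inspection catches the smuggled destination.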
 
Author: LogSat (Admin Group, joined 25 January 2005, Location: United States)
Posted: 10 April 2008 at 10:36pm
aco_pa,

SpamFilter is not an open relay and has not been "hacked". In the message you posted, we can see that you whitelisted the email TO "rlpfx@pcu.net" (or used a combination of wildcards in the email TO whitelist that caused that email to be whitelisted). This means that any emails sent to rlpfx@pcu.net will skip all filtering rules and will be delivered.

This said, the only email that SpamFilter processed was the NDR email that was sent to it, with the subject "Returned mail: see transcript for details" and recipient "rlpfx@pcu.net". This is the only email that was received by SpamFilter, and since the address was whitelisted, it was forwarded to your server.

Emails that are processed by SpamFilter have the header:
X-Server: LogSat Software SMTP Server
and will also have a "Received:" header containing the phrase "LogSat Software SMTP Server"

If you check your bounce email, the only place where these occur is in the NDR itself.


The original spam, however, appears to be sent from someone else (ppp-124-121-33-114.revip2.asianet.co.th [124.121.33.114]). This spammer spoofed the return address as "rlpfx@pcu.net". This is what looks like the original spam:

Return-Path: <rlpfx@pcu.net>
Received: from ppp-124-121-33-114.revip2.asianet.co.th (ppp-124-121-33-114.revip2.asianet.co.th [124.121.33.114])
by smtp4.mxsave.com (8.13.8/8.13.8) with SMTP id m38FPQls028290
for <exalt@goldenstar.com>; Tue, 8 Apr 2008 08:25:37 -0700
Received: from 67.128.36.6 (HELO mailin.pcu.net)
by goldenstar.com with esmtp ({nChar[8-12]} {nChar[4-6]})
id QsPPZ-IB58uA-F0
for exalt@goldenstar.com; Tue, 08 Apr 2008 22:24:08 +0700
Message-ID: <0a5501c8998c$96edfef0$7221797c@Vance>
From: "Vance Oconnor" <Vance@pcu.net>
To: "Sammie Skinner" <exalt@goldenstar.com>
Subject: Hot nights are guaranteed
Date: Tue, 08 Apr 2008 22:24:08 +0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_2643_0ABD_01C899C7.434CD6F0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
--m38FPfls028487.1207668341/smtp4.mxsave.com--

Unfortunately this causes an NDR somewhere, which is sent to rlpfx@pcu.net. Since you whitelisted that address, SpamFilter then delivers you the email.

Roberto Franceschetti

LogSat Software

Spam Filter ISP
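The check described in the reply above (look for the "LogSat Software SMTP Server" stamp to see which hops the filter handled, then read the bounced message's own Received: chain) can be automated. The Python below is an added example, not SpamFilter's or LogSat's code; it embeds a constructed, trimmed copy of the bounce from this thread, uses only the standard library, and treats the hop added by the reporting MTA as the trust boundary. The marker string, the host name mailin.pcu.net and the names of the fields it returns are assumptions made for this example.

```python
"""Backscatter triage for a bounce (DSN), following the reasoning in the reply above.

Added example, not SpamFilter's or LogSat's code. It checks which hops of the NDR the
filter stamped ("LogSat Software SMTP Server" in Received: and X-Server:), and whether
the filter host appears in the bounced message's own Received: chain as a receiving
("by") host (a real relay) or only as a HELO name in a sender-supplied hop (forgery).
"""
import email
import re
from email import policy

FILTER_MARKER = "LogSat Software SMTP Server"  # phrase SpamFilter stamps on its hops
FILTER_HOST = "mailin.pcu.net"                 # host the original poster suspected

# Constructed sample: the bounce from the thread, trimmed to the relevant headers.
SAMPLE_NDR = """\
Received: from mailin.pcu.net (mailin.pcu.net [67.128.36.6])
\tby mail.pcu.net (PCU.NET Mail Server v5.0) with SMTP id OZK59305
\tfor <rlpfx@pcu.net>; Tue, 08 Apr 2008 15:54:05 -0600
Received: from 130.94.122.150 by mailin.pcu.net (LogSat Software SMTP Server); Tue, 8 Apr 2008 15:53:56 -0600
To: <rlpfx@pcu.net>
Subject: Returned mail: see transcript for details
X-Server: LogSat Software SMTP Server
Content-Type: multipart/report; report-type=delivery-status;
\tboundary="m38FPfls028487.1207668341/smtp4.mxsave.com"

--m38FPfls028487.1207668341/smtp4.mxsave.com
Content-Type: message/delivery-status

Reporting-MTA: dns; smtp4.mxsave.com

Final-Recipient: RFC822; exalt@goldenstar.com

--m38FPfls028487.1207668341/smtp4.mxsave.com
Content-Type: text/rfc822-headers

Return-Path: <rlpfx@pcu.net>
Received: from ppp-124-121-33-114.revip2.asianet.co.th (ppp-124-121-33-114.revip2.asianet.co.th [124.121.33.114])
\tby smtp4.mxsave.com (8.13.8/8.13.8) with SMTP id m38FPQls028290
\tfor <exalt@goldenstar.com>; Tue, 8 Apr 2008 08:25:37 -0700
Received: from 67.128.36.6 (HELO mailin.pcu.net)
\tby goldenstar.com with esmtp ({nChar[8-12]} {nChar[4-6]})
\tfor exalt@goldenstar.com; Tue, 08 Apr 2008 22:24:08 +0700
From: "Vance Oconnor" <Vance@pcu.net>
Subject: Hot nights are guaranteed

--m38FPfls028487.1207668341/smtp4.mxsave.com--
"""

RECEIVED_RE = re.compile(r"from\s+(\S+)(?:\s+\((.*?)\))?.*?\bby\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: header into sender, claimed HELO, bracketed IP and receiver."""
    raw = " ".join(str(value).split())  # unfold and squeeze whitespace
    m = RECEIVED_RE.search(raw)
    if not m:
        return None
    comment = m.group(2) or ""
    helo = re.search(r"\bHELO\s+(\S+)", comment)
    ip = IP_RE.search(comment)
    return {"from": m.group(1).lower(), "by": m.group(3).lower(),
            "helo": helo.group(1).lower() if helo else None,
            "ip": ip.group(1) if ip else None, "raw": raw}


def received_chain(msg):
    """Parsed Received: hops in header order (newest first); malformed ones are skipped."""
    return [h for h in map(parse_received, msg.get_all("Received", [])) if h]


def triage(raw_ndr, filter_host=FILTER_HOST, marker=FILTER_MARKER):
    """Classify one bounce: relayed through the filter, or backscatter from a forged sender?"""
    ndr = email.message_from_string(raw_ndr, policy=policy.default)
    reporting_mta, original = None, None
    for part in ndr.walk():
        if "Reporting-MTA" in part:  # per-message block of the delivery-status part
            reporting_mta = str(part["Reporting-MTA"]).split(";")[-1].strip().lower()
        elif part.get_content_type() == "text/rfc822-headers":
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            original = email.message_from_string(text, policy=policy.default)
    hops = received_chain(original) if original else []
    # Only the hop the bouncing MTA added itself is trustworthy; every older hop
    # (further down the list) arrived inside the message and may be forged.
    idx = next((i for i, h in enumerate(hops) if h["by"] == reporting_mta), None)
    injection = hops[idx] if idx is not None else None
    sender_supplied = hops[idx + 1:] if idx is not None else hops
    return {
        "ndr_stamped_by_filter": str(ndr.get("X-Server", "")).strip() == marker,
        "ndr_hops_via_filter": [(h["from"], h["by"]) for h in received_chain(ndr)
                                if marker in h["raw"]],
        "reporting_mta": reporting_mta,
        "injection_host": injection["from"] if injection else None,
        "injection_ip": injection["ip"] if injection else None,
        "original_relayed_by_filter": any(h["by"] == filter_host for h in hops),
        "forged_filter_helo": any(h["helo"] == filter_host for h in sender_supplied),
    }
```

Calling triage(SAMPLE_NDR) reports that the filter stamped only the NDR hop (130.94.122.150 into mailin.pcu.net), that the reporting MTA smtp4.mxsave.com took the spam directly from the asianet host, and that mailin.pcu.net shows up in the bounced message only as a HELO name inside a hop the sender supplied: backscatter from a forged return path, not a relay. The same function on a bounce where the filter host appears as a "by" host above the injection hop would flag original_relayed_by_filter instead.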
Author: anthony (Newbie, joined 03 March 2008)
Posted: 11 April 2008 at 12:12pm
Sorry, I had added the whitelist to collect some of the messages; that was not part of the original configuration. Since the original post, the NDRs have all but disappeared. I've never seen that volume of returned messages without there being a problem somewhere; I guess I got a bit alarmed when that server more than tripled its used bandwidth.
 
Thanks for the help.