Jump to content


  • Content Count

  • Joined

  • Last visited

Community Reputation

0 Neutral

About JBradford

  • Rank
  1. JBradford

    Request for next steps to take

    NEVERMIND Just found the answer by looking a bit deeper in the forums.. whee! welcome to thousands of reports comin your way SpamCop! (original message) Three hours ago I got finished downloading nearly 10,000 spam emails that had been cluttered there. I've been on holiday for the past few weeks so it was quite a suprise. Upon review, I noticed almost 6000 mails (roughly) that were bounce-backs from mailservers.. "Undeliverable", "<spam?> Returned Mail", and stuff like that. Some were even in non-English, but were easily identified as returns from mailservers. I've sent an email to pacbell to see if there is anything they can do about it.. I'm guessing someone is spoofing my email address to send unsolicited mail. I did not send these mails, but I surely cant be expected to contact 7000 different recipients just to tell them "Sorry, wasn't me". Changing to a new email address to avoid this isn't possible. Too much money has already been invested in advertising and printing that carry the addresses that are being abused. I'm doubting, seriously, that any mailserver is going to block 'pacbell.net', as they are one of the largest ISP's in the southwest U.S., but I'd like to know if there is a way for me to either 'block' or 'auto-delete' these incoming mail bounce messages. Or should I be doing something else? I mean, these mails are coming from mailservers - and I did not request them - so are they spam that can be reported? Doubting that. Any help to 'cure' this problem will be appreciated. Kudos, J
  2. There seems to be nothing in the Visnetic Mailserver program to allow me to determine whether the reject notices go to the address or the IP. I cant find any answers online at the Visnetic site (deerfield.com), nor do I get any answers from my forum requests for assistance there. I've shut the server down for the evening.. gonna have a few ticked off people callin me tommorrow morning.. early.. so I've unplugged the phones And I still have no clue if I am interpreting the log file correctly or not.. since that's really the only 'instant' information I can get out of my server as to what's going on, I'm hoping someone can explain to me why 'we do not relay' is a bad thing.
  3. Thanks for the assistance. Here's another tidbit of information that I thought of.. dont know if it means anything or not, but I dont want to leave any stone unturned.. When our system was showing up as an 'open relay', it was obviously being abused by some type of spamming entity or software. When we appeared on the blocked lists (AOL was the first one to actually show up in our log files that even hinted about being blocked) our 'outgoing message queue' exploded with messages awaiting transmission to AOL.. then there were a lot of them from Yahoo listed on the queue. Then I changed our server settings and stopped our open relay. I deleted all of the messages in the outgoing queue.. and have never seen another one in there since. So.. if being on a blocked list keeps those mails from being sent.. thus they get held up in our outgoing list.. and we are still on those blocked list but the messages never make it to the queue.. Why does that NOT tell me that the messages are not going through our server any more? Additionally, I still need to know what kind of stupid I am. Apparantly I am misreading our log files. As I see it now, since every single email that has attempted to be sent through our system gets nothing but a 'we do not relay' message - that's telling me that my server is not sending them. I even checked some of the reported spams that I can actually read online.. the one's that are being blamed on my server for their transmission. When I cross reference those emails, based on time/sender/reciever, my logs tell me that the mail was not sent. They say 'we do not relay'. So.. am I misreading the 'we do not relay' part of my logs? Does that not mean what I think it means? I think it means the message came knocking, my server did it's validation on the sender, found out that the sender address was not listed among my authorized accounts list, and the message was turned away.. it was never sent. If that's not what it means, then I need to know what I DO need to look for in my logs. If I think 'we do not relay' means what it says, then obviously I need to set my goal at some other message in my log file. From what I can see in my logs - my server is not doing the sending. I suppose there is one way to test that theory.. shut it off for a day and see if it's still happening. I'm doubting that's going to work, because I'm not debating whether or not my server is actually sending these.. I just need to know how I can know for sure that I finally got it fixed. When every tester system on the internet tells me that my system is not allowing unauthorized emails through it's gates.. having a spam list tell me otherwise is just confusing. A bit more help and I can probably figure this out. I'll be doing virus scans and trojan scans out the wazoo tommorrow (nearly midnight here now and I've been at this since 7am). I'll also see about getting that rDNS problem fixed. Also.. what's with the spamcop addresses getting spammed by my server? I dont run lists of any kind. We've got 3 guys who work here with 6 email addresses between them.. and we mostly just email between ourselves? We dont 'bulk email' anything because we have no need for it. Our server is just for our own personal use. One thing I find intereresting.. and then I'll sit back and hope for a reply.. I changed ISP's about a week and a half ago. The only thing that I thought I'd have to do is swap the IP addresses on the server NIC and be done with it. Same server I've had up for 2 years now... with no spam problems at all. Within 20 minutes of me onlining the server with the new IP address.. all this spam started. No new programs were added. No modifications to any program. No operating system updates. No patches for any software. Just a new IP address. Kind of makes me wonder how anyone could have found my mailserver so quick, when it had just barely managed to propogate the net to it's new IP address that same day.. and the mailserver was off for most of that day. 20 minutes, I kid you not.. that's all it took for this thing to start flinging spam like it was candy to kids on halloween. Any theories on that one? Or do I just have lousey luck? Thanks again for the advice.. I'll be hittin that first thing. Until then, I'm going to manually shut down my mailserver for the evening to test a theory Kudos, JB
  4. Hello, We recently discovered that our newly moved (to a new IP address) mailserver was being used as an open relay to send out spams. Thousands of them. This past Friday we were alerted to the issue and immediatly closed that gaping hole. However, even though all of our logs since Friday are showing thousands of attempts at sending spam through our server - and every one of those attempts showing a 'We do not Relay' message before disconnection from the sending source - the spams are still going through. I have my server set to require POP authentication to send a message. My only relay is through the local server itself and no other IP addresses. I have the server set to reject all incoming mail that cannot provide a rDNS lookup I have the server set to reject all incoming mail from hostnames that have no MX record Every time I have checked the various 'Open Relay Checkers' online, my system passes with flying colors. None of them show me as being an open relay. So, if I'm not an open relay and I have all of the previously mentioned security procedures in place.. how is it that spam is still going out with my IP address plastered all over it as the sender? I am using Visnetic Mailserver v.5 My IP Address is Here is a short exerpt from my recent log file: [0001B9B4] Wed, 02 Nov 2005 20:20:03 -0700 Connected [0001B9B4] Wed, 02 Nov 2005 20:20:03 -0700 >>> 220 mail.emrsystem.com ESMTP VisNetic.MailServer.v5.0.2.3; Wed, 02 Nov 2005 20:20:03 -0700 [0001B9B4] Wed, 02 Nov 2005 20:20:04 -0700 <<< EHLO euroseek.com [0001B9B4] Wed, 02 Nov 2005 20:20:04 -0700 >>> 250-mail.emrsystem.com Hello euroseek.com [], pleased to meet you. [0001B9B4] Wed, 02 Nov 2005 20:20:04 -0700 <<< MAIL FROM: <fakesender[at]mail2Carolyn.com> [0001B9B4] Wed, 02 Nov 2005 20:20:04 -0700 >>> 250 2.1.0 <fakesender[at]mail2Carolyn.com>... Sender ok [0001B9B4] Wed, 02 Nov 2005 20:20:05 -0700 <<< RCPT TO: <intended_recipient[at]adni.net> [0001B9B4] Wed, 02 Nov 2005 20:20:05 -0700 >>> 550 5.7.1 <intended_recipient[at]adni.net>... we do not relay <fakesender[at]mail2Carolyn.com> [0001B9B4] Wed, 02 Nov 2005 20:20:05 -0700 <<< RCPT TO: <second_recipient[at]adni.net> [0001B9B4] Wed, 02 Nov 2005 20:20:05 -0700 >>> 550 5.7.1 <second_recipient[at]adni.net>... we do not relay <fakesender[at]mail2Carolyn.com> [0001B9B4] Wed, 02 Nov 2005 20:20:05 -0700 <<< RCPT TO: <third_recipient[at]adni.net> [0001B9B4] Wed, 02 Nov 2005 20:20:05 -0700 >>> 550 5.7.1 <third_recipient[at]adni.net>... we do not relay <fakesender[at]mail2Carolyn.com> SYSTEM [0001B9B4] Wed, 02 Nov 2005 20:20:05 -0700 Disconnected I changed the actual sender and reciever email address names, but left the domain names in tact. Other than that, nothing at all was changed. I plainly see 'we do not relay' in every instance of an email attempt. Every one of the thousands of lines in my logs (that are not legitimate mails going out or coming in) have 'we do not relay'. Going back through all logs until last Friday shows the same message. Am I reading it wrong? Thanks for any help anyone can give me. I have contacted Visnetic to see if they can assist me, but haven't heard back from them for a day. J. Bradford CTO EMRSystem Inc. (frustrated mailserver admin)