Relay that is not….

So it looks like relay, but it is not. Seen from outside, it looks like it comes from a local mail address, but IP is somewhere in China, and it sends to (obviously) spam addresses :
Mar 16 18:34:02 mail-2012 milter-greylist: r2GHgggY013773: addr = [xxx.240.252.251][140.240.252.251], from = , rcpt = <835299525@qq.com>
…..
Mar 16 17:15:37 mail-2012 sendmail[6703]: AUTH=server, relay=[xxx.240.252.251], authid=user, mech=LOGIN, bits=0
…..
Here it can be seen that the bad guy (here it is xxx.240.252.251) has cracked the user/pass combination for my account “user”, and is sending spam messages through him. Medicine : change the password IMMEDIATELY, and to something not easily guessed, and tell the passord to user, do not send it by mail! Also you could delete the compromised account…

So that such events do not happen again (or at least not often), you should always keep a aye on the mail messages throygh your server, and check the frequency of user loggings using a command like one in my previous post : command.

This entry was posted in Linux and tagged . Bookmark the permalink.

Comments are closed.