
Forgery or What is going on

Posted: 2012-04-08 01:13
by bescher
Well, after almost ten years I have done away with ewall and am strictly using Hmail for everything.
Since I have done this I am getting nailed with the below. I am not an open relay,
so I can't figure out what is going on. I have SPF records (not DKIM though - don't understand it).
Authentication is required.

Any ideas?
Thanks
Bob
Servers are pop.rsegroup.com 63.131.81.207 and private.rsegroup.com 98.103.208.195




X-Vipre-Scanned: 2040D0B0002DF52040D1FD
Return-Path:
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Return-Path: <>
Message-ID: <CDD50CA3-6D77-4DC5-835E-4DD14D8FA470@pop.rsegroup.com>
Date: Sat, 7 Apr 2012 18:04:47 -0500
From: mailer-daemon@pop.rsegroup.com
To: bescher@rsegroup.com
Subject: Undeliverable: You in fancy moms panties?
Content-Transfer-Encoding: quoted-printable
X-hMailServer-LoopCount: 1



Your message did not reach some or all of the intended recipients.

Sent: Sun, 8 Apr 2012 00:02:22 +0100
Subject: You in fancy moms panties?

The following recipient(s) could not be reached:

edielou@verizon.net
Error Type: SMTP
Remote server (206.46.232.11) issued an error.
hMailServer sent: RCPT TO:<edielou@verizon.net>
Remote server replied: 550 5.1.1 unknown or illegal alias: edielou@verizon.net

nnikitinova@ssd.com
Error Type: SMTP
Remote server (206.18.127.87) issued an error.
hMailServer sent: RCPT TO:<nnikitinova@ssd.com>
Remote server replied: 550 5.1.1 <nnikitinova@ssd.com>: Recipient address rejected: User unknown in relay recipient table

clarkb@cedarhomes.com
Error Type: SMTP
Remote server (50.76.177.18) issued an error.
hMailServer sent: RCPT TO:<clarkb@cedarhomes.com>
Remote server replied: 550 No such user (clarkb@cedarhomes.com)



hMailServer

Re: Forgery or What is going on

Posted: 2012-04-08 03:15
by Bill48105
Seeing the log entries for the suspect messages would be helpful. Possibly you have a web form that is being abused? Infected server or computer on your network? User account login guessed? (Again, logs should narrow those down.)

You might consider making note of current IP ranges & clicking default to see if that helps in case you accidentally have something bad set.
Bill

Re: Forgery or What is going on

Posted: 2012-04-09 13:37
by dzekas
Wrong headers. Trace email source and path in Received:

Re: Forgery or What is going on

Posted: 2012-04-11 15:41
by bescher
Here are some log snippets.
I had to put ewall back in because of this forgery.
"SMTPC" 3728 8992 "2012-04-11 08:37:59.992" "63.252.23.233" "RECEIVED: 220 *********************************************************************************************************************"
"SMTPC" 3728 8992 "2012-04-11 08:37:59.992" "63.252.23.233" "SENT: HELO pop.rsegroup.com"
"SMTPC" 3748 8989 "2012-04-11 08:37:59.992" "65.207.58.229" "RECEIVED: 250 OK E2/C1-05978-8C8858F4"
"SMTPC" 3748 8989 "2012-04-11 08:37:59.992" "65.207.58.229" "SENT: QUIT"
"SMTPC" 3728 8992 "2012-04-11 08:38:00.039" "63.252.23.233" "RECEIVED: 250 molovsmail.molo.local Hello [63.131.81.207]"
"SMTPC" 3728 8992 "2012-04-11 08:38:00.039" "63.252.23.233" "SENT: MAIL FROM:<bescher@rsegroup.com>"
"SMTPC" 3748 8989 "2012-04-11 08:38:00.039" "65.207.58.229" "RECEIVED: 221 mail14.mailrooter.com closing connection"
"SMTPC" 3728 8992 "2012-04-11 08:38:00.070" "63.252.23.233" "RECEIVED: 250 2.1.0 bescher@rsegroup.com....Sender OK"
"SMTPC" 3728 8992 "2012-04-11 08:38:00.070" "63.252.23.233" "SENT: RCPT TO:<nyjwc@molocompanies.com>"
"SMTPD" 3676 0 "2012-04-11 08:38:00.070" "TCP" "DNS - MX Lookup: hds.com"
"SMTPC" 3728 8992 "2012-04-11 08:38:00.102" "63.252.23.233" "RECEIVED: 250 2.1.5 nyjwc@molocompanies.com "
"SMTPC" 3728 8992 "2012-04-11 08:38:00.102" "63.252.23.233" "SENT: DATA"
"SMTPC" 3732 8992 "2012-04-11 08:38:00.102" "63.252.23.233" "RECEIVED: 354 Ready, steady, go"
"SMTPC" 3732 8992 "2012-04-11 08:38:00.102" "63.252.23.233" "SENT: [nl]."
"SMTPC" 3732 8992 "2012-04-11 08:38:00.320" "63.252.23.233" "RECEIVED: 250 2.6.0 <098CE70E-4F1D-4300-8044-736DA9BBA8F2@pop.rsegroup.com> Queued mail for delivery"
"SMTPC" 3732 8992 "2012-04-11 08:38:00.320" "63.252.23.233" "SENT: QUIT"
"SMTPC" 3732 8992 "2012-04-11 08:38:00.352" "63.252.23.233" "RECEIVED: 221 2.0.0 molovsmail.molo.local Service closing transmission channel"
"APPLICATION" 3000 "2012-04-11 08:38:00.445" "SMTPDeliverer - Message 603791: Message delivery thread completed."
"SMTPD" 3676 0 "2012-04-11 08:38:00.774" "TCP" "DNS - MX Result: 7 IP addresses were found."
"TCPIP" 3676 "2012-04-11 08:38:00.774" "Connecting to 207.126.252.19..."
"SMTPD" 3540 8976 "2012-04-11 08:38:00.789" "62.201.140.5" "SENT: 250 Queued (4.125 seconds)"
"SMTPD" 3708 8976 "2012-04-11 08:38:00.899" "62.201.140.5" "RECEIVED: RSET"
"SMTPD" 3708 8976 "2012-04-11 08:38:00.899" "62.201.140.5" "SENT: 250 OK"
"APPLICATION" 304 "2012-04-11 08:38:00.899" "SMTPDeliverer - Message 603793: Delivering message from to bescher@rsegroup.com. File: C:\Program Files\hMailServer\Data\{6B1DEC41-3E23-42C2-B2B8-AFF733AFB3E2}.eml"
"SMTPD" 3304 0 "2012-04-11 08:38:00.961" "TCP" "DNS - MX Result: 0 IP addresses were found."
"APPLICATION" 3304 "2012-04-11 08:38:00.961" "SMTPDeliverer - Message 603789: No mail servers could be found for the address nyhalicechrissig@alicechris.com."
"APPLICATION" 3000 "2012-04-11 08:38:00.961" "SMTPDeliverer - Message 603794: Delivering message from to bescher@rsegroup.com. File: C:\Program Files\hMailServer\Data\{0A4440E7-3E38-4559-8289-84ECB3BFA4E5}.eml"
"SMTPD" 3756 8976 "2012-04-11 08:38:01.008" "62.201.140.5" "RECEIVED: MAIL FROM:<> SIZE=3072"
"SMTPD" 3756 0 "2012-04-11 08:38:01.024" "TCP" "DNS lookup: 5.140.201.62.pbl.spamhaus.org, 0 addresses found: (none), Match: False"
"SMTPD" 3756 0 "2012-04-11 08:38:01.024" "TCP" "DNS lookup: 5.140.201.62.sbl-xbl.spamhaus.org, 0 addresses found: (none), Match: False"
"SMTPD" 3756 0 "2012-04-11 08:38:01.024" "TCP" "DNS lookup: 5.140.201.62.bb.barracudacentral.org, 0 addresses found: (none), Match: False"
"SMTPD" 3756 0 "2012-04-11 08:38:01.024" "TCP" "DNS lookup: 5.140.201.62.bl.score.senderscore.com, 0 addresses found: (none), Match: False"
"SMTPD" 3756 0 "2012-04-11 08:38:01.024" "TCP" "DNS lookup: 5.140.201.62.bl.spameatingmonkey.net, 0 addresses found: (none), Match: False"
"SMTPD" 3756 0 "2012-04-11 08:38:01.024" "TCP" "DNS lookup: 5.140.201.62.bl.spamcop.net, 0 addresses found: (none), Match: False"
"SMTPD" 3756 0 "2012-04-11 08:38:01.024" "TCP" "DNS lookup: 5.140.201.62.dnsbl.sorbs.net, 0 addresses found: (none), Match: False"
"SMTPD" 3756 8976 "2012-04-11 08:38:01.024" "62.201.140.5" "SENT: 250 OK"
"SMTPD" 3304 0 "2012-04-11 08:38:01.055" "TCP" "DNS - MX Lookup: aliceafamily.us"
"APPLICATION" 4688 "2012-04-11 08:38:01.055" "SMTPDeliverer - Message 603795: Delivering message from to bescher@rsegroup.com. File: C:\Program Files\hMailServer\Data\{CE4BD80D-59CE-4366-A3FD-B4A95FFC79BA}.eml"
"SMTPD" 3304 0 "2012-04-11 08:38:01.117" "TCP" "DNS - MX Result: 4 IP addresses were found."
"TCPIP" 3304 "2012-04-11 08:38:01.117" "Connecting to 74.6.140.31..."
"SMTPD" 3756 8976 "2012-04-11 08:38:01.133" "62.201.140.5" "RECEIVED: RCPT TO:<bescher@rsegroup.com>"
"SMTPD" 3756 8976 "2012-04-11 08:38:01.133" "62.201.140.5" "SENT: 250 OK"
"APPLICATION" 304 "2012-04-11 08:38:01.149" "SMTPDeliverer - Message 603793: Message delivery thread completed."
"APPLICATION" 4688 "2012-04-11 08:38:01.149" "SMTPDeliverer - Message 603795: Message deleted (contained virus INetMsg.SpamDomain-2w.tecnorobotix_com.UNOFFICIAL)."
"SMTPC" 3748 8991 "2012-04-11 08:38:01.195" "205.188.190.1" "RECEIVED: 220-mtain-de03.r1000.mx.aol.com ESMTP Internet Inbound"
"SMTPC" 3728 8991 "2012-04-11 08:38:01.195" "205.188.190.1" "RECEIVED: 220-AOL and its affiliated companies do not"
"SMTPC" 3748 8991 "2012-04-11 08:38:01.211" "205.188.190.1" "RECEIVED: 220-authorize the use of its proprietary computers and computer"
"SMTPC" 3728 8991 "2012-04-11 08:38:01.211" "205.188.190.1" "RECEIVED: 220-networks to accept, transmit, or distribute unsolicited bulk"
"SMTPC" 3732 8991 "2012-04-11 08:38:01.211" "205.188.190.1" "RECEIVED: 220-e-mail sent from the internet."
"SMTPC" 3748 8991 "2012-04-11 08:38:01.211" "205.188.190.1" "RECEIVED: 220-Effective immediately:"
"SMTPC" 3728 8991 "2012-04-11 08:38:01.211" "205.188.190.1" "RECEIVED: 220-AOL may no longer accept connections from IP addresses"
"SMTPC" 3748 8991 "2012-04-11 08:38:01.211" "205.188.190.1" "RECEIVED: 220 which no do not have reverse-DNS (PTR records) assigned."
"SMTPC" 3748 8991 "2012-04-11 08:38:01.211" "205.188.190.1" "SENT: HELO pop.rsegroup.com"
"SMTPC" 3748 8991 "2012-04-11 08:38:01.242" "205.188.190.1" "RECEIVED: 250 mtain-de03.r1000.mx.aol.com"
"SMTPC" 3748 8991 "2012-04-11 08:38:01.242" "205.188.190.1" "SENT: MAIL FROM:<bescher@rsegroup.com>"
"SMTPD" 3756 8976 "2012-04-11 08:38:01.258" "62.201.140.5" "RECEIVED: DATA"
"SMTPC" 3728 8994 "2012-04-11 08:38:01.258" "74.6.140.31" "RECEIVED: 220 mta1012.biz.mail.sk1.yahoo.com ESMTP YSmtp service ready"
"SMTPD" 3756 8976 "2012-04-11 08:38:01.258" "62.201.140.5" "SENT: 354 OK, send."
"SMTPC" 3728 8994 "2012-04-11 08:38:01.258" "74.6.140.31" "SENT: HELO pop.rsegroup.com"
"SMTPC" 3728 8994 "2012-04-11 08:38:01.320" "74.6.140.31" "RECEIVED: 250 mta1012.biz.mail.sk1.yahoo.com"
"SMTPC" 3728 8994 "2012-04-11 08:38:01.320" "74.6.140.31" "SENT: MAIL FROM:<bescher@rsegroup.com>"
"APPLICATION" 3000 "2012-04-11 08:38:01.367" "SMTPDeliverer - Message 603794: Message delivery thread completed."
"TCPIP" 3540 "2012-04-11 08:38:01.570" "Connecting to 63.131.81.208..."
"SMTPC" 3748 8991 "2012-04-11 08:38:01.570" "205.188.190.1" "RECEIVED: 250 2.1.0 Ok"
"SMTPC" 3748 8991 "2012-04-11 08:38:01.570" "205.188.190.1" "SENT: RCPT TO:<nunzio1513@aol.com>"
"SMTPC" 3748 8991 "2012-04-11 08:38:01.617" "205.188.190.1" "RECEIVED: 250 2.1.5 Ok"
"SMTPC" 3748 8991 "2012-04-11 08:38:01.617" "205.188.190.1" "SENT: DATA"
"SMTPC" 3700 8991 "2012-04-11 08:38:01.617" "205.188.190.1" "RECEIVED: 354 Ready, steady, go"
"SMTPC" 3700 8991 "2012-04-11 08:38:01.617" "205.188.190.1" "SENT: [nl]."
"SMTPC" 3700 8991 "2012-04-11 08:38:01.805" "205.188.190.1" "RECEIVED: 250 2.0.0 Ok: queued as BBE91380000EB"
"SMTPC" 3700 8991 "2012-04-11 08:38:01.805" "205.188.190.1" "SENT: QUIT"
"SMTPC" 3756 8991 "2012-04-11 08:38:01.836" "205.188.190.1" "RECEIVED: 221 2.0.0 Bye"
"APPLICATION" 5108 "2012-04-11 08:38:01.852" "SMTPDeliverer - Message 603787: Message could not be delivered. Scheduling it for later delivery in 60 minutes."
"APPLICATION" 5108 "2012-04-11 08:38:01.930" "SMTPDeliverer - Message 603787: Message delivery thread completed."
"SMTPC" 3716 8994 "2012-04-11 08:38:01.945" "74.6.140.31" "RECEIVED: 250 sender <bescher@rsegroup.com> ok"
"SMTPC" 3716 8994 "2012-04-11 08:38:01.945" "74.6.140.31" "SENT: RCPT TO:<nyhaliceafamilysig@aliceafamily.us>"
"SMTPC" 3716 8994 "2012-04-11 08:38:02.024" "74.6.140.31" "RECEIVED: 250 recipient <nyhaliceafamilysig@aliceafamily.us> ok"
"SMTPC" 3716 8994 "2012-04-11 08:38:02.024" "74.6.140.31" "SENT: DATA"
"SMTPC" 3716 8994 "2012-04-11 08:38:02.024" "74.6.140.31" "RECEIVED: 354 Ready, steady, go"
"SMTPC" 3716 8994 "2012-04-11 08:38:02.024" "74.6.140.31" "SENT: [nl]."
"SMTPC" 3716 8994 "2012-04-11 08:38:02.195" "74.6.140.31" "RECEIVED: 554 delivery error: dd This user doesn't have a aliceafamily.us account (nyhaliceafamilysig@aliceafamily.us) [0] - mta1012.biz.mail.sk1.yahoo.com"
"SMTPC" 3736 8993 "2012-04-11 08:38:03.977" "207.126.252.19" "RECEIVED: 220 usindpps06 ESMTP Wed, 11 Apr 2012 09:36:13 -0400"
"SMTPC" 3716 8994 "2012-04-11 08:38:04.258" "74.6.140.31" "SENT: QUIT"
"SMTPC" 3736 8993 "2012-04-11 08:38:04.258" "207.126.252.19" "SENT: HELO pop.rsegroup.com"
"SMTPC" 3736 8993 "2012-04-11 08:38:04.289" "207.126.252.19" "RECEIVED: 250 usindpps06 Hello pop.rsegroup.com [63.131.81.207], pleased to meet you"
"SMTPC" 3736 8993 "2012-04-11 08:38:04.289" "207.126.252.19" "SENT: MAIL FROM:<bescher@rsegroup.com>"
"SMTPC" 3716 8994 "2012-04-11 08:38:04.321" "74.6.140.31" "RECEIVED: 221 mta1012.biz.mail.sk1.yahoo.com"
"SMTPC" 3716 8993 "2012-04-11 08:38:04.336" "207.126.252.19" "RECEIVED: 250 2.1.0 <bescher@rsegroup.com>... Sender ok"
"SMTPC" 3716 8993 "2012-04-11 08:38:04.336" "207.126.252.19" "SENT: RCPT TO:<nyirzq@hds.com>"
"SMTPC" 3716 8993 "2012-04-11 08:38:04.367" "207.126.252.19" "RECEIVED: 250 2.1.5 <nyirzq@hds.com>... Recipient ok"
"SMTPC" 3716 8993 "2012-04-11 08:38:04.367" "207.126.252.19" "SENT: DATA"
"SMTPC" 3756 8993 "2012-04-11 08:38:04.367" "207.126.252.19" "RECEIVED: 354 Ready, steady, go"
"SMTPC" 3756 8993 "2012-04-11 08:38:04.367" "207.126.252.19" "SENT: [nl]."
"APPLICATION" 3304 "2012-04-11 08:38:04.461" "SMTPDeliverer - Message 603789: Message delivery thread completed."
"SMTPC" 3756 8993 "2012-04-11 08:38:04.461" "207.126.252.19" "RECEIVED: 250 2.0.0 q3BDaDIl022942 Message accepted for delivery"
"SMTPC" 3756 8993 "2012-04-11 08:38:04.461" "207.126.252.19" "SENT: QUIT"
"SMTPC" 3756 8993 "2012-04-11 08:38:04.492" "207.126.252.19" "RECEIVED: 221 2.0.0 usindpps06 closing connection"
"APPLICATION" 3676 "2012-04-11 08:38:04.586" "SMTPDeliverer - Message 603790: Message delivery thread completed."
"SMTPD" 3540 8976 "2012-04-11 08:38:05.805" "62.201.140.5" "SENT: 250 Queued (4.484 seconds)"
"APPLICATION" 3304 "2012-04-11 08:38:05.821" "SMTPDeliverer - Message 603796: Delivering message from to bescher@rsegroup.com. File: C:\Program Files\hMailServer\Data\{6C7B2CF0-EF3B-4035-B115-A2661B6D2800}.eml"
"APPLICATION" 304 "2012-04-11 08:38:05.836" "SMTPDeliverer - Message 603797: Delivering message from to bescher@rsegroup.com. File: C:\Program Files\hMailServer\Data\{6D3F87CF-5B63-4BEC-B4F9-CD01E82D391E}.eml"
"APPLICATION" 3676 "2012-04-11 08:38:05.852" "SMTPDeliverer - Message 603798: Delivering message from to bescher@rsegroup.com. File: C:\Program Files\hMailServer\Data\{2A319F41-6554-48DF-B7A7-B0048C588984}.eml"
"APPLICATION" 5108 "2012-04-11 08:38:05.867" "SMTPDeliverer - Message 603799: Delivering message from to bescher@rsegroup.com. File: C:\Program Files\hMailServer\Data\{4AE6F43D-3AAB-4727-B963-9BC3BDE43CC5}.eml"
"TCPIP" 3724 "2012-04-11 08:38:05.899" "TCP - 74.203.57.166 connected to 63.131.81.207:25."
"SMTPD" 3724 8996 "2012-04-11 08:38:05.899" "74.203.57.166" "SENT: 220 Welcome to RSEGroup Mail Server"
"APPLICATION" 3304 "2012-04-11 08:38:05.914" "SMTPDeliverer - Message 603796: Message delivery thread completed."
"APPLICATION" 5108 "2012-04-11 08:38:05.961" "SMTPDeliverer - Message 603799: Message deleted (contained virus INetMsg.SpamDomain-2w.tecnorobotix_com.UNOFFICIAL)."
"SMTPD" 3724 8976 "2012-04-11 08:38:05.961" "62.201.140.5" "RECEIVED: RSET"
"SMTPD" 3724 8976 "2012-04-11 08:38:05.977" "62.201.140.5" "SENT: 250 OK"
"SMTPD" 3704 8996 "2012-04-11 08:38:05.992" "74.203.57.166" "RECEIVED: EHLO tippit2.wc09.net"
"SMTPD" 3704 8996 "2012-04-11 08:38:05.992" "74.203.57.166" "SENT: 250-pop.rsegroup.com[nl]250-SIZE[nl]250 AUTH LOGIN"
"APPLICATION" 3676 "2012-04-11 08:38:06.071" "SMTPDeliverer - Message 603798: Message delivery thread completed."
"SMTPD" 3712 8996 "2012-04-11 08:38:06.102" "74.203.57.166" "RECEIVED: MAIL FROM:<bouncemail_5E0C6878496B084D3D211B1338508CE433707EBA22DA30CB@response.whatcounts.com>"
"SMTPD" 3752 8976 "2012-04-11 08:38:06.133" "62.201.140.5" "RECEIVED: MAIL FROM:<> SIZE=3072"
"SMTPD" 3752 0 "2012-04-11 08:38:06.133" "TCP" "DNS lookup: 5.140.201.62.pbl.spamhaus.org, 0 addresses found: (none), Match: False"
"SMTPD" 3752 0 "2012-04-11 08:38:06.133" "TCP" "DNS lookup: 5.140.201.62.sbl-xbl.spamhaus.org, 0 addresses found: (none), Match: False"
"SMTPD" 3752 0 "2012-04-11 08:38:06.133" "TCP" "DNS lookup: 5.140.201.62.bb.barracudacentral.org, 0 addresses found: (none), Match: False"
"SMTPD" 3752 0 "2012-04-11 08:38:06.133" "TCP" "DNS lookup: 5.140.201.62.bl.score.senderscore.com, 0 addresses found: (none), Match: False"
"SMTPD" 3752 0 "2012-04-11 08:38:06.133" "TCP" "DNS lookup: 5.140.201.62.bl.spameatingmonkey.net, 0 addresses found: (none), Match: False"
"SMTPD" 3752 0 "2012-04-11 08:38:06.133" "TCP" "DNS lookup: 5.140.201.62.bl.spamcop.net, 0 addresses found: (none), Match: False"
"SMTPD" 3752 0 "2012-04-11 08:38:06.133" "TCP" "DNS lookup: 5.140.201.62.dnsbl.sorbs.net, 0 addresses found: (none), Match: False"
"SMTPD" 3752 8976 "2012-04-11 08:38:06.133" "62.201.140.5" "SENT: 250 OK"
"APPLICATION" 304 "2012-04-11 08:38:06.196" "SMTPDeliverer - Message 603797: Message delivery thread completed."
"SMTPD" 3712 0 "2012-04-11 08:38:06.274" "TCP" "DNS lookup: 166.57.203.74.pbl.spamhaus.org, 0 addresses found: (none), Match: False"
"SMTPD" 3752 8976 "2012-04-11 08:38:06.274" "62.201.140.5" "RECEIVED: RCPT TO:<bescher@rsegroup.com>"
"SMTPD" 3752 8976 "2012-04-11 08:38:06.274" "62.201.140.5" "SENT: 250 OK"
"SMTPD" 3752 8976 "2012-04-11 08:38:06.414" "62.201.140.5" "RECEIVED: DATA"
"SMTPD" 3752 8976 "2012-04-11 08:38:06.414" "62.201.140.5" "SENT: 354 OK, send."
"SMTPD" 3712 0 "2012-04-11 08:38:06.446" "TCP" "DNS lookup: 166.57.203.74.sbl-xbl.spamhaus.org, 0 addresses found: (none), Match: False"
"TCPIP" 3540 "2012-04-11 08:38:06.555" "Connecting to 63.131.81.208..."
"SMTPD" 3712 0 "2012-04-11 08:38:07.211" "TCP" "DNS lookup: 166.57.203.74.bb.barracudacentral.org, 0 addresses found: (none), Match: False"
"SMTPD" 3712 0 "2012-04-11 08:38:07.258" "TCP" "DNS lookup: 166.57.203.74.bl.score.senderscore.com, 0 addresses found: (none), Match: False"
"SMTPD" 3712 0 "2012-04-11 08:38:07.477" "TCP" "DNS lookup: 166.57.203.74.bl.spameatingmonkey.net, 0 addresses found: (none), Match: False"
"SMTPD" 3712 0 "2012-04-11 08:38:07.524" "TCP" "DNS lookup: 166.57.203.74.bl.spamcop.net, 0 addresses found: (none), Match: False"
"SMTPD" 3712 0 "2012-04-11 08:38:07.774" "TCP" "DNS lookup: 166.57.203.74.dnsbl.sorbs.net, 0 addresses found: (none), Match: False"
"SMTPD" 3712 8996 "2012-04-11 08:38:07.946" "74.203.57.166" "SENT: 250 OK"
"SMTPD" 3712 8996 "2012-04-11 08:38:08.024" "74.203.57.166" "RECEIVED: RCPT TO:<lkaptur@hospitalitymarketers.com>"
"SMTPD" 3712 8996 "2012-04-11 08:38:08.071" "74.203.57.166" "SENT: 451 Please try again later."
"SMTPD" 3712 8996 "2012-04-11 08:38:08.164" "74.203.57.166" "RECEIVED: QUIT"
"SMTPD" 3712 8996 "2012-04-11 08:38:08.164" "74.203.57.166" "SENT: 221 goodbye"
"SMTPD" 3540 8976 "2012-04-11 08:38:10.571" "62.201.140.5" "SENT: 250 Queued (4.078 seconds)"
"APPLICATION" 3304 "2012-04-11 08:38:10.602" "SMTPDeliverer - Message 603800: Delivering message from to bescher@rsegroup.com. File: C:\Program Files\hMailServer\Data\{BDC8CFAD-F5A2-41B6-88AF-8C599B389B41}.eml"
"APPLICATION" 3304 "2012-04-11 08:38:12.665" "SMTPDeliverer - Message 603800: Message deleted (contained virus INetMsg.SpamDomain-2w.tecnorobotix_com.UNOFFICIAL)."
"SMTPD" 3704 8976 "2012-04-11 08:38:12.696" "62.201.140.5" "RECEIVED: QUIT"
"SMTPD" 3704 8976 "2012-04-11 08:38:12.696" "62.201.140.5" "SENT: 221 goodbye"
"TCPIP" 3724 "2012-04-11 08:38:14.102" "TCP - 64.120.228.93 connected to 63.131.81.207:25."
"SMTPD" 3724 8998 "2012-04-11 08:38:14.102" "64.120.228.93" "SENT: 220 Welcome to RSEGroup Mail Server"
"SMTPD" 3756 8998 "2012-04-11 08:38:14.165" "64.120.228.93" "RECEIVED: EHLO aio93.anbaskusa.com"
"SMTPD" 3756 8998 "2012-04-11 08:38:14.165" "64.120.228.93" "SENT: 250-pop.rsegroup.com[nl]250-SIZE[nl]250 AUTH LOGIN"
"SMTPD" 3756 8998 "2012-04-11 08:38:14.227" "64.120.228.93" "RECEIVED: MAIL FROM:<creditreportoptions@anbaskusa.com>"
"SMTPD" 3756 0 "2012-04-11 08:38:14.243" "TCP" "DNS lookup: 93.228.120.64.pbl.spamhaus.org, 0 addresses found: (none), Match: False"
"SMTPD" 3756 0 "2012-04-11 08:38:14.243" "TCP" "DNS lookup: 93.228.120.64.sbl-xbl.spamhaus.org, 0 addresses found: (none), Match: False"
"SMTPD" 3756 0 "2012-04-11 08:38:14.243" "TCP" "DNS lookup: 93.228.120.64.bb.barracudacentral.org, 1 addresses found: 127.0.0.2, Match: True"
"SMTPD" 3756 0 "2012-04-11 08:38:14.243" "TCP" "DNS lookup: 93.228.120.64.bl.score.senderscore.com, 0 addresses found: (none), Match: False"
"SMTPD" 3756 0 "2012-04-11 08:38:14.243" "TCP" "DNS lookup: 93.228.120.64.bl.spameatingmonkey.net, 0 addresses found: (none), Match: False"
"SMTPD" 3756 0 "2012-04-11 08:38:14.243" "TCP" "DNS lookup: 93.228.120.64.bl.spamcop.net, 0 addresses found: (none), Match: False"
"SMTPD" 3756 0 "2012-04-11 08:38:14.243" "TCP" "DNS lookup: 93.228.120.64.dnsbl.sorbs.net, 0 addresses found: (none), Match: False"
"SMTPD" 3756 8998 "2012-04-11 08:38:14.383" "64.120.228.93" "SENT: 250 OK"
"SMTPD" 3756 8998 "2012-04-11 08:38:14.446" "64.120.228.93" "RECEIVED: RCPT TO:<puddles@kurtstaxservice.com>"
"SMTPD" 3756 8998 "2012-04-11 08:38:14.508" "64.120.228.93" "SENT: 451 Please try again later."
"TCPIP" 3724 "2012-04-11 08:38:14.555" "TCP - 109.123.123.68 connected to 63.131.81.207:25."
"SMTPD" 3724 8999 "2012-04-11 08:38:14.555" "109.123.123.68" "SENT: 220 Welcome to RSEGroup Mail Server"
"SMTPD" 3756 8998 "2012-04-11 08:38:14.571" "64.120.228.93" "RECEIVED: QUIT"
"SMTPD" 3756 8998 "2012-04-11 08:38:14.571" "64.120.228.93" "SENT: 221 goodbye"
"SMTPD" 3724 8999 "2012-04-11 08:38:14.649" "109.123.123.68" "RECEIVED: EHLO robbed.cactbus.com"
"SMTPD" 3724 8999 "2012-04-11 08:38:14.649" "109.123.123.68" "SENT: 250-pop.rsegroup.com[nl]250-SIZE[nl]250 AUTH LOGIN"
"SMTPD" 3756 8999 "2012-04-11 08:38:14.758" "109.123.123.68" "RECEIVED: MAIL FROM:<your-updated-credit@cactbus.com>"
"SMTPD" 3756 0 "2012-04-11 08:38:14.883" "TCP" "DNS lookup: 68.123.123.109.pbl.spamhaus.org, 0 addresses found: (none), Match: False"
"SMTPD" 3756 0 "2012-04-11 08:38:14.915" "TCP" "DNS lookup: 68.123.123.109.sbl-xbl.spamhaus.org, 0 addresses found: (none), Match: False"
"SMTPD" 3756 0 "2012-04-11 08:38:14.946" "TCP" "DNS lookup: 68.123.123.109.bb.barracudacentral.org, 0 addresses found: (none), Match: False"
"SMTPD" 3756 0 "2012-04-11 08:38:15.024" "TCP" "DNS lookup: 68.123.123.109.bl.score.senderscore.com, 0 addresses found: (none), Match: False"
"TCPIP" 3724 "2012-04-11 08:38:15.415" "TCP - 216.163.188.210 connected to 63.131.81.207:25."
"SMTPD" 3724 9000 "2012-04-11 08:38:15.415" "216.163.188.210" "SENT: 220 Welcome to RSEGroup Mail Server"
"SMTPD" 3724 9000 "2012-04-11 08:38:15.477" "216.163.188.210" "RECEIVED: EHLO c9mailgw01.amadis.com"
"SMTPD" 3724 9000 "2012-04-11 08:38:15.477" "216.163.188.210" "SENT: 250-pop.rsegroup.com[nl]250-SIZE[nl]250 AUTH LOGIN"
"SMTPD" 3728 9000 "2012-04-11 08:38:15.555" "216.163.188.210" "RECEIVED: MAIL FROM:<>"
"SMTPD" 3728 0 "2012-04-11 08:38:15.743" "TCP" "DNS lookup: 210.188.163.216.pbl.spamhaus.org, 0 addresses found: (none), Match: False"
"SMTPD" 3728 0 "2012-04-11 08:38:15.790" "TCP" "DNS lookup: 210.188.163.216.sbl-xbl.spamhaus.org, 0 addresses found: (none), Match: False"
"SMTPD" 3728 0 "2012-04-11 08:38:15.790" "TCP" "DNS lookup: 210.188.163.216.bb.barracudacentral.org, 0 addresses found: (none), Match: False"
"SMTPD" 3728 0 "2012-04-11 08:38:15.790" "TCP" "DNS lookup: 210.188.163.216.bl.score.senderscore.com, 0 addresses found: (none), Match: False"
"SMTPD" 3728 0 "2012-04-11 08:38:15.790" "TCP" "DNS lookup: 210.188.163.216.bl.spameatingmonkey.net, 0 addresses found: (none), Match: False"
"SMTPD" 3728 0 "2012-04-11 08:38:15.790" "TCP" "DNS lookup: 210.188.163.216.bl.spamcop.net, 0 addresses found: (none), Match: False"
"SMTPD" 3728 0 "2012-04-11 08:38:15.805" "TCP" "DNS lookup: 210.188.163.216.dnsbl.sorbs.net, 0 addresses found: (none), Match: False"
"SMTPD" 3728 9000 "2012-04-11 08:38:15.805" "216.163.188.210" "SENT: 250 OK"
"SMTPD" 3728 9000 "2012-04-11 08:38:15.883" "216.163.188.210" "RECEIVED: RCPT TO:<bescher@rsegroup.com>"
"SMTPD" 3728 9000 "2012-04-11 08:38:15.883" "216.163.188.210" "SENT: 250 OK"
"SMTPD" 3756 0 "2012-04-11 08:38:15.915" "TCP" "DNS lookup: 68.123.123.109.bl.spameatingmonkey.net, 0 addresses found: (none), Match: False"
"SMTPD" 3700 9000 "2012-04-11 08:38:15.946" "216.163.188.210" "RECEIVED: DATA"
"SMTPD" 3700 9000 "2012-04-11 08:38:15.946" "216.163.188.210" "SENT: 354 OK, send."
"SMTPD" 3756 0 "2012-04-11 08:38:15.962" "TCP" "DNS lookup: 68.123.123.109.bl.spamcop.net, 0 a

Re: Forgery or What is going on

Posted: 2012-04-11 15:58
by bescher
Here is a much better log file snippet.

I broke it down to message number (9311):

"SMTPD" 4484 9311 "2012-04-11 08:53:54.735" "62.85.16.127" "SENT: 220 Welcome to RSEGroup Mail Server"
"SMTPD" 4484 9311 "2012-04-11 08:53:55.032" "62.85.16.127" "RECEIVED: EHLO rsegroup.com"
"SMTPD" 4484 9311 "2012-04-11 08:53:55.032" "62.85.16.127" "SENT: 250-pop.rsegroup.com[nl]250-SIZE[nl]250 AUTH LOGIN"
"SMTPD" 4484 9311 "2012-04-11 08:53:55.282" "62.85.16.127" "RECEIVED: AUTH LOGIN"
"SMTPD" 4484 9311 "2012-04-11 08:53:55.282" "62.85.16.127" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 4484 9311 "2012-04-11 08:53:55.532" "62.85.16.127" "RECEIVED: YmVzY2hlcg=="
"SMTPD" 4484 9311 "2012-04-11 08:53:55.532" "62.85.16.127" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 5628 9311 "2012-04-11 08:53:55.782" "62.85.16.127" "RECEIVED: ***"
"SMTPD" 5628 9311 "2012-04-11 08:53:55.798" "62.85.16.127" "SENT: 235 authenticated."
"TCPIP" 4484 "2012-04-11 08:53:55.985" "TCP - 178.195.252.165 connected to 63.131.81.207:25."
"SMTPD" 5628 9311 "2012-04-11 08:53:56.032" "62.85.16.127" "RECEIVED: RSET"
"SMTPD" 5628 9311 "2012-04-11 08:53:56.032" "62.85.16.127" "SENT: 250 OK"
"SMTPD" 3272 9311 "2012-04-11 08:53:56.298" "62.85.16.127" "RECEIVED: MAIL FROM: <bescher@rsegroup.com>"
"SMTPD" 3272 9311 "2012-04-11 08:53:56.298" "62.85.16.127" "SENT: 250 OK"
"SMTPD" 4180 0 "2012-04-11 08:53:56.360" "TCP" "DNS lookup: 165.252.195.178.pbl.spamhaus.org, 1 addresses found: 127.0.0.11, Match: True"
"SMTPD" 4180 0 "2012-04-11 08:53:56.454" "TCP" "DNS lookup: 165.252.195.178.sbl-xbl.spamhaus.org, 1 addresses found: 127.0.0.4, Match: True"
"SMTPD" 3816 9311 "2012-04-11 08:53:56.563" "62.85.16.127" "RECEIVED: RCPT TO:<kathieroyer@telus.net>"
"SMTPD" 3816 9311 "2012-04-11 08:53:56.563" "62.85.16.127" "SENT: 250 OK"
"SMTPD" 3816 9311 "2012-04-11 08:53:56.845" "62.85.16.127" "RECEIVED: RCPT TO:<<kathies@ptd.net>>"
"SMTPD" 3816 9311 "2012-04-11 08:53:56.845" "62.85.16.127" "SENT: 250 OK"
"SMTPD" 4388 9311 "2012-04-11 08:53:57.095" "62.85.16.127" "RECEIVED: RCPT TO:<<kathies_corner@yahoo.ca>>"
"SMTPD" 4388 9311 "2012-04-11 08:53:57.095" "62.85.16.127" "SENT: 250 OK"
"SMTPD" 4388 9311 "2012-04-11 08:53:57.329" "62.85.16.127" "RECEIVED: RCPT TO:<<KathieSasssamkassxbnf@samkass.com>>"
"SMTPD" 4388 9311 "2012-04-11 08:53:57.329" "62.85.16.127" "SENT: 250 OK"
"SMTPD" 4180 0 "2012-04-11 08:53:57.485" "TCP" "DNS lookup: 165.252.195.178.bb.barracudacentral.org, 1 addresses found: 127.0.0.2, Match: True"
"SMTPD" 4180 0 "2012-04-11 08:53:57.517" "TCP" "DNS lookup: 165.252.195.178.bl.score.senderscore.com, 0 addresses found: (none), Match: False"
"SMTPD" 4180 0 "2012-04-11 08:53:57.563" "TCP" "DNS lookup: 165.252.195.178.bl.spameatingmonkey.net, 0 addresses found: (none), Match: False"
"SMTPD" 4388 9311 "2012-04-11 08:53:57.563" "62.85.16.127" "RECEIVED: RCPT TO:<<KathieSchaustania.holman@arvinmeritor.com>>"
"SMTPD" 4388 9311 "2012-04-11 08:53:57.563" "62.85.16.127" "SENT: 250 OK"
"SMTPD" 4180 0 "2012-04-11 08:53:57.610" "TCP" "DNS lookup: 165.252.195.178.bl.spamcop.net, 1 addresses found: 127.0.0.2, Match: True"
"SMTPD" 4180 0 "2012-04-11 08:53:57.642" "TCP" "DNS lookup: 165.252.195.178.dnsbl.sorbs.net, 0 addresses found: (none), Match: False"
"SMTPD" 4180 9312 "2012-04-11 08:53:57.642" "178.195.252.165" "SENT: 550 Rejected by Spamcop"
"APPLICATION" 4180 "2012-04-11 08:53:57.642" "hMailServer SpamProtection rejected RCPT (Sender: footbridgefearsome@yahoo.com, IP:178.195.252.165, Reason: Rejected by Spamcop)"
"SMTPD" 4180 9312 "2012-04-11 08:53:57.798" "178.195.252.165" "RECEIVED: QUIT"
"SMTPD" 4180 9312 "2012-04-11 08:53:57.798" "178.195.252.165" "SENT: 221 goodbye"
"SMTPD" 4388 9311 "2012-04-11 08:53:57.813" "62.85.16.127" "RECEIVED: RCPT TO:<<KathieShankarjakinney@ashland.com>>"
"SMTPD" 4388 9311 "2012-04-11 08:53:57.813" "62.85.16.127" "SENT: 250 OK"
"SMTPD" 4388 9311 "2012-04-11 08:53:58.048" "62.85.16.127" "RECEIVED: RCPT TO:<<kathieshields@aol.com>>"
"SMTPD" 4388 9311 "2012-04-11 08:53:58.048" "62.85.16.127" "SENT: 250 OK"
"SMTPD" 4388 9311 "2012-04-11 08:53:58.298" "62.85.16.127" "RECEIVED: RCPT TO:<<kathieshse@yahoo.com>>"
"SMTPD" 4388 9311 "2012-04-11 08:53:58.298" "62.85.16.127" "SENT: 250 OK"
"SMTPD" 4388 9311 "2012-04-11 08:53:58.548" "62.85.16.127" "RECEIVED: DATA"
"SMTPD" 4388 9311 "2012-04-11 08:53:58.563" "62.85.16.127" "SENT: 354 OK, send."
"SMTPD" 3540 9311 "2012-04-11 08:53:59.267" "62.85.16.127" "SENT: 250 Queued (0.546 seconds)"

Re: Forgery or What is going on

Posted: 2012-04-11 16:04
by bescher
Here is a snippet of a rejected message I got, and obviously they are forging my domain name and email address.

I have enabled ewall again until I resolve this.

Thank you anyone for the help
and please tell me how to fix it in plain language



User mailbox exceeds allowed size: cransclan@salisbury.net


Original message follows.

Received: from 66.187.164.115 [66.187.164.115] by Dasia.Net
(SMTPD-11.0) id 93870019f2fa6ae2; Wed, 11 Apr 2012 09:59:08 -0400
Received: from pop.rsegroup.com ([63.131.81.207] helo=pop.rsegroup.com) by
ASSP.Dasia.Net with SMTP (2.1.1); 11 Apr 2012 09:58:43 -0400
X-Vipre-Scanned: 041A1BF1002E03041A1D3E-TDI
Received: from rsegroup.com ([91.235.178.237])
by pop.rsegroup.com
; Wed, 11 Apr 2012 07:58:54 -0500
Message-ID: <2E7C71A5-D143-47F8-A9E8-3F130B41FA9A@pop.rsegroup.com>
From: "Josh Carpenter" <bescher@rsegroup.com>
Subject: Beautiful Flower, read it because it is important!
To: crannt@nf.sympatico.ca
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"
Reply-To: "Josh Carpenter" <bescher@rsegroup.com>
Date: Wed, 11 Apr 2012 13:57:03 +0100
X-Assp-Version: 2.1.1(11364) on ASSP.Dasia.Net
X-Assp-Delay: delayed for 1h 1m 17s; 11 Apr 2012 09:58:51 -0400
X-Assp-Message/IP-Score: -10 (SPF pass)
X-Assp-URIBL: neutral, network21vek.ru listed in multi.surbl.org
X-Assp-ID: ASSP.Dasia.Net m1-52731-12963
X-Assp-Detected-RIP: 91.235.178.237
X-Assp-Source-IP: 91.235.178.237


Dearest!

On that weekend..
http://network21vek.ru/Jackie

Was funny ehh? :)


Josh Carpenter

Re: Forgery or What is going on

Posted: 2012-04-11 17:37
by dzekas
bescher wrote: Here is a much better log file snippet.

I broke it down to message number (9311):

"SMTPD" 4484 9311 "2012-04-11 08:53:54.735" "62.85.16.127" "SENT: 220 Welcome to RSEGroup Mail Server"
"SMTPD" 4484 9311 "2012-04-11 08:53:55.032" "62.85.16.127" "RECEIVED: EHLO rsegroup.com"
"SMTPD" 4484 9311 "2012-04-11 08:53:55.032" "62.85.16.127" "SENT: 250-pop.rsegroup.com[nl]250-SIZE[nl]250 AUTH LOGIN"
"SMTPD" 4484 9311 "2012-04-11 08:53:55.282" "62.85.16.127" "RECEIVED: AUTH LOGIN"
"SMTPD" 4484 9311 "2012-04-11 08:53:55.282" "62.85.16.127" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 4484 9311 "2012-04-11 08:53:55.532" "62.85.16.127" "RECEIVED: YmVzY2hlcg=="
"SMTPD" 4484 9311 "2012-04-11 08:53:55.532" "62.85.16.127" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 5628 9311 "2012-04-11 08:53:55.782" "62.85.16.127" "RECEIVED: ***"
"SMTPD" 5628 9311 "2012-04-11 08:53:55.798" "62.85.16.127" "SENT: 235 authenticated."
"TCPIP" 4484 "2012-04-11 08:53:55.985" "TCP - 178.195.252.165 connected to 63.131.81.207:25."
If you don't own the 178.195.252.165 IP address, change your email account password. If your password was not the same as on your luggage, check your workstation for trojans and start using POP-over-SSL, IMAP-over-SSL, SMTP-over-SSL in your email account/server config.

Re: Forgery or What is going on

Posted: 2012-04-11 19:16
by bescher
I added a script from Doom which appears to be working as well:
Sub OnAcceptMessage(oClient, oMessage)
    ' Only authenticated (submission) sessions carry a Username; inbound mail from other servers does not.
    If oClient.Username <> "" Then
        ' Reject when the envelope sender does not match the account that logged in.
        If LCase(oClient.Username) <> LCase(oMessage.FromAddress) Then
            Result.Value = 2   ' 2 = reject the message and return Result.Message to the client
            Result.Message = "You are only allowed to send from your own account"
        End If
    End If
End Sub
But I will also implement your suggestions.

Re: Forgery or What is going on

Posted: 2012-04-13 02:07
by ^DooM^
The account that was authenticating was bescher

Disabling default domain (Empty field and save) will help with spam attempts. They rarely use full email address to login with.

Re: Forgery or What is going on

Posted: 2012-04-13 03:52
by bescher
I require a full email address for authentication, and that user name is my own account.
Due to your script it has cut down the bounce/rejected messages from over a hundred a day to 2.
I don't have a default domain.

Bob

Re: Forgery or What is going on

Posted: 2012-04-13 07:06
by dzekas
bescher wrote: I don't have a default domain.
If your SMTP logs were not altered, they tell us that you do have a default domain set in your hMailServer configuration.

That script works only in some setups. It will cause problems for users with catchall accounts and forwarded mailboxes.

Re: Forgery or What is going on

Posted: 2012-04-13 09:18
by bescher
Duh
It was late when I replied. I forgot I thought it was in the domain names area (ewall has one like that)
Done
Thanks

Re: Forgery or What is going on

Posted: 2012-04-13 12:41
by ^DooM^
"SMTPD" 4484 9311 "2012-04-11 08:53:55.532" "62.85.16.127" "RECEIVED: YmVzY2hlcg=="
Base64-decode the string that was sent here: http://ion.gb.net/utils/b64.php

YmVzY2hlcg==

That clearly shows the account logged in without the full email address. The only way that happens is if default domain is set.
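
The checks this thread arrives at, as an added example that is not part of the original posts or of hMailServer: it parses SMTPD log lines in the layout quoted above, reconstructs each session, base64-decodes the AUTH LOGIN username (the step ^DooM^ does by hand), and flags a login without a domain part, an envelope MAIL FROM that differs from the login (the rule in the OnAcceptMessage script), a source IP outside a list you trust (dzekas' "do you own that IP" check), and a large recipient count. The session 9311 lines are trimmed from the thread; session 9400, the address 192.168.1.20 and the trusted-IP list are constructed.

```python
import base64
import re

# hMailServer SMTPD line layout as quoted in the thread:
# "SMTPD" <thread> <session> "<timestamp>" "<remote ip>" "<SENT|RECEIVED: ...>"
LINE_RE = re.compile(r'^"(\w+)" (\d+) (\d+) "([^"]+)" "([^"]+)" "(.*)"$')
MAIL_FROM_RE = re.compile(r'MAIL FROM:\s*<([^>]*)>', re.I)
RCPT_TO_RE = re.compile(r'RCPT TO:\s*<+([^<>]*)>+', re.I)  # also accepts the <<addr>> form seen in the log
USERNAME_PROMPT = "334 VXNlcm5hbWU6"  # base64("Username:"), the AUTH LOGIN prompt

# Session 9311 is trimmed from the thread; session 9400 (constructed LAN address 192.168.1.20,
# login with the full e-mail address) is a constructed benign counterpart.
SAMPLE_LOG = '''\
"SMTPD" 4484 9311 "2012-04-11 08:53:55.282" "62.85.16.127" "RECEIVED: AUTH LOGIN"
"SMTPD" 4484 9311 "2012-04-11 08:53:55.282" "62.85.16.127" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 4484 9311 "2012-04-11 08:53:55.532" "62.85.16.127" "RECEIVED: YmVzY2hlcg=="
"SMTPD" 4484 9311 "2012-04-11 08:53:55.532" "62.85.16.127" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 5628 9311 "2012-04-11 08:53:55.782" "62.85.16.127" "RECEIVED: ***"
"SMTPD" 5628 9311 "2012-04-11 08:53:55.798" "62.85.16.127" "SENT: 235 authenticated."
"SMTPD" 3272 9311 "2012-04-11 08:53:56.298" "62.85.16.127" "RECEIVED: MAIL FROM: <bescher@rsegroup.com>"
"SMTPD" 3816 9311 "2012-04-11 08:53:56.563" "62.85.16.127" "RECEIVED: RCPT TO:<kathieroyer@telus.net>"
"SMTPD" 3816 9311 "2012-04-11 08:53:56.845" "62.85.16.127" "RECEIVED: RCPT TO:<<kathies@ptd.net>>"
"SMTPD" 4388 9311 "2012-04-11 08:53:57.095" "62.85.16.127" "RECEIVED: RCPT TO:<<kathies_corner@yahoo.ca>>"
"SMTPD" 3540 9311 "2012-04-11 08:53:59.267" "62.85.16.127" "SENT: 250 Queued (0.546 seconds)"
'''
FULL_LOGIN_B64 = base64.b64encode(b"bescher@rsegroup.com").decode()  # what a full-address login looks like
SAMPLE_LOG += f'''\
"SMTPD" 100 9400 "2012-04-11 09:00:00.000" "192.168.1.20" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 100 9400 "2012-04-11 09:00:00.100" "192.168.1.20" "RECEIVED: {FULL_LOGIN_B64}"
"SMTPD" 100 9400 "2012-04-11 09:00:00.400" "192.168.1.20" "SENT: 235 authenticated."
"SMTPD" 100 9400 "2012-04-11 09:00:00.500" "192.168.1.20" "RECEIVED: MAIL FROM:<bescher@rsegroup.com>"
"SMTPD" 100 9400 "2012-04-11 09:00:00.600" "192.168.1.20" "RECEIVED: RCPT TO:<someone@example.com>"
'''

def parse_line(line):
    """Split one log line into fields; None for lines in another layout (TCPIP, APPLICATION)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    comp, _thread, session, ts, ip, msg = m.groups()
    return {"comp": comp, "session": session, "ts": ts, "ip": ip, "msg": msg}

def reconstruct_sessions(log_text):
    """Group SMTPD lines by session id; extract login name, envelope sender and recipients."""
    sessions = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["comp"] != "SMTPD" or rec["session"] == "0":
            continue  # session 0 carries the DNS/RBL lookups, not SMTP dialogue
        s = sessions.setdefault(rec["session"], {
            "ip": rec["ip"], "username": None, "expect_username": False,
            "authenticated": False, "mail_from": None, "rcpts": []})
        if rec["msg"].startswith("SENT: "):
            body = rec["msg"][6:]
            if body == USERNAME_PROMPT:
                s["expect_username"] = True  # the next RECEIVED line is the base64 login name
            elif body.startswith("235 "):
                s["authenticated"] = True
        elif rec["msg"].startswith("RECEIVED: "):
            body = rec["msg"][10:]
            if s["expect_username"]:
                s["expect_username"] = False
                try:
                    s["username"] = base64.b64decode(body, validate=True).decode("utf-8", "replace")
                except ValueError:  # binascii.Error is a ValueError; malformed base64 stays unknown
                    s["username"] = None
                continue
            m = MAIL_FROM_RE.search(body)
            if m:
                s["mail_from"] = m.group(1).strip()
                continue
            m = RCPT_TO_RE.search(body)
            if m:
                s["rcpts"].append(m.group(1).strip())
    return sessions

def audit(sessions, trusted_ips, rcpt_threshold=5):
    """Findings per authenticated session; unauthenticated inbound mail is left to RBL/SPF checks."""
    findings = {}
    for sid, s in sessions.items():
        if not s["authenticated"]:
            continue
        hits = []
        user = s["username"]
        if user and "@" not in user:
            hits.append("bare-username-login")  # only possible when a default domain is set
        if user and s["mail_from"] is not None and s["mail_from"].lower() != user.lower():
            hits.append("sender-mismatch")  # the rule the OnAcceptMessage script enforces
        if s["ip"] not in trusted_ips:
            hits.append("untrusted-source-ip")  # an address you do not own used your login
        if len(s["rcpts"]) >= rcpt_threshold:
            hits.append("many-recipients")
        findings[sid] = hits
    return findings

if __name__ == "__main__":
    for sid, hits in audit(reconstruct_sessions(SAMPLE_LOG), {"192.168.1.20"}, 3).items():
        print(sid, hits or "clean")
```

Feed it the full hMailServer SMTPD log and your own LAN/office addresses as the trusted set; a session that trips "untrusted-source-ip" together with "bare-username-login" is the pattern seen in session 9311.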

Re: Forgery or What is going on

Posted: 2012-04-13 13:14
by bescher
Thanks
I did disable it.