[cobalt-users] RAQ3 - Baffling SPAM Message Relay
- Subject: [cobalt-users] RAQ3 - Baffling SPAM Message Relay
- From: "Efrem Habteselassie" <efrem@xxxxxxxxxxxxxxxxxx>
- Date: Fri Oct 19 08:40:03 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Hello All;
Our server is being used to relay Spam messages to hundreds of addresses.
Have been working to try and fix this for two weeks now.
We tried all of the following:
- Read a lot of (very helpful) advice on this forum.
- Have installed all of the latest RPMs on Cobalt site.
- Found the T0RN rootkit and deleted and replaced all of affected files.
- Installed POP b4 Relay
- Switched to SSH and killed telnet
SPAM still continuing!
The emails appear to be originating from=admin
I also see relay=admin@localhost
Questions:
1) How do I turn off ALL relaying? Simply using the UI panels does not seem
to work.
2) Any suggestions as to what this might be?
Any comments welcome!
Efrem H.
ACIS Consulting
Here is a snippet from our mail log this morning:
Oct 19 11:02:31 www sendmail[2754]: NOQUEUE: Null connection from 209-213-220-199.edirectnetwork.net [209.213.220.199] (may be forged)
Oct 19 11:05:15 www sendmail[2908]: LAA02908: from=admin, size=1147, class=0, pri=751147, nrcpts=25, msgid=<200110191505.LAA02908@www.***mydomain***.com>, relay=admin@localhost
Oct 19 11:05:17 www sendmail[2910]: LAA02908: to=khepkk@xxxxxxx,lobox27@xxxxxxx,kheppe@xxxxxxx,katesplace@xxxxxxx,lavito@aol.com,khepren@xxxxxxx,katesplce@xxxxxxx,lieuduke@xxxxxxx,khepri06@xxxxxxx,jsmith9408@xxxxxxx,katesport8@xxxxxxx,katesportgrl@aol.com,jsmith9410@xxxxxxx,jminz@xxxxxxx,khepri986@xxxxxxx,marc0815@xxxxxxx,lieuelle@xxxxxxx,jsmith945@xxxxxxx,lobox2amor@xxxxxxx,khepri@xxxxxxx,katespuzzl@xxxxxxx,krv213@xxxxxxx,luvsaqua@xxxxxxx,jminzi@aol.com,katesq34@xxxxxxx, ctladdr=admin (110/27), delay=00:00:02, xdelay=00:00:02, mailer=esmtp, relay=mailin-03.mx.aol.com. [205.188.156.186], stat=Sent (OK)
Oct 19 11:10:53 www sendmail[3144]: LAA03144: from=admin, size=1187, class=0, pri=751187, nrcpts=25, msgid=<200110191510.LAA03144@www.***mydomain***.com>, relay=admin@localhost
Thanks for reading...!
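
Added example, not part of the original post: a small log triage script that groups sendmail entries by queue ID and flags messages whose from= line carries relay=<user>@localhost, which is what sendmail logs for mail handed to it by a process on the host itself rather than received from another machine over SMTP. The sample lines are constructed on the model of the snippet above (example.* domains and 192.0.2.x addresses are placeholders), and the function names and the recipient threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same sendmail log format as the post.
SAMPLE_LOG = """\
Oct 19 11:05:15 www sendmail[2908]: LAA02908: from=admin, size=1147, class=0, pri=751147, nrcpts=25, msgid=<200110191505.LAA02908@www.example.com>, relay=admin@localhost
Oct 19 11:05:17 www sendmail[2910]: LAA02908: to=a@example.net,b@example.net, ctladdr=admin (110/27), delay=00:00:02, xdelay=00:00:02, mailer=esmtp, relay=mx.example.net. [192.0.2.10], stat=Sent (OK)
Oct 19 11:07:40 www sendmail[3001]: LAA03001: from=<bob@example.org>, size=900, class=0, pri=30900, nrcpts=1, msgid=<x@example.org>, proto=ESMTP, relay=client.example.org [192.0.2.55]
Oct 19 11:07:41 www sendmail[3002]: LAA03001: to=<carol@example.com>, delay=00:00:01, xdelay=00:00:00, mailer=local, stat=Sent
Oct 19 11:10:53 www sendmail[3144]: LAA03144: from=admin, size=1187, class=0, pri=751187, nrcpts=25, msgid=<200110191510.LAA03144@www.example.com>, relay=admin@localhost
"""

ENTRY = re.compile(r"sendmail\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$")

def parse(log_text):
    """Group sendmail log fields by queue ID."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m or m.group("qid") == "NOQUEUE":
            continue
        # Fields are separated by ", "; recipients inside to= use a bare ",".
        fields = dict(p.split("=", 1) for p in m.group("rest").split(", ") if "=" in p)
        rec = msgs[m.group("qid")]
        if "from" in fields:
            rec.update(sender=fields["from"], nrcpts=int(fields.get("nrcpts", 0)),
                       origin=fields.get("relay", ""))
        elif "to" in fields:
            # ctladdr is the controlling account, logged as "user (uid/gid)".
            rec.setdefault("ctladdr", fields.get("ctladdr", "").split(" ")[0])
    return msgs

def local_bulk_submissions(msgs, min_rcpts=10):
    """Messages submitted on the host itself to at least min_rcpts recipients."""
    hits = []
    for qid, rec in sorted(msgs.items()):
        origin = rec.get("origin", "")
        if origin.endswith("@localhost") and rec.get("nrcpts", 0) >= min_rcpts:
            hits.append((qid, origin.split("@")[0], rec["nrcpts"]))
    return hits

if __name__ == "__main__":
    for qid, user, n in local_bulk_submissions(parse(SAMPLE_LOG)):
        print(f"{qid}: submitted locally as '{user}' to {n} recipients; "
              "check for a local process or script running as that account")
```

Entries flagged this way are not affected by SMTP relay rules, since the message never arrived over the network; the place to look is whatever on the host is invoking sendmail under that account.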