
[cobalt-users] RaQ3/4 - Disable Relaying



I just disabled the "Pop before Relay" check box in
the GUI, but I noticed the script was still running
-okay to just kill off the process?

perl /usr/local/sbin/poprelayd -d

>However, be careful, if he has ftp access, he 
>could upload a spamware cgi script and spam 
>from inside the server, that one is really nasty 
>as he has direct access to a fast connection then...

I think you're right, I'm watching his directories but
it appears he's deleting the script right after he
does his deeds. 

Every day for the last several days I see about 1-2
dozen entries like this in my logs:

Feb  7 11:07:58 sendmail: ruleset=check_rcpt,
arg1=<hanmail@xxxxxxxxxxxx>, relay=[61.75.92.51],
reject=550 <hanmail@xxxxxxxxxxxx>... Relaying denied.

Feb  7 11:08:01 sendmail: ruleset=check_rcpt,
arg1=<hanmail@xxxxxxxxxxx>, relay=[61.75.92.51],
reject=550 <hanmail@xxxxxxxxxxx>... Relaying denied.

Feb  7 11:08:05 sendmail: ruleset=check_rcpt,
arg1=<hanmail@cupis1018621>, relay=[61.75.92.51],
reject=550 <hanmail@cupis1018621>... Relaying denied.

Feb  7 11:08:08 sendmail: ruleset=check_rcpt,
arg1=<hanmail@xxxxxxxxxxx>, relay=[61.75.92.51],
reject=550 <hanmail@xxxxxxxxxxx>... Relaying denied.

Feb  7 11:08:12 sendmail: ruleset=check_rcpt,
arg1=<hanmail@xxxxxxxxxx>, relay=[61.75.92.51],
reject=550 <hanmail@xxxxxxxxxx>... Relaying denied.

Feb  7 11:08:16 sendmail: ruleset=check_rcpt,
arg1=<hanmail@xxxxxxxxxxxx>, relay=[61.75.92.51],
reject=550 <hanmail@xxxxxxxxxxxx>... Relaying denied.

Feb  7 11:08:19 sendmail: ruleset=check_rcpt,
arg1=<hanmail@xxxxxxxxxxxx>, relay=[61.75.92.51],
reject=550 <hanmail@xxxxxxxxxxxx>... Relaying denied.

Feb  7 11:08:22 sendmail: ruleset=check_rcpt,
arg1=<hanmail@xxxxxxxxxxxxx>, relay=[61.75.92.51],
reject=550 <hanmail@xxxxxxxxxxxxx>... Relaying denied.

I then block the IP in my firewall, and also via the
reject box (for mail/hosts) in the GUI -but they're
always back the next day on another IP addy. Plus it's
always just for 1 min (the time of the open relay
window), then it stops. Then maybe a second time later
in the day.

I know it's attached to one of the user accounts on
the box, because it just started happening around a week
ago -but I've been moving domains from server A over to a
new server B (in groups of 5 per day), and it just
started on server B last night (and stopped on server
A). I've been able to pin it down to 1-3 domains just
moved over to server B, and I'm working on figuring
out which domain is causing all the noise (then I
close their acct).  I've checked all their directories
for formmail scripts and the like, but notta. It's
like they try and hammer away at the relay for about 1
min each day just to try and get off a few spams. It's
been my experience (and even users have commented on
this since I started requiring them to all use their
ISPs for SMTP) -that even if you don't permit
relaying on the RaQs, if you bang on the send button
of the outgoing message long enough, the server will
eventually accept the mail for delivery (one piece at
a time).

Thanks!
Chad
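A burst check over the kind of "Relaying denied" entries quoted above, added here as an example; it is not part of the original post or of the RaQ software. The sample log is constructed in the same shape as the excerpt (relay IP as quoted, recipients masked, one entry wrapped the way the post shows it), the year is an assumed parameter because syslog omits it, and the 60-second window matches the one-minute hammering the post describes.

```python
import re
from collections import defaultdict
from datetime import datetime

# One sendmail check_rcpt rejection, after any wrapped continuation lines are re-joined.
RELAY_DENIED = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) sendmail: "
    r"ruleset=check_rcpt,\s*arg1=<(?P<rcpt>[^>]+)>,\s*relay=\[(?P<ip>[\d.]+)\],"
    r"\s*reject=550 .*Relaying denied\.$")

# Constructed sample in the shape of the post's excerpt (IP as quoted there, recipients
# masked); the first entry is wrapped across lines, the others are one entry per line.
SAMPLE_LOG = """Feb  7 11:07:58 sendmail: ruleset=check_rcpt,
arg1=<hanmail@xxxxxxxxxxxx>, relay=[61.75.92.51],
reject=550 <hanmail@xxxxxxxxxxxx>... Relaying denied.
Feb  7 11:08:01 sendmail: ruleset=check_rcpt, arg1=<hanmail@xxxxxxxxxxx>, relay=[61.75.92.51], reject=550 <hanmail@xxxxxxxxxxx>... Relaying denied.
Feb  7 11:08:05 sendmail: ruleset=check_rcpt, arg1=<hanmail@cupis1018621>, relay=[61.75.92.51], reject=550 <hanmail@cupis1018621>... Relaying denied.
Feb  7 11:08:08 sendmail: ruleset=check_rcpt, arg1=<hanmail@xxxxxxxxxxx>, relay=[61.75.92.51], reject=550 <hanmail@xxxxxxxxxxx>... Relaying denied.
Feb  7 11:08:12 sendmail: ruleset=check_rcpt, arg1=<hanmail@xxxxxxxxxx>, relay=[61.75.92.51], reject=550 <hanmail@xxxxxxxxxx>... Relaying denied.
Feb  7 11:30:00 sendmail: ruleset=check_rcpt, arg1=<user@example.invalid>, relay=[192.0.2.10], reject=550 <user@example.invalid>... Relaying denied.
"""

def parse_relay_denials(log_text, year=2002):
    """Return (timestamp, relay_ip, recipient) per denial. Continuation lines are
    re-joined at each physical line that starts with a new timestamp; the year is
    an assumption because syslog timestamps omit it."""
    out = []
    for rec in re.split(r"\n(?=[A-Z][a-z]{2}\s+\d)", log_text.strip()):
        m = RELAY_DENIED.match(" ".join(p.strip() for p in rec.splitlines()))
        if m:
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                   "%Y %b %d %H:%M:%S")
            out.append((ts, m["ip"], m["rcpt"]))
    return out

def relay_bursts(records, window_secs=60, threshold=5):
    """Return {relay_ip: peak_count} for relays with at least `threshold` denials
    inside any sliding window of `window_secs`: the hammer-for-a-minute pattern.
    Flagged IPs are candidates for the firewall or the GUI reject list."""
    by_ip = defaultdict(list)
    for ts, ip, _ in records:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_secs:
                start += 1          # slide the window forward past stale entries
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged
```

Point it at /var/log/maillog (or the RaQ's equivalent) by reading the file into `parse_relay_denials` in place of `SAMPLE_LOG`; a single relay IP that keeps reappearing with a fresh address each day still shows up, since each day's burst is flagged on its own.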
