I've got a problem....
We are suddenly getting an influx of NDRs on an Exchange account (hundreds) from e-mail addresses we have never heard of.
At first I thought someone was using us as a relay, but I have the server locked down tight and it can't be used as an open relay.
I then wondered if someone had hacked said Exchange account and was sending the spam that way, so I've reset the user's password. I'm still getting NDRs, but they might just be delayed NDRs.
Below is a log from our SMTP server:
2008-03-28 13:13:54 202.78.64.80 mail1.skycable.com SMTPSVC1 QDPSERVER 217.39.172.29 0 EHLO - +mail1.skycable.com 250 0 287 23 0 SMTP - - - -
2008-03-28 13:13:54 202.78.64.80 mail1.skycable.com SMTPSVC1 QDPSERVER 217.39.172.29 0 MAIL - +FROM:<> 250 0 27 22 0 SMTP - - - -
2008-03-28 13:13:59 202.78.64.80 mail1.skycable.com SMTPSVC1 QDPSERVER 217.39.172.29 0 RCPT - +TO:<11marketing2@quintdown.co.uk> 550 0 0 38 5063 SMTP - - - -
2008-03-28 13:13:59 202.78.64.80 mail1.skycable.com SMTPSVC1 QDPSERVER 217.39.172.29 0 DATA - - 503 0 0 4 0 SMTP - - - -
2008-03-28 13:14:05 202.78.64.80 mail1.skycable.com SMTPSVC1 QDPSERVER 217.39.172.29 0 MAIL - +FROM:<> 250 0 27 22 0 SMTP - - - -
2008-03-28 13:14:10 202.78.64.80 mail1.skycable.com SMTPSVC1 QDPSERVER 217.39.172.29 0 RCPT - +TO:<ymarketing2@quintdown.co.uk> 550 0 0 37 5000 SMTP - - - -
2008-03-28 13:14:10 202.78.64.80 mail1.skycable.com SMTPSVC1 QDPSERVER 217.39.172.29 0 DATA - - 503 0 0 4 0 SMTP - - - -
2008-03-28 13:14:16 202.78.64.80 mail1.skycable.com SMTPSVC1 QDPSERVER 217.39.172.29 0 QUIT - mail1.skycable.com 240 22297 68 4 0 SMTP - - - -
2008-03-28 13:14:23 81.7.95.170 static-81-7-95-170.zebra.lt SMTPSVC1 QDPSERVER 217.39.172.29 0 EHLO - +static-81-7-95-170.zebra.lt 250 0 286 32 0 SMTP - - - -
2008-03-28 13:14:23 81.7.95.170 static-81-7-95-170.zebra.lt SMTPSVC1 QDPSERVER 217.39.172.29 0 MAIL - +From:<xfjoel.guillen@gstautoleather.com> 250 0 58 45 0 SMTP - - - -
2008-03-28 13:14:23 81.7.95.170 static-81-7-95-170.zebra.lt SMTPSVC1 QDPSERVER 217.39.172.29 0 RCPT - +To:<marketing@quintdown.co.uk> 250 0 0 35 16 SMTP - - - -
2008-03-28 13:14:23 81.7.95.170 static-81-7-95-170.zebra.lt SMTPSVC1 QDPSERVER 217.39.172.29 0 DATA - +<000801c890d5$07abec38$36ab1c8a@tnmpscm> 250 0 124 2196 593 SMTP - - - -
2008-03-28 13:14:23 81.7.95.170 static-81-7-95-170.zebra.lt SMTPSVC1 QDPSERVER 217.39.172.29 0 QUIT - static-81-7-95-170.zebra.lt 240 890 68 4 0 SMTP - - - -
---------------------------------------------------------------------
Any ideas?
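Added example (not from the original post): a small Python script that parses IIS SMTP service log lines in the layout shown above and summarises, per connecting IP, how many envelopes used the null sender (MAIL FROM:<>, the envelope that bounce messages use), how many recipients the server rejected with 550, and how many messages it accepted. The sample input is the log from the post; the field positions (client IP in column 3, HELO name in column 4, SMTP verb in column 9, argument in column 11, reply code in column 12) are assumed from that layout, and the category names are my own. Run over the lines above, it reports the first connection as null-sender deliveries to two local addresses the server rejected, i.e. bounces coming back for mail that did not originate there, and the second connection as an ordinary accepted message.

```python
"""Summarise IIS SMTP service log lines (the W3C layout in the post) per client IP:
how many null-sender envelopes (MAIL FROM:<>, the envelope bounces use) arrived,
how many recipients were rejected with 550, and how many messages were accepted."""
from collections import defaultdict

# Log lines copied from the post above. Field positions are assumed from that
# layout: date time c-ip helo-name site server s-ip s-port verb - argument status ...
SAMPLE_LOG = """\
2008-03-28 13:13:54 202.78.64.80 mail1.skycable.com SMTPSVC1 QDPSERVER 217.39.172.29 0 EHLO - +mail1.skycable.com 250 0 287 23 0 SMTP - - - -
2008-03-28 13:13:54 202.78.64.80 mail1.skycable.com SMTPSVC1 QDPSERVER 217.39.172.29 0 MAIL - +FROM:<> 250 0 27 22 0 SMTP - - - -
2008-03-28 13:13:59 202.78.64.80 mail1.skycable.com SMTPSVC1 QDPSERVER 217.39.172.29 0 RCPT - +TO:<11marketing2@quintdown.co.uk> 550 0 0 38 5063 SMTP - - - -
2008-03-28 13:13:59 202.78.64.80 mail1.skycable.com SMTPSVC1 QDPSERVER 217.39.172.29 0 DATA - - 503 0 0 4 0 SMTP - - - -
2008-03-28 13:14:05 202.78.64.80 mail1.skycable.com SMTPSVC1 QDPSERVER 217.39.172.29 0 MAIL - +FROM:<> 250 0 27 22 0 SMTP - - - -
2008-03-28 13:14:10 202.78.64.80 mail1.skycable.com SMTPSVC1 QDPSERVER 217.39.172.29 0 RCPT - +TO:<ymarketing2@quintdown.co.uk> 550 0 0 37 5000 SMTP - - - -
2008-03-28 13:14:10 202.78.64.80 mail1.skycable.com SMTPSVC1 QDPSERVER 217.39.172.29 0 DATA - - 503 0 0 4 0 SMTP - - - -
2008-03-28 13:14:16 202.78.64.80 mail1.skycable.com SMTPSVC1 QDPSERVER 217.39.172.29 0 QUIT - mail1.skycable.com 240 22297 68 4 0 SMTP - - - -
2008-03-28 13:14:23 81.7.95.170 static-81-7-95-170.zebra.lt SMTPSVC1 QDPSERVER 217.39.172.29 0 EHLO - +static-81-7-95-170.zebra.lt 250 0 286 32 0 SMTP - - - -
2008-03-28 13:14:23 81.7.95.170 static-81-7-95-170.zebra.lt SMTPSVC1 QDPSERVER 217.39.172.29 0 MAIL - +From:<xfjoel.guillen@gstautoleather.com> 250 0 58 45 0 SMTP - - - -
2008-03-28 13:14:23 81.7.95.170 static-81-7-95-170.zebra.lt SMTPSVC1 QDPSERVER 217.39.172.29 0 RCPT - +To:<marketing@quintdown.co.uk> 250 0 0 35 16 SMTP - - - -
2008-03-28 13:14:23 81.7.95.170 static-81-7-95-170.zebra.lt SMTPSVC1 QDPSERVER 217.39.172.29 0 DATA - +<000801c890d5$07abec38$36ab1c8a@tnmpscm> 250 0 124 2196 593 SMTP - - - -
2008-03-28 13:14:23 81.7.95.170 static-81-7-95-170.zebra.lt SMTPSVC1 QDPSERVER 217.39.172.29 0 QUIT - static-81-7-95-170.zebra.lt 240 890 68 4 0 SMTP - - - -
"""


def parse_line(line):
    """Return the fields this summary needs, or None for a short or '#' header line."""
    f = line.split()
    if len(f) < 12 or line.startswith("#"):
        return None
    arg = f[10].lstrip("+")          # IIS prefixes the verb argument with '+'
    return {"ip": f[2], "helo": f[3], "verb": f[8].upper(), "arg": arg, "status": int(f[11])}


def address_of(arg):
    """'FROM:<a@b>' / 'To:<a@b>' -> 'a@b'; the null sender '<>' -> ''."""
    inside = arg.split(":", 1)[1] if ":" in arg else arg
    return inside.strip().strip("<>").lower()


def summarise(log_text):
    """Per client IP: null-sender envelopes, 550-rejected recipients, accepted messages."""
    stats = defaultdict(lambda: {"helo": None, "null_sender": 0, "rejected": [],
                                 "accepted": 0, "senders": set()})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["helo"] = rec["helo"]
        if rec["verb"] == "MAIL":
            sender = address_of(rec["arg"])
            s["senders"].add(sender)
            if sender == "":              # MAIL FROM:<> : a bounce/NDR envelope
                s["null_sender"] += 1
        elif rec["verb"] == "RCPT" and rec["status"] == 550:
            s["rejected"].append(address_of(rec["arg"]))   # unknown local user
        elif rec["verb"] == "DATA" and rec["status"] == 250:
            s["accepted"] += 1            # message body accepted for delivery
    return dict(stats)


def classify(s):
    """Category names are my own: bounces to unknown local users, with nothing
    accepted, is the backscatter pattern; otherwise report what got through."""
    if s["null_sender"] and s["rejected"] and not s["accepted"]:
        return "backscatter-rejected"
    if s["accepted"]:
        return "message-accepted"
    return "no-delivery"


if __name__ == "__main__":
    for ip, s in summarise(SAMPLE_LOG).items():
        print(ip, s["helo"], classify(s),
              "null-sender=%d rejected=%s accepted=%d"
              % (s["null_sender"], s["rejected"], s["accepted"]))
```

To run it over a real log, replace SAMPLE_LOG with the file contents; the '#' guard skips the W3C header lines IIS writes at the top of each file. Rejected recipients are kept as a list rather than a count so that the pattern of forged local names (here two variants of "marketing2") is visible in the output.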