we had a similar problem this morning - a spammer at ya.ru apparently got hold of an account's password and opened several smtp sessions using 5 different spoofed - we think - ip addresses. the reason we believe they were spoofed is that entering them into iptables did not stop the traffic. since the sessions were already authenticated, changing the account password and restarting didn't help. adding the domain name into the g_ban_from list and restarting didn't help either. ultimately, we added an mfilter rule: if (rexp(from,'HIDDEN@u')) then drop "Spammer Address in From" end if which seemed to work. seems to me there's got to be a better way to kill smtp connections that are known to be 'bad.' david camm advanced web systems keller, tx On 5/5/2015 4:14 PM, Frank Bulk wrote: Chris, Thanks, that’s good to know. Today we move the files out as the file system level, and then restart Surgemail so that if there any SMPT sessions in progress those are close and if there are any authenticated SMTP sessions those are gone. We found that just changing the password using tellmail was insufficient. Are we getting closer to the point where we can deal with a spammer who has one of our customer’s compromised credentials and not have to stop and then start Surgemail? Frank *From:*Surgemail Support [mailto:surgemail-support@netwinsite.com] *Sent:* Sunday, May 03, 2015 6:00 PM *To:* surgemail-list@netwinsite.com *Subject:* Re: [SurgeMail List] Suspended account still sending mail Just re-posting this response to get it in the archive. This turned out to be an issue with messages currently being sent being 'locked' in future builds it will correctly delete messages which are being 'sent' when the tellmail delete_contains command is used. ChrisP. On 4/15/2015 8:03 PM, Tom Cross wrote: Hi A customer had a virus sending 100's of emails out. I suspended the account, deleted the mail queue for the user and restarted the service. I go into the Mail queue and there they are again 79 mails. Delete again. 10 min later they are back. Help please. tom cross Partner Synergist 0418 295 336 tomc@html.net.au <mailto:tomc@html.net.au>
Chris, Thanks, that’s good to know. Today we move the files out as the file system level, and then restart Surgemail so that if there any SMPT sessions in progress those are close and if there are any authenticated SMTP sessions those are gone. We found that just changing the password using tellmail was insufficient. Are we getting closer to the point where we can deal with a spammer who has one of our customer’s compromised credentials and not have to stop and then start Surgemail? Frank *From:*Surgemail Support [mailto:surgemail-support@netwinsite.com] *Sent:* Sunday, May 03, 2015 6:00 PM *To:* surgemail-list@netwinsite.com *Subject:* Re: [SurgeMail List] Suspended account still sending mail Just re-posting this response to get it in the archive. This turned out to be an issue with messages currently being sent being 'locked' in future builds it will correctly delete messages which are being 'sent' when the tellmail delete_contains command is used. ChrisP. On 4/15/2015 8:03 PM, Tom Cross wrote: Hi A customer had a virus sending 100's of emails out. I suspended the account, deleted the mail queue for the user and restarted the service. I go into the Mail queue and there they are again 79 mails. Delete again. 10 min later they are back. Help please. tom cross Partner Synergist 0418 295 336 tomc@html.net.au <mailto:tomc@html.net.au>
Last Message | Next Message