My ASL secured server is being used to send out spam. I've caught it a couple times and am learning how to hunt. I'd appreciate any suggestions on good practices to lock down a server so it can't effectively be used as a relay.
Good info here: http://gnufreakz.wordpress.com/2010/02/ ... -in-qmail/
Here's one I tracked:
Received: (qmail 26429 invoked from network); 9 Oct 2010 04:15:39 -0400
Received: from localhost (127.0.0.1)
by localhost with SMTP; 9 Oct 2010 04:15:39 -0400
Received: from 18.104.22.168 ([22.214.171.124]) by webmail.editeddomainname.com
(Horde Framework) with HTTP; Sat, 09 Oct 2010 04:15:37 -0400
Ah ha, someone was using a crappy password on webmail. I turned off webmail for that domain.
Received: (qmail 24463 invoked from network); 15 Oct 2010 02:07:56 -0400
Received: from unknown (HELO User) (126.96.36.199) by myservers.editedreverselookup.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 15
This one is a little harder for me to decipher. Any ideas? Who is "User" to HELO? Invoked from "network"? Ideas on how to find this one?
I'm not sure if it's the right thing to do, but I went into my ASL interface today and blacklisted 188.8.131.52/16. Will that prevent any connections from them? I also geoblocked Nigeria.
I've been googling, searching the ASL docs, etc. Does anyone have a good comprehensive "lock down your email but still allow your users access" tut?