Web Hosting Talk

Yet another RAQ Spamming question...


davea
11-22-2002, 02:49 PM
It looks like someone is attempting to use one of our RAQS (this one is an XTR) to send SPAM. We caught them using someone's FormMail.pl script the other day so we killed that script.

But someone is STILL trying to send SPAM through our server!

When I do a tail -f /var/log/maillog, here's a sample of what I'm getting:

Nov 22 12:42:41 xtr1 sendmail[5765]: gAK8NGf20429: to=<custrav@domain.net>.www.hosteddomain.com, delay=2+10:19:25, xdelay=00:00:00, mailer=esmtp, pri=2220818, relay=domain.net. [XXX.XXX.XXX.XXX], dsn=4.0.0, stat=Deferred: Connection refused by domain.net.

The hosteddomain.com part is the domain that had the FormMail.pl script on their site.

I *think* I understand that the mail is NOT being sent because, if it were, the log would say stat=SENT instead of stat=Deferred: Connection refused by domain.net.

Is there a way to prevent these attempts? We have Check Mail before SMTP Relay checked under the email server settings on the server but that doesn't seem to help.
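As an added example (not code from the thread or from anyone posting in it), a small parser for the sendmail maillog format quoted above: it splits each delivery line into its key=value fields, separates Sent from Deferred attempts (sendmail logs a successful delivery as stat=Sent (...)), and reports which relays are refusing and which queue ids keep being retried. The log lines are constructed samples shaped like the one in the post; 192.0.2.10 stands in for the masked address.

```python
import re
from collections import Counter

# Constructed sample maillog lines (not from the original post); the first
# mirrors the shape of the quoted entry, with an RFC 5737 documentation
# address standing in for the masked XXX.XXX.XXX.XXX.
SAMPLE_MAILLOG = """\
Nov 22 12:42:41 xtr1 sendmail[5765]: gAK8NGf20429: to=<custrav@domain.net>.www.hosteddomain.com, delay=2+10:19:25, xdelay=00:00:00, mailer=esmtp, pri=2220818, relay=domain.net. [192.0.2.10], dsn=4.0.0, stat=Deferred: Connection refused by domain.net.
Nov 22 12:43:02 xtr1 sendmail[5771]: gAK8NGf20431: to=<bob@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30512, relay=mail.example.org. [192.0.2.20], dsn=2.0.0, stat=Sent (Ok: queued as 12345)
Nov 22 12:43:09 xtr1 sendmail[5780]: gAK8NGf20432: to=<carol@example.net>, delay=1+00:00:00, xdelay=00:00:00, mailer=esmtp, pri=2210000, relay=example.net. [192.0.2.30], dsn=4.0.0, stat=Deferred: Connection refused by example.net.
Nov 22 12:44:00 xtr1 sendmail[5790]: gAK8NGf20429: to=<custrav@domain.net>.www.hosteddomain.com, delay=2+10:20:44, xdelay=00:00:00, mailer=esmtp, pri=2310818, relay=domain.net. [192.0.2.10], dsn=4.0.0, stat=Deferred: Connection refused by domain.net.
"""

# "Mon DD HH:MM:SS host sendmail[pid]: QUEUEID: to=..., key=value, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[\d+\]: "
    r"(?P<qid>\w+): (?P<fields>to=.*)$"
)
# Values may themselves contain commas (inside stat=...), so a value only
# ends where the next ", key=" begins or at end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")


def parse_maillog(text):
    """Return one dict per sendmail delivery-attempt line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = {"ts": m["ts"], "host": m["host"], "qid": m["qid"]}
        entry.update(FIELD_RE.findall(m["fields"]))
        # stat reads "Sent (...)" or "Deferred: reason"; keep only the verdict word
        entry["verdict"] = re.split(r"[ :(]", entry.get("stat", ""), maxsplit=1)[0]
        entries.append(entry)
    return entries


def summarize(entries):
    """Count Sent vs Deferred, group refusals by relay, list queue ids retried more than once."""
    verdicts = Counter(e["verdict"] for e in entries)
    deferred = [e for e in entries if e["verdict"] == "Deferred"]
    # relay looks like "domain.net. [192.0.2.10]"; keep the bare host name
    by_relay = Counter(e["relay"].split(" ")[0].rstrip(".") for e in deferred)
    attempts = Counter(e["qid"] for e in deferred)
    retried = sorted(q for q, n in attempts.items() if n > 1)
    return {"verdicts": dict(verdicts), "deferred_by_relay": by_relay, "retried_qids": retried}


if __name__ == "__main__":
    print(summarize(parse_maillog(SAMPLE_MAILLOG)))
```

A queue id that shows up as Deferred again and again with a growing delay= is the same stuck message being retried from the queue, not a new submission, which is the distinction the thread turns on.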

cbtrussell
11-22-2002, 08:24 PM
Could be wrong, but looks to me like this was a message that was sent from your server and is now being bounced back to you as undeliverable/refused. In other words, this could have been sent before you found the formmail exploit, but is just now being bounced back. If formmail has been removed, they can't send mail through your server anymore. Your Apache logs should confirm this as you'll see lots of matching invalid HTTP requests for the old formmail URL.

The more important question is, why was the message delivery refused? Are you listed on a SPEWS-type blacklist somewhere, or did the receiving SMTP server just catch a forged header?

Better check.

Brandon