  1. #1

    Ongoing blacklisting issue

    For the last month I've had problems with my VPS being blacklisted, and it always seems to be around the same time of day.

    Anyway, the VPS is managed, but it's a right pain in the backside getting support to deal with the problem for me and sort it out. I get answers like "It's a PHP script", and when I ask which script they say they can't find out.

    After getting advice from people on this forum, I asked support to set up exim so that it recorded the folder of any scripts sending out mail, but when I run grep to show any exim_mainlog entries with cwd= there is very little appearing apart from genuine mails being sent by contact forms on websites.

    I managed to get evidence of a mail which caused the server to be blacklisted and sent this to support, who said the mails are being sent via header injection on contact scripts, so I've gone through the contact scripts and changed them, but again, still blacklisted.

    I may be wrong here, but surely if someone was doing mail injection then I would be receiving copies of the mail myself as the website mails me with the enquiry, and also surely the exim_mainlog would show the folder containing the script as sending mails... but it doesn't.

    I'm completely lost here; somehow mail is being sent from the server, whether it be via a script or what, but I can't (and neither can support) determine the exact script that is sending mail.

    Here is a snippet of the exim_mainlog from around the time the evidence mail was sent.

    Code:
    Aug 25 21:59:40 awt spamd[5164]: spamd: checking message <16291601c7e75a$d5a016e0$0d4cb34c@ALLEN> for thegran:32010
    Aug 25 21:59:46 awt spamd[23731]: spamd: connection from localhost [127.0.0.1] at port 47366
    Aug 25 21:59:46 awt spamd[23731]: spamd: setuid to libraifa succeeded
    Aug 25 21:59:46 awt spamd[23731]: spamd: checking message <494307824222.548029453854@flcjn.net> for libraifa:32006
    Aug 25 21:59:48 awt spamd[5164]: spamd: identified spam (17.1/5.0) for thegran:32010 in 7.7 seconds, 1050 bytes.
    Aug 25 21:59:48 awt spamd[5164]: spamd: result: Y 17 - BAYES_99,DATE_IN_PAST_06_12,FORGED_MUA_OUTLOOK,INVALID_MSGID,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RDNS_DYNAMIC,STOX_REPLY_TYPE,URIBL_BLACK,URIBL_RHS_DOB,URIBL_SBL scantime=7.7,size=1050,user=thegran,uid=32010,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=47347,mid=<16291601c7e75a$d5a016e0$0d4cb34c@ALLEN>,bayes=1.000000,autolearn=spam
    Aug 25 21:59:48 awt spamd[28500]: prefork: child states: IB
    Aug 25 21:59:52 awt spamd[23731]: spamd: identified spam (12.3/2.5) for libraifa:32006 in 6.4 seconds, 6742 bytes.
    Aug 25 21:59:52 awt spamd[23731]: spamd: result: Y 12 - AXB_XMID_1212,BAYES_60,EXTRA_MPART_TYPE,HTML_IMAGE_ONLY_04,HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE scantime=6.4,size=6742,user=libraifa,uid=32006,required_score=2.5,rhost=localhost,raddr=127.0.0.1,rport=47366,mid=<494307824222.548029453854@flcjn.net>,bayes=0.654621,autolearn=no
    Aug 25 21:59:52 awt spamd[28500]: prefork: child states: II
    Aug 25 21:59:53 awt pop3d: LOGIN, user=andrew@myhomeonthe.net, ip=[::ffff:212.159.101.86]
    Aug 25 21:59:56 awt pop3d: LOGOUT, user=andrew@myhomeonthe.net, ip=[::ffff:212.159.101.86], top=0, retr=39944, rcvd=56, sent=40746, time=3
    Aug 25 22:04:12 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 48176
    Aug 25 22:04:12 awt spamd[5164]: spamd: setuid to libraifa succeeded
    Aug 25 22:04:12 awt spamd[5164]: spamd: checking message <E1IP2ng-0002eI-Eg@wear.readytogo.net> for libraifa:32006
    Aug 25 22:04:20 awt spamd[5164]: spamd: clean message (-2.6/2.5) for libraifa:32006 in 7.6 seconds, 1827 bytes.
    Aug 25 22:04:20 awt spamd[5164]: spamd: result: . -2 - AWL,BAYES_00 scantime=7.6,size=1827,user=libraifa,uid=32006,required_score=2.5,rhost=localhost,raddr=127.0.0.1,rport=48176,mid=<E1IP2ng-0002eI-Eg@wear.readytogo.net>,bayes=0.000000,autolearn=ham
    Aug 25 22:04:20 awt spamd[28500]: prefork: child states: II
    Aug 25 22:09:29 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 49145
    Aug 25 22:09:29 awt spamd[5164]: spamd: setuid to gbtravel succeeded
    Aug 25 22:09:29 awt spamd[5164]: spamd: checking message <putcgcbfbhamfer@fruitpads.com> for gbtravel:32017
    Aug 25 22:09:39 awt spamd[5164]: spamd: identified spam (12.6/5.0) for gbtravel:32017 in 10.2 seconds, 5003 bytes.
    Aug 25 22:09:39 awt spamd[5164]: spamd: result: Y 12 - BAYES_99,HTML_IMAGE_ONLY_32,HTML_MESSAGE,LOCALPART_IN_SUBJECT,MSGID_SPAM_LETTERS,SPF_PASS,TVD_RATWARE_MSGID_02,URIBL_BLACK,URI_NOVOWEL scantime=10.2,size=5003,user=gbtravel,uid=32017,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=49145,mid=<putcgcbfbhamfer@fruitpads.com>,bayes=1.000000,autolearn=no
    Aug 25 22:09:39 awt spamd[28500]: prefork: child states: II
    Aug 25 22:10:06 awt pop3d: LOGIN, user=andrew@myhomeonthe.net, ip=[::ffff:212.159.101.86]
    Aug 25 22:10:07 awt pop3d: LOGOUT, user=andrew@myhomeonthe.net, ip=[::ffff:212.159.101.86], top=0, retr=0, rcvd=12, sent=39, time=1
    Aug 25 22:11:27 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 49520
    Aug 25 22:11:27 awt spamd[5164]: spamd: setuid to libraifa succeeded
    Aug 25 22:11:27 awt spamd[5164]: spamd: checking message <000601c7e75c$894ed180$0100007f@fpviosw> for libraifa:32006
    Aug 25 22:11:36 awt spamd[5164]: spamd: identified spam (16.3/2.5) for libraifa:32006 in 8.5 seconds, 19328 bytes.
    Aug 25 22:11:36 awt spamd[5164]: spamd: result: Y 16 - BAYES_60,HTML_IMAGE_ONLY_12,HTML_MESSAGE,HTML_SHORT_LINK_IMG_2,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RCVD_IN_SORBS_WEB,RCVD_IN_XBL,RDNS_NONE,SHORT_HELO_AND_INLINE_IMAGE,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SBL,URIBL_SC_SURBL scantime=8.5,size=19328,user=libraifa,uid=32006,required_score=2.5,rhost=localhost,raddr=127.0.0.1,rport=49520,mid=<000601c7e75c$894ed180$0100007f@fpviosw>,bayes=0.726583,autolearn=spam
    Aug 25 22:11:36 awt spamd[28500]: prefork: child states: II
    Aug 25 22:16:17 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 50217
    Aug 25 22:16:17 awt spamd[5164]: spamd: setuid to sr8 succeeded
    Aug 25 22:16:17 awt spamd[5164]: spamd: checking message <984907979.55364767348457@utsc.utoronto.ca> for sr8:32004
    Aug 25 22:16:26 awt spamd[5164]: spamd: identified spam (12.9/5.0) for sr8:32004 in 9.3 seconds, 9431 bytes.
    Aug 25 22:16:26 awt spamd[5164]: spamd: result: Y 12 - DATE_IN_FUTURE_03_06,FH_HELO_EQ_D_D_D_D,FUZZY_CREDIT,HELO_DYNAMIC_IPADDR2,HTML_MESSAGE,HTML_OBFUSCATE_10_20,MIME_HTML_ONLY,RCVD_IN_PBL,RDNS_DYNAMIC,TVD_RCVD_IP scantime=9.3,size=9431,user=sr8,uid=32004,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=50217,mid=<984907979.55364767348457@utsc.utoronto.ca>,autolearn=spam
    Aug 25 22:16:26 awt spamd[28500]: prefork: child states: II
    Aug 25 22:19:29 awt pop3d: LOGIN, user=andrew@myhomeonthe.net, ip=[::ffff:212.159.101.86]
    Aug 25 22:19:29 awt pop3d: LOGOUT, user=andrew@myhomeonthe.net, ip=[::ffff:212.159.101.86], top=0, retr=0, rcvd=12, sent=39, time=0
    Aug 25 22:20:33 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 51016
    Aug 25 22:20:33 awt spamd[5164]: spamd: setuid to thegran succeeded
    Aug 25 22:20:33 awt spamd[5164]: spamd: checking message <21ecc01c7e75d$bbd32420$2f01a8c0@windowsa607f1d> for thegran:32010
    Aug 25 22:20:41 awt spamd[5164]: spamd: identified spam (17.5/5.0) for thegran:32010 in 8.1 seconds, 1174 bytes.
    Aug 25 22:20:41 awt spamd[5164]: spamd: result: Y 17 - BAYES_99,DATE_IN_PAST_06_12,FH_HOST_EQ_VERIZON_P,FORGED_MUA_OUTLOOK,INVALID_MSGID,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_DYNAMIC,STOX_REPLY_TYPE,URIBL_RED,URIBL_RHS_DOB scantime=8.1,size=1174,user=thegran,uid=32010,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51016,mid=<21ecc01c7e75d$bbd32420$2f01a8c0@windowsa607f1d>,bayes=0.999360,autolearn=spam
    Aug 25 22:20:41 awt spamd[28500]: prefork: child states: II
    Aug 25 22:26:21 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 51946
    Aug 25 22:26:21 awt spamd[5164]: spamd: setuid to gbtravel succeeded
    Aug 25 22:26:21 awt spamd[5164]: spamd: checking message <264166.236793146.1188032962@ourfirststep.net> for gbtravel:32017
    Aug 25 22:26:30 awt spamd[5164]: spamd: identified spam (7.1/5.0) for gbtravel:32017 in 9.2 seconds, 6091 bytes.
    Aug 25 22:26:30 awt spamd[5164]: spamd: result: Y 7 - AWL,BAYES_50,HTML_IMAGE_RATIO_04,HTML_MESSAGE,HTML_TAG_BALANCE_HEAD,MPART_ALT_DIFF,SPF_PASS,URIBL_BLACK,URIBL_JP_SURBL scantime=9.2,size=6091,user=gbtravel,uid=32017,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51946,mid=<264166.236793146.1188032962@ourfirststep.net>,bayes=0.592462,autolearn=no
    Aug 25 22:26:30 awt spamd[28500]: prefork: child states: II
    Aug 25 22:34:09 awt pop3d: LOGIN, user=mike@camberleydrivingschool.co.uk, ip=[::ffff:86.13.153.74]
    Aug 25 22:34:10 awt pop3d: LOGOUT, user=mike@camberleydrivingschool.co.uk, ip=[::ffff:86.13.153.74], top=0, retr=2252, rcvd=50, sent=2521, time=1
    Aug 25 22:51:28 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 55911
    Aug 25 22:51:28 awt spamd[5164]: spamd: setuid to libraifa succeeded
    Aug 25 22:51:28 awt spamd[5164]: spamd: checking message <3235985408.20070825170556@qmuqybrxw> for libraifa:32006
    Aug 25 22:51:35 awt spamd[5164]: spamd: identified spam (9.8/2.5) for libraifa:32006 in 7.2 seconds, 836 bytes.
    Aug 25 22:51:35 awt spamd[5164]: spamd: result: Y 9 - BAYES_99,RDNS_NONE,SPF_HELO_NEUTRAL,SPF_NEUTRAL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SBL scantime=7.2,size=836,user=libraifa,uid=32006,required_score=2.5,rhost=localhost,raddr=127.0.0.1,rport=55911,mid=<3235985408.20070825170556@qmuqybrxw>,bayes=1.000000,autolearn=no
    Aug 25 22:51:35 awt spamd[28500]: prefork: child states: II
    Aug 25 22:54:30 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 56343
    Aug 25 22:54:30 awt spamd[5164]: spamd: setuid to sr8 succeeded
    Aug 25 22:54:30 awt spamd[5164]: spamd: checking message <8678967196.190217665470@yahoo.com> for sr8:32004
    Aug 25 22:54:37 awt spamd[5164]: spamd: identified spam (14.0/5.0) for sr8:32004 in 6.9 seconds, 847 bytes.
    Aug 25 22:54:37 awt spamd[5164]: spamd: result: Y 14 - FORGED_YAHOO_RCVD,RCVD_IN_PBL,RCVD_IN_SORBS_WEB,RCVD_IN_XBL,RDNS_NONE,REPTO_QUOTE_YAHOO,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SBL scantime=6.9,size=847,user=sr8,uid=32004,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=56343,mid=<8678967196.190217665470@yahoo.com>,autolearn=spam
    Aug 25 22:54:37 awt spamd[28500]: prefork: child states: II
    Aug 25 22:57:06 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 56732
    Aug 25 22:57:06 awt spamd[5164]: spamd: setuid to thegran succeeded
    Aug 25 22:57:06 awt spamd[5164]: spamd: checking message <1IP4?n-000NOC-YL@pool-72-82-6-40.prvdri.east.verizon.net> for thegran:32010
    Aug 25 22:57:14 awt spamd[5164]: spamd: identified spam (13.8/5.0) for thegran:32010 in 8.3 seconds, 1185 bytes.
    Aug 25 22:57:14 awt spamd[5164]: spamd: result: Y 13 - BAYES_99,FH_HELO_EQ_D_D_D_D,FH_HOST_EQ_VERIZON_P,HELO_DYNAMIC_IPADDR,HTML_MESSAGE,INVALID_MSGID,MIME_HTML_ONLY,NORMAL_HTTP_TO_IP,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RDNS_DYNAMIC,SPF_FAIL,URIBL_BLACK,WHOIS_NETSOLPR scantime=8.3,size=1185,user=thegran,uid=32010,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=56732,mid=<1IP4?n-000NOC-YL@pool-72-82-6-40.prvdri.east.verizon.net>,bayes=0.998838,autolearn=spam
    Aug 25 22:57:14 awt spamd[28500]: prefork: child states: II
    Aug 25 22:57:25 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 56778
    Aug 25 22:57:25 awt spamd[5164]: spamd: setuid to gbtravel succeeded
    Aug 25 22:57:25 awt spamd[5164]: spamd: checking message <1IP4?i-000PHR-K5@64-136-209-19.dyn.everestkc.net> for gbtravel:32017
    Aug 25 22:57:32 awt spamd[5164]: spamd: identified spam (24.6/5.0) for gbtravel:32017 in 7.1 seconds, 1128 bytes.
    Aug 25 22:57:32 awt spamd[5164]: spamd: result: Y 24 - BAYES_99,FH_HELO_EQ_D_D_D_D,HELO_DYNAMIC_IPADDR2,HTML_MESSAGE,INVALID_MSGID,MIME_HTML_ONLY,NORMAL_HTTP_TO_IP,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_DYNAMIC,SPF_SOFTFAIL,TVD_RCVD_IP,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SC_SURBL,WHOIS_NETSOLPR scantime=7.1,size=1128,user=gbtravel,uid=32017,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=56778,mid=<1IP4?i-000PHR-K5@64-136-209-19.dyn.everestkc.net>,bayes=1.000000,autolearn=spam
    Aug 25 22:57:32 awt spamd[28500]: prefork: child states: II
    Aug 25 23:02:27 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 57548
    Aug 25 23:02:27 awt spamd[5164]: spamd: setuid to gbtravel succeeded
    Aug 25 23:02:27 awt spamd[5164]: spamd: checking message <200708252202.l7PM2QvX028682@eul0000836.eu.verio.net> for gbtravel:32017
    Aug 25 23:02:35 awt spamd[5164]: spamd: clean message (-1.1/5.0) for gbtravel:32017 in 8.3 seconds, 1618 bytes.
    Aug 25 23:02:35 awt spamd[5164]: spamd: result: . -1 - BAYES_00,FORGED_HOTMAIL_RCVD2 scantime=8.3,size=1618,user=gbtravel,uid=32017,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=57548,mid=<200708252202.l7PM2QvX028682@eul0000836.eu.verio.net>,bayes=0.000000,autolearn=no
    Aug 25 23:02:35 awt spamd[28500]: prefork: child states: II
    Aug 25 23:02:50 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 57653
    Aug 25 23:02:50 awt spamd[5164]: spamd: setuid to sr8 succeeded
    Aug 25 23:02:50 awt spamd[5164]: spamd: checking message <5937741215.0503466228@pacbell.net> for sr8:32004
    Aug 25 23:02:58 awt spamd[5164]: spamd: identified spam (15.4/5.0) for sr8:32004 in 7.7 seconds, 934 bytes.
    Aug 25 23:02:58 awt spamd[5164]: spamd: result: Y 15 - FB_NUMYO,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SBL scantime=7.7,size=934,user=sr8,uid=32004,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=57653,mid=<5937741215.0503466228@pacbell.net>,autolearn=spam
    Aug 25 23:02:58 awt spamd[28500]: prefork: child states: II
    Aug 25 23:05:50 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 58357
    Aug 25 23:05:50 awt spamd[5164]: spamd: setuid to sr8 succeeded
    Aug 25 23:05:50 awt spamd[5164]: spamd: checking message <01c7e764$155d4b50$21cd6ad2@??[????????|p??|??????[???> for sr8:32004
    Aug 25 23:05:56 awt spamd[5164]: spamd: identified spam (19.5/5.0) for sr8:32004 in 5.4 seconds, 848 bytes.
    Aug 25 23:05:56 awt spamd[5164]: spamd: result: Y 19 - DATE_IN_PAST_06_12,FH_FROMEML_NOTLD,FROM_NO_USER,HEAD_ILLEGAL_CHARS,INVALID_DATE,INVALID_MSGID,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,SPAMMY_XMAILER,UNPARSEABLE_RELAY,XMAILER_MIMEOLE_OL_7533E scantime=5.4,size=848,user=sr8,uid=32004,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=58357,mid=<01c7e764$155d4b50$21cd6ad2@??[????????|p??|??????[???>,autolearn=spam
    Aug 25 23:05:56 awt spamd[28500]: prefork: child states: II
    Aug 25 23:06:00 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 58392
    Aug 25 23:06:00 awt spamd[5164]: spamd: setuid to sr8 succeeded
    Aug 25 23:06:00 awt spamd[5164]: spamd: checking message <000301c7e764$1f07f6f0$8fd531be@pc6> for sr8:32004
    Aug 25 23:06:09 awt spamd[5164]: spamd: identified spam (19.1/5.0) for sr8:32004 in 8.3 seconds, 1881 bytes.
    Aug 25 23:06:09 awt spamd[5164]: spamd: result: Y 19 - FH_HELO_EQ_D_D_D_D,HELO_DYNAMIC_IPADDR2,HTML_MESSAGE,RCVD_IN_PBL,RDNS_NONE,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL scantime=8.3,size=1881,user=sr8,uid=32004,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=58392,mid=<000301c7e764$1f07f6f0$8fd531be@pc6>,autolearn=spam
    Aug 25 23:06:09 awt spamd[28500]: prefork: child states: II
    Aug 25 23:12:01 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 59786
    Aug 25 23:12:01 awt spamd[5164]: spamd: setuid to libraifa succeeded
    Aug 25 23:12:01 awt spamd[5164]: spamd: checking message <273791369226.250988857441@yahoo.co.uk> for libraifa:32006
    Aug 25 23:12:12 awt spamd[5164]: spamd: identified spam (17.5/2.5) for libraifa:32006 in 11.1 seconds, 849 bytes.
    Aug 25 23:12:12 awt spamd[5164]: spamd: result: Y 17 - AXB_XMID_1212,BAYES_99,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL scantime=11.1,size=849,user=libraifa,uid=32006,required_score=2.5,rhost=localhost,raddr=127.0.0.1,rport=59786,mid=<273791369226.250988857441@yahoo.co.uk>,bayes=0.999858,autolearn=spam
    Aug 25 23:12:13 awt spamd[28500]: prefork: child states: II
    Aug 25 23:15:16 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 60539
    Aug 25 23:15:16 awt spamd[5164]: spamd: setuid to gbtravel succeeded
    Aug 25 23:15:16 awt spamd[5164]: spamd: checking message <putcgcbfbhamfer@lockslimit.com> for gbtravel:32017
    Aug 25 23:15:25 awt spamd[5164]: spamd: identified spam (15.4/5.0) for gbtravel:32017 in 9.1 seconds, 3056 bytes.
    Aug 25 23:15:25 awt spamd[5164]: spamd: result: Y 15 - BAYES_99,HTML_IMAGE_ONLY_20,HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,HTML_TAG_BALANCE_BODY,MIME_HTML_MOSTLY,MPART_ALT_DIFF,MSGID_SPAM_LETTERS,SPF_PASS,TVD_RATWARE_MSGID_02,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URI_NOVOWEL scantime=9.1,size=3056,user=gbtravel,uid=32017,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=60539,mid=<putcgcbfbhamfer@lockslimit.com>,bayes=1.000000,autolearn=spam
    Aug 25 23:15:25 awt spamd[28500]: prefork: child states: II
    Aug 25 23:15:49 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 60701
    Aug 25 23:15:49 awt spamd[5164]: spamd: setuid to libraifa succeeded
    Aug 25 23:15:49 awt spamd[5164]: spamd: checking message <000801c19272$fc936650$6602a8c0@footjob> for libraifa:32006
    Aug 25 23:15:57 awt spamd[5164]: spamd: identified spam (21.6/2.5) for libraifa:32006 in 8.1 seconds, 2419 bytes.
    Aug 25 23:15:57 awt spamd[5164]: spamd: result: Y 21 - BAYES_99,DATE_IN_PAST_12_24,FORGED_OUTLOOK_TAGS,HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,MSGID_OUTLOOK_INVALID,RCVD_IN_DSBL,RCVD_IN_NJABL_PROXY,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RDNS_DYNAMIC,SPF_HELO_NEUTRAL,TVD_RCVD_IP,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_WS_SURBL scantime=8.1,size=2419,user=libraifa,uid=32006,required_score=2.5,rhost=localhost,raddr=127.0.0.1,rport=60701,mid=<000801c19272$fc936650$6602a8c0@footjob>,bayes=1.000000,autolearn=spam
    Aug 25 23:15:57 awt spamd[28500]: prefork: child states: II
    Aug 25 23:21:40 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 33744
    Aug 25 23:21:40 awt spamd[5164]: spamd: setuid to libraifa succeeded
    Aug 25 23:21:40 awt spamd[5164]: spamd: checking message <6cb7101c7e766$4ac2cf70$28e38018@cathy> for libraifa:32006
    Aug 25 23:21:48 awt spamd[5164]: spamd: identified spam (24.8/2.5) for libraifa:32006 in 8.4 seconds, 1166 bytes.
    Aug 25 23:21:48 awt spamd[5164]: spamd: result: Y 24 - BAYES_99,DATE_IN_PAST_06_12,FH_HELO_ENDS_DOT,FORGED_MUA_OUTLOOK,INVALID_MSGID,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_DYNAMIC,STOX_REPLY_TYPE,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_RHS_DOB scantime=8.4,size=1166,user=libraifa,uid=32006,required_score=2.5,rhost=localhost,raddr=127.0.0.1,rport=33744,mid=<6cb7101c7e766$4ac2cf70$28e38018@cathy>,bayes=0.995365,autolearn=spam
    Aug 25 23:21:48 awt spamd[28500]: prefork: child states: II
    Aug 25 23:27:32 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 35001
    Aug 25 23:27:32 awt spamd[5164]: spamd: setuid to libraifa succeeded
    Aug 25 23:27:32 awt spamd[5164]: spamd: checking message <01c30d14$a09c9830$e245d7d8@billywhizzo> for libraifa:32006
    Aug 25 23:27:41 awt spamd[5164]: spamd: identified spam (23.2/2.5) for libraifa:32006 in 9.8 seconds, 1035 bytes.
    Aug 25 23:27:41 awt spamd[5164]: spamd: result: Y 23 - BAYES_99,BODY_ENHANCEMENT2,DATE_IN_PAST_96_XX,HELO_DYNAMIC_IPADDR2,HELO_DYNAMIC_SPLIT_IP,RCVD_IN_XBL,RCVD_NUMERIC_HELO,RDNS_NONE,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SBL scantime=9.8,size=1035,user=libraifa,uid=32006,required_score=2.5,rhost=localhost,raddr=127.0.0.1,rport=35001,mid=<01c30d14$a09c9830$e245d7d8@billywhizzo>,bayes=0.999769,autolearn=spam
    Aug 25 23:27:41 awt spamd[28500]: prefork: child states: II
    Aug 25 23:28:34 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 35193
    Aug 25 23:28:34 awt spamd[5164]: spamd: setuid to libraifa succeeded
    Aug 25 23:28:34 awt spamd[5164]: spamd: checking message <8325616822.20070825174223@wabhwp> for libraifa:32006
    Aug 25 23:28:41 awt spamd[5164]: spamd: identified spam (17.0/2.5) for libraifa:32006 in 7.3 seconds, 949 bytes.
    Aug 25 23:28:41 awt spamd[5164]: spamd: result: Y 16 - BAYES_99,CUM_SHOT,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SORBS_WEB,RCVD_IN_XBL,RDNS_NONE,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SBL scantime=7.3,size=949,user=libraifa,uid=32006,required_score=2.5,rhost=localhost,raddr=127.0.0.1,rport=35193,mid=<8325616822.20070825174223@wabhwp>,bayes=1.000000,autolearn=spam
    Aug 25 23:28:41 awt spamd[28500]: prefork: child states: II
    Aug 25 23:34:39 awt pop3d: LOGIN, user=mike@camberleydrivingschool.co.uk, ip=[::ffff:86.13.153.74]
    Aug 25 23:34:41 awt pop3d: LOGOUT, user=mike@camberleydrivingschool.co.uk, ip=[::ffff:86.13.153.74], top=0, retr=11761, rcvd=50, sent=12272, time=2
    Aug 25 23:37:19 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 36857
    Aug 25 23:37:19 awt spamd[5164]: spamd: setuid to libraifa succeeded
    Aug 25 23:37:19 awt spamd[5164]: spamd: checking message <25080700007$118599134653498$10$0@mail221.galacell.com> for libraifa:32006
    Aug 25 23:37:27 awt spamd[5164]: spamd: identified spam (8.8/2.5) for libraifa:32006 in 8.4 seconds, 5761 bytes.
    Aug 25 23:37:27 awt spamd[5164]: spamd: result: Y 8 - AWL,BAYES_50,HTML_FONT_LOW_CONTRAST,HTML_IMAGE_ONLY_28,HTML_MESSAGE,RATWARE_EFROM,RDNS_NONE,SPF_FAIL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL scantime=8.4,size=5761,user=libraifa,uid=32006,required_score=2.5,rhost=localhost,raddr=127.0.0.1,rport=36857,mid=<25080700007$118599134653498$10$0@mail221.galacell.com>,bayes=0.543546,autolearn=spam
    Aug 25 23:37:27 awt spamd[28500]: prefork: child states: II
    Aug 25 23:41:14 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 37651
    Aug 25 23:41:14 awt spamd[5164]: spamd: setuid to libraifa succeeded
    Aug 25 23:41:14 awt spamd[5164]: spamd: checking message <2618401c7e769$06c562d0$6601a8c0@ACS06Latitude> for libraifa:32006
    Aug 25 23:41:20 awt spamd[5164]: spamd: identified spam (17.5/2.5) for libraifa:32006 in 6.3 seconds, 1123 bytes.
    Aug 25 23:41:20 awt spamd[5164]: spamd: result: Y 17 - BAYES_99,DATE_IN_PAST_06_12,FORGED_MUA_OUTLOOK,INVALID_MSGID,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RDNS_DYNAMIC,STOX_REPLY_TYPE,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_RHS_DOB scantime=6.3,size=1123,user=libraifa,uid=32006,required_score=2.5,rhost=localhost,raddr=127.0.0.1,rport=37651,mid=<2618401c7e769$06c562d0$6601a8c0@ACS06Latitude>,bayes=0.999956,autolearn=spam
    Aug 25 23:41:20 awt spamd[28500]: prefork: child states: II
    Aug 25 23:42:40 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 37900
    Aug 25 23:42:40 awt spamd[5164]: spamd: setuid to libraifa succeeded
    Aug 25 23:42:40 awt spamd[5164]: spamd: checking message <0183930222.491384067379@humaniq.com> for libraifa:32006
    Aug 25 23:42:47 awt spamd[5164]: spamd: identified spam (16.9/2.5) for libraifa:32006 in 7.5 seconds, 922 bytes.
    Aug 25 23:42:47 awt spamd[5164]: spamd: result: Y 16 - BAYES_99,FROM_LOCAL_DIGITS,FROM_LOCAL_HEX,FROM_STARTS_WITH_NUMS,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL scantime=7.5,size=922,user=libraifa,uid=32006,required_score=2.5,rhost=localhost,raddr=127.0.0.1,rport=37900,mid=<0183930222.491384067379@humaniq.com>,bayes=1.000000,autolearn=spam
    Aug 25 23:42:47 awt spamd[28500]: prefork: child states: II
    Aug 25 23:58:12 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 41258
    Aug 25 23:58:12 awt spamd[5164]: spamd: setuid to gbtravel succeeded
    Aug 25 23:58:14 awt spamd[5164]: spamd: checking message <200708252258.l7PMwCCD032007@eul0000836.eu.verio.net> for gbtravel:32017
    Aug 25 23:58:23 awt spamd[5164]: spamd: clean message (-0.7/5.0) for gbtravel:32017 in 10.4 seconds, 5938 bytes.
    Aug 25 23:58:23 awt spamd[5164]: spamd: result: . 0 - BAYES_20 scantime=10.4,size=5938,user=gbtravel,uid=32017,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=41258,mid=<200708252258.l7PMwCCD032007@eul0000836.eu.verio.net>,bayes=0.076918,autolearn=ham
    Aug 25 23:58:23 awt spamd[28500]: prefork: child states: II
    [root@awt log]# grep "Aug 25 04:" /var/log/maillog.1
    Aug 25 04:01:00 awt spamd[15526]: spamd: connection from localhost [127.0.0.1] at port 45752
    Aug 25 04:01:00 awt spamd[15526]: spamd: setuid to libraifa succeeded
    Aug 25 04:01:00 awt spamd[15526]: spamd: checking message <001c01c7e6a2$a47722b0$15a12f6c@Alex> for libraifa:32006
    Aug 25 04:01:11 awt spamd[15526]: spamd: identified spam (18.1/2.5) for libraifa:32006 in 10.9 seconds, 1534 bytes.
    Aug 25 04:01:11 awt spamd[15526]: spamd: result: Y 18 - BAYES_60,FH_HELO_EQ_D_D_D_D,HELO_DYNAMIC_DHCP,HELO_DYNAMIC_IPADDR,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_DYNAMIC,STOX_REPLY_TYPE,SUBJECT_NEEDS_ENCODING,SUBJ_ILLEGAL_CHARS,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL scantime=10.9,size=1534,user=libraifa,uid=32006,required_score=2.5,rhost=localhost,raddr=127.0.0.1,rport=45752,mid=<001c01c7e6a2$a47722b0$15a12f6c@Alex>,bayes=0.617526,autolearn=spam
    Aug 25 04:01:11 awt spamd[28500]: prefork: child states: II
    Aug 25 04:04:59 awt spamd[15526]: spamd: connection from localhost [127.0.0.1] at port 46479
    Aug 25 04:04:59 awt spamd[15526]: spamd: setuid to libraifa succeeded
    Aug 25 04:04:59 awt spamd[15526]: spamd: checking message <05168r50016.300e50752080@mefound.com> for libraifa:32006
    Aug 25 04:05:03 awt spamd[19837]: spamd: connection from localhost [127.0.0.1] at port 46510
    Aug 25 04:05:03 awt spamd[19837]: spamd: setuid to libraifa succeeded
    Aug 25 04:05:03 awt spamd[19837]: spamd: checking message <734718958.34871935047797@partyallnight.net> for libraifa:32006
    Aug 25 04:05:08 awt spamd[15526]: spamd: identified spam (14.4/2.5) for libraifa:32006 in 9.4 seconds, 2807 bytes.
    Aug 25 04:05:08 awt spamd[15526]: spamd: result: Y 14 - BAYES_60,DYN_RDNS_SHORT_HELO_HTML,HTML_FONT_SIZE_LARGE,HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_DYNAMIC,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=9.4,size=2807,user=libraifa,uid=32006,required_score=2.5,rhost=localhost,raddr=127.0.0.1,rport=46479,mid=<05168r50016.300e50752080@mefound.com>,bayes=0.743051,autolearn=spam
    Aug 25 04:05:08 awt spamd[28500]: prefork: child states: IB
    Aug 25 04:05:15 awt spamd[19837]: spamd: identified spam (22.7/2.5) for libraifa:32006 in 11.7 seconds, 2931 bytes.
    Aug 25 04:05:15 awt spamd[19837]: spamd: result: Y 22 - BAYES_99,HS_INDEX_PARAM,HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,RCVD_IN_NJABL_PROXY,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_WS_SURBL scantime=11.7,size=2931,user=libraifa,uid=32006,required_score=2.5,rhost=localhost,raddr=127.0.0.1,rport=46510,mid=<734718958.34871935047797@partyallnight.net>,bayes=0.999853,autolearn=spam
    Aug 25 04:05:15 awt spamd[28500]: prefork: child states: II
    Aug 25 04:54:42 awt spamd[15526]: spamd: connection from localhost [127.0.0.1] at port 56495
    Aug 25 04:54:42 awt spamd[15526]: spamd: setuid to libraifa succeeded
    Aug 25 04:54:42 awt spamd[15526]: spamd: checking message <370270355.13719951314104@flohwiese.de> for libraifa:32006
    Aug 25 04:54:52 awt spamd[15526]: spamd: identified spam (13.5/2.5) for libraifa:32006 in 9.6 seconds, 4332 bytes.
    Aug 25 04:54:52 awt spamd[15526]: spamd: result: Y 13 - BAYES_95,DATE_IN_PAST_06_12,HS_INDEX_PARAM,HTML_MESSAGE,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL scantime=9.6,size=4332,user=libraifa,uid=32006,required_score=2.5,rhost=localhost,raddr=127.0.0.1,rport=56495,mid=<370270355.13719951314104@flohwiese.de>,bayes=0.959286,autolearn=spam
    Aug 25 04:54:52 awt spamd[28500]: prefork: child states: II
    Aug 25 04:56:48 awt spamd[15526]: spamd: connection from localhost [127.0.0.1] at port 56783
    Aug 25 04:56:48 awt spamd[15526]: spamd: setuid to libraifa succeeded
    Aug 25 04:56:48 awt spamd[15526]: spamd: checking message <7057058211.1042549828@hotmail.com> for libraifa:32006
    Aug 25 04:56:58 awt spamd[15526]: spamd: identified spam (13.0/2.5) for libraifa:32006 in 10.0 seconds, 876 bytes.
    Aug 25 04:56:58 awt spamd[15526]: spamd: result: Y 13 - BAYES_99,FM_FAKE_HELO_HOTMAIL,RCVD_IN_XBL,RDNS_NONE,SPF_HELO_SOFTFAIL,SPF_SOFTFAIL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SBL scantime=10.0,size=876,user=libraifa,uid=32006,required_score=2.5,rhost=localhost,raddr=127.0.0.1,rport=56783,mid=<7057058211.1042549828@hotmail.com>,bayes=1.000000,autolearn=spam
    Aug 25 04:56:58 awt spamd[28500]: prefork: child states: II
    [root@awt log]# vi maillog.1
    [root@awt log]# vi exim_mainlog.1.gz
    2007-08-25 04:11:16 H=fcfnotes03.fcf.com.tw [210.244.115.9]:4789 I=[91.186.15.4]:25 F=<billy@fcf.com.tw> rejected RCPT <al-mou@hotmail.com>: fcfnotes03.fcf.com.tw [210.244.115.9]:4789 is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
    2007-08-25 04:11:16 H=fcfnotes03.fcf.com.tw [210.244.115.9]:4789 I=[91.186.15.4]:25 incomplete transaction (connection lost) from <billy@fcf.com.tw>
    2007-08-25 04:11:16 unexpected disconnection while reading SMTP command from fcfnotes03.fcf.com.tw [210.244.115.9]:4789 I=[91.186.15.4]:25
    2007-08-25 04:11:36 SMTP connection from [125.225.21.17]:2667 I=[91.186.15.4]:25 (TCP/IP connection count = 1)
    2007-08-25 04:11:36 SMTP connection from [125.225.21.17]:2669 I=[91.186.15.4]:25 (TCP/IP connection count = 2)
    2007-08-25 04:11:36 SMTP connection from [125.225.21.17]:2731 I=[91.186.15.144]:25 (TCP/IP connection count = 3)
    2007-08-25 04:11:38 H=125-225-21-17.dynamic.hinet.net (91.186.15.4) [125.225.21.17]:2667 I=[91.186.15.4]:25 F=<y1m0d5g4@yahoo.com> rejected RCPT <sr2_serch@yahoo.com.tw>: 125-225-21-17.dynamic.hinet.net (91.186.15.4) [125.225.21.17]:2667 is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
    2007-08-25 04:11:38 H=125-225-21-17.dynamic.hinet.net (91.186.15.4) [125.225.21.17]:2669 I=[91.186.15.4]:25 F=<y1m0d5g4@yahoo.com> rejected RCPT <sr2_serch@yahoo.com.tw>: 125-225-21-17.dynamic.hinet.net (91.186.15.4) [125.225.21.17]:2669 is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
    2007-08-25 04:11:38 H=125-225-21-17.dynamic.hinet.net (91.186.15.144) [125.225.21.17]:2731 I=[91.186.15.144]:25 F=<y1m0d5g4@yahoo.com> rejected RCPT <sr2_serch@yahoo.com.tw>: 125-225-21-17.dynamic.hinet.net (91.186.15.144) [125.225.21.17]:2731 is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
    2007-08-25 04:11:38 H=125-225-21-17.dynamic.hinet.net (91.186.15.4) [125.225.21.17]:2667 I=[91.186.15.4]:25 incomplete transaction (connection lost) from <y1m0d5g4@yahoo.com>
    2007-08-25 04:11:38 unexpected disconnection while reading SMTP command from 125-225-21-17.dynamic.hinet.net (91.186.15.4) [125.225.21.17]:2667 I=[91.186.15.4]:25
    2007-08-25 04:11:38 H=125-225-21-17.dynamic.hinet.net (91.186.15.4) [125.225.21.17]:2669 I=[91.186.15.4]:25 incomplete transaction (connection lost) from <y1m0d5g4@yahoo.com>
    2007-08-25 04:11:38 unexpected disconnection while reading SMTP command from 125-225-21-17.dynamic.hinet.net (91.186.15.4) [125.225.21.17]:2669 I=[91.186.15.4]:25
    2007-08-25 04:11:38 H=125-225-21-17.dynamic.hinet.net (91.186.15.144) [125.225.21.17]:2731 I=[91.186.15.144]:25 incomplete transaction (connection lost) from <y1m0d5g4@yahoo.com>
    2007-08-25 04:11:38 unexpected disconnection while reading SMTP command from 125-225-21-17.dynamic.hinet.net (91.186.15.144) [125.225.21.17]:2731 I=[91.186.15.144]:25
    2007-08-25 04:12:20 SMTP connection from [125.24.63.230]:55705 I=[91.186.15.4]:25 (TCP/IP connection count = 1)
    2007-08-25 04:12:22 ident connection to 125.24.63.230 timed out
    2007-08-25 04:12:23 H=125-24-63-230.adsl.totbb.net (myhum) [125.24.63.230]:55705 I=[91.186.15.4]:25 F=<hxo0vdv@ps.ge.com> rejected RCPT <kay@internetholidays.com>: No Such User Here
    2007-08-25 04:12:24 H=125-24-63-230.adsl.totbb.net (myhum) [125.24.63.230]:55705 I=[91.186.15.4]:25 incomplete transaction (connection lost) from <hxo0vdv@ps.ge.com>
    2007-08-25 04:12:24 unexpected disconnection while reading SMTP command from 125-24-63-230.adsl.totbb.net (myhum) [125.24.63.230]:55705 I=[91.186.15.4]:25
    2007-08-25 04:12:46 SMTP connection from [204.16.0.97]:54769 I=[91.186.15.4]:25 (TCP/IP connection count = 1)
    2007-08-25 04:12:46 SMTP connection from [204.16.0.97]:54769 I=[91.186.15.4]:25 lost
    2007-08-25 04:12:49 SMTP connection from [59.125.147.146]:4711 I=[91.186.15.4]:25 (TCP/IP connection count = 1)
    2007-08-25 04:12:51 ident connection to 59.125.147.146 timed out
    2007-08-25 04:12:52 SMTP connection from [201.51.203.234]:3345 I=[91.186.15.4]:25 (TCP/IP connection count = 2)
    2007-08-25 04:12:53 H=59-125-147-146.hinet-ip.hinet.net (khmail.teamrise.com.tw) [59.125.147.146]:4711 I=[91.186.15.4]:25 F=<mark@teamrise.com.tw> rejected RCPT <paesyth.qdzse@msa.hinet.net>: 59-125-147-146.hinet-ip.hinet.net (khmail.teamrise.com.tw) [59.125.147.146]:4711 is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
    2007-08-25 04:12:53 H=59-125-147-146.hinet-ip.hinet.net (khmail.teamrise.com.tw) [59.125.147.146]:4711 I=[91.186.15.4]:25 incomplete transaction (connection lost) from <mark@teamrise.com.tw>
    2007-08-25 04:12:53 unexpected disconnection while reading SMTP command from 59-125-147-146.hinet-ip.hinet.net (khmail.teamrise.com.tw) [59.125.147.146]:4711 I=[91.186.15.4]:25
    2007-08-25 04:12:54 ident connection to 201.51.203.234 timed out
    2007-08-25 04:12:58 H=20151203234.user.veloxzone.com.br [201.51.203.234]:3345 I=[91.186.15.4]:25 F=<corporateclients.ref5740558.gps@mibank.com> rejected RCPT <travelben@internetholidays.com>: No Such User Here
    2007-08-25 04:12:58 H=20151203234.user.veloxzone.com.br [201.51.203.234]:3345 I=[91.186.15.4]:25 incomplete transaction (QUIT) from <corporateclients.ref5740558.gps@mibank.com>
    2007-08-25 04:12:58 SMTP connection from 20151203234.user.veloxzone.com.br [201.51.203.234]:3345 I=[91.186.15.4]:25 closed by QUIT
    2007-08-25 04:19:06 SMTP connection from [125.235.53.62]:4047 I=[91.186.15.4]:25 (TCP/IP connection count = 1)
    2007-08-25 04:19:10 no IP address found for host 125.235.53.62.adsl.viettel.vn (during SMTP connection from (jqxxuqmg) [125.235.53.62]:4047 I=[91.186.15.4]:25)
    2007-08-25 04:19:10 list matching forced to fail: failed to find host name for 125.235.53.62
    "exim_mainlog.1.gz" [noeol] 5936L, 1643213C                                                                                                75139,1       85%

  2. #2
    Could you show us the headers of some of the messages that are getting you blacklisted?

  3. #3
    I've just checked the mail log and found this as well, can anyone tell anything from it?

    I've included a mail header below as well...

    Code:
    2007-08-28 14:19:55 1IQ0z5-0002dl-2f <= zmhsqmegefceyj@ms56.hinet.net H=(awt.?????.com) [127.0.0.1] P=smtp S=3266 id=HQUCIROWUQCFMYBQXKSZKTZ@msa.hinet.net T="\241i\266W\261j\261\300\274s\241j\267~.\260\310.\246\346.\276P.\303n.\245\372.\244\350.\252k"
    2007-08-28 14:19:55 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1IQ0z5-0002dl-2f
    2007-08-28 14:19:56 1IQ0z5-0002dl-2f ** a196591a@tomail.com.tw R=fail_remote_domains: The mail server could not deliver mail to a196591a@tomail.com.tw.  The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
    2007-08-28 14:19:56 1IQ0z5-0002dl-2f ** b549599@tomail.com.tw R=fail_remote_domains: The mail server could not deliver mail to b549599@tomail.com.tw.  The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
    2007-08-28 14:19:56 1IQ0z5-0002dl-2f ** advchem@tomail.com.tw R=fail_remote_domains: The mail server could not deliver mail to advchem@tomail.com.tw.  The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
    2007-08-28 14:19:56 1IQ0z5-0002dl-2f ** bufflin@tomail.com.tw R=fail_remote_domains: The mail server could not deliver mail to bufflin@tomail.com.tw.  The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
    2007-08-28 14:19:56 1IQ0z5-0002dl-2f ** a123321@tomail.com.tw R=fail_remote_domains: The mail server could not deliver mail to a123321@tomail.com.tw.  The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
    2007-08-28 14:19:56 1IQ0z5-0002dl-2f ** a1265591@tomail.com.tw R=fail_remote_domains: The mail server could not deliver mail to a1265591@tomail.com.tw.  The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
    2007-08-28 14:19:56 1IQ0z5-0002dl-2f ** a7120122@tomail.com.tw R=fail_remote_domains: The mail server could not deliver mail to a7120122@tomail.com.tw.  The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
    2007-08-28 14:19:56 1IQ0z5-0002dl-2f ** amean@tomail.com.tw R=fail_remote_domains: The mail server could not deliver mail to amean@tomail.com.tw.  The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
    2007-08-28 14:19:56 1IQ0z5-0002dl-2f ** a8234224@tomail.com.tw R=fail_remote_domains: The mail server could not deliver mail to a8234224@tomail.com.tw.  The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
    2007-08-28 14:19:56 1IQ0z5-0002dl-2f ** a620516@tomail.com.tw R=fail_remote_domains: The mail server could not deliver mail to a620516@tomail.com.tw.  The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
    2007-08-28 14:19:56 1IQ0z5-0002dl-2f ** angus@tomail.com.tw R=fail_remote_domains: The mail server could not deliver mail to angus@tomail.com.tw.  The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
    2007-08-28 14:19:56 1IQ0z5-0002dl-2f ** bq5286@tomail.com.tw R=fail_remote_domains: The mail server could not deliver mail to bq5286@tomail.com.tw.  The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
    2007-08-28 14:19:56 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1IQ0z5-0002dl-2f
    2007-08-28 14:19:56 1IQ0z5-0002dl-2f Completed
    And here's a mail header for a previously blacklisted mail:

    Code:
    From paul.hsin@msa.hinet.net Sat Aug 25 04:13:34 2007 
    Delivery-date: Sat, 25 Aug 2007 04:13:34 -0400 
    Received: from [2002:4a5c:3b41:1:216:3eff:fe57:7f4] (helo=shelob.surriel.com) 
    by rohan.surriel.com with esmtps (TLSv1:AES256-SHA:256) 
    (Exim 4.63) 
    (envelope-from ) 
    id 1IOqlx-0003Sj-T7 
    for victim@smtp.example; Sat, 25 Aug 2007 04:13:33 -0400 
    Received: from [??.???.??.?] (helo=awt.?????.com) 
    by shelob.surriel.com with smtp (Exim 4.63) 
    (envelope-from ) 
    id 1IOqlt-0003Sg-NC 
    for victim@smtp.example; Sat, 25 Aug 2007 04:13:31 -0400 
    Received: from 61.57.210.69 by ??.???.??.?; Wed, 29 Aug 2007 04:10:58 -0400 
    From: "ÂÇ¥ÑDVDªº±Ð¾Ç¥[²`«Ä¤lªº¦L¶H¡A¨ÃÅý®aªø¥i¥H³*«Ä¤l¤@°_°µ°Û¹C°Ê§@¡A¼W¶i¿Ë¤l¤¬°Ê¡C " 
    To: victim@smtp.example 
    Subject: ³Ìªñµo²{¦o³ßÅw°Û°Û¸õ¸õ,§Æ±æ³o¥©ªêªºDVD¯à§l¤Þ¦o¦h¤@ÂIªºª`·N¤O, 
    Date: Wed, 29 Aug 2007 05:06:58 -0300 
    MIME-Version: 1.0
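
An added example, not part of the original thread: the `<=` arrival line in the last log shows the message entering exim over SMTP from `[127.0.0.1]` (`P=smtp`), and the only `cwd=` lines for it are exim's own `/var/spool/exim`, so grepping for `cwd=` does not name a script directory for that message. The Python sketch below groups mainlog lines by message id and labels how each message was submitted; the sample log lines, ids, hosts and addresses are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the exim mainlog format shown in the thread;
# message ids, hosts and addresses are made up for this example.
SAMPLE_LOG = """\
2007-08-28 14:19:55 1AAAAA-000001-AA <= sender@example.net H=(host.example.com) [127.0.0.1] P=smtp S=3266 id=x@example.net
2007-08-28 14:19:55 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1AAAAA-000001-AA
2007-08-28 14:19:56 1AAAAA-000001-AA ** a@example.org R=fail_remote_domains: could not deliver
2007-08-28 14:19:56 1AAAAA-000001-AA ** b@example.org R=fail_remote_domains: could not deliver
2007-08-28 14:19:56 1AAAAA-000001-AA => c@example.org R=lookuphost T=remote_smtp H=mx.example.org [192.0.2.10]
2007-08-28 14:20:01 cwd=/home/site1/public_html 3 args: /usr/sbin/sendmail -t -i
2007-08-28 14:20:01 1BBBBB-000002-BB <= site1@host.example.com U=site1 P=local S=812
2007-08-28 14:20:02 1BBBBB-000002-BB => owner@example.com R=lookuphost T=remote_smtp H=mx.example.com [192.0.2.20]
2007-08-28 14:21:10 1CCCCC-000003-CC <= user@example.com H=client.example.com [198.51.100.7] P=esmtpa A=fixed_login:user S=1500
"""
MSGID = r"(?P<id>\w{6}-\w{6}-\w{2})"
ARRIVAL = re.compile(r"^\S+ \S+ " + MSGID + r" <= (?P<sender>\S+) ?(?P<rest>.*)$")
RCPT = re.compile(r"^\S+ \S+ " + MSGID + r" (?P<flag>=>|->|\*\*) \S+")

def classify(rest):
    """Label how a message entered exim, from the fields after the sender."""
    proto = re.search(r"\bP=(\S+)", rest)
    if proto and proto.group(1) == "local":      # handed to the exim/sendmail binary
        user = re.search(r"\bU=(\S+)", rest)
        return "local:" + (user.group(1) if user else "?")
    peer = re.sub(r"\bI=\[[^\]]*\](:\d+)?", "", rest)  # ignore the receiving interface
    if re.search(r"\[(127\.0\.0\.1|::1)\]", peer):     # SMTP session opened on this host
        return "loopback-smtp"
    return "remote-auth" if re.search(r"\bA=\S+", rest) else "remote"

def summarise(log_text):
    """Map message id -> sender, submission path, delivered and failed counts."""
    msgs = {}
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            msgs[m["id"]] = {"sender": m["sender"], "path": classify(m["rest"]),
                             "ok": 0, "failed": 0}
        else:
            m = RCPT.match(line)
            if m and m["id"] in msgs:
                msgs[m["id"]]["failed" if m["flag"] == "**" else "ok"] += 1
    return msgs

def suspicious(msgs, min_rcpts=2):
    """Ids of loopback-SMTP messages addressed to at least min_rcpts recipients."""
    return sorted(i for i, v in msgs.items() if v["path"] == "loopback-smtp"
                  and v["ok"] + v["failed"] >= min_rcpts)
```

A `local:<user>` result ties the message to an account and pairs with a `cwd=` line, while `loopback-smtp` means a process on the host spoke SMTP to exim directly, so the sender has to be traced from other records around the same timestamp.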
