From: Charles Hatvany
To: freebsd-isp@freebsd.org
Date: Tue, 1 Mar 2005 17:37:58 -0500 (EST)
Subject: Spammer on my system
Message-ID: <20050301173622.N26116@forty.hatvany.com>

Hi guys,

This may not be the correct forum for this. My apologies if this is the wrong place - could use direction.

I have someone abusing one of our servers. The mails "originate" with user "www". The log entry is like this:

    Feb 28 20:19:03 sixty sendmail[33993]: j211J29r033993: from=www, size=7430, class=0, nrcpts=200, msgid=<200503010119.j211J29r033993@sixty.hatvany.com>, relay=www@localhost

pxytest shows open proxies at port 25 and 587.

The apache config file has

    Order Deny,Allow
    Deny from all

If I reject relay for 127.0.0.1 - I stop him, but also all mail originating on the server and on our web mail.

Any ideas of what I should look for/do?

Charles Hatvany
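
Added example, not part of the original post and not the poster's code: Python detection logic that parses sendmail from= records like the one quoted above and flags messages submitted locally (relay=...@localhost) by a service account to many recipients. The function names, the min_rcpts threshold and every sample line except the first are assumptions made for this example.

```python
import re

# First line is the log entry quoted in the post; the other three are constructed.
SAMPLE_LOG = """\
Feb 28 20:19:03 sixty sendmail[33993]: j211J29r033993: from=www, size=7430, class=0, nrcpts=200, msgid=<200503010119.j211J29r033993@sixty.hatvany.com>, relay=www@localhost
Feb 28 20:21:10 sixty sendmail[34010]: j211LAxx034010: from=www, size=1204, class=0, nrcpts=1, msgid=<constructed.1@sixty.example>, relay=www@localhost
Feb 28 20:22:41 sixty sendmail[34022]: j211Mfyy034022: from=<alice@example.org>, size=2210, class=0, nrcpts=120, msgid=<constructed.2@example.org>, relay=mail.example.org [192.0.2.10]
Feb 28 20:22:42 sixty sendmail[34025]: j211Mfyy034022: to=<bob@example.net>, delay=00:00:01, mailer=esmtp, stat=Sent
"""

# Syslog prefix, queue ID, then the comma-separated key=value fields of a from= record.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
                     r"sendmail\[\d+\]:\s(?P<qid>\w+):\s(?P<rest>from=.*)$")
FIELD_RE = re.compile(r"(\w+)=([^,]*)")


def parse_from_records(log_text):
    """Yield one dict per sendmail from= record; delivery (to=) lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m.group("rest")))
        yield {"ts": m.group("ts"), "qid": m.group("qid"),
               "sender": fields.get("from", ""),
               "nrcpts": int(fields.get("nrcpts", "0")),
               "relay": fields.get("relay", "")}


def flag_local_bulk(log_text, local_users=("www",), min_rcpts=50):
    """Return records submitted on the host itself by a service account
    (sender in local_users, relay ending in @localhost) to >= min_rcpts recipients."""
    hits = []
    for rec in parse_from_records(log_text):
        local = rec["relay"].endswith("@localhost")
        if local and rec["sender"] in local_users and rec["nrcpts"] >= min_rcpts:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in flag_local_bulk(SAMPLE_LOG):
        print(f'{rec["ts"]} qid={rec["qid"]} from={rec["sender"]} '
              f'nrcpts={rec["nrcpts"]} relay={rec["relay"]}')
```

The timestamp of each hit can be compared with the web server's access log for the same second to find which script handed the message to sendmail.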