I got a report of someone spamming from my server, but I was unable to find any insecure scripts or anything in the logs that would help me.
I have two servers:
Server one runs ns1/ns2.mydomains.com
Server two runs ns3/ns4.mydomains.com
The reports are coming from server two, but when I look at the maillog, grepping for the email address in the reported emails, I found they are somehow originating from my server one, or at least it looks like that. Here is an example of what I am seeing in the exim_rejectlog:
2006-11-25 01:47:21 H=ns1.mydomain.com (localhost.localhost) [xx.xx.xx.xxx] F=<[email protected]> rejected RCPT <[email protected]>: ns1.mydomain.com (localhost.localhost) [xx.xxx.xxx.xxx] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication
My confusion is that ns1.mydomain.com is not even on server two, which is getting the complaints; it is on server one.
Both servers are fairly old. I keep them updated and pretty secure, and it is mostly friends on both of these servers, so there have been no new people on either server in a few years. I do not think it is an issue with a friend of mine having an insecure script or something, but probably something I have not secured properly.
Any help would be greatly appreciated.
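A triage script for the log format quoted above, added here as an example (not code from the poster or from Exim). Exim writes the connecting host as `H=<reverse-DNS name> (<HELO name>) [<ip>]`: the first name is what the connecting IP reverse-resolves to, the name in parentheses is whatever the client announced in HELO/EHLO, and the HELO is omitted when it matches the reverse-DNS name. So `ns1.mydomain.com (localhost.localhost)` means the connection to server two came from the IP that reverse-resolves to ns1, announcing itself as `localhost.localhost`, which is what a script or a misconfigured local mailer typically sends. The script parses exim_rejectlog lines, groups relay rejections by connecting IP and flags hosts whose HELO does not fit their reverse DNS. The log lines, hostnames and RFC 5737 addresses in it are constructed sample data, not the poster's real log.

```python
"""Triage an Exim reject log for relay attempts, grouped by connecting host.

Exim logs the connecting host as H=<reverse-DNS name> (<HELO name>) [<ip>].
The reverse-DNS name comes from the IP; the parenthesised name is what the
client announced, and Exim leaves it out when it equals the reverse-DNS name.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches H=rdns (helo) [ip], H=rdns [ip] and H=(helo) [ip]
HOST_RE = re.compile(
    r"H=(?:(?P<rdns>[^\s(\[]\S*) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]"
)
SENDER_RE = re.compile(r"F=<(?P<sender>[^>]*)>")
RCPT_RE = re.compile(r"rejected RCPT <(?P<rcpt>[^>]*)>")
RELAY_MARKER = "not permitted to relay"

# Constructed sample lines in exim_rejectlog format (not real log data).
SAMPLE_LOG = """\
2006-11-25 01:47:21 H=ns1.mydomain.com (localhost.localhost) [192.0.2.10] F=<user@example.com> rejected RCPT <victim@example.net>: ns1.mydomain.com (localhost.localhost) [192.0.2.10] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication
2006-11-25 01:47:22 H=ns1.mydomain.com (localhost.localhost) [192.0.2.10] F=<user@example.com> rejected RCPT <other@example.net>: ns1.mydomain.com (localhost.localhost) [192.0.2.10] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication
2006-11-25 02:10:05 H=mail.partner.example [198.51.100.7] F=<a@partner.example> rejected RCPT <nobody@example.net>: mail.partner.example [198.51.100.7] is currently not permitted to relay through this server.
2006-11-25 02:11:00 H=(WIN-PC) [203.0.113.9] F=<spam@example.org> rejected RCPT <x@example.net>: (WIN-PC) [203.0.113.9] is currently not permitted to relay through this server.
2006-11-25 03:00:00 H=(foo) [203.0.113.50] F=<x@example.org> rejected RCPT <a@example.net>: Sender verify failed
"""


def parse_reject_line(line):
    """Return a dict for a relay-rejection line, or None for anything else."""
    if RELAY_MARKER not in line:
        return None
    host = HOST_RE.search(line)
    if host is None:
        return None
    when = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    sender = SENDER_RE.search(line)
    rcpt = RCPT_RE.search(line)
    return {
        "time": when,
        "rdns": host.group("rdns"),
        "helo": host.group("helo"),
        "ip": host.group("ip"),
        "sender": sender.group("sender") if sender else None,
        "rcpt": rcpt.group("rcpt") if rcpt else None,
    }


def is_suspicious(rdns, helo):
    """Flag hosts whose announced HELO name does not fit their reverse DNS."""
    if rdns is None:                       # no reverse DNS at all
        return True
    if helo is None:                       # HELO equalled the reverse-DNS name
        return False
    if helo.lower().startswith("localhost"):
        return True                        # a name no remote peer should announce
    return helo.lower() != rdns.lower()


def summarize_relay_attempts(log_text):
    """Group rejected relay attempts by connecting IP."""
    summary = defaultdict(lambda: {
        "attempts": 0, "rdns": None, "helos": set(), "senders": set(),
        "first": None, "last": None, "suspicious": False,
    })
    for line in log_text.splitlines():
        rec = parse_reject_line(line)
        if rec is None:
            continue
        entry = summary[rec["ip"]]
        entry["attempts"] += 1
        entry["rdns"] = rec["rdns"] or entry["rdns"]
        if rec["helo"]:
            entry["helos"].add(rec["helo"])
        if rec["sender"]:
            entry["senders"].add(rec["sender"])
        entry["first"] = rec["time"] if entry["first"] is None else min(entry["first"], rec["time"])
        entry["last"] = rec["time"] if entry["last"] is None else max(entry["last"], rec["time"])
        entry["suspicious"] = entry["suspicious"] or is_suspicious(rec["rdns"], rec["helo"])
    return dict(summary)


def top_offenders(summary):
    """Connecting IPs ordered by number of rejected relay attempts, most first."""
    return sorted(((ip, e["attempts"]) for ip, e in summary.items()),
                  key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    summary = summarize_relay_attempts(SAMPLE_LOG)
    for ip, attempts in top_offenders(summary):
        e = summary[ip]
        flag = "SUSPICIOUS" if e["suspicious"] else "ok"
        print(f"{ip:16} rdns={e['rdns']} helo={sorted(e['helos'])} "
              f"attempts={attempts} {e['first']:%H:%M}-{e['last']:%H:%M} [{flag}]")
```

Run it against the real file by replacing `SAMPLE_LOG` with the contents of the exim_rejectlog. The IP printed beside `rdns=ns1.mydomain.com` is the host to look at on server one: something there is opening SMTP connections to server two and announcing itself as `localhost.localhost`, which points at a process on server one rather than at a configuration problem on server two.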