Hi
My server has reported that unusual amounts of emails are being sent... (spam)
I checked the qpsmtpd/current log, which gives me this...
2014-12-17 08:10:46.382241500 12290 Accepted connection 0/40 from 103.225.130.213 / Unknown
2014-12-17 08:10:46.382379500 12290 Connection from Unknown [103.225.130.213]
2014-12-17 08:10:46.383769500 12290 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2014-12-17 08:10:46.386196500 12290 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2014-12-17 08:10:46.396003500 12290 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2014-12-17 08:10:46.396281500 12291 Accepted connection 1/40 from 103.225.130.238 / Unknown
2014-12-17 08:10:46.396379500 12291 Connection from Unknown [103.225.130.238]
2014-12-17 08:10:46.397447500 12291 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2014-12-17 08:10:46.399443500 12291 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2014-12-17 08:10:46.407701500 12291 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2014-12-17 08:10:47.400816500 12290 check_earlytalker plugin (connect): remote host said nothing spontaneous, proceeding
2014-12-17 08:10:47.401829500 12290 220 bluelake.glaslyn.com ESMTP
2014-12-17 08:10:47.412462500 12291 check_earlytalker plugin (connect): remote host said nothing spontaneous, proceeding
2014-12-17 08:10:47.413470500 12291 220 bluelake.glaslyn.com ESMTP
2014-12-17 08:10:47.577263500 12290 dispatching EHLO cool19.tdpthom.org
2014-12-17 08:10:47.578442500 12290 250-glaslyn.com Hi Unknown [103.225.130.213]
2014-12-17 08:10:47.578466500 12290 250-PIPELINING
2014-12-17 08:10:47.578486500 12290 250-8BITMIME
2014-12-17 08:10:47.578509500 12290 250-SIZE 15000000
2014-12-17 08:10:47.578530500 12290 250 STARTTLS
2014-12-17 08:10:47.590004500 12291 dispatching EHLO cool44.tdpthom.org
2014-12-17 08:10:47.591021500 12291 250-glaslyn.com Hi Unknown [103.225.130.238]
2014-12-17 08:10:47.591044500 12291 250-PIPELINING
2014-12-17 08:10:47.591065500 12291 250-8BITMIME
2014-12-17 08:10:47.591088500 12291 250-SIZE 15000000
2014-12-17 08:10:47.591108500 12291 250 STARTTLS
2014-12-17 08:10:47.755579500 12290 dispatching QUIT
2014-12-17 08:10:47.755673500 12290 221 glaslyn.com closing connection. Have a wonderful day.
2014-12-17 08:10:47.755713500 12290 click, disconnecting
2014-12-17 08:10:47.768251500 12291 dispatching QUIT
2014-12-17 08:10:47.768398500 12291 221 glaslyn.com closing connection. Have a wonderful day.
2014-12-17 08:10:47.768449500 12291 click, disconnecting
2014-12-17 08:10:48.390285500 2324 cleaning up after 12290
2014-12-17 08:10:48.390310500 2324 cleaning up after 12291
It seems IP addresses 103.225.130.213 and 103.225.130.238 are using my server to relay or send spam out.
Not sure what course of action to take from here really; other posts with this problem refer to blocking the IPs (not sure how to do that), and I don't even understand how the spammers are using my server to start with.
As with other posts, all workstations are shut down at night, usually by 5.30 / 6 pm GMT, leaving just the server running. I have traced the IPs to a spammer site (http://103.225.130.213)...
Other posts also refer to blocking emails on port 25, but will that also block my emails? Are they using my website to connect to the server?
If I change emails from SMTP to SMTPS and use port 465 instead of 25 (as per the howto info), would that have the desired effect?
Very worried...
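Added example, not part of the original post: a small Python script that parses qpsmtpd/current lines in the format shown above, groups them by child pid, and reports per remote IP how many connections were made and how many actually reached MAIL/RCPT/DATA (that is, tried to hand over a message) rather than just EHLO and QUIT, which is all the two connections in the excerpt do. It assumes MAIL/RCPT/DATA are logged as "dispatching MAIL ..." like EHLO and QUIT; the 192.0.2.10 connection in the sample is constructed.

```python
import re
from collections import defaultdict
# qpsmtpd/current lines: "<date> <time> <pid> <message>" (format as in the log above).
LINE_RE = re.compile(r'^(\S+ \S+) (\d+) (.*)$')
ACCEPT_RE = re.compile(r'^Accepted connection \S+ from (\S+) / ')
DISPATCH_RE = re.compile(r'^dispatching (\w+)')
# Assumption: MAIL/RCPT/DATA are logged as "dispatching MAIL ..." just like EHLO/QUIT.
MAIL_STAGES = ('MAIL', 'RCPT', 'DATA')
# Constructed sample: the page's 12290 connection (EHLO then QUIT, no message) plus
# a made-up connection from 192.0.2.10 that actually submits a message.
SAMPLE_LOG = """\
2014-12-17 08:10:46.382241500 12290 Accepted connection 0/40 from 103.225.130.213 / Unknown
2014-12-17 08:10:47.577263500 12290 dispatching EHLO cool19.tdpthom.org
2014-12-17 08:10:47.755579500 12290 dispatching QUIT
2014-12-17 08:11:02.000000000 12295 Accepted connection 0/40 from 192.0.2.10 / Unknown
2014-12-17 08:11:02.500000000 12295 dispatching EHLO mail.example
2014-12-17 08:11:02.700000000 12295 dispatching MAIL FROM:<sender@example>
2014-12-17 08:11:02.900000000 12295 dispatching RCPT TO:<someone@example.net>
2014-12-17 08:11:03.100000000 12295 dispatching DATA
2014-12-17 08:11:03.500000000 12295 dispatching QUIT
"""

def summarize_connections(log_text):
    """Group lines by child pid: remote IP, commands dispatched, mail attempted?"""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, pid, msg = m.groups()
        a = ACCEPT_RE.match(msg)
        if a:
            conns[pid] = {'ip': a.group(1), 'commands': [], 'mail_attempt': False}
            continue
        d = DISPATCH_RE.match(msg)
        if d and pid in conns:
            cmd = d.group(1).upper()
            conns[pid]['commands'].append(cmd)
            conns[pid]['mail_attempt'] |= cmd in MAIL_STAGES   # stays a bool
    return conns

def connections_per_ip(conns):
    """Per remote IP: total connections and how many reached MAIL/RCPT/DATA."""
    counts = defaultdict(lambda: {'connections': 0, 'mail_attempts': 0})
    for c in conns.values():
        counts[c['ip']]['connections'] += 1
        counts[c['ip']]['mail_attempts'] += int(c['mail_attempt'])
    return dict(counts)

if __name__ == '__main__':
    for ip, n in connections_per_ip(summarize_connections(SAMPLE_LOG)).items():
        print(ip, n)
```

Run it against the real file (`python3 script.py < /var/log/qpsmtpd/current` after swapping SAMPLE_LOG for `sys.stdin.read()`) to see which IPs only probe and which actually get as far as submitting mail; a peer that never issues MAIL/RCPT/DATA has not relayed anything through that connection.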