!@#$% Spammers are killing me


goobee
06-09-06, 04:22 PM
Hey Guys,

I run a tiny BBS ( http://goobee.org/bbs if you need to see it) where the damn spammers seem to have gotten access to my goobee.org smtp server to relay spam out. I checked my logs and nothing seems unusual. I only caught it because I've been receiving some of the spam as well and the header information showed that the mail was received via local host instead of a sender's IP. I can't figure how they're doing it, any suggestions?

(Note: I rent shared server space, this is not my server)

Also, my IP is now blacklisted by various known spammer lists which is affecting my personal e-mail. My personal e-mails are being returned by ISPs with messages saying that my IP has been banned from their servers. Incoming mail is not a problem but outgoing is affected. If I route my mail through another smtp server instead of my own, will it be OK or will they still reject it because of my goobee.org e-mail address?

Thanks.

Philip
06-25-06, 09:00 PM
Set the SMTP server to require login for outgoing mail (or/and you can limit access by IP range). How to do that varies depending on the server. This should pretty much stop them... You can test your server with some of those: http://spamlinks.net/prevent-secure-relay-test.htm#web

It is possible that someone else on the same server is sending out spam, and the IP has been blacklisted. Blacklisted IPs can only be cleaned by your ISP, don't even bother contacting the databases. You should request a clean IP address from your ISP, explain that the one they've provided you is blacklisted.

I hope this helps some

Philip
06-25-06, 09:06 PM
According to dnsstuff.com, the MX DNS record (mail server) for your domain is the same as the A record, your main domain IP... 72.232.75.135 ( http://www.dnsreport.com/tools/dnsreport.ch?domain=goobee.org ). You might want to add an SPF record (http://www.openspf.org/), it might help with outgoing mail somewhat.

Checked this IP and it only appears to be in one spam database ( http://www.us.sorbs.net ), which is actually pretty good: http://www.dnsstuff.com/tools/ip4r.ch?ip=72.232.75.135


Also, by telnetting to port 25, it doesn't seem to be an open relay (oh, and port 125 and 2525 appear closed too ;) ):

telnet 72.232.75.135 25
Trying 72.232.75.135...
Connected to 72.232.75.135.
Escape character is '^]'.
hello220-paris.dnstraffic.net ESMTP Exim 4.52 #1 Sun, 25 Jun 2006 18:57:44 -0500
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
quit
Connection closed by foreign host.

goobee
06-30-06, 06:32 PM
I'm assuming it's an open relay because of how the spam is propagating. Note the header of this spam received yesterday:

Return-path: <kjAFX@goobee.org>
Envelope-to: goobee@goobee.org
Delivery-date: Thu, 29 Jun 2006 07:09:14 -0500
Received: from goobee
by paris.dnstraffic.net
with local-bsmtp (Exim 4.52) id 1FvvKZ-0004OS-Pf for goobee@goobee.org;
Thu, 29 Jun 2006 07:09:14 -0500
Received: from localhost
by paris.dnstraffic.net
with SpamAssassin (version 3.1.3);
Thu, 29 Jun 2006 07:09:14 -0500
From: "Alana" <kjAFX@goobee.org>
To: goobee@goobee.org
Subject: Try our pills. Interesting offers
Date: Thu, 29 Jun 2006 07:54:33 +0700
Message-Id: <41634919.20060629075433@goobee.org>
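
An added example, not part of the original posts: a Python script that splits each Received hop of the header quoted above into its from/by/with parts and reports whether any hop records a peer IP address. The function names, and the convention that an SMTP-received hop carries the peer address in square brackets, are assumptions of this example.

```python
import re
from email import message_from_string

# Header block from the post above; continuation lines re-indented so it parses.
SAMPLE = """\
Return-path: <kjAFX@goobee.org>
Envelope-to: goobee@goobee.org
Delivery-date: Thu, 29 Jun 2006 07:09:14 -0500
Received: from goobee
 by paris.dnstraffic.net
 with local-bsmtp (Exim 4.52) id 1FvvKZ-0004OS-Pf for goobee@goobee.org;
 Thu, 29 Jun 2006 07:09:14 -0500
Received: from localhost
 by paris.dnstraffic.net
 with SpamAssassin (version 3.1.3);
 Thu, 29 Jun 2006 07:09:14 -0500
From: "Alana" <kjAFX@goobee.org>
To: goobee@goobee.org
Subject: Try our pills. Interesting offers
Date: Thu, 29 Jun 2006 07:54:33 +0700
Message-Id: <41634919.20060629075433@goobee.org>
"""

HOP = re.compile(r"from\s+(?P<src>\S+).*?\bby\s+(?P<by>\S+)"
                 r"(?:.*?\bwith\s+(?P<proto>\S+))?", re.S)
# Assumption: SMTP-received hops carry the peer IP in [brackets], as Exim writes.
PEER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hops(raw):
    """One dict per Received header, in the order they appear (newest first)."""
    result = []
    for value in message_from_string(raw).get_all("Received", []):
        m, ip = HOP.search(value), PEER_IP.search(value)
        result.append({
            "from": m.group("src") if m else None,
            "by": m.group("by") if m else None,
            "with": m.group("proto") if m else None,
            "peer_ip": ip.group(1) if ip else None,
        })
    return result

def remote_hops(raw):
    """Hops that record a peer IP, i.e. arrived over a network connection."""
    return [h for h in hops(raw) if h["peer_ip"]]

if __name__ == "__main__":
    for hop in hops(SAMPLE):
        print(hop)
    print("hops with a peer IP:", len(remote_hops(SAMPLE)))
```

On the quoted header both hops are local hand-offs on paris.dnstraffic.net (`local-bsmtp`, then `SpamAssassin`) and neither carries a peer address, so these two lines alone do not show where the message entered the server.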