
[cobalt-security] Chinese mail relay hacker ?



While monitoring my logs on my RaQ2 OS3, I noticed a user attempting to relay from mail.163bj.com (a Chinese-based webmail service). The logs show that they were able to relay mail; however, I have since added mail.163bj.com to the reject list, which appears to have stopped it.

As my server was only set to relay mail for 127.0.0.1 and the domain names that are listed on it, how have they been able to relay?


Feb  9 17:47:20 dns sendmail[22253]: RAA22253: from=<saohua@xxxxxxxxx>, size=14209, class=0, pri=44209, nrcpts=1, msgid=<005f01c092c0$6c9a46c0$5824873d@saohua>, proto=ESMTP, relay=mail.163bj.com [202.106.196.67]
Feb  9 17:48:00 dns sendmail[22259]: RAA22257: to=saohua@xxxxxxxxx, ctladdr=mail (8/12), delay=00:00:38, xdelay=00:00:38, mailer=esmtp, relay=mail.163bj.com. [202.106.196.67], stat=Sent (Message received: 20010209175616.CVBI27364.mail.163bj.com@xxxxxxxxxxxxxx)
Feb  9 18:09:07 dns sendmail[22425]: NOQUEUE: Null connection from mail.163bj.com [202.106.196.67]
Feb  9 18:16:57 dns sendmail[22468]: NOQUEUE: Null connection from mail.163bj.com [202.106.196.67]
Feb  9 18:45:20 dns sendmail[22756]: SAA22756: collect: unexpected close on connection from mail.163bj.com, sender=<saohua@xxxxxxxxx>: Error 0
Feb  9 18:45:20 dns sendmail[22756]: SAA22756: from=<saohua@xxxxxxxxx>, size=10896, class=0, pri=0, nrcpts=1, proto=ESMTP, relay=mail.163bj.com [202.106.196.67]
Feb  9 19:30:25 dns sendmail[23332]: TAA23332: collect: unexpected close on connection from mail.163bj.com, sender=<saohua@xxxxxxxxx>: Error 0
Feb  9 19:30:25 dns sendmail[23332]: TAA23332: from=<saohua@xxxxxxxxx>, size=0, class=0, pri=0, nrcpts=1, proto=ESMTP, relay=mail.163bj.com [202.106.196.67]
Feb  9 19:56:15 dns sendmail[23598]: TAA23598: lost input channel from mail.163bj.com [202.106.196.67]
Feb  9 19:56:15 dns sendmail[23598]: TAA23598: from=<saohua@xxxxxxxxx>, size=2323180, class=0, pri=0, nrcpts=1, proto=ESMTP, relay=mail.163bj.com [202.106.196.67]
Feb  9 20:37:31 dns sendmail[24096]: UAA24096: lost input channel from mail.163bj.com [202.106.196.67]
Feb  9 20:37:31 dns sendmail[24096]: UAA24096: from=<saohua@xxxxxxxxx>, size=2323180, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=mail.163bj.com [202.106.196.67]
Feb  9 21:55:55 dns sendmail[24912]: VAA24912: collect: unexpected close on connection from mail.163bj.com, sender=<saohua@xxxxxxxxx>: Error 0
Feb  9 21:55:55 dns sendmail[24912]: VAA24912: from=<saohua@xxxxxxxxx>, size=17855, class=0, pri=0, nrcpts=1, proto=ESMTP, relay=mail.163bj.com [202.106.196.67]
Feb  9 22:20:59 dns sendmail[25311]: WAA25311: lost input channel from mail.163bj.com [202.106.196.67]
Feb  9 22:20:59 dns sendmail[25311]: WAA25311: from=<saohua@xxxxxxxxx>, size=2323180, class=0, pri=0, nrcpts=1, proto=ESMTP, relay=mail.163bj.com [202.106.196.67]
Feb  9 22:44:10 dns sendmail[25504]: WAA25504: collect: unexpected close on connection from mail.163bj.com, sender=<saohua@xxxxxxxxx>: Error 0
Feb  9 22:44:10 dns sendmail[25504]: WAA25504: from=<saohua@xxxxxxxxx>, size=10896, class=0, pri=0, nrcpts=1, proto=ESMTP, relay=mail.163bj.com [202.106.196.67]
Feb  9 23:09:50 dns sendmail[25838]: XAA25838: lost input channel from mail.163bj.com [202.106.196.67]
Feb  9 23:09:50 dns sendmail[25838]: XAA25838: from=<saohua@xxxxxxxxx>, size=2323180, class=0, pri=0, nrcpts=1, proto=ESMTP, relay=mail.163bj.com [202.106.196.67]
Feb  9 23:26:49 dns sendmail[26127]: NOQUEUE: ruleset=check_relay, arg1=mail.163bj.com, arg2=202.106.196.67, relay=mail.163bj.com [202.106.196.67], reject=550 Mail rejected due to possible SPAM
Feb  9 23:27:16 dns sendmail[26127]: NOQUEUE: Null connection from mail.163bj.com [202.106.196.67]


I await your reply
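As an added illustration, not part of the original post or of any list reply, here is a small Python checker that pairs sendmail from=/to= lines by queue ID and flags messages that arrived from an untrusted client and were delivered to a recipient outside the local domains, which is what a genuine relay looks like in the log; it also counts the "Null connection" entries per client IP. The sample lines are constructed in the format quoted above, with invented domains, recipients and a second message; the local domain, the trusted-IP prefixes and the regexes are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the sendmail log lines quoted in the post.
# The domains, queue-ID pairing and second message are invented for the example.
SAMPLE_LOG = """\
Feb  9 17:47:20 dns sendmail[22253]: RAA22253: from=<saohua@example.net>, size=14209, class=0, pri=44209, nrcpts=1, msgid=<x@saohua>, proto=ESMTP, relay=mail.163bj.com [202.106.196.67]
Feb  9 17:47:21 dns sendmail[22255]: RAA22253: to=<victim@example.org>, ctladdr=<saohua@example.net> (8/12), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, relay=mx.example.org. [192.0.2.10], stat=Sent
Feb  9 17:50:00 dns sendmail[22300]: RAA22300: from=<alice@mydomain.example>, size=500, class=0, pri=30500, nrcpts=1, msgid=<y@local>, proto=ESMTP, relay=localhost [127.0.0.1]
Feb  9 17:50:01 dns sendmail[22301]: RAA22300: to=<bob@example.org>, ctladdr=<alice@mydomain.example> (8/12), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, relay=mx.example.org. [192.0.2.10], stat=Sent
Feb  9 18:09:07 dns sendmail[22425]: NOQUEUE: Null connection from mail.163bj.com [202.106.196.67]
Feb  9 18:16:57 dns sendmail[22468]: NOQUEUE: Null connection from mail.163bj.com [202.106.196.67]
"""

QID = re.compile(r"sendmail\[\d+\]: (\w+):")
FROM = re.compile(r"\bfrom=<[^>]*>.*\brelay=\S+ \[([\d.]+)\]")  # client that handed us the message
TO = re.compile(r"\bto=<?([^>,\s]+)>?,")                           # one delivery attempt per line
NULLCONN = re.compile(r"NOQUEUE: Null connection from \S+ \[([\d.]+)\]")


def domain(addr):
    return addr.rpartition("@")[2].rstrip(".").lower()


def find_relayed(log_text, local_domains, trusted_prefixes=("127.",)):
    """Queue IDs accepted from an untrusted client and sent to a non-local recipient."""
    msgs = defaultdict(lambda: {"client": None, "rcpts": []})
    for line in log_text.splitlines():
        q = QID.search(line)
        if not q or q.group(1) == "NOQUEUE":
            continue
        f, t = FROM.search(line), TO.search(line)
        if f:
            msgs[q.group(1)]["client"] = f.group(1)
        if t:
            msgs[q.group(1)]["rcpts"].append(t.group(1))
    relayed = []
    for qid, m in msgs.items():
        ip = m["client"]
        if ip is None or ip.startswith(trusted_prefixes):
            continue  # locally submitted (or explicitly allowed) mail may go anywhere
        if any(domain(r) not in local_domains for r in m["rcpts"]):
            relayed.append(qid)  # neither sender host nor recipient is ours: a relay
    return sorted(relayed)


def null_connections(log_text):
    """Count 'Null connection' entries per client IP (connects that sent no mail)."""
    counts = defaultdict(int)
    for m in NULLCONN.finditer(log_text):
        counts[m.group(1)] += 1
    return dict(counts)
```

The checker only pairs lines that share one queue ID, so a from= line and a to= line with different IDs (such as RAA22253 and RAA22257 in the log above) are two separate messages and are not counted as one relay.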