question on smtp AUTH
pauls at utdallas.edu
Sat Jan 13 20:18:08 UTC 2007
--On January 13, 2007 1:08:17 PM -0500 David Banning
<david+dated+1169143698.53a39d at skytracker.ca> wrote:
> I am still poring over logs to check how my server has been spamming.
> I am wondering about the possibility of someone using a working login
> and password to send spam through my server. So here is my question:
> I look at my maillog and see the following spam:
> maillog.0:Jan 11 02:14:17 3s1 sm-mta: l0B7EGO6003540:
> from=<www at 3s1.com>, size=478, class=0, nrcpts=1, msgid=<200701110714.l0B7
> EGMu003539 at 3s1.com>, proto=ESMTP, daemon=MTA, relay=3s1.com
> www at 3s1.com does not exist as a user on my system, but the relay is mine
> (3s1.com), and 22.214.171.124 is mine.
Your system appears to be working as expected:
telnet 126.96.36.199 25
Connected to 3s1.com.
Escape character is '^]'.
EHL220 3s1.com ESMTP Sendmail 8.13.6/8.13.6; Sat, 13 Jan 2007 14:51:12
250-3s1.com Hello www.stovebolt.com [188.8.131.52], pleased to meet you
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
MAIL FROM: testing at bogus.com
250 2.1.0 testing at bogus.com... Sender ok
RCPT TO: pauls at utdallas.edu
550 5.7.1 pauls at utdallas.edu... Relaying denied. Proper authentication
That would seem to suggest that the spam is being sent using an authorized
account. However, is it possible that a host inside your network is
sending the spam?
Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
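The two things worth checking in the maillog, as this exchange suggests, are whether the envelope sender is a real local account and where the relay= field says the message came from (the server itself, an internal host, or the outside). The following script is an added example, not code from either poster or from sendmail; it parses sendmail-style "from=" log lines and flags those two conditions, then counts messages per (sender, relay) pair so a single runaway pair stands out. The sample log lines are constructed, and the host name, local domain, user list and internal network passed to run_sample() are placeholder assumptions.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines in the shape of sendmail's "from=" log entry.
# Queue ids, hosts and addresses are made up for this example.
SAMPLE_LOG = """\
Jan 11 02:14:17 3s1 sm-mta[3540]: l0B7EGO6003540: from=<www@3s1.com>, size=478, class=0, nrcpts=1, msgid=<200701110714.l0B7EGMu003539@3s1.com>, proto=ESMTP, daemon=MTA, relay=3s1.com
Jan 11 02:14:20 3s1 sm-mta[3541]: l0B7EKO6003541: from=<www@3s1.com>, size=512, class=0, nrcpts=1, msgid=<200701110714.l0B7EKMu003540@3s1.com>, proto=ESMTP, daemon=MTA, relay=3s1.com
Jan 11 02:15:02 3s1 sm-mta[3550]: l0B7F2O6003550: from=<alice@3s1.com>, size=2048, class=0, nrcpts=1, msgid=<abc@3s1.com>, proto=ESMTP, daemon=MTA, relay=pc1.3s1.com [192.0.2.10]
Jan 11 02:16:40 3s1 sm-mta[3560]: l0B7GeO6003560: from=<bob@example.org>, size=600, class=0, nrcpts=3, msgid=<xyz@example.org>, proto=ESMTP, daemon=MTA, relay=mx.example.org [198.51.100.5]
Jan 11 02:17:00 3s1 sm-mta[3570]: l0B7H0O6003570: from=<www@3s1.com>, size=480, class=0, nrcpts=2, msgid=<def@3s1.com>, proto=ESMTP, daemon=MTA, relay=3s1.com
"""

# Field order follows sendmail's from= line; msgid and bodytype are optional,
# and the syslog pid in brackets may be absent depending on syslog config.
FROM_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sm-mta(?:\[\d+\])?: (?P<qid>\w+): from=<(?P<sender>[^>]*)>, size=(?P<size>\d+), "
    r"class=-?\d+, nrcpts=(?P<nrcpts>\d+), (?:msgid=<[^>]*>, )?"
    r"(?:bodytype=[^,]+, )?proto=(?P<proto>[^,]+), daemon=(?P<daemon>[^,]+), "
    r"relay=(?P<relay>.+)$"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_maillog(text):
    """Return one dict per from= line; lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["size"] = int(d["size"])
        d["nrcpts"] = int(d["nrcpts"])
        # "host.example [192.0.2.1] (may be forged)" -> name "host.example", ip "192.0.2.1"
        d["relay_name"] = d["relay"].split()[0].lower()
        ipm = IP_RE.search(d["relay"])
        d["relay_ip"] = ipm.group(1) if ipm else None
        entries.append(d)
    return entries


def audit(entries, local_host, local_domain, local_users, internal_nets):
    """Map queue id -> reasons the submission deserves a closer look."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    findings = {}
    for e in entries:
        reasons = []
        localpart, _, domain = e["sender"].rpartition("@")
        # A sender in our own domain that is not an account we know about
        if domain.lower() == local_domain.lower() and localpart.lower() not in local_users:
            reasons.append("sender claims local domain but is not a local account")
        # relay= naming the server itself means the mail was injected locally
        if e["relay_name"] in {local_host.lower(), "localhost"} or e["relay_ip"] == "127.0.0.1":
            reasons.append("submitted from the server itself")
        elif e["relay_ip"] and any(ipaddress.ip_address(e["relay_ip"]) in n for n in nets):
            reasons.append("submitted from a host inside the internal network")
        if reasons:
            findings[e["qid"]] = reasons
    return findings


def volume_by_sender_relay(entries):
    """Count messages per (envelope sender, relay name); a spam run shows as one dominant pair."""
    return Counter((e["sender"].lower(), e["relay_name"]) for e in entries)


def run_sample():
    """Run the audit over the constructed log with placeholder site parameters."""
    entries = parse_maillog(SAMPLE_LOG)
    # Assumed site parameters: host and domain, the real local accounts, the LAN range.
    findings = audit(entries, "3s1.com", "3s1.com", {"alice", "root"}, ["192.0.2.0/24"])
    counts = volume_by_sender_relay(entries)
    return entries, findings, counts


if __name__ == "__main__":
    entries, findings, counts = run_sample()
    for qid, reasons in findings.items():
        print(qid, "->", "; ".join(reasons))
    for (sender, relay), n in counts.most_common(3):
        print(f"{n:4d}  {sender} via {relay}")
```

On a real system the script would read /var/log/maillog instead of SAMPLE_LOG and take the account list from the password file or alias table; the point it makes is that "relay=" equal to your own host name, combined with a sender that is not a user on the box, points at something running on the server (a web form or script) rather than at a stolen SMTP AUTH password.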