question on smtp AUTH

Paul Schmehl pauls at utdallas.edu
Sat Jan 13 20:18:08 UTC 2007


--On January 13, 2007 1:08:17 PM -0500 David Banning 
<david+dated+1169143698.53a39d at skytracker.ca> wrote:

> I am still poring over logs to check how my server has been spamming.
>
> I am wondering about the possibility of someone using a working login
> and password to send spam through my server. So here is my question:
>
> I look at my maillog and see the following spam:
>
> maillog.0:Jan 11 02:14:17 3s1 sm-mta[3540]: l0B7EGO6003540:
> from=<www at 3s1.com>, size=478, class=0, nrcpts=1, msgid=<200701110714.l0B7
> EGMu003539 at 3s1.com>, proto=ESMTP, daemon=MTA, relay=3s1.com
> [209.161.205.12]
>
> www at 3s1.com does not exist as a user on my system, but the relay is mine
> (3s1.com), and 209.161.205.12 is mine.
>
Your system appears to be working as expected:

telnet 209.161.205.12 25
Trying 209.161.205.12...
Connected to 3s1.com.
Escape character is '^]'.
EHL220 3s1.com ESMTP Sendmail 8.13.6/8.13.6; Sat, 13 Jan 2007 14:51:12 
-0500 (EST)
^R
EHLO testing
250-3s1.com Hello www.stovebolt.com [66.221.101.248], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
MAIL FROM: testing at bogus.com
250 2.1.0 testing at bogus.com... Sender ok
RCPT TO: pauls at utdallas.edu
550 5.7.1 pauls at utdallas.edu... Relaying denied. Proper authentication 
required.

That would seem to suggest that the spam is being sent using an authorized 
account; however, is it possible that a host inside your network is 
sending the spam?

Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
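The relay test above can be scripted for auditing a server you administer. The following is an added example, not code from the thread or from the FreeBSD or sendmail projects: it drives the same EHLO / MAIL FROM / RCPT TO sequence through Python's standard smtplib, records which AUTH mechanisms are advertised and whether an outside recipient is refused, and flags two things a defender cares about (an open relay, and LOGIN/PLAIN offered on a session with no STARTTLS). The sender and recipient addresses are constructed placeholders, and the `ReplayedSession` class is a constructed stand-in that answers exactly as the 3s1.com session in the thread did, so the logic can be exercised without a network.

```python
# Added example (not from the thread): automates the relay/AUTH probe that
# was run by hand with telnet above, using only the standard library.
import smtplib
from dataclasses import dataclass


@dataclass
class RelayCheckResult:
    auth_mechanisms: list          # mechanisms listed after "250-AUTH"
    starttls_offered: bool         # did EHLO advertise STARTTLS?
    mail_from_code: int            # reply code to MAIL FROM
    rcpt_code: int                 # reply code to RCPT TO (outside recipient)
    rcpt_message: str              # server text, e.g. "5.7.1 ... Relaying denied"

    @property
    def open_relay(self) -> bool:
        """Outside sender to outside recipient accepted with no AUTH:
        the box will relay for anyone."""
        return 200 <= self.rcpt_code < 300

    @property
    def cleartext_auth_exposed(self) -> bool:
        """LOGIN/PLAIN offered with no STARTTLS: any client that used them
        here would send its password across the wire unencrypted."""
        plain = {"LOGIN", "PLAIN"} & set(self.auth_mechanisms)
        return bool(plain) and not self.starttls_offered


def auth_mechanisms(features: dict) -> list:
    """smtplib stores EHLO keywords lowercased in esmtp_features; the 'auth'
    value is the mechanism list, e.g. ' DIGEST-MD5 CRAM-MD5 LOGIN PLAIN'."""
    return features.get("auth", "").split()


def check_relay(client, sender: str, recipient: str,
                helo_name: str = "relaytest") -> RelayCheckResult:
    """Run EHLO / MAIL FROM / RCPT TO against an smtplib.SMTP-like client
    and record the replies. No message is ever sent: RSET after RCPT."""
    code, _ = client.ehlo(helo_name)
    if code != 250:
        raise RuntimeError("EHLO rejected with %d" % code)
    mechs = auth_mechanisms(client.esmtp_features)
    tls = client.has_extn("starttls")
    mcode, _ = client.mail(sender)
    rcode, rmsg = client.rcpt(recipient)
    client.rset()   # abandon the envelope so nothing is queued
    return RelayCheckResult(mechs, tls, mcode, rcode,
                            rmsg.decode("ascii", "replace"))


def check_relay_over_network(host: str, sender: str, recipient: str,
                             port: int = 25) -> RelayCheckResult:
    """Network variant, for a server you administer."""
    with smtplib.SMTP(host, port, timeout=15) as client:   # QUIT on exit
        return check_relay(client, sender, recipient)


class ReplayedSession:
    """Constructed stand-in for smtplib.SMTP that answers exactly as the
    3s1.com session in the thread did, so the logic runs offline."""
    def __init__(self):
        self.esmtp_features = {}

    def ehlo(self, name=""):
        # mirror smtplib: keywords lowercased, AUTH value keeps a leading space
        self.esmtp_features = {
            "enhancedstatuscodes": "", "pipelining": "", "expn": "", "verb": "",
            "8bitmime": "", "size": "", "dsn": "", "etrn": "",
            "auth": " DIGEST-MD5 CRAM-MD5 LOGIN PLAIN",
            "deliverby": "", "help": "",
        }
        return 250, b"3s1.com Hello relaytest, pleased to meet you"

    def has_extn(self, opt):
        return opt.lower() in self.esmtp_features

    def mail(self, sender, options=()):
        return 250, b"2.1.0 %s... Sender ok" % sender.encode()

    def rcpt(self, recip, options=()):
        return 550, (b"5.7.1 %s... Relaying denied. "
                     b"Proper authentication required." % recip.encode())

    def rset(self):
        return 250, b"2.0.0 Reset state"


def audit_replayed_session() -> RelayCheckResult:
    # constructed placeholder addresses, not the ones used in the thread
    return check_relay(ReplayedSession(), "testing@bogus.example",
                       "someone@outside.example")


if __name__ == "__main__":
    r = audit_replayed_session()
    print("open relay:", r.open_relay)
    print("AUTH mechanisms:", r.auth_mechanisms)
    print("cleartext AUTH without STARTTLS:", r.cleartext_auth_exposed)
```

Against the replayed session the result matches what the telnet transcript shows: RCPT TO is refused with 550, so the server is not an open relay, and the spam must be entering through an authenticated session or from a host the server already trusts. The check also notes that the session advertised LOGIN and PLAIN without STARTTLS, which is a separate thing worth tightening, since a stolen password is exactly the failure mode David is asking about.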

