question on smtp AUTH
Paul Schmehl
pauls at utdallas.edu
Sun Jan 14 00:02:32 UTC 2007
--On January 13, 2007 6:34:17 PM -0500 David Banning <david at skytracker.ca>
wrote:
>> That would seem to suggest that the spam is being sent using an
>> authorized account, however, is it possible that a host inside your
>> network is sending the spam?
>
> Thanks for that test Paul. I do believe that it could have been a virus
> infected windows box. I am not convinced now. I -do- know that I have
> had crackers attempting access via SSH and I did not have anything to
> stop them from trying every possible configuration. Eventually they
> may have gotten a usable login and password. I now have them blocked
> after 5 failed attempts but still there could be someone spamming using
> the login and password obtained previously. Before getting -everyone-
> to change thier password I am wondering if there isn't a way to log
> who is sending via what login authentication. I could then just
> setup a new password for that user only.
I'm not that knowledgeable of sendmail. (One of the first things I do on
every install is install postfix and disable sendmail.) I sent a test
message, and here's what I see in the logs:
Jan 13 14:12:30 mail postfix/smtpd[55000]: F0E75114333:
client=adsl-65-69-140-8.dsl.rcsntx.swbell.
net[65.69.140.8], sasl_method=PLAIN, sasl_username=geek at mail.stovebolt.com
Jan 13 14:12:31 mail postfix/smtp[55003]: 845B811431A:
to=<pauls at utdallas.edu>, relay=mx2.utdallas
.edu[129.110.10.17]:25, delay=0.6, delays=0.34/0/0.13/0.13, dsn=2.0.0,
status=sent (250 Ok: queued
as 261313392)
I don't know if sendmail logs those. If not, maybe a higher debug level
would help?
Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
More information about the freebsd-questions
mailing list