question on smtp AUTH

Paul Schmehl pauls at
Sun Jan 14 00:02:32 UTC 2007

--On January 13, 2007 6:34:17 PM -0500 David Banning <david at> 

>> That would seem to suggest that the spam is being sent using an
>> authorized  account, however, is it possible that a host inside your
>> network is  sending the spam?
> Thanks for that test Paul. I do believe that it could have been a virus
> infected windows box. I am not convinced now. I -do- know that I have
> had crackers attempting access via SSH and I did not have anything to
> stop them from trying every possible configuration. Eventually they
> may have gotten a usable login and password. I now have them blocked
> after 5 failed attempts but still there could be someone spamming using
> the login and password obtained previously. Before getting -everyone-
> to change thier password I am wondering if there isn't a way to log
> who is sending via what login authentication. I could then just
> setup a new password for that user only.

I'm not that knowledgeable of sendmail.  (One of the first things I do on 
every install is install postfix and disable sendmail.)  I sent a test 
message, and here's what I see in the logs:

Jan 13 14:12:30 mail postfix/smtpd[55000]: F0E75114333: 
net[], sasl_method=PLAIN, sasl_username=geek at
Jan 13 14:12:31 mail postfix/smtp[55003]: 845B811431A: 
to=<pauls at>, relay=mx2.utdallas
.edu[]:25, delay=0.6, delays=0.34/0/0.13/0.13, dsn=2.0.0, 
status=sent (250 Ok: queued
 as 261313392)

I don't know if sendmail logs those.  If not, maybe a higher debug level 
would help?

Paul Schmehl (pauls at
Senior Information Security Analyst
The University of Texas at Dallas

More information about the freebsd-questions mailing list