question on smtp AUTH

Jonathan Horne freebsd at
Sun Jan 14 03:19:21 UTC 2007

On Saturday 13 January 2007 12:08, David Banning wrote:
> I am still poring over logs to check how my server has been spamming.
> I am wondering about the possibility of someone using a working login and
> password to send spam through my server. So here is my question;
> I look at my maillog and see the following spam;
> maillog.0:Jan 11 02:14:17 3s1 sm-mta[3540]: l0B7EGO6003540:
> from=<www at>, size=478, class=0, nrcpts=1, msgid=<200701110714.l0B7
> EGMu003539 at>, proto=ESMTP, daemon=MTA,
> []
> www at does not exist as a user on my system, but the relay is mine
> (, and is mine.
> How can I find out or log when a user sends mail, what authentication was
> used? If they have to login to send through my server, who did they login
> as? - how would I find that out?

well, on my sendmail, which i know to be authing correctly.. i see a line 
with an authid and the originating server.  here is what i see in my sendmail 
logs when i send an email thru my server:

Jan 13 21:09:03 regulus sm-mta[1295]: AUTH=server, 
[], authid=jhorne, mech=PLAIN, bits=0
Jan 13 21:09:03 regulus sm-mta[1295]: l0E393ZZ001295: from=<free at>, 
size=340, class=0, nrcpts=1, msgid=< at>, 
proto=ESMTP, daemon=IPv4, []
Jan 13 21:09:03 regulus spamd[778]: spamd: connection from localhost 
[] at port 52812
Jan 13 21:09:03 regulus spamd[778]: spamd: processing message 
< at> for root:58
Jan 13 21:09:04 regulus spamd[778]: spamd: clean message (-4.4/3.6) for 
root:58 in 1.3 seconds, 634 bytes.
Jan 13 21:09:04 regulus spamd[778]: spamd: result: . -4 - ALL_TRUSTED,BAYES_00 
scantime=1.3,size=634,user=root,uid=58,required_score=3.6,rhost=localhost,raddr=,rport=52812,mid=<200701132109.03067.freebsd at>,bayes=1.98407501539322e-09,autolearn=ham
Jan 13 21:09:04 regulus sm-mta[1295]: l0E393ZZ001295: Milter add: header: 
X-Spam-Status: No, score=-4.4 required=3.6 tests=ALL_TRUSTED,BAYES_00 
\n\tautolearn=ham version=3.1.7
Jan 13 21:09:04 regulus sm-mta[1295]: l0E393ZZ001295: Milter add: header: 
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on
Jan 13 21:09:04 regulus spamd[648]: prefork: child states: II
Jan 13 21:09:12 regulus sm-mta[1298]: l0E393ZZ001295: to=<sha at>, 
ctladdr=<free at> (1001/1001), delay=00:00:09, xdelay=00:00:08, 
mailer=esmtp, pri=30340, [], 
dsn=2.0.0, stat=Sent (OK 1168744152 18si11823416nzo)

another very archaic test, and this is not so much a definitive test anymore, 
but it might not hurt to try the open relay test from  just 


and it should at least be able to withstand those 19 simple relay checks.  
what authmethod are you using on your sendmail, and did you make the 
appropriate changes in your .mc files?

finally, when someone who is not authorized tries to relay, your sendmail 
logs should produce lines like this:

Jan 12 10:15:05 regulus sm-mta[28559]: l0CGEDDv028559: ruleset=check_rcpt, 
arg1=<hotpostprobe1 at>, 
[], reject=550 5.7.1 <hotpostprobe1 at>... Relaying 
denied. Proper authentication required.

do a:
cat /var/log/maillog*|grep Proper

and see what you turn up.
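
The correlation described in the reply above (an AUTH=server line carrying the authid, followed by the from= line logged by the same sm-mta process), as an added example that is not part of the original post. The sample log is constructed with placeholder hosts and addresses, and it assumes one log entry per line with the relay= field present, which the archive stripped from the lines quoted above.

```python
import re
from collections import Counter

# Constructed sample in the shape of the log lines quoted above; host names,
# addresses and queue IDs are placeholders, one log entry per line.
SAMPLE = """\
Jan 13 21:09:03 mx sm-mta[1295]: AUTH=server, relay=client.example.org [192.0.2.10], authid=jhorne, mech=PLAIN, bits=0
Jan 13 21:09:03 mx sm-mta[1295]: l0E393ZZ001295: from=<jhorne@example.org>, size=340, class=0, nrcpts=1, msgid=<1@example.org>, proto=ESMTP, daemon=IPv4, relay=client.example.org [192.0.2.10]
Jan 13 21:09:12 mx sm-mta[1298]: l0E393ZZ001295: to=<a@example.net>, delay=00:00:09, mailer=esmtp, dsn=2.0.0, stat=Sent (OK)
Jan 13 22:14:17 mx sm-mta[3540]: l0E4EGO6003540: from=<www@example.org>, size=478, class=0, nrcpts=1, msgid=<2@example.org>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Jan 13 22:15:05 mx sm-mta[3559]: l0E4F5Dv003559: ruleset=check_rcpt, arg1=<probe@example.com>, relay=[198.51.100.7], reject=550 5.7.1 <probe@example.com>... Relaying denied. Proper authentication required.
"""

# "sm-mta[pid]: " followed by an optional "queueid: " and the rest of the entry.
ENTRY = re.compile(r"sm-mta\[(\d+)\]: (?:(\w+): )?(.*)")
# key=value pairs separated by commas, as sendmail writes them.
FIELD = re.compile(r"(\w+)=([^,]*)")


def audit(lines):
    """Return (accepted, denied): accepted messages with the authid that
    submitted them (None if the session never authenticated), and a count
    of 'Relaying denied' rejections per relay."""
    auth_by_pid = {}    # pid -> authid for the SMTP session in that process
    accepted = []       # (queue id, envelope sender, relay, authid or None)
    denied = Counter()  # relay -> number of rejected relay attempts
    for line in lines:
        m = ENTRY.search(line)
        if not m:
            continue
        pid, qid, body = m.groups()
        fields = dict(FIELD.findall(body))
        if body.startswith("AUTH=server"):
            # Caveat: PIDs are reused over time, so feed this one log file at
            # a time and treat matches far apart in time with suspicion.
            auth_by_pid[pid] = fields.get("authid")
        elif body.startswith("from="):
            accepted.append((qid, fields["from"], fields.get("relay"),
                             auth_by_pid.get(pid)))
        elif "Relaying denied" in body:
            denied[fields.get("relay")] += 1
    return accepted, denied


if __name__ == "__main__":
    accepted, denied = audit(SAMPLE.splitlines())
    for qid, sender, relay, authid in accepted:
        print(f"{qid} from={sender} relay={relay} authid={authid or 'NONE (no SMTP AUTH)'}")
    for relay, count in denied.items():
        print(f"relay denied x{count} from {relay}")
```

An accepted message reported with no authid did not come in through SMTP AUTH, so the relay= value on its from= line is the place to look next.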

