question on smtp AUTH

Jonathan Horne freebsd at dfwlp.com
Sun Jan 14 03:19:21 UTC 2007


On Saturday 13 January 2007 12:08, David Banning wrote:
> I am still poring over logs to check how my server has been spamming.
>
> I am wondering about the possibility of someone using a working login and
> password to send spam through my server. So here is my question;
>
> I look at my maillog and see the following spam;
>
> maillog.0:Jan 11 02:14:17 3s1 sm-mta[3540]: l0B7EGO6003540:
> from=<www at 3s1.com>, size=478, class=0, nrcpts=1, msgid=<200701110714.l0B7
> EGMu003539 at 3s1.com>, proto=ESMTP, daemon=MTA, relay=3s1.com
> [209.161.205.12]
>
> www at 3s1.com does not exist as a user on my system, but the relay is mine
> (3s1.com), and 209.161.205.12 is mine.
>
> How can I find out or log when a user sends mail, what authentication was
> used? If they have to login to send through my server, who did they login
> as? - how would I find that out?

well, on my sendmail, which i know to be authing correctly.. i see a line 
with an authid and the originating server.  here is what i see in my sendmail 
logs when i send an email thru my server:


Jan 13 21:09:03 regulus sm-mta[1295]: AUTH=server, relay=athena.dfwlp.com 
[192.168.125.83], authid=jhorne, mech=PLAIN, bits=0
Jan 13 21:09:03 regulus sm-mta[1295]: l0E393ZZ001295: from=<free at dfwlp.com>, 
size=340, class=0, nrcpts=1, msgid=<200701132109.03067.free at dfwlp.com>, 
proto=ESMTP, daemon=IPv4, relay=athena.dfwlp.com [192.168.125.83]
Jan 13 21:09:03 regulus spamd[778]: spamd: connection from localhost 
[127.0.0.1] at port 52812
Jan 13 21:09:03 regulus spamd[778]: spamd: processing message 
<200701132109.03067.free at dfwlp.com> for root:58
Jan 13 21:09:04 regulus spamd[778]: spamd: clean message (-4.4/3.6) for 
root:58 in 1.3 seconds, 634 bytes.
Jan 13 21:09:04 regulus spamd[778]: spamd: result: . -4 - ALL_TRUSTED,BAYES_00 
scantime=1.3,size=634,user=root,uid=58,required_score=3.6,rhost=localhost,raddr=127.0.0.1,rport=52812,mid=<200701132109.03067.freebsd at dfwlp.com>,bayes=1.98407501539322e-09,autolearn=ham
Jan 13 21:09:04 regulus sm-mta[1295]: l0E393ZZ001295: Milter add: header: 
X-Spam-Status: No, score=-4.4 required=3.6 tests=ALL_TRUSTED,BAYES_00 
\n\tautolearn=ham version=3.1.7
Jan 13 21:09:04 regulus sm-mta[1295]: l0E393ZZ001295: Milter add: header: 
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on regulus.dfwlp.com
Jan 13 21:09:04 regulus spamd[648]: prefork: child states: II
Jan 13 21:09:12 regulus sm-mta[1298]: l0E393ZZ001295: to=<sha at gmail.com>, 
ctladdr=<free at dfwlp.com> (1001/1001), delay=00:00:09, xdelay=00:00:08, 
mailer=esmtp, pri=30340, relay=gmail-smtp-in.l.google.com. [64.233.163.27], 
dsn=2.0.0, stat=Sent (OK 1168744152 18si11823416nzo)

another very archaic test, and this is not so much a definitive test anymore, 
but it might not hurt to try the open relay test from mail-abuse.org.  just 
type:

telnet relay-test.mail-abuse.org

and it should at least be able to withstand those 19 simple relay checks.  
what authmethod are you using on your sendmail, and did you make the 
appropriate changes in your .mc files?

finally, when someone who is not authorized tries to relay, your sendmail 
logs should produce lines like this:

Jan 12 10:15:05 regulus sm-mta[28559]: l0CGEDDv028559: ruleset=check_rcpt, 
arg1=<hotpostprobe1 at yahoo.com>, relay=VG-4-52.dialup.access.telecore.net.ru 
[213.135.65.54], reject=550 5.7.1 <hotpostprobe1 at yahoo.com>... Relaying 
denied. Proper authentication required.

do a:
cat /var/log/maillog*|grep Proper

and see what you turn up.

hth,
jonathan
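The two log excerpts above show the pattern that answers the original question: sendmail writes an `AUTH=server ... authid=... mech=...` line for the sm-mta process handling the session, and the `from=<...>` line that follows carries the same pid, so the authid can be tied to the queue id of each accepted message; a message with no `AUTH=server` line for its pid was accepted without SMTP AUTH. The script below is an added example, not code from this thread or from sendmail: it correlates those lines and also collects the `Relaying denied` rejections. The sample log lines are constructed in the style of the quotes above (hosts, pids, queue ids and addresses are made up), and the pid-based correlation is the assumption the example rests on.

```python
import re
from collections import Counter

# Constructed sample lines in the style of the sendmail logs quoted in this
# thread; hosts, pids, queue ids and addresses are made up for the example.
SAMPLE_LOG = """\
Jan 13 21:09:03 regulus sm-mta[1295]: AUTH=server, relay=athena.example.net [192.168.125.83], authid=jhorne, mech=PLAIN, bits=0
Jan 13 21:09:03 regulus sm-mta[1295]: l0E393ZZ001295: from=<free@example.net>, size=340, class=0, nrcpts=1, msgid=<1@example.net>, proto=ESMTP, daemon=IPv4, relay=athena.example.net [192.168.125.83]
Jan 13 21:09:03 regulus spamd[778]: spamd: connection from localhost [127.0.0.1] at port 52812
Jan 11 02:14:17 3s1 sm-mta[3540]: l0B7EGO6003540: from=<www@example.com>, size=478, class=0, nrcpts=1, msgid=<2@example.com>, proto=ESMTP, daemon=MTA, relay=mail.example.com [203.0.113.12]
Jan 12 10:15:05 regulus sm-mta[28559]: l0CGEDDv028559: ruleset=check_rcpt, arg1=<probe@example.org>, relay=dialup.example.invalid [198.51.100.54], reject=550 5.7.1 <probe@example.org>... Relaying denied. Proper authentication required.
"""

# syslog prefix of an sm-mta line: timestamp, host, pid, and the sendmail payload
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sm-mta\[(?P<pid>\d+)\]: (?P<rest>.*)$"
)
# "AUTH=server, relay=..., authid=..., mech=..., bits=..." (no queue id on this line)
AUTH_RE = re.compile(
    r"^AUTH=server, relay=(?P<relay>.+?), authid=(?P<authid>[^,]+), mech=(?P<mech>[^,]+)"
)
# "<queue id>: from=<sender>, ..., relay=<host> [<addr>]"
FROM_RE = re.compile(r"^(?P<qid>\w+): from=<(?P<sender>[^>]*)>.*relay=(?P<relay>.*)$")
# "<queue id>: ruleset=..., arg1=<...>, relay=..., reject=<smtp reply>"
REJECT_RE = re.compile(
    r"^(?P<qid>\w+): ruleset=(?P<ruleset>[^,]+), arg1=<(?P<arg1>[^>]*)>, "
    r"relay=(?P<relay>.+?), reject=(?P<reject>.*)$"
)


def analyze(log_text):
    """Attribute each accepted message to the authid logged for its sm-mta
    process (assumption: AUTH line and from= line share host and pid), and
    collect relaying rejections."""
    auth_by_proc = {}  # (host, pid) -> groups of the AUTH=server line
    messages, rejects = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # spamd, milter and other non-sm-mta lines are skipped
        key = (m["host"], m["pid"])
        rest = m["rest"]
        a = AUTH_RE.match(rest)
        if a:
            # One AUTH line per session; later messages in the same session
            # reuse the pid, so the record is kept rather than popped. Pids are
            # eventually reused, so a new AUTH line simply overwrites the old one.
            auth_by_proc[key] = a.groupdict()
            continue
        f = FROM_RE.match(rest)
        if f:
            auth = auth_by_proc.get(key)  # None => accepted without SMTP AUTH
            messages.append({
                "qid": f["qid"],
                "sender": f["sender"],
                "relay": f["relay"],
                "authid": auth["authid"] if auth else None,
                "mech": auth["mech"] if auth else None,
            })
            continue
        r = REJECT_RE.match(rest)
        if r:
            rejects.append(r.groupdict())
    return {"messages": messages, "rejects": rejects}


def submissions_per_authid(result):
    """Count accepted messages per authid; unauthenticated ones count as 'none'."""
    return Counter(msg["authid"] or "none" for msg in result["messages"])


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for msg in result["messages"]:
        who = msg["authid"] or "NO AUTH"
        print(f'{msg["qid"]}: from=<{msg["sender"]}> via {msg["relay"]} authid={who}')
    for rej in result["rejects"]:
        print(f'{rej["qid"]}: {rej["arg1"]} from {rej["relay"]}: {rej["reject"]}')
    print(dict(submissions_per_authid(result)))
```

To run it over a real system, read `/var/log/maillog*` into `analyze()` instead of `SAMPLE_LOG`; the interesting rows are those reported with `NO AUTH` whose relay is one of your own hosts, because those are messages the server accepted without anyone logging in, which is the situation the original question describes.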
