From owner-freebsd-questions@FreeBSD.ORG Sun Jan 14 00:02:32 2007 Return-Path: X-Original-To: questions@freebsd.org Delivered-To: freebsd-questions@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id ACE1216A407 for ; Sun, 14 Jan 2007 00:02:32 +0000 (UTC) (envelope-from pauls@utdallas.edu) Received: from mail.stovebolt.com (mail.stovebolt.com [66.221.101.249]) by mx1.freebsd.org (Postfix) with ESMTP id 6E1E713C457 for ; Sun, 14 Jan 2007 00:02:32 +0000 (UTC) (envelope-from pauls@utdallas.edu) Received: from [192.168.2.102] (adsl-65-69-140-8.dsl.rcsntx.swbell.net [65.69.140.8]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.stovebolt.com (Postfix) with ESMTP id ED38C114307; Sat, 13 Jan 2007 17:56:53 -0600 (CST) Date: Sat, 13 Jan 2007 18:02:30 -0600 From: Paul Schmehl To: David Banning , questions@freebsd.org Message-ID: <8D5664DAA70E55928D71AC6C@paul-schmehls-powerbook59.local> In-Reply-To: <20070113233415.GA20356@skytracker.ca> References: <20070113180815.GA7980@skytracker.ca> <9F7B3DEC0E5C38DF44E9AE3A@paul-schmehls-powerbook59.local> <20070113233415.GA20356@skytracker.ca> X-Mailer: Mulberry/4.0.7b1 (Mac OS X) MIME-Version: 1.0 Content-Type: multipart/signed; micalg=sha1; protocol="application/pkcs7-signature"; boundary="==========3E986FBD222B85B530F4==========" X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Subject: Re: question on smtp AUTH X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 14 Jan 2007 00:02:32 -0000 --==========3E986FBD222B85B530F4========== Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: quoted-printable Content-Disposition: inline --On January 13, 2007 6:34:17 PM -0500 David Banning = wrote: >> That would seem to suggest that the spam is being sent using an >> authorized account, however, is it possible that a host inside your >> network is sending the spam? > > Thanks for that test Paul. I do believe that it could have been a virus > infected windows box. I am not convinced now. I -do- know that I have > had crackers attempting access via SSH and I did not have anything to > stop them from trying every possible configuration. Eventually they > may have gotten a usable login and password. I now have them blocked > after 5 failed attempts but still there could be someone spamming using > the login and password obtained previously. Before getting -everyone- > to change thier password I am wondering if there isn't a way to log > who is sending via what login authentication. I could then just > setup a new password for that user only. I'm not that knowledgeable of sendmail. (One of the first things I do on=20 every install is install postfix and disable sendmail.) I sent a test=20 message, and here's what I see in the logs: Jan 13 14:12:30 mail postfix/smtpd[55000]: F0E75114333:=20 client=3Dadsl-65-69-140-8.dsl.rcsntx.swbell. net[65.69.140.8], sasl_method=3DPLAIN, = sasl_username=3Dgeek@mail.stovebolt.com Jan 13 14:12:31 mail postfix/smtp[55003]: 845B811431A:=20 to=3D, relay=3Dmx2.utdallas .edu[129.110.10.17]:25, delay=3D0.6, delays=3D0.34/0/0.13/0.13, = dsn=3D2.0.0,=20 status=3Dsent (250 Ok: queued as 261313392) I don't know if sendmail logs those. If not, maybe a higher debug level=20 would help? Paul Schmehl (pauls@utdallas.edu) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/ --==========3E986FBD222B85B530F4==========--