Date: Sat, 13 Jan 2007 13:08:17 -0500
From: David Banning
To: questions@freebsd.org
Subject: question on smtp AUTH
Message-ID: <20070113180815.GA7980@skytracker.ca>

I am still poring over logs to check how my server has been spamming. I am wondering about the possibility of someone using a working login and password to send spam through my server.

So here is my question; I look at my maillog and see the following spam;

maillog.0:Jan 11 02:14:17 3s1 sm-mta[3540]: l0B7EGO6003540: from=, size=478, class=0, nrcpts=1, msgid=<200701110714.l0B7EGMu003539@3s1.com>, proto=ESMTP, daemon=MTA, relay=3s1.com [209.161.205.12]

www@3s1.com does not exist as a user on my system, but the relay is mine (3s1.com), and 209.161.205.12 is mine.

How can I find out or log when a user sends mail, what authentication was used? If they have to log in to send through my server, who did they log in as? - how would I find that out?
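
The following is an added example, not part of the original message and not sendmail's own code. It matches sendmail's AUTH=server log entries to the from= entries written by the same sm-mta process ID, and labels a message whose relay is one of the server's own addresses as locally generated rather than authenticated. The log lines, hostnames, addresses and the classify() helper are constructed for illustration, and it assumes sendmail's LogLevel is high enough for AUTH=server entries to be written.

```python
import re

# Constructed sample lines in sendmail maillog layout (not taken from the post).
# Assumption: LogLevel is high enough that sm-mta writes "AUTH=server" entries.
SAMPLE_LOG = """\
Jan 11 02:14:16 mx sm-mta[4101]: AUTH=server, relay=client.example.net [198.51.100.7], authid=alice, mech=LOGIN, bits=0
Jan 11 02:14:17 mx sm-mta[4101]: l0B7AAAA004101: from=<alice@example.org>, size=900, class=0, nrcpts=1, msgid=<a@example.net>, proto=ESMTP, daemon=MTA, relay=client.example.net [198.51.100.7]
Jan 11 02:14:17 mx sm-mta[3540]: l0B7BBBB003540: from=<www@example.org>, size=478, class=0, nrcpts=1, msgid=<b@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.10]
Jan 11 02:15:02 mx sm-mta[4200]: l0B7CCCC004200: from=<x@example.com>, size=512, class=0, nrcpts=1, msgid=<c@example.com>, proto=ESMTP, daemon=MTA, relay=mx.example.com [203.0.113.9]
"""

LINE = re.compile(r"sm-mta\[(?P<pid>\d+)\]: (?P<rest>.*)$")
AUTH = re.compile(r"^AUTH=server, relay=.*?authid=(?P<authid>[^,]+), mech=(?P<mech>[^,]+)")
FROM = re.compile(r"^(?P<qid>\w+): from=(?P<sender>[^,]*),.*relay=(?P<relay>.*)$")
IP = re.compile(r"\[([0-9a-fA-F.:]+)\]")

def classify(log_text, local_ips):
    """Label each accepted message: authenticated, local, or remote-unauthenticated."""
    # The AUTH entry carries no queue ID, so join on the per-connection child PID.
    # PIDs get reused over time; feed this one log file in chronological order.
    auth_by_pid = {}
    results = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, rest = m.group("pid"), m.group("rest")
        a = AUTH.match(rest)
        if a:
            auth_by_pid[pid] = (a.group("authid"), a.group("mech"))
            continue
        f = FROM.match(rest)
        if not f:
            continue
        ip_m = IP.search(f.group("relay"))
        ip = ip_m.group(1) if ip_m else None
        authid, mech = auth_by_pid.get(pid, (None, None))
        if authid:
            origin = "authenticated"          # an SMTP AUTH login preceded this message
        elif ip is None or ip in local_ips:
            origin = "local"                  # submitted from the server itself, no login involved
        else:
            origin = "remote-unauthenticated"
        results.append({"qid": f.group("qid"), "sender": f.group("sender"),
                        "relay_ip": ip, "authid": authid, "mech": mech, "origin": origin})
    return results
```

A message labelled "local" points at a process on the server itself (for example a script running under the web server's account) rather than at a stolen SMTP login.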