Date: Sat, 13 Jan 2007 14:17:58 -0600
From: Paul Schmehl <pauls@utdallas.edu>
To: David Banning <david+dated+1169143698.53a39d@skytracker.ca>, questions@freebsd.org
Subject: Re: question on smtp AUTH
Message-ID: <9F7B3DEC0E5C38DF44E9AE3A@paul-schmehls-powerbook59.local>
In-Reply-To: <20070113180815.GA7980@skytracker.ca>
References: <20070113180815.GA7980@skytracker.ca>
--On January 13, 2007 1:08:17 PM -0500 David Banning <david+dated+1169143698.53a39d@skytracker.ca> wrote:

> I am still poring over logs to check how my server has been spamming.
>
> I am wondering about the possibility of someone using a working login
> and password to send spam through my server. So here is my question;
>
> I look at my maillog and see the following spam;
>
> maillog.0:Jan 11 02:14:17 3s1 sm-mta[3540]: l0B7EGO6003540:
> from=<www@3s1.com>, size=478, class=0, nrcpts=1, msgid=<200701110714.l0B7
> EGMu003539@3s1.com>, proto=ESMTP, daemon=MTA, relay=3s1.com
> [209.161.205.12]
>
> www@3s1.com does not exist as a user on my system, but the relay is mine
> (3s1.com), and 209.161.205.12 is mine.

Your system appears to be working as expected:

telnet 209.161.205.12 25
Trying 209.161.205.12...
Connected to 3s1.com.
Escape character is '^]'.
EHL220 3s1.com ESMTP Sendmail 8.13.6/8.13.6; Sat, 13 Jan 2007 14:51:12 -0500 (EST)
^R
EHLO testing
250-3s1.com Hello www.stovebolt.com [66.221.101.248], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
MAIL FROM: testing@bogus.com
250 2.1.0 testing@bogus.com... Sender ok
RCPT TO: pauls@utdallas.edu
550 5.7.1 pauls@utdallas.edu... Relaying denied. Proper authentication required.

That would seem to suggest that the spam is being sent using an authorized account; however, is it possible that a host inside your network is sending the spam?

Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9F7B3DEC0E5C38DF44E9AE3A>
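The two checks this thread turns on, reading sendmail's `from=` envelope lines to see which host each message actually came in from, and driving the EHLO / MAIL FROM / RCPT TO exchange Paul typed by hand to confirm that relaying to a foreign domain is refused without AUTH, as an added Python example. This is not code from the original message or from either poster. The first sample log line is the one David posted (rejoined where the mail wrapped it); the other two lines, the `OWN_HOSTS` and `LOCAL_USERS` sets, and the `FakeSMTP` dialogue are constructed so the script runs offline. `relay_test_live` assumes the target host is reachable on port 25.

```python
"""Added example (not from the thread): triage sendmail maillog envelope lines and
probe an MTA for open relaying the way Paul's telnet session did.

SAMPLE_MAILLOG begins with the line David posted; the remaining lines, OWN_HOSTS,
LOCAL_USERS and FakeSMTP are constructed for offline demonstration.
"""
import re
import smtplib

# Constructed sample: David's line first, then a local user and a remote sender.
SAMPLE_MAILLOG = """\
maillog.0:Jan 11 02:14:17 3s1 sm-mta[3540]: l0B7EGO6003540: from=<www@3s1.com>, size=478, class=0, nrcpts=1, msgid=<200701110714.l0B7EGMu003539@3s1.com>, proto=ESMTP, daemon=MTA, relay=3s1.com [209.161.205.12]
Jan 11 02:20:03 3s1 sm-mta[3602]: l0B7K2Ab003602: from=<david@3s1.com>, size=1204, class=0, nrcpts=1, msgid=<a1@3s1.com>, proto=ESMTP, daemon=MTA, relay=3s1.com [209.161.205.12]
Jan 11 03:01:44 3s1 sm-mta[3710]: l0B81hXc003710: from=<bob@example.net>, size=2210, class=0, nrcpts=3, msgid=<b2@example.net>, proto=ESMTP, daemon=MTA, relay=mail.example.net [192.0.2.10]
"""
OWN_HOSTS = {"3s1.com", "209.161.205.12"}     # assumed: the server's own name and address
LOCAL_USERS = {"david", "root"}               # assumed: real accounts on the box

# sendmail envelope line: "[file:]<ts> <host> sm-mta[pid]: <queue-id>: from=<addr>, key=val, ..."
FROM_LINE = re.compile(
    r"^(?:[\w.]+:)?"                          # optional "maillog.0:" prefix left by grep
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sm-mta\[\d+\]: "
    r"(?P<qid>\w+): from=<(?P<sender>[^>]*)>, (?P<rest>.*)$"
)
# relay= is "name [ip]" for a network session, or e.g. "user@localhost" for local submission
RELAY_FIELD = re.compile(r"^(?P<name>\S+)(?: \[(?P<ip>[^\]]+)\])?")


def parse_maillog(text):
    """Return one dict per from= line; to=, AUTH= and STARTTLS= lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = FROM_LINE.match(raw.strip())
        if not m:
            continue
        fields = {}
        # split only at commas that begin a new key=value pair, so "3s1.com [ip]" stays intact
        for kv in re.split(r", (?=\w+=)", m.group("rest")):
            key, _, val = kv.partition("=")
            fields[key] = val
        rm = RELAY_FIELD.match(fields.get("relay", ""))
        entries.append({
            "qid": m.group("qid"),
            "sender": m.group("sender"),
            "relay_name": rm.group("name") if rm else "",
            "relay_ip": rm.group("ip") if rm else None,
            "proto": fields.get("proto", ""),
            "daemon": fields.get("daemon", ""),
            "nrcpts": int(fields.get("nrcpts", "0")),
        })
    return entries


def flag_local_origin(entries, own_hosts, local_users):
    """Messages whose relay= is this server itself and whose sender local-part is not a
    real account.  relay= records the connecting host, so a remote party using AUTH
    credentials appears with its own address; a process on the box (a web script
    running as www, for instance) appears like David's line."""
    flagged = []
    for e in entries:
        if e["relay_ip"] not in own_hosts and e["relay_name"] not in own_hosts:
            continue
        if e["sender"].partition("@")[0] not in local_users:
            flagged.append(e)
    return flagged


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP replaying the dialogue from Paul's session."""
    def __init__(self, open_relay=False):
        self.open_relay = open_relay
    def ehlo(self, name=""):
        return 250, b"3s1.com Hello testing, pleased to meet you\nAUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN"
    def mail(self, sender, options=()):
        return 250, b"2.1.0 " + sender.encode() + b"... Sender ok"
    def rcpt(self, recip, options=()):
        if self.open_relay:
            return 250, b"2.1.5 " + recip.encode() + b"... Recipient ok"
        return 550, b"5.7.1 " + recip.encode() + b"... Relaying denied. Proper authentication required."
    def rset(self):
        return 250, b"2.0.0 Reset state"
    def quit(self):
        return 221, b"2.0.0 closing connection"


def relay_test(client, sender, recipient):
    """Unauthenticated EHLO / MAIL FROM / RCPT TO to a foreign recipient.
    Returns (accepted, code, text); accepted=True means the MTA would relay without AUTH."""
    code, _ = client.ehlo("testing")
    if code != 250:
        raise RuntimeError(f"EHLO rejected with {code}")
    code, msg = client.mail(sender)
    if code != 250:
        return False, code, msg.decode("ascii", "replace")
    code, msg = client.rcpt(recipient)
    client.rset()                             # abandon the transaction; nothing is delivered
    client.quit()
    return code in (250, 251), code, msg.decode("ascii", "replace")


def relay_test_live(host, sender, recipient, port=25, timeout=10):
    """Same probe against a real MTA (assumed reachable on `port`)."""
    return relay_test(smtplib.SMTP(host, port, timeout=timeout), sender, recipient)


if __name__ == "__main__":
    for e in flag_local_origin(parse_maillog(SAMPLE_MAILLOG), OWN_HOSTS, LOCAL_USERS):
        print(f"local origin, unknown sender: {e['qid']} from=<{e['sender']}> relay={e['relay_ip']}")
    accepted, code, text = relay_test(FakeSMTP(), "testing@bogus.com", "pauls@utdallas.edu")
    print("open relay" if accepted else f"relay refused: {code} {text}")
```

A `550 5.7.1` on RCPT TO is the result to expect from a correctly configured Sendmail with AUTH; a `250` there means the box relays for anyone and the log question is moot. When the probe is refused but the flagged list is non-empty, the next place to look is whatever runs on the server as the sender's user (here `www`) rather than the AUTH credentials.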