From: Paul Schmehl <pauls@utdallas.edu>
To: David Banning, questions@freebsd.org
Date: Sat, 13 Jan 2007 14:17:58 -0600
Subject: Re: question on smtp AUTH

--On January 13, 2007 1:08:17 PM -0500 David Banning wrote:

> I am still poring over logs to check how my server has been spamming.
>
> I am wondering about the possibility of someone using a working login
> and password to send spam through my server. So here is my question;
>
> I look at my maillog and see the following spam;
>
> maillog.0:Jan 11 02:14:17 3s1 sm-mta[3540]: l0B7EGO6003540:
> from=<www@3s1.com>, size=478, class=0, nrcpts=1, msgid=<200701110714.l0B7
> EGMu003539@3s1.com>, proto=ESMTP, daemon=MTA, relay=3s1.com
> [209.161.205.12]
>
> www@3s1.com does not exist as a user on my system, but the relay is mine
> (3s1.com), and 209.161.205.12 is mine.
>

Your system appears to be working as expected:

telnet 209.161.205.12 25
Trying 209.161.205.12...
Connected to 3s1.com.
Escape character is '^]'.
EHL220 3s1.com ESMTP Sendmail 8.13.6/8.13.6; Sat, 13 Jan 2007 14:51:12 -0500 (EST)
^R
EHLO testing
250-3s1.com Hello www.stovebolt.com [66.221.101.248], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
MAIL FROM: testing@bogus.com
250 2.1.0 testing@bogus.com... Sender ok
RCPT TO: pauls@utdallas.edu
550 5.7.1 pauls@utdallas.edu... Relaying denied. Proper authentication required.

That would seem to suggest that the spam is being sent using an authorized
account, however, is it possible that a host inside your network is
sending the spam?

Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
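The thread turns on two observations from one sendmail "from=" record: the relay is the server itself, and the envelope sender (www@3s1.com) is not a real local account. The script below is an added example, not code from either poster, that applies exactly that test across a whole maillog: it parses each "from=" record into its key=value fields, flags local submissions whose sender claims the local domain but names no existing account, and totals attempted recipients per envelope sender so that bursts stand out. The sample log is constructed for the example (only the first line mirrors the one in the thread); the set of local accounts, the server's own host/IP set and the local domain are assumptions that a real run would replace with the password database and the host's addresses.

```python
import re
from collections import Counter

# Constructed maillog excerpt in the sendmail "from=" record shape quoted in the
# thread. The first line mirrors the thread's record; the rest are made up.
SAMPLE_MAILLOG = """\
maillog.0:Jan 11 02:14:17 3s1 sm-mta[3540]: l0B7EGO6003540: from=<www@3s1.com>, size=478, class=0, nrcpts=1, msgid=<200701110714.l0B7EGMu003539@3s1.com>, proto=ESMTP, daemon=MTA, relay=3s1.com [209.161.205.12]
Jan 11 02:15:02 3s1 sm-mta[3551]: l0B7F2AB003551: from=<www@3s1.com>, size=512, class=0, nrcpts=3, msgid=<200701110715.l0B7F2AB003551@3s1.com>, proto=ESMTP, daemon=MTA, relay=3s1.com [209.161.205.12]
Jan 11 02:16:40 3s1 sm-mta[3560]: l0B7GeXY003560: from=<alice@3s1.com>, size=2048, class=0, nrcpts=1, msgid=<x@3s1.com>, proto=ESMTP, daemon=MTA, relay=3s1.com [209.161.205.12]
Jan 11 02:17:05 3s1 sm-mta[3571]: l0B7H5QR003571: from=<someone@example.net>, size=900, class=0, nrcpts=1, msgid=<y@example.net>, proto=ESMTP, daemon=MTA, relay=mail.example.net [192.0.2.10]
Jan 11 02:17:30 3s1 sm-mta[3571]: l0B7H5QR003571: to=<bob@3s1.com>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=30900, dsn=2.0.0, stat=Sent
"""

# Assumed site data: in practice take accounts from the password database and
# aliases, and the host set from the server's own names and addresses.
MY_HOSTS = {"3s1.com", "209.161.205.12"}
LOCAL_ACCOUNTS = {"alice", "bob", "root"}
LOCAL_DOMAIN = "3s1.com"

# Optional "file:" prefix (grep output), syslog timestamp, host, sm-mta pid,
# queue id, envelope sender, then the remaining comma-separated fields.
FROM_LINE = re.compile(
    r"^(?:[\w.]+:)?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sm-mta\[(?P<pid>\d+)\]: "
    r"(?P<qid>\w+): from=<(?P<sender>[^>]*)>, (?P<rest>.*)$"
)
RELAY = re.compile(r"(\S+) \[([^\]]+)\]")


def parse_from_record(line):
    """Return a dict of fields for a sendmail 'from=' record, or None for any other line."""
    m = FROM_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # size=478, class=0, nrcpts=1, msgid=<...>, proto=ESMTP, daemon=MTA, relay=host [ip]
    for key, val in re.findall(r"(\w+)=([^,]*)", rec.pop("rest")):
        rec[key] = val.strip()
    relay = rec.get("relay", "")
    rm = RELAY.match(relay)
    rec["relay_host"], rec["relay_ip"] = (rm.group(1), rm.group(2)) if rm else (relay, "")
    rec["nrcpts"] = int(rec.get("nrcpts", "0"))
    return rec


def is_local_submission(rec):
    """True when the message was handed to sendmail from the server itself."""
    return rec["relay_host"] in MY_HOSTS or rec["relay_ip"] in MY_HOSTS


def suspicious_reasons(rec):
    """The thread's check: local relay plus a local-domain sender that is not an account."""
    reasons = []
    local_part, _, domain = rec["sender"].rpartition("@")
    if is_local_submission(rec) and domain == LOCAL_DOMAIN and local_part not in LOCAL_ACCOUNTS:
        reasons.append("local submission from non-existent local account")
    return reasons


def audit(maillog_text):
    """Walk a maillog; return (findings, recipients attempted per envelope sender)."""
    findings = []
    per_sender = Counter()
    for line in maillog_text.splitlines():
        rec = parse_from_record(line)
        if rec is None:
            continue  # to= records and other entries carry no envelope sender
        per_sender[rec["sender"]] += rec["nrcpts"]
        reasons = suspicious_reasons(rec)
        if reasons:
            findings.append((rec["qid"], rec["sender"], rec["relay_ip"], reasons))
    return findings, per_sender


if __name__ == "__main__":
    found, volume = audit(SAMPLE_MAILLOG)
    for qid, sender, ip, why in found:
        print(f"{qid} {sender} via {ip}: {'; '.join(why)}")
    for sender, n in volume.most_common():
        print(f"{n:5d} recipients  {sender}")
```

Run it against /var/log/maillog (and the rotated maillog.N files) rather than the embedded sample; a sender that is flagged and also tops the recipient count is the one to correlate with authentication records and with the submitting process on the host, which is the distinction Paul's reply draws between a stolen credential and a compromised machine inside the network.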