Date: Sat, 13 Jan 2007 21:19:16 -0600
From: Jonathan Horne <freebsd@dfwlp.com>
To: freebsd-questions@freebsd.org
Subject: Re: question on smtp AUTH
Message-ID: <200701132119.16596.freebsd@dfwlp.com>
In-Reply-To: <20070113180815.GA7980@skytracker.ca>
References: <20070113180815.GA7980@skytracker.ca>
On Saturday 13 January 2007 12:08, David Banning wrote:
> I am still poring over logs to check how my server has been spamming.
>
> I am wondering about the possibility of someone using a working login and
> password to send spam through my server. So here is my question;
>
> I look at my maillog and see the following spam;
>
> maillog.0:Jan 11 02:14:17 3s1 sm-mta[3540]: l0B7EGO6003540:
> from=<www@3s1.com>, size=478, class=0, nrcpts=1, msgid=<200701110714.l0B7
> EGMu003539@3s1.com>, proto=ESMTP, daemon=MTA, relay=3s1.com
> [209.161.205.12]
>
> www@3s1.com does not exist as a user on my system, but the relay is mine
> (3s1.com), and 209.161.205.12 is mine.
>
> How can I find out or log when a user sends mail, what authentication was
> used? If they have to login to send through my server, who did they login
> as? - how would I find that out?

well, on my sendmail, which i know to be authing correctly.. i see a line with an authid and the originating server. here is what i see in my sendmail logs when i send an email thru my server:

Jan 13 21:09:03 regulus sm-mta[1295]: AUTH=server, relay=athena.dfwlp.com [192.168.125.83], authid=jhorne, mech=PLAIN, bits=0
Jan 13 21:09:03 regulus sm-mta[1295]: l0E393ZZ001295: from=<free@dfwlp.com>, size=340, class=0, nrcpts=1, msgid=<200701132109.03067.free@dfwlp.com>, proto=ESMTP, daemon=IPv4, relay=athena.dfwlp.com [192.168.125.83]
Jan 13 21:09:03 regulus spamd[778]: spamd: connection from localhost [127.0.0.1] at port 52812
Jan 13 21:09:03 regulus spamd[778]: spamd: processing message <200701132109.03067.free@dfwlp.com> for root:58
Jan 13 21:09:04 regulus spamd[778]: spamd: clean message (-4.4/3.6) for root:58 in 1.3 seconds, 634 bytes.
Jan 13 21:09:04 regulus spamd[778]: spamd: result: . -4 - ALL_TRUSTED,BAYES_00 scantime=1.3,size=634,user=root,uid=58,required_score=3.6,rhost=localhost,raddr=127.0.0.1,rport=52812,mid=<200701132109.03067.freebsd@dfwlp.com>,bayes=1.98407501539322e-09,autolearn=ham
Jan 13 21:09:04 regulus sm-mta[1295]: l0E393ZZ001295: Milter add: header: X-Spam-Status: No, score=-4.4 required=3.6 tests=ALL_TRUSTED,BAYES_00 \n\tautolearn=ham version=3.1.7
Jan 13 21:09:04 regulus sm-mta[1295]: l0E393ZZ001295: Milter add: header: X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on regulus.dfwlp.com
Jan 13 21:09:04 regulus spamd[648]: prefork: child states: II
Jan 13 21:09:12 regulus sm-mta[1298]: l0E393ZZ001295: to=<sha@gmail.com>, ctladdr=<free@dfwlp.com> (1001/1001), delay=00:00:09, xdelay=00:00:08, mailer=esmtp, pri=30340, relay=gmail-smtp-in.l.google.com. [64.233.163.27], dsn=2.0.0, stat=Sent (OK 1168744152 18si11823416nzo)

another very archaic test, and this is not so much a definitive test anymore, but it might not hurt to try the open relay test from mail-abuse.org. just type:

telnet relay-test.mail-abuse.org

and it should at least be able to withstand those 19 simple relay checks.

what authmethod are you using on your sendmail, and did you make the appropriate changes in your .mc files?

finally, when someone who is not authorized tries to relay, your sendmail logs should produce lines like this:

Jan 12 10:15:05 regulus sm-mta[28559]: l0CGEDDv028559: ruleset=check_rcpt, arg1=<hotpostprobe1@yahoo.com>, relay=VG-4-52.dialup.access.telecore.net.ru [213.135.65.54], reject=550 5.7.1 <hotpostprobe1@yahoo.com>... Relaying denied. Proper authentication required.

do a:

cat /var/log/maillog*|grep Proper

and see what you turn up.

hth,
jonathan
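Added example (not part of the thread): a Python script that does the correlation Jonathan describes by hand, tying each sendmail `AUTH=server ... authid=` line to the `from=` envelope line logged by the same `sm-mta` pid, so every accepted message is reported with its authid or flagged as accepted without SMTP AUTH (the situation in the question), and counting the `Relaying denied` rejects he suggests grepping for. The sample log lines are constructed in the format shown above; hosts, addresses and queue ids are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the format shown in the thread (not a real log).
# The "maillog.0:" prefix mimics grep output across rotated log files.
SAMPLE_LOG = """\
Jan 13 21:09:03 regulus sm-mta[1295]: AUTH=server, relay=athena.example.net [192.168.125.83], authid=jhorne, mech=PLAIN, bits=0
Jan 13 21:09:03 regulus sm-mta[1295]: l0E393ZZ001295: from=<free@example.net>, size=340, class=0, nrcpts=1, msgid=<1@example.net>, proto=ESMTP, daemon=IPv4, relay=athena.example.net [192.168.125.83]
maillog.0:Jan 11 02:14:17 mx1 sm-mta[3540]: l0B7EGO6003540: from=<www@example.com>, size=478, class=0, nrcpts=1, msgid=<2@example.com>, proto=ESMTP, daemon=MTA, relay=mail.example.com [203.0.113.12]
Jan 12 10:15:05 regulus sm-mta[28559]: l0CGEDDv028559: ruleset=check_rcpt, arg1=<probe@example.org>, relay=dialup.example.org [198.51.100.54], reject=550 5.7.1 <probe@example.org>... Relaying denied. Proper authentication required.
"""

PID_RE = re.compile(r"^(?:[\w.]+:)?\S+ +\d+ \S+ (?P<host>\S+) sm-mta\[(?P<pid>\d+)\]: (?P<rest>.*)$")
AUTH_RE = re.compile(r"^AUTH=server, relay=(?P<relay>.+?), authid=(?P<authid>\S+), mech=(?P<mech>\S+)")
FROM_RE = re.compile(r"^(?P<qid>\w+): from=<(?P<sender>[^>]*)>.*relay=(?P<relay>.+)$")
REJECT_RE = re.compile(r"^(?P<qid>\w+): ruleset=check_rcpt, .*relay=(?P<relay>.+?), reject=550 5\.7\.1 .*Relaying denied")

def analyze_maillog(text):
    """Return (messages, denied): messages maps queue id -> sender, relay and
    authid (None when the envelope was accepted without SMTP AUTH); denied maps
    each rejected relaying client to its count of 'Relaying denied' lines."""
    session_auth = {}  # (host, pid) -> authid for that sm-mta child's session
    messages, denied = {}, defaultdict(int)
    for line in text.splitlines():
        m = PID_RE.match(line)
        if not m:
            continue
        key, rest = (m["host"], m["pid"]), m["rest"]
        if (a := AUTH_RE.match(rest)):
            # AUTH is logged once per session, before the envelope lines that
            # follow from the same pid. Pids get reused, so on a long window a
            # stale authid can carry over; confirm hits against the relay host.
            session_auth[key] = a["authid"]
        elif (f := FROM_RE.match(rest)):
            messages[f["qid"]] = {"sender": f["sender"], "relay": f["relay"].strip(),
                                  "authid": session_auth.get(key)}
        elif (r := REJECT_RE.match(rest)):
            denied[r["relay"].strip()] += 1
    return messages, dict(denied)

def unauthenticated_submissions(messages):
    """Queue ids accepted with no AUTH line, like the www@ envelope in the question."""
    return sorted(q for q, info in messages.items() if info["authid"] is None)

if __name__ == "__main__":
    msgs, rejects = analyze_maillog(SAMPLE_LOG)
    for qid, info in msgs.items():
        print(qid, info)
    print("accepted without AUTH:", unauthenticated_submissions(msgs))
    print("relaying denied:", rejects)
```

Feed it `cat /var/log/maillog*` on stdin instead of SAMPLE_LOG to run it over a real log; a message whose relay is your own host but whose authid is None is exactly the pattern David is asking about.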
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200701132119.16596.freebsd>