From owner-freebsd-questions@FreeBSD.ORG Sun Jan 14 03:19:21 2007
Return-Path:
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id A4F0616A403 for ; Sun, 14 Jan 2007 03:19:21 +0000 (UTC) (envelope-from freebsd@dfwlp.com)
Received: from regulus.dfwlp.com (rrcs-64-183-212-244.sw.biz.rr.com [64.183.212.244]) by mx1.freebsd.org (Postfix) with ESMTP id 7CEC613C441 for ; Sun, 14 Jan 2007 03:19:21 +0000 (UTC) (envelope-from freebsd@dfwlp.com)
Received: from athena.dfwlp.com (athena.dfwlp.com [192.168.125.83]) (authenticated bits=0) by regulus.dfwlp.com (8.13.8/8.13.8) with ESMTP id l0E3JGAW001403 for ; Sat, 13 Jan 2007 21:19:16 -0600 (CST) (envelope-from freebsd@dfwlp.com)
From: Jonathan Horne
To: freebsd-questions@freebsd.org
Date: Sat, 13 Jan 2007 21:19:16 -0600
User-Agent: KMail/1.9.5
References: <20070113180815.GA7980@skytracker.ca>
In-Reply-To: <20070113180815.GA7980@skytracker.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200701132119.16596.freebsd@dfwlp.com>
X-Spam-Status: No, score=-4.4 required=3.6 tests=ALL_TRUSTED,BAYES_00 autolearn=ham version=3.1.7
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on regulus.dfwlp.com
Subject: Re: question on smtp AUTH
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 14 Jan 2007 03:19:21 -0000

On Saturday 13 January 2007 12:08, David Banning wrote:
> I am still poring over logs to check how my server has been spamming.
>
> I am wondering about the possibility of someone using a working login and
> password to send spam through my server. So here is my question;
>
> I look at my maillog and see the following spam;
>
> maillog.0:Jan 11 02:14:17 3s1 sm-mta[3540]: l0B7EGO6003540: from=, size=478, class=0, nrcpts=1, msgid=<200701110714.l0B7EGMu003539@3s1.com>, proto=ESMTP, daemon=MTA, relay=3s1.com [209.161.205.12]
>
> www@3s1.com does not exist as a user on my system, but the relay is mine
> (3s1.com), and 209.161.205.12 is mine.
>
> How can I find out or log when a user sends mail, what authentication was
> used? If they have to login to send through my server, who did they login
> as? How would I find that out?

Well, on my sendmail, which I know to be authing correctly, I see a line with an authid and the originating server. Here is what I see in my sendmail logs when I send an email through my server:

Jan 13 21:09:03 regulus sm-mta[1295]: AUTH=server, relay=athena.dfwlp.com [192.168.125.83], authid=jhorne, mech=PLAIN, bits=0
Jan 13 21:09:03 regulus sm-mta[1295]: l0E393ZZ001295: from=, size=340, class=0, nrcpts=1, msgid=<200701132109.03067.free@dfwlp.com>, proto=ESMTP, daemon=IPv4, relay=athena.dfwlp.com [192.168.125.83]
Jan 13 21:09:03 regulus spamd[778]: spamd: connection from localhost [127.0.0.1] at port 52812
Jan 13 21:09:03 regulus spamd[778]: spamd: processing message <200701132109.03067.free@dfwlp.com> for root:58
Jan 13 21:09:04 regulus spamd[778]: spamd: clean message (-4.4/3.6) for root:58 in 1.3 seconds, 634 bytes.
Jan 13 21:09:04 regulus spamd[778]: spamd: result: . -4 - ALL_TRUSTED,BAYES_00 scantime=1.3,size=634,user=root,uid=58,required_score=3.6,rhost=localhost,raddr=127.0.0.1,rport=52812,mid=<200701132109.03067.freebsd@dfwlp.com>,bayes=1.98407501539322e-09,autolearn=ham
Jan 13 21:09:04 regulus sm-mta[1295]: l0E393ZZ001295: Milter add: header: X-Spam-Status: No, score=-4.4 required=3.6 tests=ALL_TRUSTED,BAYES_00 \n\tautolearn=ham version=3.1.7
Jan 13 21:09:04 regulus sm-mta[1295]: l0E393ZZ001295: Milter add: header: X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on regulus.dfwlp.com
Jan 13 21:09:04 regulus spamd[648]: prefork: child states: II
Jan 13 21:09:12 regulus sm-mta[1298]: l0E393ZZ001295: to=, ctladdr= (1001/1001), delay=00:00:09, xdelay=00:00:08, mailer=esmtp, pri=30340, relay=gmail-smtp-in.l.google.com. [64.233.163.27], dsn=2.0.0, stat=Sent (OK 1168744152 18si11823416nzo)

Another very archaic test, and this is not so much a definitive test anymore, but it might not hurt to try the open relay test from mail-abuse.org. Just type:

telnet relay-test.mail-abuse.org

and it should at least be able to withstand those 19 simple relay checks.

What auth method are you using on your sendmail, and did you make the appropriate changes in your .mc files?

Finally, when someone who is not authorized tries to relay, your sendmail logs should produce lines like this:

Jan 12 10:15:05 regulus sm-mta[28559]: l0CGEDDv028559: ruleset=check_rcpt, arg1=, relay=VG-4-52.dialup.access.telecore.net.ru [213.135.65.54], reject=550 5.7.1 ... Relaying denied. Proper authentication required.

Do a:

cat /var/log/maillog*|grep Proper

and see what you turn up.

hth,
jonathan
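The reply above answers the question by eye: the AUTH=server line carries the authid, and the queue-id line that follows it from the same sm-mta[PID] is the message it belongs to. As an added example (my own script, not Jonathan's, David's, or sendmail's code), the Python below does that correlation over a constructed sample of log lines modelled on the format quoted in the thread, reports which accepted messages never had an AUTH line, and counts "Relaying denied" rejections per relay host. It assumes that sendmail logs the AUTH=server line before the from= line of the same process, which is the join key used here; the sender and recipient addresses in the sample (example.net, free@dfwlp.com) are constructed placeholders, since the page's copies had them stripped.

```python
"""Correlate sendmail AUTH=server log lines with the messages they belong to.

Added example, not from the original post. Assumption: sendmail writes the
"AUTH=server, ... authid=..." line from sm-mta[PID] before it writes the
"<queue-id>: from=..." line for that message from the same PID, so the PID
is the join key. Messages that never saw an AUTH line get authid=None,
which is the case the thread is trying to spot.
"""
import re
from collections import Counter

# Constructed sample lines modelled on the format quoted in the thread.
# Addresses are placeholders; the page's copies had them stripped.
SAMPLE_LOG = """\
Jan 13 21:09:03 regulus sm-mta[1295]: AUTH=server, relay=athena.dfwlp.com [192.168.125.83], authid=jhorne, mech=PLAIN, bits=0
Jan 13 21:09:03 regulus sm-mta[1295]: l0E393ZZ001295: from=<free@dfwlp.com>, size=340, class=0, nrcpts=1, msgid=<200701132109.03067.free@dfwlp.com>, proto=ESMTP, daemon=IPv4, relay=athena.dfwlp.com [192.168.125.83]
Jan 13 21:09:03 regulus spamd[778]: spamd: connection from localhost [127.0.0.1] at port 52812
Jan 11 02:14:17 3s1 sm-mta[3540]: l0B7EGO6003540: from=<www@3s1.com>, size=478, class=0, nrcpts=1, msgid=<200701110714.l0B7EGMu003539@3s1.com>, proto=ESMTP, daemon=MTA, relay=3s1.com [209.161.205.12]
Jan 12 10:15:05 regulus sm-mta[28559]: l0CGEDDv028559: ruleset=check_rcpt, arg1=<someone@example.net>, relay=VG-4-52.dialup.access.telecore.net.ru [213.135.65.54], reject=550 5.7.1 <someone@example.net>... Relaying denied. Proper authentication required.
Jan 12 10:15:09 regulus sm-mta[28561]: l0CGEDDx028561: ruleset=check_rcpt, arg1=<other@example.net>, relay=VG-4-52.dialup.access.telecore.net.ru [213.135.65.54], reject=550 5.7.1 <other@example.net>... Relaying denied. Proper authentication required.
"""

# Syslog prefix shared by every sm-mta line: timestamp, host, PID, and the rest.
PREFIX = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sm-mta\[(?P<pid>\d+)\]: (?P<rest>.*)$"
)
# The three line shapes we care about, matched against the part after the prefix.
AUTH = re.compile(r"^AUTH=server, relay=(?P<relay>[^,]+), authid=(?P<authid>[^,]+), mech=(?P<mech>[^,]+)")
FROM = re.compile(r"^(?P<qid>[A-Za-z0-9]+): from=(?P<sender>[^,]*),.*relay=(?P<relay>.+)$")
DENY = re.compile(r"^(?P<qid>[A-Za-z0-9]+): ruleset=check_rcpt, .*relay=(?P<relay>[^,]+), reject=550 5\.7\.1 .*Relaying denied")


def correlate(lines):
    """Return (messages, denied).

    messages: queue id -> {sender, relay, authid, mech, auth_relay} with
              authid/mech None when no AUTH line preceded the from= line.
    denied:   Counter of relay hosts that were refused by check_rcpt.
    """
    pending = {}      # pid -> AUTH details seen but not yet attached to a queue id
    messages = {}
    denied = Counter()
    for line in lines:
        m = PREFIX.match(line)
        if not m:
            continue  # spamd, milter and other non-sm-mta lines are irrelevant here
        pid, rest = m.group("pid"), m.group("rest")
        a = AUTH.match(rest)
        if a:
            pending[pid] = {"authid": a.group("authid"), "mech": a.group("mech"),
                            "auth_relay": a.group("relay")}
            continue
        f = FROM.match(rest)
        if f:
            info = {"sender": f.group("sender"), "relay": f.group("relay"),
                    "authid": None, "mech": None, "auth_relay": None}
            info.update(pending.pop(pid, {}))   # attach the AUTH line from the same PID, if any
            messages[f.group("qid")] = info
            continue
        d = DENY.match(rest)
        if d:
            denied[d.group("relay")] += 1
    return messages, denied


def unauthenticated(messages):
    """Queue ids that were accepted without any AUTH=server line from the same sm-mta process."""
    return sorted(qid for qid, info in messages.items() if info["authid"] is None)


if __name__ == "__main__":
    msgs, denials = correlate(SAMPLE_LOG.splitlines())
    for qid, info in msgs.items():
        print(f"{qid} from={info['sender']} relay={info['relay']} authid={info['authid']} mech={info['mech']}")
    print("accepted with no AUTH line:", unauthenticated(msgs))
    for relay, n in denials.most_common():
        print(f"{n} relay denial(s) from {relay}")
```

Run it against a real file with `correlate(open("/var/log/maillog"))`; the queue id that turns up in `unauthenticated()` with one of your own hosts as the relay is the kind of message David quoted, submitted through the MTA without SASL. A relay host with a large denial count is the noise the "grep Proper" check shows, and is expected on any server that refuses to relay.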