--On January 13, 2007 1:08:17 PM -0500 David Banning <[EMAIL PROTECTED]> wrote:

I am still poring over logs to check how my server has been spamming.

I am wondering about the possibility of someone using a working login
and password to send spam through my server. So here is my question:

I look at my maillog and see the following spam:

maillog.0:Jan 11 02:14:17 3s1 sm-mta[3540]: l0B7EGO6003540: from=<[EMAIL PROTECTED]>, size=478, class=0, nrcpts=1, msgid=<200701110714.l0B7[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=3s1.com [209.161.205.12]

[EMAIL PROTECTED] does not exist as a user on my system, but the relay is mine
(3s1.com), and 209.161.205.12 is mine.

Your system appears to be working as expected:

telnet 209.161.205.12 25
Trying 209.161.205.12...
Connected to 3s1.com.
Escape character is '^]'.
220 3s1.com ESMTP Sendmail 8.13.6/8.13.6; Sat, 13 Jan 2007 14:51:12 -0500 (EST)
EHLO testing
250-3s1.com Hello www.stovebolt.com [66.221.101.248], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
MAIL FROM: [EMAIL PROTECTED]
250 2.1.0 [EMAIL PROTECTED] Sender ok
RCPT TO: [EMAIL PROTECTED]
550 5.7.1 [EMAIL PROTECTED] Relaying denied. Proper authentication required.

That would seem to suggest that the spam is being sent using an authorized account; however, is it possible that a host inside your network is sending the spam?

Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
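The question David raises, whether the spam is going out through a working login, can be answered from the maillog itself rather than by guessing from a single from= line. The script below is an added example and is not code from either poster. It parses sendmail envelope lines of the shape quoted above and pairs each with the "AUTH=server, relay=..., authid=..., mech=..., bits=..." line that sendmail writes when an SMTP AUTH succeeds; both lines of a session come from the same forked child, so they share the pid in "sm-mta[3540]", and requiring the relay address to match as well guards against pid reuse. Every message is then classified as authenticated (and as whom), submitted on the server's own address, from an unauthenticated inside host, or from an unauthenticated outside host. The log lines in SAMPLE_MAILLOG are constructed; the field names of the AUTH line follow sendmail's format, but whether it is prefixed with NOQUEUE or a queue id, and the LogLevel needed to get it at all, are from memory and should be checked against your own maillog. OWN_IPS, INTERNAL_NETS and the function names are mine.

```python
"""Correlate sendmail maillog lines to find out how each message entered the MTA.

Added example, not from the thread.  Assumes sendmail's session logging: one
forked child per SMTP connection (same pid on every line of the session), a
"from=<...>" envelope line per message, and, on successful SMTP AUTH, a line
"AUTH=server, relay=host [ip], authid=user, mech=LOGIN, bits=0" logged before
the envelope lines of that session.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample, not real log data.  pid 3540 is deliberately reused later
# by a different, unauthenticated connection to show the relay-match guard.
SAMPLE_MAILLOG = """\
Jan 11 02:14:15 3s1 sm-mta[3540]: NOQUEUE: AUTH=server, relay=cust-23.example.net [198.51.100.23], authid=jdoe, mech=LOGIN, bits=0
Jan 11 02:14:17 3s1 sm-mta[3540]: l0B7EGO6003540: from=<sales@example.com>, size=478, class=0, nrcpts=1, msgid=<200701110714.l0B7EGO6003540@3s1.com>, proto=ESMTP, daemon=MTA, relay=cust-23.example.net [198.51.100.23]
Jan 11 02:14:20 3s1 sm-mta[3540]: l0B7EGO8003540: from=<sales@example.com>, size=480, class=0, nrcpts=50, msgid=<200701110714.l0B7EGO8003540@3s1.com>, proto=ESMTP, daemon=MTA, relay=cust-23.example.net [198.51.100.23]
Jan 11 02:20:01 3s1 sm-mta[3602]: l0B7K1xx003602: from=<nobody@3s1.com>, size=512, class=0, nrcpts=3, msgid=<200701110720.l0B7K1xx003602@3s1.com>, proto=ESMTP, daemon=MTA, relay=3s1.com [209.161.205.12]
Jan 11 02:25:44 3s1 sm-mta[3540]: l0B7PiAB003540: from=<news@example.net>, size=600, class=0, nrcpts=1, msgid=<200701110725.l0B7PiAB003540@3s1.com>, proto=ESMTP, daemon=MTA, relay=pc12.lan [192.168.1.12]
Jan 11 02:30:00 3s1 sm-mta[3610]: l0B7U0cd003610: from=<info@example.org>, size=700, class=0, nrcpts=1, msgid=<200701110730.l0B7U0cd003610@3s1.com>, proto=ESMTP, daemon=MTA, relay=mail.example.org [203.0.113.9]
"""

OWN_IPS = ("209.161.205.12",)                    # the MTA's own address(es); assumption
INTERNAL_NETS = ("192.168.0.0/16", "10.0.0.0/8")  # what counts as "inside"; assumption

# syslog prefix, program[pid], optional queue id (or NOQUEUE), then the k=v list
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?:(?P<qid>\S+): )?(?P<rest>.*)$"
)
RELAY_IP_RE = re.compile(r"\[([0-9A-Fa-f.:]+)\]")


def parse_fields(rest):
    """Split 'k=v, k=v, ...' into a dict; the relay value may contain a space."""
    fields = {}
    for part in rest.split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def relay_ip(relay):
    """Pull the bracketed address out of 'host [ip]' (last bracket wins)."""
    found = RELAY_IP_RE.findall(relay or "")
    return found[-1] if found else None


def classify_sessions(log_text, own_ips, internal_nets):
    """Return (qid, sender, nrcpts, relay_ip, origin) for every from= line."""
    own = {ipaddress.ip_address(a) for a in own_ips}
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    auth_by_pid = {}  # pid -> (authid, mech, relay ip) of the last AUTH seen
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, fields = m["pid"], parse_fields(m["rest"])
        ip = relay_ip(fields.get("relay"))
        if fields.get("AUTH") == "server":
            auth_by_pid[pid] = (fields.get("authid"), fields.get("mech"), ip)
            continue
        if "from" not in fields:
            continue  # to=, stat=, etc. are not envelope lines
        auth = auth_by_pid.get(pid)
        if auth and ip and auth[2] == ip:
            origin = f"authenticated as {auth[0]} ({auth[1]}) from {ip}"
        elif ip and ipaddress.ip_address(ip) in own:
            origin = "submitted on the server itself"
        elif ip and any(ipaddress.ip_address(ip) in n for n in nets):
            origin = f"unauthenticated internal host {ip}"
        else:
            origin = f"unauthenticated external host {ip}"
        results.append((m["qid"], fields["from"].strip("<>"),
                        int(fields.get("nrcpts", 0)), ip, origin))
    return results


def summarize(results):
    """Messages and envelope recipients per origin; a spam run stands out on both."""
    msgs, rcpts = Counter(), Counter()
    for _qid, _sender, n, _ip, origin in results:
        msgs[origin] += 1
        rcpts[origin] += n
    return {o: (msgs[o], rcpts[o]) for o in msgs}


if __name__ == "__main__":
    rows = classify_sessions(SAMPLE_MAILLOG, OWN_IPS, INTERNAL_NETS)
    for qid, sender, n, ip, origin in rows:
        print(f"{qid}: {sender} -> {n} rcpt(s): {origin}")
    for origin, (m, r) in summarize(rows).items():
        print(f"{m:4d} msgs {r:5d} rcpts  {origin}")
```

On a live box, replace SAMPLE_MAILLOG with the contents of /var/log/maillog (and the rotated maillog.0 that the quoted line came from) and set OWN_IPS to the server's real addresses. A line "submitted on the server itself" with a non-existent local sender, like the one David quoted, points at a local process (a web script, a compromised account's cron job) rather than at SMTP AUTH; an "authenticated as" line names the account whose password should be changed first. If no AUTH=server lines appear at all, confirm that sendmail's LogLevel is high enough to emit them before concluding that nobody is authenticating.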
