On Saturday 13 January 2007 12:08, David Banning wrote:
> I am still poring over logs to check how my server has been spamming.
>
> I am wondering about the possibility of someone using a working login and
> password to send spam through my server. So here is my question;
>
> I look at my maillog and see the following spam;
>
> maillog.0:Jan 11 02:14:17 3s1 sm-mta[3540]: l0B7EGO6003540:
> from=<[EMAIL PROTECTED]>, size=478, class=0, nrcpts=1,
> msgid=<200701110714.l0B7 [EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=3s1.com
> [209.161.205.12]
>
> [EMAIL PROTECTED] does not exist as a user on my system, but the relay is mine
> (3s1.com), and 209.161.205.12 is mine.
>
> How can I find out or log when a user sends mail, what authentication was
> used? If they have to login to send through my server, who did they login
> as? - how would I find that out?
well, on my sendmail, which i know to be authing correctly.. i see a line with an authid and the originating server. here is what i see in my sendmail logs when i send an email thru my server:

Jan 13 21:09:03 regulus sm-mta[1295]: AUTH=server, relay=athena.dfwlp.com [192.168.125.83], authid=jhorne, mech=PLAIN, bits=0
Jan 13 21:09:03 regulus sm-mta[1295]: l0E393ZZ001295: from=<[EMAIL PROTECTED]>, size=340, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=IPv4, relay=athena.dfwlp.com [192.168.125.83]
Jan 13 21:09:03 regulus spamd[778]: spamd: connection from localhost [127.0.0.1] at port 52812
Jan 13 21:09:03 regulus spamd[778]: spamd: processing message <[EMAIL PROTECTED]> for root:58
Jan 13 21:09:04 regulus spamd[778]: spamd: clean message (-4.4/3.6) for root:58 in 1.3 seconds, 634 bytes.
Jan 13 21:09:04 regulus spamd[778]: spamd: result: . -4 - ALL_TRUSTED,BAYES_00 scantime=1.3,size=634,user=root,uid=58,required_score=3.6,rhost=localhost,raddr=127.0.0.1,rport=52812,mid=<[EMAIL PROTECTED]>,bayes=1.98407501539322e-09,autolearn=ham
Jan 13 21:09:04 regulus sm-mta[1295]: l0E393ZZ001295: Milter add: header: X-Spam-Status: No, score=-4.4 required=3.6 tests=ALL_TRUSTED,BAYES_00 \n\tautolearn=ham version=3.1.7
Jan 13 21:09:04 regulus sm-mta[1295]: l0E393ZZ001295: Milter add: header: X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on regulus.dfwlp.com
Jan 13 21:09:04 regulus spamd[648]: prefork: child states: II
Jan 13 21:09:12 regulus sm-mta[1298]: l0E393ZZ001295: to=<[EMAIL PROTECTED]>, ctladdr=<[EMAIL PROTECTED]> (1001/1001), delay=00:00:09, xdelay=00:00:08, mailer=esmtp, pri=30340, relay=gmail-smtp-in.l.google.com. [64.233.163.27], dsn=2.0.0, stat=Sent (OK 1168744152 18si11823416nzo)

another very archaic test, and this is not so much a definitive test anymore, but it might not hurt to try the open relay test from mail-abuse.org. just type:

telnet relay-test.mail-abuse.org

and it should at least be able to withstand those 19 simple relay checks.
what authmethod are you using on your sendmail, and did you make the appropriate changes in your .mc files?

finally, when someone who is not authorized tries to relay, your sendmail logs should produce lines like this:

Jan 12 10:15:05 regulus sm-mta[28559]: l0CGEDDv028559: ruleset=check_rcpt, arg1=<[EMAIL PROTECTED]>, relay=VG-4-52.dialup.access.telecore.net.ru [213.135.65.54], reject=550 5.7.1 <[EMAIL PROTECTED]>... Relaying denied. Proper authentication required.

do a:

cat /var/log/maillog*|grep Proper

and see what you turn up.

hth,
jonathan

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
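The reply above answers the question by eye: the AUTH=server line and the queue-id "from=" line come from the same sm-mta process, so matching on host and PID tells you which authid submitted which message, and a message accepted from your own relay with no AUTH line is the case David describes. The following Python script, added here as an illustration and not part of the thread or of sendmail itself, does that correlation over a maillog and also tallies the "Relaying denied" rejections that jonathan suggests grepping for. The log lines in SAMPLE_LOG are constructed in the format the thread shows, with documentation hostnames and addresses; the function names and the local-relay list are the author's own assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the sendmail format shown in the thread.
# Hosts and addresses are documentation values, not the poster's real ones.
SAMPLE_LOG = """\
Jan 13 21:09:03 regulus sm-mta[1295]: AUTH=server, relay=athena.example.net [192.168.125.83], authid=jhorne, mech=PLAIN, bits=0
Jan 13 21:09:03 regulus sm-mta[1295]: l0E393ZZ001295: from=<jhorne@example.net>, size=340, class=0, nrcpts=1, msgid=<a1@example.net>, proto=ESMTP, daemon=IPv4, relay=athena.example.net [192.168.125.83]
Jan 11 02:14:17 mx1 sm-mta[3540]: l0B7EGO6003540: from=<nosuchuser@example.com>, size=478, class=0, nrcpts=1, msgid=<b2@example.com>, proto=ESMTP, daemon=MTA, relay=mx1.example.com [203.0.113.12]
Jan 12 10:15:05 regulus sm-mta[28559]: l0CGEDDv028559: ruleset=check_rcpt, arg1=<victim@example.org>, relay=dialup-52.example.ru [198.51.100.54], reject=550 5.7.1 <victim@example.org>... Relaying denied. Proper authentication required.
Jan 12 10:15:09 regulus sm-mta[28559]: l0CGEDDv028559: ruleset=check_rcpt, arg1=<victim2@example.org>, relay=dialup-52.example.ru [198.51.100.54], reject=550 5.7.1 <victim2@example.org>... Relaying denied. Proper authentication required.
"""

# syslog prefix: timestamp, host, sm-mta[pid]: rest
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+'
    r'sm-mta\[(?P<pid>\d+)\]:\s+(?P<rest>.*)$')
AUTH_RE = re.compile(
    r'^AUTH=server, relay=(?P<relay>.+?), authid=(?P<authid>[^,]+), mech=(?P<mech>[^,]+)')
FROM_RE = re.compile(
    r'^(?P<qid>[A-Za-z0-9]+): from=<(?P<sender>[^>]*)>,.*\brelay=(?P<relay>.+)$')
REJECT_RE = re.compile(
    r'^(?P<qid>[A-Za-z0-9]+): ruleset=(?P<ruleset>\S+), .*\brelay=(?P<relay>.+?), '
    r'reject=(?P<reason>.+)$')


def parse_maillog(text):
    """Return (messages, rejects).

    Each accepted message records the authid/mech that the same sm-mta
    process (same host + PID) logged in an AUTH=server line earlier in the
    session, or None if no AUTH line was seen for that process.
    Caveat: PIDs are reused over a long log, so on real data bound the
    lookup by time as well; here the sample is short enough not to matter.
    """
    session_auth = {}   # (host, pid) -> {'relay', 'authid', 'mech'}
    messages, rejects = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:           # spamd, sm-queue and other lines are ignored
            continue
        key = (m.group('host'), m.group('pid'))
        rest = m.group('rest')
        a = AUTH_RE.match(rest)
        if a:
            session_auth[key] = a.groupdict()
            continue
        f = FROM_RE.match(rest)
        if f:
            auth = session_auth.get(key)
            messages.append({
                'ts': m.group('ts'), 'qid': f.group('qid'),
                'sender': f.group('sender'), 'relay': f.group('relay'),
                'authid': auth['authid'] if auth else None,
                'mech': auth['mech'] if auth else None,
            })
            continue
        r = REJECT_RE.match(rest)
        if r:
            rejects.append({'ts': m.group('ts'), 'qid': r.group('qid'),
                            'relay': r.group('relay'), 'reason': r.group('reason')})
    return messages, rejects


def unauthenticated_from(messages, local_relays):
    """Messages accepted from one of our own hosts/addresses with no authid:
    the pattern in the original question (relay is the server itself, no login)."""
    return [msg for msg in messages
            if msg['authid'] is None and any(loc in msg['relay'] for loc in local_relays)]


def relay_denied_counts(rejects):
    """Count 'Relaying denied' rejections per remote relay (the grep in the reply)."""
    return Counter(r['relay'] for r in rejects if 'Relaying denied' in r['reason'])


if __name__ == '__main__':
    msgs, rej = parse_maillog(SAMPLE_LOG)
    for msg in msgs:
        print(f"{msg['qid']} from=<{msg['sender']}> authid={msg['authid'] or '-'} relay={msg['relay']}")
    # LOCAL is an assumed list of this server's own names/addresses
    LOCAL = ['mx1.example.com', '203.0.113.12']
    for msg in unauthenticated_from(msgs, LOCAL):
        print('no AUTH for message from our own relay:', msg['qid'], msg['sender'])
    for relay, n in relay_denied_counts(rej).most_common():
        print(f'{n:4d} relaying denied from {relay}')
```

On a real system, run it as `python3 authid_report.py < /var/log/maillog` after replacing SAMPLE_LOG with stdin, and put your own hostnames and addresses in LOCAL. A message that shows up with authid "-" but a relay that is your own box was injected without SMTP AUTH, so the next place to look is local submitters (sendmail -t from a script, a web form, or localhost connections) rather than stolen passwords.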