OOPS - almost as soon as I sent this, I realized that authlib is authenticating IMAP connections, not SMTP

So, I'm looking in my SMTP logs (submission, actually) and was able to find the offending user (dumbass had a password of "123" -- another reason for KEEPING the plaintext passwords available, just limited access!)

Dan

On 3/27/2014 7:45 PM, Dan McAllister wrote:
OK, here's a known security issue, but now that I'm being exploited, I don't know how to debug.

It appears (see quoted log file entries below) that someone is logging in as a valid user, then sending messages with OTHER mail addresses in the FROM section.

In the log entry below, this is just 1 of HUNDREDS of messages that are now flooding my mail server. There are no .ru domains on my server, so the FROM section is clearly being generated AFTER a successful SMTP login.

What I can't figure is how to determine the ID being used. Surely there is a way to increase the logging level of authlib so I can capture EVERY login (not just the failed ones)... if there is, I don't know how...

Ideas??

Dan

03-27 00:08:35 new msg 81400826
03-27 00:08:35 info msg 81400826: bytes 9543 from <cerenovzosim...@lenta.ru> qp 17999 uid 89
03-27 00:08:35 starting delivery 964666: msg 81400826 to remote s...@21dveri.ru
03-27 00:08:35 starting delivery 964667: msg 81400826 to remote i...@sms-yandex.ru
03-27 00:08:35 starting delivery 964668: msg 81400826 to remote kris...@werewolfsurvival.com
03-27 00:08:35 starting delivery 964669: msg 81400826 to remote i...@compulog.ru
03-27 00:08:35 starting delivery 964670: msg 81400826 to remote paramo...@npo-nauka.ru
03-27 00:08:38 delivery 964670: success: User_and_password_not_set,_continuing_without_authentication./<paramonov@npo-nauka.ru>_193.35.98.6_accepted_message./Remote_host_said:_250_2.0.0_OK_20/C4-28032-57EC3335/
03-27 00:08:40 delivery 964669: success: User_and_password_not_set,_continuing_without_authentication./<info@compulog.ru>_78.24.218.162_accepted_message./Remote_host_said:_250_OK_id=1WT4QZ-000N2d-7C/
03-27 00:08:41 delivery 964666: success: User_and_password_not_set,_continuing_without_authentication./<sale@21dveri.ru>_188.40.59.87_accepted_message./Remote_host_said:_250_OK_id=1WT4Sg-00080u-R6/
03-27 00:08:41 delivery 964668: success: User_and_password_not_set,_continuing_without_authentication./<kristal@werewolfsurvival.com>_69.36.165.41_accepted_message./Remote_host_said:_250_OK_id=1WT4Q2-0007ET-C2/
03-27 00:08:50 delivery 964667: deferral: User_and_password_not_set,_continuing_without_authentication./<info@sms-yandex.ru>_62.213.111.109_failed_after_I_sent_the_message./Remote_host_said:_451_qq_trouble_in_home_directory_(#4.3.0)/
03-27 00:15:15 starting delivery 965119: msg 81400826 to remote i...@sms-yandex.ru
03-27 00:15:25 delivery 965119: success: User_and_password_not_set,_continuing_without_authentication./<info@sms-yandex.ru>_62.213.111.109_accepted_message./Remote_host_said:_250_ok_1395904509_qp_10255/
03-27 00:15:25 end msg 81400826


---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
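Added example (not from the thread or the qmailtoaster project): a small parser for qmail-send log entries in the shape quoted above, which groups deliveries by message, flags messages whose envelope sender domain is not one you host but which fan out to several remote recipients, and reports the qp and uid recorded for each so they can be carried over into the submission-log search Dan describes. It assumes timestamps have already been converted to the "MM-DD HH:MM:SS" form shown in the quote, and the sample log and domain names are constructed.

```python
import re

# Entry shapes from the thread's qmail-send log (timestamps already in the
# "MM-DD HH:MM:SS" form shown there; an assumption about your log converter).
INFO_RE = re.compile(r"info msg (\d+): bytes \d+ from <([^>]*)> qp (\d+) uid (\d+)")
START_RE = re.compile(r"starting delivery (\d+): msg (\d+) to (local|remote) (\S+)")
RESULT_RE = re.compile(r"delivery (\d+): (success|deferral|failure):")

def find_spoofed_fanout(lines, local_domains, min_remote=3):
    """Messages whose envelope sender is not a hosted domain but that fan out
    to >= min_remote remote recipients, with the qp/uid needed to trace them."""
    msgs, delivery_msg = {}, {}
    for line in lines:
        if m := INFO_RE.search(line):
            mid, sender, qp, uid = m.groups()
            msgs[mid] = {"sender": sender, "qp": qp, "uid": uid, "remote": [], "deferred": 0}
        elif m := START_RE.search(line):
            did, mid, kind, rcpt = m.groups()
            delivery_msg[did] = mid
            if kind == "remote" and mid in msgs:
                msgs[mid]["remote"].append(rcpt)
        elif (m := RESULT_RE.search(line)) and m.group(2) == "deferral":
            mid = delivery_msg.get(m.group(1))
            if mid in msgs:
                msgs[mid]["deferred"] += 1
    def domain(addr):
        return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return {mid: info for mid, info in msgs.items()
            if domain(info["sender"]) not in local_domains
            and len(info["remote"]) >= min_remote}

# Constructed sample (RFC 2606 names), same line shapes as the quoted log.
SAMPLE_LOG = """\
03-27 00:08:35 info msg 81400826: bytes 9543 from <bogus@sender.example> qp 17999 uid 89
03-27 00:08:35 starting delivery 964666: msg 81400826 to remote a@rcpt1.example
03-27 00:08:35 starting delivery 964667: msg 81400826 to remote b@rcpt2.example
03-27 00:08:35 starting delivery 964668: msg 81400826 to remote c@rcpt3.example
03-27 00:08:38 delivery 964666: success: Remote_host_said:_250_OK/
03-27 00:08:50 delivery 964667: deferral: Remote_host_said:_451_try_later/
03-27 00:09:00 info msg 81400900: bytes 512 from <alice@mydomain.example> qp 18001 uid 89
03-27 00:09:00 starting delivery 964700: msg 81400900 to remote friend@rcpt1.example
""".splitlines()

if __name__ == "__main__":
    for mid, info in find_spoofed_fanout(SAMPLE_LOG, {"mydomain.example"}).items():
        print(f"msg {mid} from <{info['sender']}> qp {info['qp']} uid {info['uid']}: "
              f"{len(info['remote'])} remote rcpts, {info['deferred']} deferred")
```

Note that both sample messages carry the same uid, which is why uid alone does not identify the submitting account and the authenticated username has to come from the submission log.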
