I was doing some review of my logs and stumbled upon a series of entries that has me baffled. Here is the log segment:
17:06:18 5 SMTP-947([64.242.11.10]) OT 125 of 125 bytes sent, Flags=0
17:06:18 5 SMTP-947([64.242.11.10]) *Status=22
17:06:18 5 SMTP-947([64.242.11.10]) Received 23 bytes
17:06:18 4 SMTP-947([64.242.11.10]) Input Line: EHLO idfanet.idfa.org\r
17:06:18 5 SMTP-947([64.242.11.10]) *Status=21
17:06:18 4 SMTP-947(idfanet.idfa.org) Looking for idfanet.idfa.org
17:06:19 4 SMTP-947(idfanet.idfa.org) Sending 250-bigbrother.pecandeluxe.com is pleased to meet you\r\n250-HELP\r\n250-ETRN\r\n250-AUTH=LOGIN\r\n250-AUTH LOGIN PLAIN CRAM-MD5\r\n250 EHLO\r\n
17:06:19 5 SMTP-947(idfanet.idfa.org) OT 132 of 132 bytes sent, Flags=0
17:06:19 5 SMTP-947(idfanet.idfa.org) *Status=22
17:06:19 5 SMTP-947(idfanet.idfa.org) Received 149 bytes
17:06:19 4 SMTP-947(idfanet.idfa.org) Input Line: AUTH LOGIN Y25cM0RtYWlsLWlkZmFuZXQuaWRmYS5vcmdcMkNcMjBjblwzRGlkZmFuZXQuaWRmYS5vcmdcMkNcMjBvdVwzRE5ldHNjYXBlXDIwU2VydmVyc1wyQ1wyMG9cM0RpZGZhLm9yZw==\r
17:06:19 5 SMTP-947(idfanet.idfa.org) *Status=35
17:06:19 4 SMTP-947(idfanet.idfa.org) Sending 'Password:'
17:06:19 4 SMTP-947(idfanet.idfa.org) Sending 334 UGFzc3dvcmQ6\r\n
17:06:19 5 SMTP-947(idfanet.idfa.org) OT 18 of 18 bytes sent, Flags=0
17:06:19 5 SMTP-947(idfanet.idfa.org) Received 18 bytes
17:06:19 4 SMTP-947(idfanet.idfa.org) Input Line: ZGV5enF3ZHlMZQ==\r
17:06:19 5 SMTP-947(idfanet.idfa.org) *Status=36
17:06:19 0 SYSTEM Account {cn\3Dmail-idfanet.idfa.org\2C\20cn\3Didfanet.idfa.org\2C\20ou\3DNetscape\20Servers\2C\20o\3Didfa.org} Resources open failed. Error Code=-43
17:06:19 1 SMTP {cn\3Dmail-idfanet.idfa.org\2C\20cn\3Didfanet.idfa.org\2C\20ou\3DNetscape\20Servers\2C\20o\3Didfa.org} AUTH failed: password(deyzqwdyLe) is wrong.
Connection from [64.242.11.10:4461]
17:06:19 4 SMTP-947(idfanet.idfa.org) Sending 535 authentication failed\r\n
17:06:19 5 SMTP-947(idfanet.idfa.org) OT 27 of 27 bytes sent, Flags=0
17:06:19 5 SMTP-947(idfanet.idfa.org) *Status=22
17:06:19 5 SMTP-947(idfanet.idfa.org) Received 33 bytes
17:06:19 4 SMTP-947(idfanet.idfa.org) Input Line: MAIL FROM:<[EMAIL PROTECTED]>\r
17:06:19 5 SMTP-947(idfanet.idfa.org) *Status=25
17:06:19 5 SYSTEM {S.0000278177} in work, ref=742, nFresh=4
17:06:19 5 ROUTER Input: newsupdate(idfa.org)
17:06:19 5 ROUTER Parser: [EMAIL PROTECTED] -> newsupdate(idfa.org)
17:06:19 5 SMTP-947(idfanet.idfa.org) *Status=26
17:06:20 4 SMTP-947(idfanet.idfa.org) Sending 250 <[EMAIL PROTECTED]> sender accepted\r\n
17:06:20 5 SMTP-947(idfanet.idfa.org) OT 43 of 43 bytes sent, Flags=0
17:06:20 5 SMTP-947(idfanet.idfa.org) *Status=23
17:06:20 5 SMTP-947(idfanet.idfa.org) Received 39 bytes
17:06:20 4 SMTP-947(idfanet.idfa.org) Input Line: RCPT TO:<[EMAIL PROTECTED]>\r
It appears that the message from idfa.org is somehow trying to "log-in" to my SIMS server. Is that what it is doing?
Yes.
If so, why?
It looks like their MTA is set up to try AUTH all the time no matter what. Very dumb, but it does not look malicious. Note the "Resources open failed" line which indicates that they were trying to log in with a username that looks like an LDAP record. De-escaping that string results in "cn=mail-idfanet.idfa.org, cn=idfanet.idfa.org, ou=Netscape Servers, o=idfa.org"
Is their system "infected" with some sort of "probing" virus that is trying to find a legitimate log-in?
Given what they used, I would guess not. That ID is unlikely to exist much of anywhere other than IDFA.
Should I be concerned?
Probably not.
Should I alert idfa.org? (IDFA is a trade organization with whom we do have a business relationship; I expect mail from them, so it's not SPAM or anything like that.)
I'd certainly try to tell them that they are sending out their unprotected authentication information to anyone they send mail to. This is very dumb. There's a good chance that they at least occasionally generate a bounce message or a response to bad actors like spammers, and in doing so send those AUTH strings. Now the spammer has a login for their server. Ooops.
-- Bill Cole [EMAIL PROTECTED]
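As an added example (not part of Bill Cole's reply and not SIMS code), here is a small Python script that does by hand what the answer above does by eye: walk a SIMS SMTP log, find AUTH LOGIN attempts, base64-decode the username and password tokens, de-escape the \XX hex escapes back into the LDAP DN, and note whether the client had issued STARTTLS before authenticating. The line layout (HH:MM:SS, level, module-session(peer), message) and the meaning of the \3D, \2C and \20 escapes are inferred from the quoted segment; the sample log is constructed from those lines.

```python
import base64
import binascii
import re

# Constructed sample: a few lines lifted from the SIMS log segment quoted in
# the post (the base64 strings are the ones that appear there).
SAMPLE_LOG = r"""17:06:18 4 SMTP-947([64.242.11.10]) Input Line: EHLO idfanet.idfa.org\r
17:06:19 4 SMTP-947(idfanet.idfa.org) Sending 250-bigbrother.pecandeluxe.com is pleased to meet you\r\n250-AUTH LOGIN PLAIN CRAM-MD5\r\n250 EHLO\r\n
17:06:19 4 SMTP-947(idfanet.idfa.org) Input Line: AUTH LOGIN Y25cM0RtYWlsLWlkZmFuZXQuaWRmYS5vcmdcMkNcMjBjblwzRGlkZmFuZXQuaWRmYS5vcmdcMkNcMjBvdVwzRE5ldHNjYXBlXDIwU2VydmVyc1wyQ1wyMG9cM0RpZGZhLm9yZw==\r
17:06:19 4 SMTP-947(idfanet.idfa.org) Sending 334 UGFzc3dvcmQ6\r\n
17:06:19 4 SMTP-947(idfanet.idfa.org) Input Line: ZGV5enF3ZHlMZQ==\r
17:06:19 4 SMTP-947(idfanet.idfa.org) Sending 535 authentication failed\r\n
"""

# Assumed SIMS line layout, inferred from the quoted segment:
#   HH:MM:SS <level> <module>-<session>(<peer>) <message>
LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d) (?P<lvl>\d) (?P<src>\S+) (?P<msg>.*)$")
# SIMS writes DN special characters as \XX hex: \3D is '=', \2C is ',', \20 is ' '.
LDAP_ESC_RE = re.compile(r"\\([0-9A-Fa-f]{2})")
# The logger renders the line terminator literally as \r or \r\n.
TRAILING_CRLF_RE = re.compile(r"(\\r|\\n)+$")


def ldap_unescape(s):
    """Turn the log's \\XX escapes back into the characters they stand for."""
    return LDAP_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), s)


def b64_text(s):
    """Decode one AUTH LOGIN token; None if it is not valid base64."""
    try:
        return base64.b64decode(s, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def extract_auth_login(log_text):
    """Return one dict per AUTH LOGIN attempt found in the log text."""
    attempts, pending, tls_started = [], {}, set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        src = m.group("src")
        msg = TRAILING_CRLF_RE.sub("", m.group("msg"))
        session = src.split("(", 1)[0]                   # e.g. SMTP-947
        peer = src[src.find("(") + 1:-1] if "(" in src else ""
        if msg.startswith("Input Line: "):
            line = msg[len("Input Line: "):]
            words = line.split()
            if words and words[0].upper() == "STARTTLS":
                tls_started.add(session)
            elif len(words) >= 2 and words[0].upper() == "AUTH" and words[1].upper() == "LOGIN":
                a = {"time": m.group("time"), "session": session, "peer": peer,
                     "username": None, "password": None, "outcome": None,
                     "cleartext": session not in tls_started}
                if len(words) >= 3:            # initial response carries the username
                    a["username"] = b64_text(words[2])
                pending[session] = a
            elif session in pending:           # answers to the 334 challenges: username, then password
                a = pending[session]
                if a["username"] is None:
                    a["username"] = b64_text(line)
                elif a["password"] is None:
                    a["password"] = b64_text(line)
        elif msg.startswith("Sending ") and session in pending:
            code = msg[len("Sending "):].split(" ", 1)[0]
            if code.startswith("235") or code.startswith("5"):
                a = pending.pop(session)
                a["outcome"] = "accepted" if code.startswith("235") else "rejected"
                a["username_dn"] = ldap_unescape(a["username"]) if a["username"] else None
                attempts.append(a)
    return attempts


def report(attempts):
    """Human-readable summary; the password is masked because the report may be forwarded."""
    out = []
    for a in attempts:
        where = "in the clear" if a["cleartext"] else "after STARTTLS"
        out.append(f"{a['time']} {a['session']} peer={a['peer']}: AUTH LOGIN {a['outcome']} ({where})")
        out.append(f"  username: {a['username']!r}")
        if a["username_dn"] and a["username_dn"] != a["username"]:
            out.append(f"  de-escaped: {a['username_dn']}")
        pw = a["password"]
        out.append(f"  password: {'*' * len(pw) if pw else None}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(extract_auth_login(SAMPLE_LOG)))
```

Run against the sample it reports the single rejected attempt from idfanet.idfa.org, the de-escaped DN "cn=mail-idfanet.idfa.org, cn=idfanet.idfa.org, ou=Netscape Servers, o=idfa.org", and the fact that no STARTTLS preceded the AUTH (the EHLO response in the quoted log does not advertise it). Keep in mind that SIMS already writes the rejected password in plain text in its own "AUTH failed: password(...) is wrong" line, so the log file itself needs the same handling as the credentials it records.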
############################################################# This message is sent to you because you are subscribed to the mailing list <[EMAIL PROTECTED]>. To unsubscribe, E-mail to: <[EMAIL PROTECTED]> To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]> To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]> Send administrative queries to <[EMAIL PROTECTED]>
