Re: How did this spammer get through?

Thu, 08 Feb 2007 07:08:49 -0800

At 9:53 AM -0500 2/8/07, Anibal Escobar imposed structure on a stream of electrons, yielding:
Hi, right now the logging level is "Problems". Should I go to "Low level" or "all info"? 


I go 'all info' on all modules except HTTP. Anything deeper than 
"Problems" there makes using the web interface a log DoS.



Having everything logged may even point out an alternative 
explanation for thje relaying.




Is there anyway to isolate the user that has been compromised?


Not retrospectively without deep logging.


I'd look first at 'postmaster' and any other common-name role 
account. Changing the passwords on such accounts to very strong ones 
is a must. If postmaster has a dictionary word as a password, you can 
bet on it being the problem.




Thanks, Anibal

On Feb 8, 2007, at 9:44 AM, Bill Cole wrote:


At 6:35 AM -0800 2/8/07, Anibal Escobar  imposed structure on a 
stream of electrons, yielding:

Hello everyone, I have a Sims 1.8b9d14 running with Relay for 
Clients only checked.  A couple of days, someone sent out a lot of 
spam through my server.  Here's a snippet from the log:



06:37:45 3 SMTP-658(User) Failed to verify. Real address is 
[89.38.185.95:3052]

06:38:05 2 SMTP-658([89.38.185.95]) {S.0005385044} received, 7094 bytes

06:38:05 2 SYSTEM [S.0005385044] S.0005385044 50+0 
From:[EMAIL PROTECTED]

06:38:05 3 SMTP [S.0005385044] dequeueing

Any thoughts on how this could have happened?  Thanks, Anibal Escobar




If you are not logging any deeper than that, any response is 
theoretical and unverifiable.



The most likely thing is that you have a compromised user account, 
and the spammer has used POP-before-SMTP or SMTP AUTH  with some 
user's weak password.



--

Bill Cole                                  
[EMAIL PROTECTED]



#############################################################
This message is sent to you because you are subscribed to
 the mailing list <[email protected]>.
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>























					Reply via email to