At 6:24 AM -0700 8/29/07, Clive Bruton imposed structure on a stream of electrons, yielding:

> I seem to have managed to get spam relayed through my server. I've no idea how this happened, but here is the source of one of the messages.
> **********
> Received: from [211.158.162.250] (HELO expire)
>   by mail.indx.co.uk (Stalker SMTP Server 1.8b9d14)
>   with ESMTP id S.0002872782 for
>   <[EMAIL PROTECTED]>; Thu, 23 Aug 2007 12:54:44
>   +0000
> From: "Ruby Quan"<[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: D0N°Øt import from China with0ut Magbazer
> Date: Thu, 23 Aug 2007 12:54:46 GMT
> Mime-Version: 1.0
> Content-Type: text/plain
> Content-Transfer-Encoding: 7bit
> [...]
> ************
> I'm surmising from this that the header is not faked, and somehow my host accepted this mail in order that it relay the mail.
Yes. There's no way for a spammer to fake your Received header. That mail was handed to your machine from 211.158.162.250, which looks like a PC in Chongqing, China.
> The only hosts allowed to relay to this host are in the 192.168.*.* range, and it obviously didn't come from them.
> Any clues? My only guess is that someone got in through a POP account, but there's nothing in the logs for POP; I had logging on "problems" and just switched it to "low-level".
If you have SMTP AUTH or POP-before-SMTP enabled, it is likely that this is the result of the spammer guessing the password of some account and using that to open up relay access. Unfortunately, the most commonly guessed passwords are those of common accounts, e.g. 'postmaster' for a SIMS system.

Without deep logging, it is impossible to know for sure why SIMS let that mail through. I always recommend setting logging for every piece other than the HTTP module in SIMS to "All", but I'm a log fetishist. Having full logs is only problematic if you are short on disk space and/or lack good tools for examining them, two problems that are readily fixed. Lacking full logs means you lack the necessary data to be able to figure out unexpected events, and that missing information is gone for good.
--
Bill Cole
[EMAIL PROTECTED]
#############################################################
This message is sent to you because you are subscribed to
the mailing list <[EMAIL PROTECTED]>.
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to <[EMAIL PROTECTED]>
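Bill's point that the Received header stamped by your own server cannot be forged is the basis of a simple relay-abuse check. The following is an added example, not code from the list thread or from SIMS: it reads the topmost Received header stamped by the site's own host, extracts the IP that handed the message over, and tests it against the 192.168.*.* range Clive says is the only one allowed to relay. The host name `mail.indx.co.uk` comes from the quoted header; the addresses in the sample are constructed placeholders.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample: the relayed message's headers as quoted in the post,
# with the redacted addresses replaced by placeholders.
SAMPLE = """Received: from [211.158.162.250] (HELO expire)
 by mail.indx.co.uk (Stalker SMTP Server 1.8b9d14)
 with ESMTP id S.0002872782 for <user@example.invalid>; Thu, 23 Aug 2007 12:54:44 +0000
From: "Ruby Quan" <sender@example.invalid>
To: user@example.invalid
Subject: constructed sample
Date: Thu, 23 Aug 2007 12:54:46 GMT

body
"""

# Hosts this server is allowed to relay for (from the post: 192.168.*.*).
ALLOWED_RELAY = [ipaddress.ip_network("192.168.0.0/16")]
OUR_HOST = "mail.indx.co.uk"  # the host that stamped the trusted Received line

# "from [a.b.c.d] ... by <host>" as written by the receiving MTA.
RECEIVED_RE = re.compile(r"from\s+\[?([0-9.]+)\]?.*?\bby\s+(\S+)", re.S)


def handoff_ip(raw):
    """Return the IP that handed the message to OUR_HOST.

    Received headers are read top-down, so the first one naming OUR_HOST
    as the receiver is the one our own server added; anything a sender
    forged sits below it and is never reached.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(hdr))
        if m and m.group(2).lower() == OUR_HOST:
            return ipaddress.ip_address(m.group(1))
    return None


def is_unauthorised_relay(raw):
    """True if our host accepted the message from outside the allowed range."""
    ip = handoff_ip(raw)
    if ip is None:
        return False  # no hop stamped by our host, nothing to judge
    return not any(ip in net for net in ALLOWED_RELAY)
```

Run over a spool of outbound messages, this flags every message the server accepted for relay from a non-LAN address, which is the set worth correlating with the SMTP AUTH / POP logs Bill recommends keeping.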