Hi All
I have a server which seems to be getting spam relayed through it.
The story is this.....
User reported loads of undeliverables being received so I had a trawl
through the logs.
So the attacker connects to our server using SMTP AUTH........
Oct 5 15:17:53 www sendmail[6972]: AUTH=server,
relay=pppoe9.net109-120-27.se1.omkc.ru [109.120.27.9] (may be forged),
authid=jon, mech=LOGIN, bits=0
This then seemingly passes the AUTH for the user jon and allows the system
to send e-mails such as the following.
Oct 5 15:17:58 www sendmail[6982]: r95EHqoc006972:
to=<qqueenllouise at aol.com>, ctladdr=<jon at xxxxxxxx.co.uk>
(516/100),
delay=00:00:05, xdelay=00:00:02, mailer=esmtp, pri=300552,
relay=mailin-03.mx.aol.com. [205.188.156.193], dsn=2.0.0, stat=Sent (2.0.0
Ok: queued as B648F3800008D)
Now there seem to be 2 user names that appear in the logs with the authid
one is jon as above and the other is jon at xxxxx.co.uk (obviously I have
replaced the real domain with xxxxx)
Now the interesting thing is that there are only a handful of sites on the
server and they are set up so the site has a main username and any other
addresses that need to accept mail are set as aliases.
So in effect there is only one user per domain with one email account.
So despite the main account not being "jon" or "jon at
xxxxx.co.uk" and there
are no users on the domain with those usernames, SMTP auth accepets the
user and authenticates correctly to allow the relay through.
I have checked the server with an external SMTP checker, and it is not an
open relay.
I have changed the password on the domain in question and they are still
getting in.
I have tried changing the password and sending mail with the old password,
this gets .. relying denied, so SMTP auth is working ok.
I have been through the server and looked at each domain for these users,
I did find one called jon on an old domain which I have now deleted, just
in case this was accepting the SMTP auth.
Has anyone any idea how they can be authenticating against SMTP auth with
a username that does not exist on the server ?
Any pointers towards next steps appreciated, as I am running out of ideas
to try and lock this server down.
Cheers
Paul.
--
There are only 10 types of people in the world..
Those who understand binary and those who don't