[BlueOnyx:01696] Re: Sendmail attack, again
Michael Stauber
mstauber at blueonyx.it
Wed Jul 15 09:20:08 -05 2009
Hi Gerald,
> I see things like this in the maillog, how do they do this, and how to stop
> Note that all the email's 18333 had one from
Ok, let us take a look at the first logged line:
> Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333:
> from=<vitaly at ihome.net.ua>, size=2749, class=0, nrcpts=49,
> msgid=<200907151305.n6FD4mxh018333 at msi1.portage.net>, proto=ESMTP,
> daemon=MTA, relay=[82.128.35.90]
We have the sender <vitaly at ihome.net.ua> (probably faked) coming from the IP
82.128.35.90.
The line " size=2749, class=0, nrcpts=49" tells us that the email was 2749
bytes long and "nrcpts=49" means: This email had 49 individual recipients (To,
CC or BCC). So once this email got accepted by your mailserver, your Sendmail
attempted to deliver it to all 49 recipients - regardless of whether they were local
accounts or not.
Now the question is: Why was this box relaying for 82.128.35.90?
Is that IP in the Sendmail access list and allowed to relay? It is probably
not, but it's worth checking.
Did the sender use SMTP-Auth? If *that* is the case, check the log entry right
before that line in question. There should be something like this there:
sendmail[5204]: AUTH=server, relay=ihome.net.ua [82.128.35.90], authid=tom,
mech=PLAIN, bits=0
In that case the "authid=tom" would tell us that user "tom" used SMTP-Auth to
authenticate against SMTP.
That would then point the blame to user tom either being the spammer, or him
having used a weak and guessable password that got exploited by a spammer.
--
With best regards
Michael Stauber
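The check described in the reply above (read the `nrcpts=` and `relay=` fields of each accepted message, then look for the preceding `AUTH=server` line to find the `authid=`) as a small added script; this is an example written for this page, not code from the list or from BlueOnyx. It assumes, as sendmail normally does, that the `AUTH=server` line and the `from=` line of one session carry the same process id, and the sample lines are constructed after the excerpts quoted in the post (with `@` restored).

```python
import re

# Constructed sample lines modeled on the maillog excerpts quoted in the post.
SAMPLE_LOG = """\
Jul 15 08:08:40 msi1 sendmail[18333]: AUTH=server, relay=ihome.net.ua [82.128.35.90], authid=tom, mech=PLAIN, bits=0
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: from=<vitaly@ihome.net.ua>, size=2749, class=0, nrcpts=49, msgid=<200907151305.n6FD4mxh018333@msi1.portage.net>, proto=ESMTP, daemon=MTA, relay=[82.128.35.90]
Jul 15 08:09:02 msi1 sendmail[18340]: n6FD4mxh018340: from=<alice@example.net>, size=812, class=0, nrcpts=1, msgid=<abc@example.net>, proto=ESMTP, daemon=MTA, relay=[127.0.0.1]
"""

# Envelope line: queue id, sender, recipient count and the relaying host.
FROM_RE = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>"
    r".*?nrcpts=(?P<nrcpts>\d+).*?relay=(?P<relay>\S+)"
)
# SMTP-Auth line logged by the same sendmail child just before the envelope line.
AUTH_RE = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: AUTH=server, relay=(?P<relay>.*?), authid=(?P<authid>[^,]+),"
)


def parse_maillog(text):
    """Return one record per accepted message, attaching the authid seen for that pid."""
    pending_auth = {}  # pid -> authid from the most recent AUTH=server line
    records = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            pending_auth[m.group("pid")] = m.group("authid")
            continue
        m = FROM_RE.search(line)
        if m:
            records.append({
                "qid": m.group("qid"),
                "sender": m.group("sender"),
                "nrcpts": int(m.group("nrcpts")),
                "relay": m.group("relay").strip("[]"),
                "authid": pending_auth.pop(m.group("pid"), None),  # None = no SMTP-Auth
            })
    return records


def suspicious(records, max_rcpts=20, local_relays=("127.0.0.1",)):
    """Flag messages with many recipients that did not originate on the local host."""
    return [r for r in records if r["nrcpts"] >= max_rcpts and r["relay"] not in local_relays]


if __name__ == "__main__":
    for r in suspicious(parse_maillog(SAMPLE_LOG)):
        print(f"{r['qid']}: {r['nrcpts']} rcpts via {r['relay']}, authid={r['authid']}")
```

Run it against the real file (for example `parse_maillog(open("/var/log/maillog").read())`) and a non-empty `authid` on a flagged message points at the account whose password needs changing.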