[BlueOnyx:01711] Re: Subject: Re: Sendmail attack, again

Gerald Waugh gwaugh at frontstreetnetworks.com
Wed Jul 15 15:26:43 -05 2009


Did you see Michael's post?
  Also, I used this command to clear mqueue of all email 1 day old or more:
    find /var/spool/mqueue/ -type f -mtime +1 -ls -exec rm {} \;
  and
    find /var/spool/mqueue.in/ -type f -mtime +1 -ls -exec rm {} \;

  Gerald

  > Ok, let us take a look at the first logged line:
  >
  >> Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333:
  >> from=<vitaly at ihome.net.ua>, size=2749, class=0, nrcpts=49,
  >> msgid=<200907151305.n6FD4mxh018333 at msi1.portage.net>, proto=ESMTP,
  >> daemon=MTA, relay=[82.128.35.90]
  >
  > We have the sender <vitaly at ihome.net.ua> (probably faked) coming from the IP
  > 82.128.35.90.
  >
  > The line "size=2749, class=0, nrcpts=49" tells us that the email was 2749
  > bytes long and "nrcpts=49" means: This email had 49 individual recipients (To,
  > CC or BCC). So once this email got accepted by your mailserver, your Sendmail
  > attempted to deliver it to all 49 recipients - regardless of whether they were
  > local accounts or not.
  >
  > Now the question is: Why was this box relaying for 82.128.35.90?
  >
  > Is that IP in the Sendmail access list and allowed to relay? It is probably
  > not, but it's worth checking.
  >
  > Did the sender use SMTP-Auth? If *that* is the case, check the log entry right
  > before that line in question. There should be something like this there:
  >
  > sendmail[5204]: AUTH=server, relay=ihome.net.ua [82.128.35.90], authid=tom,
  > mech=PLAIN, bits=0
  >
  > In that case the "authid=tom" would tell us that user "tom" used SMTP-Auth to
  > authenticate against SMTP.
  >
  > That would then point the blame to user tom either being the spammer, or him
  > having used a weak and guessable password that got exploited by a spammer
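An added example, not from Gerald's or Michael's posts, that turns the log reading Michael describes into a script. It parses constructed sendmail log lines modelled on the entries quoted above, joins each queue-id/from= line to any preceding AUTH=server entry logged by the same sendmail child process (same pid), and flags messages relayed from IPs outside a trusted set, reporting whether the next step is to look at an SMTP-Auth account or at the access list. The sample lines, the extra 18340/18351 sessions, the trusted-relay set and the recipient threshold are all constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines modelled on the entries quoted in the thread (not real log data).
# Session 18333 authenticated as "tom" before sending to 49 recipients; 18340 is a trusted
# peer sending to one recipient; 18351 sent to 60 recipients with no AUTH line at all.
SAMPLE_LOG = """\
Jul 15 08:08:40 msi1 sendmail[18333]: AUTH=server, relay=[82.128.35.90], authid=tom, mech=PLAIN, bits=0
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: from=<vitaly@ihome.net.ua>, size=2749, class=0, nrcpts=49, msgid=<200907151305.n6FD4mxh018333@msi1.portage.net>, proto=ESMTP, daemon=MTA, relay=[82.128.35.90]
Jul 15 08:09:02 msi1 sendmail[18340]: n6FD5Abc018340: from=<alice@example.org>, size=812, class=0, nrcpts=1, msgid=<1@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.10]
Jul 15 08:09:30 msi1 sendmail[18351]: n6FD5Uxy018351: from=<bob@example.net>, size=4000, class=0, nrcpts=60, msgid=<2@example.net>, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]
"""

# The AUTH=server line carries no queue id, only the child's pid.
AUTH_RE = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: AUTH=server, relay=(?P<relay>[^,]+), "
    r"authid=(?P<authid>[^,]+), mech=(?P<mech>[^,]+)"
)
# The envelope line: queue id, sender, size, class, recipient count, ..., relay.
FROM_RE = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>, "
    r"size=(?P<size>\d+), class=(?P<cls>-?\d+), nrcpts=(?P<nrcpts>\d+), "
    r".*relay=(?P<relay>.+)$"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ip(relay: str) -> Optional[str]:
    """Pull the bracketed IP out of 'host.example [1.2.3.4]' or '[1.2.3.4]'."""
    m = IP_RE.search(relay)
    return m.group(1) if m else None


def parse_sendmail_log(text: str) -> List[Dict]:
    """Parse from= lines and attach the SMTP-Auth identity seen earlier in the same session.

    Sendmail logs AUTH=server from the same child process that later logs the
    queue-id/from= line, so the pid is the join key. A session may send several
    messages after one AUTH, so the entry is kept rather than consumed (pid reuse
    across a very long log is the known caveat of this simple join).
    """
    auth_by_pid: Dict[str, Dict[str, str]] = {}
    messages: List[Dict] = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            auth_by_pid[m.group("pid")] = {"authid": m.group("authid"), "mech": m.group("mech")}
            continue
        m = FROM_RE.search(line)
        if not m:
            continue
        auth = auth_by_pid.get(m.group("pid"))
        messages.append({
            "qid": m.group("qid"),
            "pid": m.group("pid"),
            "sender": m.group("sender"),
            "size": int(m.group("size")),
            "nrcpts": int(m.group("nrcpts")),
            "relay_ip": relay_ip(m.group("relay")),
            "authid": auth["authid"] if auth else None,
            "mech": auth["mech"] if auth else None,
        })
    return messages


def flag_relayed(messages: List[Dict], trusted_relays: set, min_rcpts: int = 10) -> List[Dict]:
    """Return bulk messages from untrusted relay IPs, each with a next-step verdict."""
    hits = []
    for msg in messages:
        if msg["relay_ip"] in trusted_relays or msg["nrcpts"] < min_rcpts:
            continue
        if msg["authid"]:
            verdict = f"SMTP-Auth as {msg['authid']!r}: check that account and its password"
        else:
            verdict = "no AUTH line: check the access list / relay config for this IP"
        hits.append({**msg, "verdict": verdict})
    return hits


if __name__ == "__main__":
    # Assumed trusted relay set and recipient threshold, both chosen for the sample.
    for hit in flag_relayed(parse_sendmail_log(SAMPLE_LOG), trusted_relays={"192.0.2.10"}):
        print(f"{hit['qid']} relay={hit['relay_ip']} nrcpts={hit['nrcpts']} "
              f"authid={hit['authid']}: {hit['verdict']}")
```

Run it against a real maillog with `parse_sendmail_log(open("/var/log/maillog").read())` and a trusted set built from your access list; the two verdicts map directly onto the two questions in the reply above (SMTP-Auth account, or relay permission for the IP).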