[BlueOnyx:01714] Re: Sendmail attack, again

Paul paul at planetcentral.net
Wed Jul 15 17:06:26 -05 2009


Gerald Waugh wrote:
> Michael Stauber wrote
>   
>> Hi Gerald,
>>
>>     
>>> I see things like this in the maillog, how do they do this, and how to stop?
>>> Note that all the emails 18333 had one from
>>>       
>> Ok, let us take a look at the first logged line:
>>
>>     
>>> Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333:
>>> from=<vitaly at ihome.net.ua>, size=2749, class=0, nrcpts=49,
>>> msgid=<200907151305.n6FD4mxh018333 at msi1.portage.net>, proto=ESMTP,
>>> daemon=MTA, relay=[82.128.35.90]
>>>       
>> We have the sender <vitaly at ihome.net.ua> (probably faked) coming from the IP
>> 82.128.35.90.
>>
>> The line "size=2749, class=0, nrcpts=49" tells us that the email was 2749
>> bytes long and "nrcpts=49" means: This email had 49 individual recipients (To,
>> CC or BCC). So once this email got accepted by your mailserver, your Sendmail
>> attempted to deliver it to all 49 recipients - regardless of whether they were
>> local accounts or not.
>>
>> Now the question is: Why was this box relaying for 82.128.35.90?
>>
>> Is that IP in the Sendmail access list and allowed to relay? It is probably
>> not, but it's worth checking.
>>
>> Did the sender use SMTP-Auth? If *that* is the case, check the log entry right
>> before that line in question. There should be something like this there:
>>
>> sendmail[5204]: AUTH=server, relay=ihome.net.ua [82.128.35.90], 
>> authid=tom,
>> mech=PLAIN, bits=0
>>
>> In that case the "authid=tom" would tell us that user "tom" used SMTP-Auth to
>> authenticate against SMTP.
>>
>> That would then point the blame to user tom either being the spammer, or him
>> having used a weak and guessable password that got exploited by a spammer.
>>
>>     
> Yep, found the culprit,
>    user info
> I suggest not having a user info, maybe OK as an alias.
> Else give user info a strong password
>
> Thanks for the help, I'll remember this one!
>
> Gerald 
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at blueonyx.it
> http://www.blueonyx.it/mailman/listinfo/blueonyx
>   

Gerald,

This was EXACTLY the same problem as I had a week or so ago - and it was
indeed the user "info".
Removed the user, and problem gone (blocked the spammer's IP for good
measure)!!

Paul
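As an added example (not code from this thread, from BlueOnyx or from Sendmail itself), the following Python script automates the check Michael walks through by hand: it reads maillog lines, remembers each "AUTH=server ... authid=" entry, pairs it with the "from=<...>, size=..., nrcpts=..." envelope line that the same sendmail child process logs next, and flags envelopes with a suspiciously high recipient count together with the account that obtained relaying rights. The pairing on the PID in "sendmail[PID]" is an assumption about how one SMTP session is logged; the sample log lines, host names, addresses, PIDs and queue IDs are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample maillog excerpt (not taken from the thread). Host name,
# PIDs, queue IDs, addresses and IPs are placeholders in the layout Sendmail uses.
SAMPLE_MAILLOG = """\
Jul 15 08:08:47 msi1 sendmail[18333]: AUTH=server, relay=mail.example.net [192.0.2.10], authid=info, mech=PLAIN, bits=0
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: from=<someone@example.org>, size=2749, class=0, nrcpts=49, msgid=<200907151305.n6FD4mxh018333@msi1.example.net>, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
Jul 15 08:09:02 msi1 sendmail[18340]: n6FD4mxh018340: from=<alice@example.net>, size=812, class=0, nrcpts=1, msgid=<abc123@msi1.example.net>, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]
Jul 15 08:09:10 msi1 sendmail[18351]: AUTH=server, relay=[203.0.113.5], authid=bob, mech=LOGIN, bits=0
Jul 15 08:09:11 msi1 sendmail[18351]: n6FD4xh018351: from=<bob@example.net>, size=1500, class=0, nrcpts=3, msgid=<def456@msi1.example.net>, proto=ESMTP, daemon=MTA, relay=[203.0.113.5]
"""

# Syslog prefix common to every line: timestamp, host, "sendmail[PID]: ", remainder.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sendmail\[(?P<pid>\d+)\]:\s+(?P<rest>.*)$"
)
# SMTP-Auth success line: which account authenticated and with which mechanism.
AUTH_RE = re.compile(r"AUTH=server,.*?authid=(?P<authid>[^,\s]+),\s*mech=(?P<mech>\w+)")
# Envelope line: queue ID, sender, size, recipient count and the relaying client.
FROM_RE = re.compile(
    r"(?P<qid>\w+):\s+from=<(?P<sender>[^>]*)>,\s+size=(?P<size>\d+),"
    r"\s+class=-?\d+,\s+nrcpts=(?P<nrcpts>\d+),.*\brelay=(?P<relay>.+)$"
)


def parse_envelopes(text):
    """Yield one dict per from= line, carrying the authid (or None) that the
    same sendmail child process (matched on PID) logged just before it."""
    auth_by_pid = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        pid, rest = m["pid"], m["rest"]
        a = AUTH_RE.search(rest)
        if a:
            # Remember the authenticated identity until this PID logs its envelope.
            auth_by_pid[pid] = (a["authid"], a["mech"])
            continue
        f = FROM_RE.search(rest)
        if not f:
            continue
        authid, mech = auth_by_pid.pop(pid, (None, None))
        yield {
            "ts": m["ts"], "qid": f["qid"], "sender": f["sender"],
            "size": int(f["size"]), "nrcpts": int(f["nrcpts"]),
            "relay": f["relay"].strip(), "authid": authid, "mech": mech,
        }


def flag_bulk_relays(text, nrcpts_threshold=20):
    """Return envelopes with an unusually high recipient count, each tagged with
    how the client obtained relaying rights (an SMTP-Auth user, or none at all)."""
    return [e for e in parse_envelopes(text) if e["nrcpts"] >= nrcpts_threshold]


def recipients_by_authid(text):
    """Total recipients per authenticated account, to spot one login doing all the sending."""
    totals = defaultdict(int)
    for e in parse_envelopes(text):
        if e["authid"]:
            totals[e["authid"]] += e["nrcpts"]
    return dict(totals)


if __name__ == "__main__":
    for e in flag_bulk_relays(SAMPLE_MAILLOG):
        if e["authid"]:
            who = f"SMTP-Auth user '{e['authid']}' ({e['mech']}) - check that account's password"
        else:
            who = "no SMTP-Auth - check the access list for an open relay"
        print(f"{e['ts']} {e['qid']}: nrcpts={e['nrcpts']} from {e['relay']} via {who}")
    print(recipients_by_authid(SAMPLE_MAILLOG))
```

Run against a real maillog (for example `python3 script.py < /var/log/maillog` after swapping the constructed sample for `sys.stdin.read()`), an envelope flagged with an authid is the "weak password on a real account" case from the thread, while one flagged with no authid points at the access list or an open-relay configuration instead.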
