[BlueOnyx:01523] Re: Spammers

Steve Davis steve at zio.com
Sun Jun 28 15:47:05 -05 2009




I found an IP in an mqueue file and did a grep to find that IP in the  
maillog. Below is 1 of 12 of those messages. It does not say how the user  
logged in, if they did at all.

Jun 28 05:48:50 raq1 sendmail[23368]: n5SAmkLY023368: from=<ifdfgbniiqxlxqhpwl at alibaba.com.cn>, size=1083, class=0, nrcpts=13, msgid=<JKKTRSOILLBECPMSEFVT at anime.adsldns.org>, bodytype=8BITMIME, proto=SMTP, daemon=MTA, relay=124-11-194-186.dynamic.tfn.net.tw [124.11.194.186]


It looks more like this is just an attack on my server, flooding the  
mail queue. I don't see where there have been attempts to hack in, or  
even log in.

How is this possible?

Steve







>
> Look carefully at the one of the spam mail files in /var/spool/mqueue
> You will either see the username or at least the IP.
>
> If you know the IP, then just check the mail log for a login with  
> that IP.
> E.g. if the IP was 123.456.789.10 then
>
> grep -i login /var/log/maillog | grep -F 123.456.789.10
>
>
>
> ----
> Ken Marcus
> Ecommerce Web Hosting by
> Precision Web Hosting, Inc.
> http://www.precisionweb.net
>
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Sun, 28 Jun 2009 05:42:35 -0500
> From: Steve Davis <steve at zio.com>
> Subject: [BlueOnyx:01521] Re: [Spam?]  Blueonyx Digest, Vol 6, Issue
> 	36
> To: blueonyx at blueonyx.it
> Message-ID: <504CC412-4E06-4FF9-B86A-EC21E9AE643C at zio.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>
> I wanted to thank everyone for the suggestions and guidance.
>
> Did find some holes, like legacy .openwebmail files, that I removed.
>
> The secure and http log files provided some insight. Apparently I need
> more help from some program that can scrub the system.
>
> Most of the attack is coming from 219.0.0.0 addresses, so I have
> blocked that part of China from the router.
>
> Michael, the parse command did not work on this server; I modified it but
> did not get the full effect.
> There is no "AUTH=server" on this server. There is "AUTH Server" within
> the log, but there is no 'authid'; not sure if that was a placeholder.
>
> Chuck, I am reviewing your solutions and will apply it to my CM here
> very soon.
>
> Thanks, all
>
>
>
> ------------------------------
>
> Message: 3
> Date: Sun, 28 Jun 2009 17:52:44 +0200
> From: Michael Stauber <mstauber at blueonyx.it>
> Subject: [BlueOnyx:01522] Re: [Spam?]  Blueonyx Digest, Vol 6, Issue
> 	36
> To: BlueOnyx General Mailing List <blueonyx at blueonyx.it>
> Message-ID: <200906281752.44799.mstauber at blueonyx.it>
> Content-Type: text/plain;  charset="utf-8"
>
> Hi Steve,
>
>> Michael, the parse command did not work on this server; I modified it but
>> did not get the full effect.
>> There is no "AUTH=server" on this server. There is "AUTH Server" within
>> the log, but there is no 'authid'; not sure if that was a placeholder.
>
> Very well. Then it appears as if the attackers weren't using SMTP-Auth,
> because then the "authid" would reveal the username they used.
>
> -- 
> With best regards
>
> Michael Stauber
>
>
>
> ------------------------------
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at blueonyx.it
> http://www.blueonyx.it/mailman/listinfo/blueonyx
>
>
> End of Blueonyx Digest, Vol 6, Issue 37
> ***************************************
>
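Ken's check (grep the maillog for a login from the relay IP) and Michael's point (an SMTP AUTH session leaves an AUTH=server record whose authid names the account) can be done in one pass over the log. The script below is an added example written for this page, not code from the list post or from BlueOnyx: it parses sendmail's from= and AUTH=server records, totals messages and recipients per client IP, collects the authids seen for that IP, and flags IPs that injected many recipients without ever authenticating. The sample log is constructed (the first line reproduces the record Steve quoted, with the archive's " at " turned back into "@"; the rest are invented with example.org and 192.0.2.77), and the AUTH=server field layout is assumed from sendmail's usual SASL logging rather than taken from the page.

```python
"""Per-client-IP summary of a sendmail maillog: which relays injected mail,
how many recipients they named, and whether any SMTP AUTH (authid) record
exists for them. Standard library only."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample input. Line 1 copies the record quoted in the post
# (" at " restored to "@"); every other line is invented (example.org,
# RFC 5737 address 192.0.2.77). The AUTH=server record layout is the one
# sendmail writes for SASL logins; its exact field order is an assumption.
SAMPLE_LOG = """\
Jun 28 05:48:50 raq1 sendmail[23368]: n5SAmkLY023368: from=<ifdfgbniiqxlxqhpwl@alibaba.com.cn>, size=1083, class=0, nrcpts=13, msgid=<JKKTRSOILLBECPMSEFVT@anime.adsldns.org>, bodytype=8BITMIME, proto=SMTP, daemon=MTA, relay=124-11-194-186.dynamic.tfn.net.tw [124.11.194.186]
Jun 28 05:49:12 raq1 sendmail[23371]: n5SAnCLY023371: from=<ifdfgbniiqxlxqhpwl@alibaba.com.cn>, size=1083, class=0, nrcpts=13, msgid=<QWERTYUIOPASDFGHJKLZ@anime.adsldns.org>, bodytype=8BITMIME, proto=SMTP, daemon=MTA, relay=124-11-194-186.dynamic.tfn.net.tw [124.11.194.186]
Jun 28 06:02:01 raq1 sendmail[23402]: n5SB21LY023402: AUTH=server, relay=[192.0.2.77], authid=bob, mech=LOGIN, bits=0
Jun 28 06:02:01 raq1 sendmail[23402]: n5SB21LY023402: from=<bob@example.org>, size=2210, class=0, nrcpts=40, msgid=<20090628060201.GA1@example.org>, proto=ESMTP, daemon=MTA, relay=[192.0.2.77]
Jun 28 06:02:30 raq1 sendmail[23405]: n5SB2ULY023405: AUTH=server, relay=[192.0.2.77], authid=bob, mech=PLAIN, bits=0
Jun 28 06:02:30 raq1 sendmail[23405]: n5SB2ULY023405: from=<bob@example.org>, size=900, class=0, nrcpts=1, msgid=<20090628060230.GA2@example.org>, proto=ESMTP, daemon=MTA, relay=[192.0.2.77]
Jun 28 06:03:15 raq1 sendmail[23410]: n5SB3FLY023410: to=<alice@example.org>, delay=00:00:01, mailer=local, pri=31083, dsn=2.0.0, stat=Sent
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$"
)
# relay=hostname [ip]  or  relay=[ip]; the bracketed address is authoritative
RELAY_IP_RE = re.compile(r"relay=(?:\S+ )?\[(?P<ip>[0-9A-Fa-f.:]+)\]")
NRCPTS_RE = re.compile(r"nrcpts=(?P<n>\d+)")
AUTHID_RE = re.compile(r"authid=(?P<id>[^,]+)")
MECH_RE = re.compile(r"mech=(?P<mech>[^,]+)")


@dataclass
class RelayStats:
    messages: int = 0                           # envelope (from=) records
    recipients: int = 0                         # sum of nrcpts over them
    authids: set = field(default_factory=set)   # usernames from AUTH=server
    mechs: set = field(default_factory=set)     # SASL mechanisms seen


def records(log_text):
    """Yield (qid, rest, client_ip) for sendmail lines carrying a relay
    address; to=/local delivery records have none and are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip = RELAY_IP_RE.search(m.group("rest"))
            if ip:
                yield m.group("qid"), m.group("rest"), ip.group("ip")


def summarize(log_text):
    """Aggregate envelope (from=) and AUTH=server records per client IP."""
    stats = defaultdict(RelayStats)
    for qid, rest, ip in records(log_text):
        s = stats[ip]
        if rest.startswith("AUTH=server"):
            a, m = AUTHID_RE.search(rest), MECH_RE.search(rest)
            if a:
                s.authids.add(a.group("id"))
            if m:
                s.mechs.add(m.group("mech"))
        elif rest.startswith("from="):
            s.messages += 1
            n = NRCPTS_RE.search(rest)
            s.recipients += int(n.group("n")) if n else 0
    return dict(stats)


def auth_records(log_text, ip):
    """Every SMTP AUTH record for one client IP as (qid, authid, mech), whatever
    the SASL mechanism: the reliable form of 'check the mail log for a login'."""
    out = []
    for qid, rest, rip in records(log_text):
        if rip == ip and rest.startswith("AUTH=server"):
            a, m = AUTHID_RE.search(rest), MECH_RE.search(rest)
            out.append((qid, a.group("id") if a else "", m.group("mech") if m else ""))
    return out


def grep_ogin(log_text, ip, ignore_case=False):
    """Emulates `grep ogin /var/log/maillog | grep IP` from the quoted advice."""
    hits = []
    for line in log_text.splitlines():
        hay = line.lower() if ignore_case else line
        if "ogin" in hay and ip in line:
            hits.append(line)
    return hits


def unauthenticated_bulk_relays(stats, min_recipients=10):
    """Client IPs that injected at least min_recipients recipients without a
    single AUTH record: the set to triage for relay abuse versus plain inbound
    mail (an inbound message addressed to 13 local mailboxes also has nrcpts=13)."""
    return sorted(ip for ip, s in stats.items()
                  if not s.authids and s.recipients >= min_recipients)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, s in sorted(summary.items()):
        who = ",".join(sorted(s.authids)) or "-"
        print(f"{ip:16} msgs={s.messages:3} rcpts={s.recipients:4} authid={who}")
    print("unauthenticated bulk:", unauthenticated_bulk_relays(summary))
```

Run stand-alone it prints one line per client IP. Note what the literal `grep ogin` misses: sendmail writes the mechanism as `mech=LOGIN` in upper case, so a case-sensitive grep never matches its AUTH records at all, and even `grep -i` still misses `mech=PLAIN` (or CRAM-MD5) logins; grepping for `AUTH=server` together with the IP, as `auth_records` does, catches every mechanism. An IP with `nrcpts=13` and no AUTH record, as in Steve's line, only tells you the client never authenticated; whether that is relay abuse or ordinary inbound mail depends on whether those recipients were local, which the matching `to=` records for that queue ID show.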