[BlueOnyx:01696] Re: Sendmail attack, again

Michael Stauber mstauber at blueonyx.it
Wed Jul 15 09:20:08 PET 2009


Hi Gerald,

> I see things like this in the maillog, how do they do this, and how to stop
> Note that all the email's  18333 had one from

Ok, let us take a look at the first logged line:

> Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333:
> from=<vitaly at ihome.net.ua>, size=2749, class=0, nrcpts=49,
> msgid=<200907151305.n6FD4mxh018333 at msi1.portage.net>, proto=ESMTP,
> daemon=MTA, relay=[82.128.35.90]

We have the sender <vitaly at ihome.net.ua> (probably faked) comming from  the IP 
82.128.35.90.

The line " size=2749, class=0, nrcpts=49" tells us that the email was 2749 
bytes long and "nrcpts=49" means: This email had 49 individual recipients (To, 
CC or BCC). So once this email got accepted by your mailserver, your Sendmail 
attempted to deliver it to all 49 recipients - regardless if they were local 
accounts or not.

Now the question is: Why was this box relaying for 82.128.35.90? 

Is that IP in the Sendmail access list and allowed to relay? It is probably 
not, but it's worth checking.

Did the sender use SMTP-Auth? If *that* is the case, check the log entry right 
before that line in question. There should be something like this there:

sendmail[5204]: AUTH=server, relay=ihome.net.ua [82.128.35.90], authid=tom, 
mech=PLAIN, bits=0

In that case the "authid=tom" would tell us that user "tom" used SMTP-Auth to 
authenticate against SMTP.

That would then point the blame to user tom either being the spammer, or him 
having used a weak and guesable password that got exploited by a spammer.

-- 
With best regards

Michael Stauber




More information about the Blueonyx mailing list