[BlueOnyx:01700] Re: Sendmail attack, again

Gerald Waugh gwaugh at frontstreetnetworks.com
Wed Jul 15 10:36:29 PET 2009


Michael Stauber wrote:
> Hi Gerald,
>
>> I see things like this in the maillog. How do they do this, and how do I stop it?
>> Note that all the emails 18333 had one from
>
> Ok, let us take a look at the first logged line:
>
>> Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333:
>> from=<vitaly at ihome.net.ua>, size=2749, class=0, nrcpts=49,
>> msgid=<200907151305.n6FD4mxh018333 at msi1.portage.net>, proto=ESMTP,
>> daemon=MTA, relay=[82.128.35.90]
>
> We have the sender <vitaly at ihome.net.ua> (probably faked) coming from the IP
> 82.128.35.90.
>
> The line "size=2749, class=0, nrcpts=49" tells us that the email was 2749
> bytes long, and "nrcpts=49" means this email had 49 individual recipients (To,
> CC or BCC). So once this email got accepted by your mailserver, your Sendmail
> attempted to deliver it to all 49 recipients, regardless of whether they were
> local accounts or not.
>
> Now the question is: Why was this box relaying for 82.128.35.90?
>
> Is that IP in the Sendmail access list and allowed to relay? It is probably
> not, but it's worth checking.
>
> Did the sender use SMTP-Auth? If *that* is the case, check the log entry right
> before the line in question. There should be something like this there:
>
> sendmail[5204]: AUTH=server, relay=ihome.net.ua [82.128.35.90], authid=tom,
> mech=PLAIN, bits=0
>
> In that case the "authid=tom" would tell us that user "tom" used SMTP-Auth to
> authenticate against SMTP.
>
> That would then point the blame at user tom, either for being the spammer or for
> having used a weak and guessable password that got exploited by a spammer.
>
Yep, found the culprit:
   user info
I suggest not having a user "info"; maybe it's OK as an alias.
Otherwise, give user "info" a strong password.

Thanks for the help, I'll remember this one!

Gerald 
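The log correlation Michael describes above (pair each message's from= line with the AUTH=server line logged just before it, then look at nrcpts=) as an added example for reviewing a maillog; this is not code from the thread or from BlueOnyx. It assumes the AUTH=server record and the from= record of one SMTP session share the sendmail process id, and the sample log is constructed from the quoted lines plus two invented entries.

```python
import re

# The two sendmail record shapes discussed in the thread: the AUTH=server line
# the SMTP-AUTH handshake logs (no queue id) and the per-message from= line.
AUTH_RE = re.compile(r"sendmail\[(?P<pid>\d+)\]: AUTH=server, relay=.+?, authid=(?P<authid>[^,]+),")
FROM_RE = re.compile(r"sendmail\[(?P<pid>\d+)\]: (?P<qid>\w+): from=<[^>]*>, size=\d+, class=-?\d+, "
                     r"nrcpts=(?P<nrcpts>\d+), .*relay=(?P<relay>\S+)$")

# Constructed sample maillog modelled on the lines quoted above. The AUTH line
# carries the same pid as its message (Michael's pid 5204 was illustrative);
# the alice/bob entries are invented for contrast and use documentation IPs.
SAMPLE_LOG = [
    "Jul 15 08:08:48 msi1 sendmail[18333]: AUTH=server, relay=ihome.net.ua "
    "[82.128.35.90], authid=tom, mech=PLAIN, bits=0",
    "Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: from=<vitaly@ihome.net.ua>, "
    "size=2749, class=0, nrcpts=49, msgid=<200907151305.n6FD4mxh018333@msi1.portage.net>, "
    "proto=ESMTP, daemon=MTA, relay=[82.128.35.90]",
    "Jul 15 08:09:10 msi1 sendmail[18340]: AUTH=server, relay=[192.0.2.10], "
    "authid=alice, mech=LOGIN, bits=0",
    "Jul 15 08:09:11 msi1 sendmail[18340]: n6FD5xyz018340: from=<alice@example.com>, "
    "size=812, class=0, nrcpts=1, msgid=<1@example.com>, proto=ESMTP, daemon=MTA, "
    "relay=[192.0.2.10]",
    "Jul 15 08:10:02 msi1 sendmail[18341]: n6FD6abc018341: from=<bob@example.net>, "
    "size=3001, class=0, nrcpts=30, msgid=<2@example.net>, proto=ESMTP, daemon=MTA, "
    "relay=[198.51.100.7]",
]

def find_bulk_senders(lines, max_rcpts=20):
    """Pair each from= record with the last AUTH=server record logged by the same
    sendmail process (the 'entry right before' in the thread) and report messages
    with more than max_rcpts recipients; authid None means relayed unauthenticated."""
    last_auth = {}  # pid -> authid of the session's AUTH=server line
    hits = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            last_auth[m.group("pid")] = m.group("authid")
            continue
        m = FROM_RE.search(line)
        if m is None:
            continue
        nrcpts = int(m.group("nrcpts"))
        if nrcpts > max_rcpts:
            hits.append({"qid": m.group("qid"), "authid": last_auth.get(m.group("pid")),
                         "relay": m.group("relay"), "nrcpts": nrcpts})
    return hits

if __name__ == "__main__":
    for hit in find_bulk_senders(SAMPLE_LOG):
        print(hit)
```

A hit with an authid names the account to lock or re-password (user "info" in Gerald's case); a hit without one means the relay question in Michael's mail still needs answering.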