[BlueOnyx:01700] Re: Sendmail attack, again
gwaugh at frontstreetnetworks.com
Wed Jul 15 10:36:29 PET 2009
Michael Stauber wrote
> Hi Gerald,
>> I see things like this in the maillog, how do they do this, and how to
>> Note that all the email's 18333 had one from
> Ok, let us take a look at the first logged line:
>> Jul 15 08:08:49 msi1 sendmail: n6FD4mxh018333:
>> from=<vitaly at ihome.net.ua>, size=2749, class=0, nrcpts=49,
>> msgid=<200907151305.n6FD4mxh018333 at msi1.portage.net>, proto=ESMTP,
>> daemon=MTA, relay=[220.127.116.11]
> We have the sender <vitaly at ihome.net.ua> (probably faked) comming from
> the IP
> The line " size=2749, class=0, nrcpts=49" tells us that the email was 2749
> bytes long and "nrcpts=49" means: This email had 49 individual recipients
> CC or BCC). So once this email got accepted by your mailserver, your
> attempted to deliver it to all 49 recipients - regardless if they were
> accounts or not.
> Now the question is: Why was this box relaying for 18.104.22.168?
> Is that IP in the Sendmail access list and allowed to relay? It is
> not, but it's worth checking.
> Did the sender use SMTP-Auth? If *that* is the case, check the log entry
> before that line in question. There should be something like this there:
> sendmail: AUTH=server, relay=ihome.net.ua [22.214.171.124],
> mech=PLAIN, bits=0
> In that case the "authid=tom" would tell us that user "tom" used SMTP-Auth
> authenticate against SMTP.
> That would then point the blame to user tom either being the spammer, or
> having used a weak and guesable password that got exploited by a spammer.
Yep, found the culprit,
I suggest not having a user info, maybe OK as an alias.
Else give user info a strong password
Thanks for the help, I'll remember this one!
More information about the Blueonyx