--On January 13, 2007 1:08:17 PM -0500 David Banning
<[EMAIL PROTECTED]> wrote:
> I am still poring over logs to check how my server has been spamming.
> I am wondering about the possibility of someone using a working login
> and password to send spam through my server. So here is my question;
> I look at my maillog and see the following spam;
>
> maillog.0:Jan 11 02:14:17 3s1 sm-mta: l0B7EGO6003540: from=<[EMAIL PROTECTED]>, size=478, class=0, nrcpts=1, msgid=<200701110714.l0B7[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=3s1.com
>
> [EMAIL PROTECTED] does not exist as a user on my system, but the relay is mine
> (3s1.com), and 126.96.36.199 is mine.

Your system appears to be working as expected:
telnet 188.8.131.52 25
Connected to 3s1.com.
Escape character is '^]'.
EHL220 3s1.com ESMTP Sendmail 8.13.6/8.13.6; Sat, 13 Jan 2007 14:51:12
250-3s1.com Hello www.stovebolt.com [184.108.40.206], pleased to meet you
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
MAIL FROM: [EMAIL PROTECTED]
250 2.1.0 [EMAIL PROTECTED] Sender ok
RCPT TO: [EMAIL PROTECTED]
550 5.7.1 [EMAIL PROTECTED] Relaying denied. Proper authentication
That would seem to suggest that the spam is being sent using an authorized
account; however, is it possible that a host inside your network is
sending the spam?

Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
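One way to answer Paul's question from the logs, as an added example (not code from either poster): a small Python script that groups sendmail maillog lines by queue ID and labels each message as authenticated (an AUTH=server line carrying an authid), sent from an internal host, or external. The sample log lines, the internal address ranges in LOCAL_NETS, and the user and host names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample maillog lines (not from the thread). The "from=" line has
# the shape David posted; the "AUTH=server" line is what sendmail logs when the
# client authenticated (SMTP AUTH) before sending. IPs are documentation ranges.
SAMPLE_LOG = """\
Jan 11 02:14:16 3s1 sm-mta[3540]: l0B7EGO6003540: AUTH=server, relay=[203.0.113.7], authid=bob, mech=LOGIN, bits=0
Jan 11 02:14:17 3s1 sm-mta[3540]: l0B7EGO6003540: from=<fake@3s1.com>, size=478, class=0, nrcpts=1, msgid=<a@3s1.com>, proto=ESMTP, daemon=MTA, relay=3s1.com [203.0.113.7]
Jan 11 02:20:01 3s1 sm-mta[3571]: l0B7K1aa003571: from=<other@3s1.com>, size=612, class=0, nrcpts=5, msgid=<b@3s1.com>, proto=ESMTP, daemon=MTA, relay=ws12.lan [192.168.1.12]
Jan 11 02:25:44 3s1 sm-mta[3590]: l0B7Piii003590: from=<alice@example.net>, size=300, class=0, nrcpts=1, msgid=<c@example.net>, proto=ESMTP, daemon=MTA, relay=mx.example.net [198.51.100.9]
"""

LOCAL_NETS = ("192.168.", "10.")  # assumption: the site's internal address ranges
QID = re.compile(r"sm-mta(?:\[\d+\])?: (\w+): (.*)$")
KV = re.compile(r"(\w+)=(<[^>]*>|\[[^\]]*\]|[^,]*)")  # values inside <> or [] may contain commas


def classify(log_text, local_nets=LOCAL_NETS):
    """Group lines by sendmail queue ID and label where each message came in from.
    Returns {queue_id: (envelope_sender, relay_ip, origin)} with origin one of
    'authenticated:<authid>', 'internal-host' or 'external'. A sender in your own
    domain with origin 'external' is the open-relay case Paul's telnet test ruled out."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = QID.search(line)
        if not m:
            continue
        qid, rest = m.groups()
        fields = dict(KV.findall(rest))
        if rest.startswith("AUTH=server"):
            msgs[qid]["authid"] = fields.get("authid", "")
        elif "from" in fields:
            msgs[qid]["from"] = fields["from"].strip("<>")
            ip = re.search(r"\[([\d.]+)\]", fields.get("relay", ""))
            msgs[qid]["ip"] = ip.group(1) if ip else ""
    result = {}
    for qid, info in msgs.items():
        if "from" not in info:  # AUTH line seen but no envelope line for it
            continue
        if info.get("authid"):
            origin = "authenticated:" + info["authid"]
        elif info["ip"].startswith(local_nets):
            origin = "internal-host"
        else:
            origin = "external"
        result[qid] = (info["from"], info["ip"], origin)
    return result
```

Run it over the real maillog with `classify(open("/var/log/maillog").read())` and look for the authids and internal hosts behind the spam bursts; an unfamiliar authid points at a compromised account, an internal relay IP at an infected host.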