David Banning wrote:
>> That would seem to suggest that the spam is being sent using an authorized
>> account, however, is it possible that a host inside your network is
>> sending the spam?
>
> Thanks for that test Paul. I do believe that it could have been a virus
> infected windows box. I am not convinced now. I -do- know that I have
> had crackers attempting access via SSH and I did not have anything to
> stop them from trying every possible configuration. Eventually they
> may have gotten a usable login and password. I now have them blocked
> after 5 failed attempts but still there could be someone spamming using
> the login and password obtained previously. Before getting -everyone-
> to change their password I am wondering if there isn't a way to log
> who is sending via what login authentication. I could then just
> setup a new password for that user only.

You can make the logging more verbose at the SASL level. You should
have a file /usr/local/lib/sasl2/Sendmail.conf which contains sendmail
specific bits of the SASL configuration. (just create it if you don't
already have it). You can add to that a

    log_level: 6

parameter, which should cause enough logging to be generated that you
can tell who was logging in and where from, without logging passwords
or other sensitive stuff. You might want to follow the instructions in
/etc/syslog.conf for enabling the all.log.

For more info on the sort of stuff you can put in the various SASL
config files see:

    http://www.sendmail.org/~ca/email/cyrus2/options.html

The available levels (from sasl.h) are:

    /* Logging levels for use with the logging callback function. */
    #define SASL_LOG_NONE  0    /* don't log anything */
    #define SASL_LOG_ERR   1    /* log unusual errors (default) */
    #define SASL_LOG_FAIL  2    /* log all authentication failures */
    #define SASL_LOG_WARN  3    /* log non-fatal warnings */
    #define SASL_LOG_NOTE  4    /* more verbose than LOG_WARN */
    #define SASL_LOG_DEBUG 5    /* more verbose than LOG_NOTE */
    #define SASL_LOG_TRACE 6    /* traces of internal protocols */
    #define SASL_LOG_PASS  7    /* traces of internal protocols, including

    Cheers,

    Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
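
With the extra logging enabled, the per-login view asked about in the quoted question can be pulled out of the mail log. The script below is an added example, not part of the original message: it assumes sendmail's own `AUTH=server, relay=..., authid=...` and `from=..., nrcpts=...` maillog lines, joined on the daemon pid. The sample lines are constructed, and the function names and thresholds are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the assumed sendmail maillog format.
SAMPLE_LOG = """\
Mar  3 02:14:07 mail sm-mta[4321]: AUTH=server, relay=host1.example.net [203.0.113.7], authid=alice, mech=LOGIN, bits=0
Mar  3 02:14:08 mail sm-mta[4321]: m232E7aa004321: from=<a@example.org>, size=2048, nrcpts=50, relay=host1.example.net [203.0.113.7]
Mar  3 02:15:30 mail sm-mta[4388]: AUTH=server, relay=[198.51.100.23], authid=alice, mech=LOGIN, bits=0
Mar  3 02:15:31 mail sm-mta[4388]: m232FUbb004388: from=<b@example.org>, size=2100, nrcpts=48, relay=[198.51.100.23]
Mar  3 09:02:11 mail sm-mta[5120]: AUTH=server, relay=desk.example.com [192.0.2.10], authid=bob, mech=PLAIN, bits=0
Mar  3 09:02:12 mail sm-mta[5120]: m2392Ccc005120: from=<bob@example.com>, size=900, nrcpts=1, relay=desk.example.com [192.0.2.10]
Mar  3 09:30:00 mail sm-mta[5200]: m2393Udd005200: from=<c@example.net>, size=700, nrcpts=1, relay=mx.example.net [192.0.2.99]
"""

# Daemon pid and message body; AUTH line (client IP, login); accepted-message line.
PID_RE = re.compile(r"\b(?:sm-mta|sendmail)\[(\d+)\]: (.*)$")
AUTH_RE = re.compile(r"AUTH=server, relay=[^,]*?\[([^\]]+)\][^,]*, authid=([^,]+),")
SENT_RE = re.compile(r"\bfrom=.*\bnrcpts=(\d+)")

def tally_by_login(log_text):
    """Return {login: {"sessions", "ips", "rcpts"}} for authenticated SMTP sessions."""
    pid_login = {}  # daemon pid -> login that authenticated on that connection
    stats = defaultdict(lambda: {"sessions": 0, "ips": set(), "rcpts": 0})
    for line in log_text.splitlines():
        m = PID_RE.search(line)
        if not m:
            continue
        pid, rest = m.groups()
        auth = AUTH_RE.search(rest)
        if auth:
            ip, login = auth.groups()
            pid_login[pid] = login  # pids get reused; the newest AUTH line wins
            stats[login]["sessions"] += 1
            stats[login]["ips"].add(ip)
            continue
        sent = SENT_RE.search(rest)
        if sent and pid in pid_login:  # unauthenticated mail is not counted
            stats[pid_login[pid]]["rcpts"] += int(sent.group(1))
    return dict(stats)

def suspicious(stats, max_ips=1, max_rcpts=20):
    """Logins seen from more client IPs or with more recipients than allowed."""
    return sorted(login for login, s in stats.items()
                  if len(s["ips"]) > max_ips or s["rcpts"] > max_rcpts)

if __name__ == "__main__":
    result = tally_by_login(SAMPLE_LOG)
    for login in suspicious(result):
        print(login, result[login]["sessions"], sorted(result[login]["ips"]), result[login]["rcpts"])
```

Because the join is on pid alone, run it over a window short enough that pid reuse is unlikely, or reset the mapping when the log rotates.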