Stefano Bagnara wrote:
> Maybe I found an answer to this looking at source code.
> AuthCmdHandler logs at INFO level the "AUTH method PLAIN succeded" but
> only at DEBUG level an "AUTH method LOGIN succeded".
> So maybe your client is using the LOGIN style to auth.
> You probably want to increase your log level for SMTPServer to DEBUG...

I did take a look at the AuthCmdHandler myself, but missed the fact that
the LOGIN authentication was logged at debug level. I've patched
AuthCmdHandler to log the username as well and changed the log level to
DEBUG. I can of course not guarantee that no one has managed to
compromise a password and is abusing an existing account for relaying
spam, but I ruled that out, since the lack of log output made me believe
that the client was not authenticated.
I've tried to find any kind of information in the other log files and
found lots of POP3 connections from a similar IP address (same hosting
company) a few days earlier. It might be possible that someone has
managed to find a POP3 password with a dictionary attack and used it
later to get authenticated SMTP access. It's not clear to me however
from the POP3 log if a login was successful or failed, as it only logs
"connection from ..." and then "connection for <user name> ... closed".
I'll leave it with that for the moment and "hope" that I'll experience a
similar attack soon and get some more information out of the SMTP log.
Many thanks to you and David for helping me out!
Regards,
Tor
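
One way to test the hypothesis in the message above, as an added example that is not part of the original message or of the James code base: it flags SMTP AUTH successes for a user that follow a burst of POP3 connections for the same user from the same network block. The record layout, event names, /24 grouping, thresholds and sample lines are constructed assumptions, not the James log format.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records, NOT the James log format: time service event ip user
SAMPLE = [f"2008-03-01T02:00:{s:02d} pop3 connect 203.0.113.17 alice" for s in range(30)]
SAMPLE += [
    "2008-03-04T11:15:00 smtp auth-ok 203.0.113.99 alice",  # same /24, three days later
    "2008-03-04T11:20:00 pop3 connect 198.51.100.5 bob",
    "2008-03-04T11:21:00 smtp auth-ok 198.51.100.5 bob",    # ordinary mail client
    "garbage line",
]

def parse(lines):
    """Yield (time, service, event, ip, user); skip lines that do not parse."""
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            yield (datetime.fromisoformat(parts[0]), parts[1], parts[2],
                   ipaddress.ip_address(parts[3]), parts[4])
        except ValueError:
            continue

def network_of(ip):
    """Group by provider-sized block: /24 for IPv4, /64 for IPv6 (assumed sizes)."""
    return ipaddress.ip_network(f"{ip}/{24 if ip.version == 4 else 64}", strict=False)

def suspicious_auths(lines, min_pop3=20, window=timedelta(days=7)):
    """Return SMTP AUTH successes preceded by a POP3 connection burst
    for the same user from the same network within `window`."""
    pop3 = defaultdict(list)  # (network, user) -> POP3 connection times
    hits = []
    for ts, service, event, ip, user in sorted(parse(lines), key=lambda r: r[0]):
        key = (network_of(ip), user)
        if service == "pop3" and event == "connect":
            pop3[key].append(ts)
        elif service == "smtp" and event == "auth-ok":
            recent = [t for t in pop3[key] if ts - window <= t < ts]
            if len(recent) >= min_pop3:
                hits.append((ts.isoformat(), str(ip), user, len(recent)))
    return hits

if __name__ == "__main__":
    for hit in suspicious_auths(SAMPLE):
        print(hit)
```

Because the POP3 log described above does not record whether a login succeeded, the check relies on connection volume alone, so a hit is a lead to investigate and not proof of a guessed password.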