Bill,
Thus spoke Bill Cole <[EMAIL PROTECTED]> on Monday, 1 September 2003 at 11:08 AM +1000:
I'm getting a spammer cracking authentication:
10:51:53 1 SMTP-170([211.158.32.247]) SPAM? Host is blacklisted per RBL sbl.spamhaus.org with result [127.0.0.2]
10:51:53 1 SMTP-171([211.158.32.247]) SPAM? Host is blacklisted per RBL sbl.spamhaus.org with result [127.0.0.2]
10:51:53 3 SMTP-170(actinometer) Failed to verify. Real address is [211.158.32.247:3174]
10:51:54 3 SMTP-171(expectantly) Failed to verify. Real address is [211.158.32.247:3175]
10:51:57 2 SMTP-170([211.158.32.247]) {S.0001570181} received, 997 bytes
Will the log "all info" tell me which account that they are logging in on?
I'm not clear on why you are convinced that they are 'cracking authentication' but turning up the logging to 'all info' in the SMTP, General, and Router settings will show you precisely what is happening.
The first two lines say that the ip# 211.158.32.247 is blacklisted, ok?
Yes.
The third and fourth show accounts we don't have
No, they show names that the sending side claimed in a HELO. Note also that these are 2 distinct sessions.
and the fifth looks like we have just accepted email from 211.158.32.247
Yes.
and we relayed it later:
10:51:57 2 SYSTEM [S.0001570181] S.0001570181 1+0 From:[EMAIL PROTECTED]
10:51:57 4 SYSTEM [S.0001570181] submitted
10:53:52 4 SYSTEM(SMTP) [S.0001570181] opened, count=1
10:53:54 2 SMTP-196(202.129.103.11) [S.0001570181] sent, 903 bytes
10:53:54 4 SYSTEM(SMTP) [S.0001570181] closed, count=0
10:53:54 2 SYSTEM(SMTP) [S.0001570181] sent to (hotmail.com)baxaxa
10:54:09 2 SYSTEM [S.0001570181] deleted
That is indeed disturbing.
2 things to check:
1. Is 'relay for clients only' on?
2. Was there any other traffic from that IP address, particularly POP traffic?
-- Bill Cole [EMAIL PROTECTED]
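
Added example, not part of the original thread: a Python sketch that automates the correlation done by hand above, linking an RBL-flagged inbound SMTP session to the message id it submitted and to the later "sent to" line. The line layout is inferred from the quoted excerpts only, and the function and field names are hypothetical.

```python
import re

# A subset of the log lines quoted in the thread above.
SAMPLE_LOG = """\
10:51:53 1 SMTP-170([211.158.32.247]) SPAM? Host is blacklisted per RBL sbl.spamhaus.org with result [127.0.0.2]
10:51:53 1 SMTP-171([211.158.32.247]) SPAM? Host is blacklisted per RBL sbl.spamhaus.org with result [127.0.0.2]
10:51:53 3 SMTP-170(actinometer) Failed to verify. Real address is [211.158.32.247:3174]
10:51:54 3 SMTP-171(expectantly) Failed to verify. Real address is [211.158.32.247:3175]
10:51:57 2 SMTP-170([211.158.32.247]) {S.0001570181} received, 997 bytes
10:51:57 4 SYSTEM [S.0001570181] submitted
10:53:54 2 SMTP-196(202.129.103.11) [S.0001570181] sent, 903 bytes
10:53:54 2 SYSTEM(SMTP) [S.0001570181] sent to (hotmail.com)baxaxa
10:54:09 2 SYSTEM [S.0001570181] deleted
"""

# Line layout inferred from those excerpts (assumption): time, level, channel(peer), text.
LINE = re.compile(r"^(\d\d:\d\d:\d\d) (\d) ([A-Z]+(?:-\d+)?)(?:\((.*?)\))? (.*)$")
RBL = re.compile(r"blacklisted per RBL (\S+)")
HELO = re.compile(r"Failed to verify\. Real address is \[([\d.]+):\d+\]")
RECEIVED = re.compile(r"\{(S\.\d+)\} received")
SENT_TO = re.compile(r"\[(S\.\d+)\] sent to \(([^)]+)\)")

def relayed_from_blacklisted(log_text):
    """Return messages accepted from an RBL-listed peer and later sent to a remote domain."""
    listed, helo, received, findings = {}, {}, {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        when, _level, channel, peer, text = m.groups()
        ip = (peer or "").strip("[]")
        if hit := RBL.search(text):
            listed[(channel, ip)] = hit.group(1)          # session flagged by the RBL
        elif hit := HELO.search(text):
            helo[(channel, hit.group(1))] = peer          # peer field holds the HELO name
        elif hit := RECEIVED.search(text):
            received[hit.group(1)] = (channel, ip, when)  # message id -> inbound session
        elif (hit := SENT_TO.search(text)) and hit.group(1) in received:
            src_channel, src_ip, t_in = received[hit.group(1)]
            if (src_channel, src_ip) in listed:
                findings.append({
                    "msg_id": hit.group(1), "source_ip": src_ip,
                    "helo": helo.get((src_channel, src_ip)),
                    "rbl": listed[(src_channel, src_ip)],
                    "received_at": t_in, "relayed_at": when,
                    "relayed_to": hit.group(2),
                })
    return findings

if __name__ == "__main__": print(relayed_from_blacklisted(SAMPLE_LOG))
```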
