At 3:37 PM +0100 8/29/07, Clive Bruton imposed structure on a stream
of electrons, yielding:

> On 29 Aug 2007, at 15:06, Bill Cole wrote:
>
>> If you have SMTP AUTH or POP-before-SMTP enabled, it is likely that
>> this is the result of the spammer guessing the password of some
>> account and using that to open up relay access. Unfortunately, the
>> most commonly guessed passwords are those of common accounts, e.g.
>> 'postmaster' for a SIMS system.
>
> Is there SMTP auth in SIMS!?

Yes.

> ("Advertise AUTH capability" - I've never been able to get that to work).

It's actually always there, but that switch makes it visible to
clients. I never had any trouble making it work.

> POP-before-SMTP is the way it works right now.
>
>> Without deep logging, it is impossible to know for sure why SIMS
>> let that mail through. I always recommend setting logging for every
>> piece other than the HTTP module in SIMS to "All" but I'm a log
>> fetishist. Having full logs is only problematic if you are short
>> on disk space and/or lack good tools for examining them, two
>> problems that are readily fixed. Lacking full logs means you lack
>> necessary data to be able to figure out unexpected events, and that
>> missing information is gone for good.
>
> Right, the data to track is gone. I thought I had pretty good
> passwords that weren't susceptible to dictionary-type attacks, but I
> have seen people trying these in the past. I am pretty short on disk
> space, and this (beige) G3 is overdue for retirement, so I don't
> think it's going to get upgraded. Perhaps I'll move some things
> around.
>
> I can look through the logs with BBEdit, do you recommend something else?

BBEdit is certainly capable, particularly if you are good with
regular expressions for searching through the logs.

> I'll watch the logs over the next few weeks to see if I can find any
> repeated attempted log-ins.

Good Luck.
--
Bill Cole
[EMAIL PROTECTED]
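One way to do the log-watching described above, as an added example that is not part of the original thread and not SIMS' own code: a short Python script that reads constructed sample log lines (a made-up generic format, not the real SIMS log layout; the regex is the piece to adapt) and flags any source address that fails authentication repeatedly within a short window, noting whether a successful login followed the burst, which is the guessed-password-then-relay case worth looking at first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines in a made-up generic format (NOT the real SIMS log
# layout); adjust LINE_RE to whatever your server actually writes.
SAMPLE_LOG = """\
2007-08-29 14:02:11 SMTP [203.0.113.5] AUTH postmaster FAILED
2007-08-29 14:02:14 SMTP [203.0.113.5] AUTH postmaster FAILED
2007-08-29 14:02:19 SMTP [203.0.113.5] AUTH postmaster FAILED
2007-08-29 14:02:25 SMTP [203.0.113.5] AUTH postmaster OK
2007-08-29 14:05:40 POP [198.51.100.7] AUTH clive FAILED
2007-08-29 14:06:02 POP [198.51.100.7] AUTH clive OK
2007-08-29 15:10:00 SMTP [192.0.2.9] AUTH admin FAILED
2007-08-29 15:40:00 SMTP [192.0.2.9] AUTH admin FAILED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<svc>SMTP|POP) "
    r"\[(?P<ip>[\d.]+)\] AUTH (?P<user>\S+) (?P<result>FAILED|OK)$"
)

def find_guessing(log_text, threshold=3, window=timedelta(minutes=10)):
    """Map (ip, user) -> (total_failures, success_after_burst) for every
    source with >= threshold failures inside `window`. A True second value
    is the guessed-password-then-relay pattern: look at those first."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated lines are skipped, not fatal
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events[(m["ip"], m["user"])].append((ts, m["result"]))
    hits = {}
    for key, evs in events.items():
        evs.sort()
        fails = [t for t, r in evs if r == "FAILED"]
        burst_end = None  # timestamp closing the first qualifying burst
        for i in range(len(fails) - threshold + 1):
            if fails[i + threshold - 1] - fails[i] <= window:
                burst_end = fails[i + threshold - 1]
                break
        if burst_end is None:
            continue
        success_after = any(r == "OK" and t > burst_end for t, r in evs)
        hits[key] = (len(fails), success_after)
    return hits

if __name__ == "__main__":
    for (ip, user), (n, ok) in find_guessing(SAMPLE_LOG).items():
        print(f"{ip} -> {user}: {n} failures" + (", then SUCCESS" if ok else ""))
```

Feed it a real log by reading the file into `log_text` after rewriting `LINE_RE` for that format; a lower `threshold` with a longer `window` catches slow, spread-out guessing at the cost of more noise.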
#############################################################
This message is sent to you because you are subscribed to
the mailing list <SIMS@mail.stalker.com>.
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to <[EMAIL PROTECTED]>