[CentOS] SMTP Auth Spam Mail Attack

Paul Shuttleworth

centos at aqualec.co.uk
Sat Oct 5 16:19:43 UTC 2013


Hi All

I have a server which seems to be getting spam relayed through it.

The story is this.....

User reported loads of undeliverables being received so I had a trawl
through the logs.

So the attacker connects to our server using SMTP AUTH........

Oct  5 15:17:53 www sendmail[6972]: AUTH=server,
relay=pppoe9.net109-120-27.se1.omkc.ru [109.120.27.9] (may be forged),
authid=jon, mech=LOGIN, bits=0

This then seemingly passes the AUTH for the user jon and allows the system
to send e-mails such as the following.

Oct  5 15:17:58 www sendmail[6982]: r95EHqoc006972:
to=<qqueenllouise at aol.com>, ctladdr=<jon at xxxxxxxx.co.uk> (516/100),
delay=00:00:05, xdelay=00:00:02, mailer=esmtp, pri=300552,
relay=mailin-03.mx.aol.com. [205.188.156.193], dsn=2.0.0, stat=Sent (2.0.0
Ok: queued as B648F3800008D)

Now there seem to be 2 user names that appear in the logs with the authid=

one is jon as above and the other is jon at xxxxx.co.uk (obviously I have
replaced the real domain with xxxxx)

Now the interesting thing is that there are only a handful of sites on the
server and they are set up so the site has a main username and any other
addresses that need to accept mail are set as aliases.

So in effect there is only one user per domain with one email account.

So despite the main account not being "jon" or "jon at xxxxx.co.uk", and there
being no users on the domain with those usernames, SMTP auth accepts the
user and authenticates correctly to allow the relay through.

I have checked the server with an external SMTP checker, and it is not an
open relay.
I have changed the password on the domain in question and they are still
getting in.
I have tried changing the password and sending mail with the old password,
this gets .. relaying denied, so SMTP auth is working ok.
I have been through the server and looked at each domain for these users,
I did find one called jon on an old domain which I have now deleted, just
in case this was accepting the SMTP auth.

Has anyone any idea how they can be authenticating against SMTP auth with
a username that does not exist on the server ?

Any pointers towards next steps appreciated, as I am running out of ideas
to try and lock this server down.


Cheers

Paul.



-- 


There are only 10 types of people in the world..
Those who understand binary and those who don't
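A log-triage script for the situation described in this thread, added here as an illustration and not part of the original post. It parses sendmail `AUTH=server` lines, flags any `authid` that is not in a list of accounts the server is known to have, and counts the messages each authenticated session relayed by matching the queue ID's trailing six digits against the PID of the process that logged the authentication (in the quoted lines, PID 6972 and queue ID `r95EHqoc006972`). The sample log lines, the account list and all host names and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the sendmail entries quoted in the post.
# Hosts, mailboxes and queue IDs are made up; only the field layout is real.
SAMPLE_LOG = """\
Oct  5 15:17:53 www sendmail[6972]: AUTH=server, relay=pppoe9.net109-120-27.se1.omkc.ru [109.120.27.9] (may be forged), authid=jon, mech=LOGIN, bits=0
Oct  5 15:17:58 www sendmail[6982]: r95EHqoc006972: to=<someone@example.com>, ctladdr=<jon@example.co.uk> (516/100), delay=00:00:05, xdelay=00:00:02, mailer=esmtp, pri=300552, relay=mx.example.net. [192.0.2.10], dsn=2.0.0, stat=Sent (2.0.0 Ok: queued as B648F3800008D)
Oct  5 15:17:58 www sendmail[6982]: r95EHqoc006972: to=<other@example.org>, ctladdr=<jon@example.co.uk> (516/100), delay=00:00:05, xdelay=00:00:02, mailer=esmtp, pri=300552, relay=mx.example.org. [192.0.2.11], dsn=2.0.0, stat=Sent (2.0.0 Ok: queued as 1234ABCD)
Oct  5 15:20:01 www sendmail[7001]: AUTH=server, relay=host.example.net [198.51.100.7], authid=jon@example.co.uk, mech=LOGIN, bits=0
Oct  5 15:21:10 www sendmail[7050]: AUTH=server, relay=office.example.co.uk [203.0.113.5], authid=alice, mech=PLAIN, bits=0
"""

# Assumed inventory of accounts that are allowed to authenticate (constructed).
KNOWN_ACCOUNTS = {"alice", "alice@example.co.uk"}

# sendmail logs a successful server-side authentication as one line with these fields.
AUTH_RE = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: AUTH=server, relay=(?P<relay>[^,]+), "
    r"authid=(?P<authid>[^,]+), mech=(?P<mech>[^,]+)"
)
# Each delivery attempt is logged under its queue ID with a to=<rcpt> field.
TO_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]+)>")
IP_RE = re.compile(r"\[([\d.]+)\]")


def pid_from_queue_id(qid):
    """The last six characters of a sendmail queue ID are the PID of the
    process that created the queue entry; return it, or None if malformed."""
    tail = qid[-6:]
    return int(tail) if tail.isdigit() else None


def audit_smtp_auth(log_text, known_accounts):
    """Return per-session findings: who authenticated, from where, whether the
    authid is a known account, and how many recipients that session relayed to."""
    sessions = []
    relayed_by_pid = defaultdict(int)
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            ip_match = IP_RE.search(m.group("relay"))
            sessions.append({
                "pid": int(m.group("pid")),
                "authid": m.group("authid"),
                "ip": ip_match.group(1) if ip_match else None,
                "mech": m.group("mech"),
                "known": m.group("authid") in known_accounts,
                "relayed": 0,
            })
            continue
        t = TO_RE.search(line)
        if t:
            pid = pid_from_queue_id(t.group("qid"))
            if pid is not None:
                relayed_by_pid[pid] += 1
    for s in sessions:
        s["relayed"] = relayed_by_pid.get(s["pid"], 0)
    unknown = sorted({s["authid"] for s in sessions if not s["known"]})
    return {"sessions": sessions, "unknown_authids": unknown}


if __name__ == "__main__":
    report = audit_smtp_auth(SAMPLE_LOG, KNOWN_ACCOUNTS)
    for s in report["sessions"]:
        flag = "OK     " if s["known"] else "UNKNOWN"
        print(f"{flag} authid={s['authid']!r:24} ip={s['ip']:15} "
              f"mech={s['mech']} relayed={s['relayed']}")
    print("unknown authids:", report["unknown_authids"])
```

Run it against `/var/log/maillog` by replacing `SAMPLE_LOG` with the file contents and `KNOWN_ACCOUNTS` with the real mailbox list; any `UNKNOWN` row with a non-zero relay count is a session worth investigating, and the `mech` column shows whether plaintext LOGIN/PLAIN was the path in, which is the usual sign of a guessed or leaked password rather than a hole in the relay rules.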


