[CentOS] SMTP Auth Spam Mail Attack

Sat Oct 5 19:39:45 UTC 2013
Paul Shuttleworth <centos at aqualec.co.uk>

> Baseline is, there is or has been a user "jon" usable for SMTP AUTH as
> you have shown by the log entry:
>
> Oct  5 15:17:53 www sendmail[6972]: AUTH=server,
> relay=pppoe9.net109-120-27.se1.omkc.ru [109.120.27.9] (may be forged),
> authid=jon, mech=LOGIN, bits=0
>
> Alexander
>

Hi Alexander

Well, the user jon has been deleted along with the entire domain the user
was in, and they are still relaying. Also, how is the user jon at xxxxx.co.uk
getting authorised when that user does not exist? These are a couple of
the latest successful relays from the logs.

Oct  5 17:45:51 www sendmail[32567]: AUTH=server,
relay=31-202-20-171-kh.maxnet.ua [31.202.20.171] (may be forged),
authid=jon, mech=LOGIN, bits=0
Oct  5 19:47:23 www sendmail[20547]: AUTH=server, relay=[178.126.88.216],
authid=jon at xxxxxxx.co.uk, mech=LOGIN, bits=0

It shows an example of both of the users that are being accepted.
I am just not sure how, when I am fairly sure they don't actually exist.

Paul.
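One way to triage AUTH=server entries like the ones above, as an added example that is not part of this thread: parse the sendmail auth lines, then flag every successful login whose authid is not in the list of accounts that should still exist. The sample lines are constructed from the two relays quoted in the post (re-joined onto single lines, with the archive's " at " restored to "@") plus one invented legitimate login; the active-account list is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: the two relays quoted above, each rejoined onto one
# line, plus one made-up legitimate login for contrast.
SAMPLE_LOG = """\
Oct  5 17:45:51 www sendmail[32567]: AUTH=server, relay=31-202-20-171-kh.maxnet.ua [31.202.20.171] (may be forged), authid=jon, mech=LOGIN, bits=0
Oct  5 19:47:23 www sendmail[20547]: AUTH=server, relay=[178.126.88.216], authid=jon at xxxxxxx.co.uk, mech=LOGIN, bits=0
Oct  5 20:01:07 www sendmail[20611]: AUTH=server, relay=[192.0.2.10], authid=alice, mech=LOGIN, bits=0
"""

# relay= is either "hostname [ip]" (optionally "(may be forged)") or just "[ip]".
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"AUTH=server, relay=(?:(?P<rhost>\S+) )?\[(?P<ip>[^\]]+)\](?P<forged> \(may be forged\))?, "
    r"authid=(?P<authid>[^,]+), mech=(?P<mech>\S+), bits=(?P<bits>\d+)$"
)


@dataclass
class AuthEvent:
    timestamp: str
    pid: int
    relay_ip: str
    relay_host: Optional[str]
    may_be_forged: bool
    authid: str
    mech: str


def parse_auth_line(line: str) -> Optional[AuthEvent]:
    """Return an AuthEvent for a successful AUTH=server line, else None."""
    m = AUTH_RE.match(line.strip())
    if not m:
        return None
    authid = m["authid"].replace(" at ", "@")  # undo list-archive address obfuscation
    return AuthEvent(m["ts"], int(m["pid"]), m["ip"], m["rhost"],
                     m["forged"] is not None, authid, m["mech"])


def find_unexpected_auth(log_text: str, active_accounts: set) -> List[AuthEvent]:
    """Flag logins whose local part is not an account that should still exist."""
    flagged = []
    for line in log_text.splitlines():
        ev = parse_auth_line(line)
        if ev is None:
            continue
        local_part = ev.authid.split("@", 1)[0]
        if local_part not in active_accounts:
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in find_unexpected_auth(SAMPLE_LOG, {"alice"}):  # assumed account list
        print(f"{ev.timestamp} authid={ev.authid} from {ev.relay_ip} forged={ev.may_be_forged}")
```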