On Monday 28 June 2004 02:13 pm, Kit Halsted wrote:
> Hey folks:
>
> Looks like spam is being relayed through my big server. Not sure how
> they're doing it; I'm using SMTP-AUTH (0.4.2) & it seems to work
> properly. Any clues would be appreciated & I'm happy to show whatever
> files people want to see, but for now I'm going on the assumption
> that someone has gotten a password & is authenticating. So, my
> question for this list is: is there a way to add an auth header to
> outgoing messages so I can see which account was used? Or is it
> logged somewhere by default? My apologies, I'm sure this is
> documented somewhere, but I'm not sure where & my priority right now
> is closing this hole.

If the server in question is the MX for kithalsted.com, it appears to be fine, so I'm assuming a weak password.

Stop qmail-send, look at the headers of one of the mails in the queue. It should have the username they authenticated with, and you should be able to look at that user and see if there's a weak password.

Either that, or you'll see "invoked by uid XX" where XX is a uid. grep XX /etc/passwd and see who is doing it. If it's the 'apache' or 'nobody' user (depending on your setup) then most likely it's a formmail script.

-Jeremy

--
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
[EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 847.492.0470 int'l
kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail
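
The queue check described in the reply above, generalized from one message to a tally over the whole queue. This is an added example, not part of the original thread or of qmail itself. It assumes the stock queue layout (`mess/<bucket>/<file>`) and that the SMTP-AUTH patch records the login as the `info` part of `(info@ip)` in the Received line; the function names and the sample messages are constructed for illustration.

```shell
#!/bin/sh
# Added example. Classify queued qmail messages by the Received lines the
# server itself prepended; anything below those is sender-controlled.
# Assumptions: stock layout QUEUE/mess/<bucket>/<file>, and an SMTP-AUTH patch
# that records the login as the "info" in "(info@ip)". Run with qmail-send stopped.

classify_msg() {   # $1 = message file, $2 = passwd file
    # Header block only, with folded continuation lines joined.
    hdr=$(sed '/^$/q' "$1" | awk '
        /^[ \t]/ { sub(/^[ \t]+/, " "); buf = buf $0; next }
        { if (NR > 1) print buf; buf = $0 }
        END { print buf }')
    first=$(printf '%s\n' "$hdr" | sed -n 1p)
    second=$(printf '%s\n' "$hdr" | sed -n 2p)
    case $first in
    "Received: (qmail "*" invoked by uid "*)
        uid=$(printf '%s\n' "$first" | sed 's/.*invoked by uid \([0-9]*\).*/\1/')
        # Match the uid field exactly; a bare grep would also hit gids and names.
        name=$(awk -F: -v u="$uid" '$3 == u { print $1; exit }' "${2:-/etc/passwd}")
        echo "local uid=$uid user=${name:-unknown}" ;;
    "Received: (qmail "*" invoked from network)"*)
        who=$(printf '%s\n' "$second" |
              sed -n 's/^Received: from .*(\([^() ]*\)@[0-9.]*).*/\1/p')
        echo "network info=${who:-none}" ;;
    *)  echo "unrecognized" ;;
    esac
}

tally_queue_origins() {   # $1 = queue dir, $2 = passwd file
    find "${1:-/var/qmail/queue}/mess" -type f | while IFS= read -r m; do
        classify_msg "$m" "$2"
    done | sort | uniq -c | sort -rn
}

make_sample_queue() {   # constructed sample data, not from the original thread
    q=$(mktemp -d) && mkdir -p "$q/mess/0" "$q/mess/1"
    printf 'apache:x:48:48::/var/www:/sbin/nologin\n' > "$q/passwd"
    for i in 1 2; do
        printf 'Received: (qmail %s invoked by uid 48); 28 Jun 2004 18:00:00 -0000\nSubject: a\n\nbody\n' "$i" > "$q/mess/0/$i"
    done
    printf 'Received: (qmail 9 invoked from network); 28 Jun 2004 18:00:00 -0000\nReceived: from unknown (HELO x) (jdoe@192.0.2.10)\n  by 0 with SMTP; 28 Jun 2004 18:00:00 -0000\n\nbody\n' > "$q/mess/1/9"
    echo "$q"
}

q=$(make_sample_queue); tally_queue_origins "$q" "$q/passwd"; rm -rf "$q"
```

The `info` field is also where an ident reply appears when tcpserver is not run with `-R`, so treat it as an authenticated login only if ident lookups are disabled.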