On Monday 28 June 2004 02:13 pm, Kit Halsted wrote:
Hey folks:
Looks like spam is being relayed through my big server. Not sure how they're doing it; I'm using SMTP-AUTH (0.4.2) & it seems to work properly. Any clues would be appreciated & I'm happy to show whatever files people want to see, but for now I'm going on the assumption that someone has gotten a password & is authenticating. So, my question for this list is: is there a way to add an auth header to outgoing messages so I can see which account was used? Or is it logged somewhere by default? My apologies, I'm sure this is documented somewhere, but I'm not sure where & my priority right now is closing this hole.
if the server in question is the MX for kithalsted.com, it appears to be fine,
It's the secondary for that domain, actually.
so I'm assuming a weak password. stop qmail-send, look at the headers of one of the mails in the queue. it should have the username they authenticated with, and you should be able to look at that user and see if there's a weak password.
I don't see it, am I just missing something?
Either that, or you'll see "invoked by uid XX" where XX is a uid. grep XX /etc/passwd and see who is doing it. If it's the 'apache' or 'nobody' user (depending on your setup) then most likely it's a formmail script.
Sample headers follow, uid 89 is vpopmail.
athena:domains {153} less /var/qmail/queue/mess/0/343988
Received: (qmail 8349 invoked by uid 1028); 27 Jun 2004 20:24:12 -0000
Received: from [EMAIL PROTECTED] by athena.interdyne.net by uid 89
with qmail-scanner-1.22
(clamdscan: 0.71. spamassassin: 2.63. Clear:RC:1(218.81.107.125):.
Processed in 1.224261 secs); 27 Jun 2004 20:24:12 -0000
Received: from unknown (HELO exhausted) ([EMAIL PROTECTED])
by athena.interdyne.net with SMTP; 27 Jun 2004 20:24:10 -0000
From: "Sue Fox"<[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Do you want to p|1easure your partner every time?
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Qmail-Scanner-Message-ID: <[EMAIL PROTECTED]>
<html><body ><b><font color=#FF0000>
C1AL`IS & LEV1`TRA al10ws men to achieve an ERECTION up to 36 h0urs after 1NGEST
<...>
Thanks,
-Kit
--
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin
"...qui desiderat pacem, praeparet bellum" (...if you would have peace, be prepared for war) -Flavius Vegetius Renatus
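The advice in the thread (stop qmail-send, read the headers of queued messages under /var/qmail/queue/mess/, look for the authenticated login and the "invoked by uid" value, then map that uid through /etc/passwd) is a manual triage loop. The script below is an added example, not code from the thread or from qmail, that automates it over a batch of queue files so the abused login and the source IPs stand out. It assumes the token the list archive scrubbed to "[EMAIL PROTECTED]" after the HELO has the shape "authuser@remote-ip" (the form the SMTP-AUTH patch is assumed to record); the sample header blocks, the uids other than 89 (vpopmail, per the thread), the login "sue" and the IP addresses are all constructed.

```python
import re
import sys
from collections import Counter

# Constructed sample queue files, modelled on the headers quoted in the thread.
# Continuation lines are folded with leading whitespace, as in a real header.
SAMPLE_MESSAGES = [
    """Received: (qmail 8349 invoked by uid 1028); 27 Jun 2004 20:24:12 -0000
Received: from sue@198.51.100.23 by athena.interdyne.net by uid 89
  with qmail-scanner-1.22
  (clamdscan: 0.71. spamassassin: 2.63. Clear:RC:1(198.51.100.23):.
  Processed in 1.224261 secs); 27 Jun 2004 20:24:12 -0000
Received: from unknown (HELO exhausted) (sue@198.51.100.23)
  by athena.interdyne.net with SMTP; 27 Jun 2004 20:24:10 -0000
Subject: constructed sample one (authenticated submission)
""",
    """Received: (qmail 8350 invoked by uid 1028); 27 Jun 2004 20:31:02 -0000
Received: from sue@203.0.113.9 by athena.interdyne.net by uid 89
  with qmail-scanner-1.22
  (clamdscan: 0.71. spamassassin: 2.63. Clear:RC:1(203.0.113.9):.
  Processed in 0.9 secs); 27 Jun 2004 20:31:02 -0000
Received: from unknown (HELO exhausted) (sue@203.0.113.9)
  by athena.interdyne.net with SMTP; 27 Jun 2004 20:31:00 -0000
Subject: constructed sample two (same login, different source IP)
""",
    """Received: (qmail 9001 invoked by uid 48); 27 Jun 2004 21:02:44 -0000
Received: from unknown (HELO localhost) (127.0.0.1)
  by athena.interdyne.net with SMTP; 27 Jun 2004 21:02:44 -0000
Subject: constructed sample three (no SMTP-AUTH login, local uid)
""",
]

# Constructed /etc/passwd excerpt: uid 89 is vpopmail as the thread states;
# the other entries are hypothetical.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
apache:x:48:48:Apache:/var/www:/sbin/nologin
vpopmail:x:89:89:vpopmail:/home/vpopmail:/sbin/nologin
qscand:x:1028:1028:qmail-scanner:/var/spool/qscan:/sbin/nologin
"""

# "Received: (qmail NNN invoked by uid XX)" written by qmail-inject/qmail-queue.
RE_INVOKED = re.compile(r"^Received: \(qmail \d+ invoked by uid (\d+)\)")
# qmail-scanner's own trace line, which also names the uid it ran as.
RE_SCANNER = re.compile(r"^Received: from \S+ by \S+ by uid (\d+) with qmail-scanner")
# qmail-smtpd trace line; the "(login@ip)" form is assumed for SMTP-AUTH sessions,
# plain "(ip)" for unauthenticated ones.
RE_SMTPD = re.compile(
    r"^Received: from (\S+) \(HELO ([^)]*)\) \((?:([^@)]+)@)?([\d.]+)\)"
)


def parse_passwd(text):
    """Map numeric uid -> login name from passwd-format text."""
    names = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            names[int(fields[2])] = fields[0]
    return names


def unfold_headers(raw):
    """Return the header block as one string per logical header (RFC 2822 unfolding)."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break  # end of header block
        if line[:1] in " \t" and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers


def attribute(raw, uid_names):
    """Extract who injected the message (uids), and the SMTP login/HELO/IP if present."""
    info = {"uids": [], "users": [], "auth_user": None, "helo": None, "remote_ip": None}
    for header in unfold_headers(raw):
        m = RE_INVOKED.match(header) or RE_SCANNER.match(header)
        if m:
            uid = int(m.group(1))
            info["uids"].append(uid)
            info["users"].append(uid_names.get(uid, f"uid {uid} (not in passwd)"))
            continue
        m = RE_SMTPD.match(header)
        if m:
            info["helo"], info["auth_user"], info["remote_ip"] = m.group(2), m.group(3), m.group(4)
    return info


def summarize(messages, uid_names):
    """Group queued messages by SMTP-AUTH login, counting source IPs per login."""
    by_login = {}
    for raw in messages:
        info = attribute(raw, uid_names)
        login = info["auth_user"] or "<unauthenticated>"
        by_login.setdefault(login, Counter())[info["remote_ip"]] += 1
    return by_login


def main(argv):
    # With queue file paths on the command line, read them and the real passwd;
    # otherwise run on the constructed samples.
    if argv:
        uid_names = parse_passwd(open("/etc/passwd").read())
        messages = [open(p, errors="replace").read() for p in argv]
    else:
        uid_names, messages = parse_passwd(SAMPLE_PASSWD), SAMPLE_MESSAGES
    for login, ips in summarize(messages, uid_names).items():
        print(f"{login}: {sum(ips.values())} message(s) from {dict(ips)}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it as `python3 attribute_queue.py /var/qmail/queue/mess/*/*` after stopping qmail-send, as the thread suggests. A single login submitting from several unrelated IPs, as the samples show for "sue", is the pattern a stolen SMTP-AUTH password produces; messages with no login but a uid of a web-server or "nobody" account point instead at the formmail-script case the reply mentions.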