Focus on Linux
Spam sent through server using authid=apache or mysql May 30 2008 04:49PM
Stephen Pusey (scp stjohn gmail com) (2 replies)
Re: Spam sent through server using authid=apache or mysql May 30 2008 06:44PM
John Jasen (jjasen realityfailure org)
Re: Spam sent through server using authid=apache or mysql May 30 2008 05:45PM
Mark Frey (markfrey extendcomm com)
On 5/30/2008 12:49 PM, Stephen Pusey wrote:
> I'm new to this mailing list - but I am hoping that someone out there
> may bring light to a problem I am having recently with spammers. I do
> not allow relaying through the server and external tests have
> confirmed that there are no open relays. I have also run a test for
> open ports with pxytest - and none were found. Email can only be
> relayed by users logged on through SASL etc. I have checked all the
> user directories for old formmail programs and disabled any that I
> found - but the apache logs do not show the spammer using POST or
> formmail. The record of the spam only appears in the maillog. Here
> is an example (I have changed the server name and the spammer's
> IP address):
>
> May 21 08:12:32 thismachine sendmail[16842]: AUTH=server,
> relay=ip68-92-154-163.z154-92-62.customer.algz.net [68.92.154.163],
> authid=apache, mech=LOGIN, bits=0

Looks like they guessed the password for your 'apache' user.

>
> spammers have also used authid=mysql

Same for mysql user. Except neither of these users should have valid
password entries.

Or, something's wrong with your SASL so that it's authenticating valid
user names with non-existent passwords?

Try sending email yourself with SASL, username apache and blank password?

Mark.
>
> Y'awl probably think I am an idiot for not figuring this out - but I
> would really appreciate your help - or direction to the right place.
>
> Thanks,
>
> SCP
>

--
Mark Frey
IT Manager
Extend Communications Inc
49 Charlotte St
Brantford ON N3T 2W4
519 759-6820
800 265-9975
Fax: 519 751-5701
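
Added example, not part of the original thread: a Python check for the two conditions discussed above, SMTP AUTH records in the maillog whose authid is a service account, and service accounts whose shadow password field is not locked. The function names, the SERVICE_ACCOUNTS set and all sample lines are assumptions constructed for illustration (relay addresses are documentation ranges).

```python
import re

# Field layout follows the sendmail AUTH record quoted in the thread.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssendmail\[\d+\]:\s+AUTH=server,\s*"
    r"relay=(?P<relay>.*?),\s*authid=(?P<authid>[^,\s]+),\s*mech=(?P<mech>[^,\s]+)"
)
SERVICE_ACCOUNTS = {"apache", "mysql"}  # assumption: must never use SMTP AUTH

# Constructed sample data (not taken from a real host).
SAMPLE_LOG = [
    "May 21 08:12:32 thismachine sendmail[16842]: AUTH=server, relay=host.example.net [192.0.2.10], authid=apache, mech=LOGIN, bits=0",
    "May 21 08:13:05 thismachine sendmail[16850]: AUTH=server, relay=client.example.org [198.51.100.7], authid=alice, mech=PLAIN, bits=0",
    "May 21 08:14:11 thismachine sendmail[16861]: AUTH=server, relay=[203.0.113.5], authid=mysql, mech=LOGIN, bits=0",
]
SAMPLE_SHADOW = [
    "apache:$1$constructed$notarealhashvalue000000:14029:0:99999:7:::",
    "mysql::14029:0:99999:7:::",
    "named:!!:14029::::::",
]

def service_auth_events(log_lines, accounts=SERVICE_ACCOUNTS):
    """Return (timestamp, authid, relay, mech) for each AUTH by a service account."""
    events = []
    for line in log_lines:
        m = AUTH_RE.match(line)
        if m and m.group("authid").lower() in accounts:
            events.append((m.group("ts"), m.group("authid"), m.group("relay"), m.group("mech")))
    return events

def password_state(field):
    """Classify the password (second) field of an /etc/shadow entry."""
    if field == "":
        return "empty"  # no password required to authenticate as this user
    return "locked" if field[0] in "!*" else "usable"  # usable: a hash is set

def risky_service_accounts(shadow_lines, accounts=SERVICE_ACCOUNTS):
    """Map each service account whose password is empty or usable to that state."""
    risky = {}
    for line in shadow_lines:
        name, _, rest = line.rstrip("\n").partition(":")
        state = password_state(rest.split(":")[0])
        if ":" in line and name in accounts and state != "locked":
            risky[name] = state
    return risky

if __name__ == "__main__":
    print(service_auth_events(SAMPLE_LOG))
    print(risky_service_accounts(SAMPLE_SHADOW))
```

On a live host, pass in the lines of the maillog and of /etc/shadow (readable by root) in place of the constructed samples.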

Copyright 2010, SecurityFocus