I have a server which seems to be getting spam relayed through it.
The story is this...
User reported loads of undeliverables being received, so I had a trawl through the logs.
So the attacker connects to our server using SMTP auth:
Oct 5 15:17:53 www sendmail: AUTH=server, relay=pppoe9.net109-120-27.se1.omkc.ru [188.8.131.52] (may be forged), authid=jon, mech=LOGIN, bits=0
This then seemingly passes the AUTH for the user jon and allows the system to send e-mails such as the following.
Oct 5 15:17:58 www sendmail: r95EHqoc006972: to=, ctladdr= (516/100), delay :00:05, xdelay :00:02, mailer=esmtp, pri00552, relay=mailin-03.mx.aol.com. [184.108.40.206], dsn=2.0.0, stat=Sent (2.0.0 Ok: queued as B648F3800008D)
Now there seem to be 2 user names that appear in the logs with the authid: one is jon, as above, and the other is email@example.com (obviously I have replaced the real domain with xxxxx).
Now the interesting thing is that there are only a handful of sites on the server and they are set up so the site has a main username and any other addresses that need to accept mail are set as aliases.
So in effect there is only one user per domain with one email account.
So despite the main account not being "jon" or "firstname.lastname@example.org", and there being no users on the domain with those usernames, SMTP auth accepts the user and authenticates correctly to allow the relay through.
I have checked the server with an external SMTP checker, and it is not an open relay. I have changed the password on the domain in question and they are still getting in. I have tried changing the password and sending mail with the old password; this gets "relaying denied", so SMTP auth is working ok. I have been through the server and looked at each domain for these users. I did find one called jon on an old domain, which I have now deleted, just in case this was accepting the SMTP auth.
Has anyone any idea how they can be authenticating against SMTP auth with a username that does not exist on the server?
Any pointers towards next steps appreciated, as I am running out of ideas to try and lock this server down.
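One way to triage the logs described in the post, added here as an example and not code from the original poster. It parses sendmail `AUTH=server` lines, summarises which authids logged in from which IPs (and how often reverse DNS was flagged "may be forged"), and lists every authid that is not in a list of the accounts actually configured on the server. The sample log and the `KNOWN_ACCOUNTS` list are constructed for the example: the first AUTH line is the one quoted in the post, the other lines are made up in the same format, and the 192.0.2.x addresses are documentation addresses.

```python
"""Triage sendmail SMTP AUTH events: which authids log in, from where, and which of
them are not accounts that should exist on this server (added example, not the
original poster's code)."""
import re
import sys
from collections import defaultdict

# Constructed sample log. The first AUTH line is the one quoted in the post; the
# remaining lines are made up for this example (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = """\
Oct 5 15:17:53 www sendmail: AUTH=server, relay=pppoe9.net109-120-27.se1.omkc.ru [188.8.131.52] (may be forged), authid=jon, mech=LOGIN, bits=0
Oct 5 15:17:58 www sendmail: r95EHqoc006972: to=<recipient@example.net>, mailer=esmtp, stat=Sent
Oct 5 15:18:02 www sendmail: AUTH=server, relay=[192.0.2.10], authid=jon, mech=LOGIN, bits=0
Oct 5 15:20:11 www sendmail: AUTH=server, relay=mail.example.net [192.0.2.20], authid=siteowner, mech=PLAIN, bits=0
Oct 5 15:21:40 www sendmail: AUTH=server, relay=[192.0.2.30] (may be forged), authid=info@xxxxx.example, mech=LOGIN, bits=0
"""

# Placeholder: the one real SMTP AUTH account per domain that the server is meant to have.
KNOWN_ACCOUNTS = ["siteowner"]

# sendmail AUTH line: relay is "host [ip]" or just "[ip]" when there is no PTR record,
# optionally followed by "(may be forged)" when forward and reverse DNS disagree.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail(?:\[\d+\])?: AUTH=server, "
    r"relay=(?:(?P<host>\S+) )?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r"(?P<forged> \(may be forged\))?, authid=(?P<authid>\S+), mech=(?P<mech>\S+), bits=(?P<bits>\d+)"
)


def parse_auth_events(lines):
    """Return one dict per SMTP AUTH log line; delivery and other lines are ignored."""
    events = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            event = m.groupdict()
            event["forged"] = bool(event["forged"])  # normalise the optional marker to a flag
            events.append(event)
    return events


def summarise_by_authid(events):
    """authid -> {count, ips, mechs, forged_ptr}: how many logins, from where, how."""
    summary = defaultdict(lambda: {"count": 0, "ips": set(), "mechs": set(), "forged_ptr": 0})
    for e in events:
        s = summary[e["authid"]]
        s["count"] += 1
        s["ips"].add(e["ip"])
        s["mechs"].add(e["mech"])
        s["forged_ptr"] += int(e["forged"])
    return dict(summary)


def flag_unknown_authids(events, known_accounts):
    """Map each accepted authid that is NOT a configured account to its source IPs.
    Anything listed here was accepted by the AUTH backend for a name the mail
    configuration does not know about, which is where to start digging."""
    known = set(known_accounts)
    flagged = defaultdict(set)
    for e in events:
        if e["authid"] not in known:
            flagged[e["authid"]].add(e["ip"])
    return {authid: sorted(ips) for authid, ips in flagged.items()}


if __name__ == "__main__":
    # Usage: python triage_auth.py /var/log/maillog   (falls back to the built-in sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    events = parse_auth_events(lines)
    for authid, s in sorted(summarise_by_authid(events).items()):
        print(f"{authid}: {s['count']} logins from {sorted(s['ips'])} via {sorted(s['mechs'])}, "
              f"{s['forged_ptr']} with forged reverse DNS")
    for authid, ips in flag_unknown_authids(events, KNOWN_ACCOUNTS).items():
        print(f"UNKNOWN authid accepted: {authid} from {ips}")
```

Point it at the real maillog instead of the built-in sample; the "UNKNOWN authid accepted" lines are the usernames to check against whatever backend the server's SMTP AUTH actually consults, since that backend need not be the same set of accounts as the mail domains' mailboxes.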