Security Basics mailing list archives
Qmail + SMTP Auth - Auth being bypassed?
From: "Andrew Aris" <andrew () dev bigfishinternet co uk>
Date: Wed, 5 Jul 2006 09:18:46 +0100
Hi all,

I am running several Debian Sarge servers with qmail + SMTP auth. However, I am seeing large amounts of spam mail passing through the servers that appears to be coming in via SMTP. So far the only characteristic I've found in common with the mails is that they all use a spoofed From: address using one of the IP addresses for that server.

So far the angles I've covered are: it's not using the server's address as a spoofed IP (have blocked this at the F/W); it's not being injected locally (as far as I can tell); I think the idea that there is a compromised mail account and that's being used to send via the auth is unlikely, since it's affecting ALL our servers, including our storemail server which has no mail accounts.

Really starting to run out of ideas on how this is getting into the MTA! I've included a header of one such mail below (have edited our server IP out).

regards,
Andrew

Received: (qmail 27535 invoked by uid 1008); 5 Jul 2006 05:33:30 -0000
Received: from 202.8.87.185 by bfb001 (envelope-from <a214g326pp@[server ip here]>, uid 1002) with qmail-scanner-1.25st (clamdscan: 0.84/1539. spamassassin: 3.0.3. perlscan: 1.25st. Clear:RC:0(202.8.87.185):SA:1(6.8/5.0):. Processed in 4.327631 secs); 05 Jul 2006 05:33:30 -0000
X-Spam-Status: Yes, hits=6.8 required=5.0
X-Spam-Level: ++++++
X-Qmail-Scanner-Mail-From: a214g326pp@[server ip here] via bfb001
X-Qmail-Scanner: 1.25st (Clear:RC:0(202.8.87.185):SA:1(6.8/5.0):. Processed in 4.327631 secs Process 27505)
Received: from ppp-202.8.87.185.revip.proen.co.th (HELO ameillpu-7jat6i) (webmaster@202.8.87.185) by bfb001.bfhosting.co.uk with SMTP; 5 Jul 2006 05:33:26 -0000
From: "mojxks" <A214G326pp@[server ip here]>
Subject: SPAM *** =?GB2312?B?usNfzsRfubJfyc0=?=
To: xudidan () yeah net
Content-Type: TEXT/HTML
Date: Wed, 5 Jul 2006 13:33:50 +0800
X-Mailer: Microsoft Outlook, Build 10.0.2616
X-Qmail-Scanner-1.25st: added fake MIME-Version header
MIME-Version: 1.0
X-Qmail-Scanner-Message-ID: <115207760789427505@bfb001>
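As an added example (not part of the original post or of qmail itself): a small Python parser for the qmail-smtpd Received: line quoted above, of the kind a mail admin can run over the headers of flagged messages to see whether each one arrived through an authenticated session, and from which client. It assumes the header layout written by qmail-smtpd with the SMTP AUTH patch, where an authenticated session is recorded as "(user@client-ip)" after the HELO clause and an unauthenticated one as just "(client-ip)"; the sample headers and the 192.0.2.10 server address are constructed placeholders standing in for the edited "[server ip here]".

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the Received: line quoted in the post.
SAMPLE_RECEIVED_AUTH = (
    "from ppp-202.8.87.185.revip.proen.co.th (HELO ameillpu-7jat6i) "
    "(webmaster@202.8.87.185) by bfb001.bfhosting.co.uk with SMTP; "
    "5 Jul 2006 05:33:26 -0000"
)
# Constructed contrast case: same client, but no SMTP AUTH user recorded.
SAMPLE_RECEIVED_NOAUTH = (
    "from ppp-202.8.87.185.revip.proen.co.th (HELO ameillpu-7jat6i) "
    "(202.8.87.185) by bfb001.bfhosting.co.uk with SMTP; "
    "5 Jul 2006 05:33:26 -0000"
)
# Constructed envelope sender; 192.0.2.10 stands in for "[server ip here]".
SAMPLE_ENVELOPE_FROM = "a214g326pp@[192.0.2.10]"

# Assumption: qmail-smtpd with the SMTP AUTH patch writes
#   from <rdns> (HELO <helo>) (<authuser>@<ip>) by <server> ...
# for authenticated sessions and "(<ip>)" for unauthenticated ones.
RECEIVED_RE = re.compile(
    r"from (?P<rdns>\S+) \(HELO (?P<helo>[^)]*)\) "
    r"\((?:(?P<authuser>[^@)]+)@)?(?P<ip>[\d.]+)\) by (?P<server>\S+)"
)


@dataclass
class SmtpdReceived:
    rdns: str
    helo: str
    auth_user: Optional[str]   # None when the session was not authenticated
    client_ip: str
    server: str


def parse_received(value: str) -> Optional[SmtpdReceived]:
    """Parse one qmail-smtpd Received: header value; None if it does not match."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    return SmtpdReceived(m["rdns"], m["helo"], m["authuser"], m["ip"], m["server"])


def sender_domain_is_ip_literal(addr: str) -> bool:
    """True when the part after '@' is a bare or bracketed dotted-quad IP."""
    return re.search(r"@\[?(\d{1,3}(?:\.\d{1,3}){3})\]?$", addr) is not None


def assess(received_value: str, envelope_from: str) -> List[str]:
    """Return human-readable findings for one message's submission hop."""
    rcv = parse_received(received_value)
    if rcv is None:
        return ["unrecognised Received: format"]
    findings = []
    if rcv.auth_user:
        findings.append(
            f"relayed via SMTP AUTH as '{rcv.auth_user}' from {rcv.client_ip}"
        )
    else:
        findings.append(f"unauthenticated session from {rcv.client_ip}")
    if sender_domain_is_ip_literal(envelope_from):
        findings.append("envelope sender uses an IP address as its domain")
    if "." not in rcv.helo:
        findings.append(f"HELO '{rcv.helo}' is not a fully qualified host name")
    return findings


if __name__ == "__main__":
    for label, hdr in (("auth", SAMPLE_RECEIVED_AUTH), ("noauth", SAMPLE_RECEIVED_NOAUTH)):
        print(label)
        for line in assess(hdr, SAMPLE_ENVELOPE_FROM):
            print("  -", line)
```

Feed each flagged message's innermost qmail-smtpd Received: line into assess(); a non-empty auth_user on many spam messages points at the credentials being used, which is worth checking before ruling out an account, and an empty one points at an open-relay or local-injection path instead.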