Security Basics mailing list archives

Qmail + SMTP Auth - Auth being bypassed?


From: "Andrew Aris" <andrew () dev bigfishinternet co uk>
Date: Wed, 5 Jul 2006 09:18:46 +0100

Hi all,

I am running several Debian Sarge servers with qmail + SMTP auth. However, I am
seeing large amounts of spam mail passing through the servers that appears
to be coming via SMTP. So far the only characteristic I've found in common
with the mails is that they all use a spoofed FROM: address using one of the
IP addresses for that server.

So far the angles I've covered are that it's not using the server's address
as a spoofed IP (have blocked this at the F/W), it's not being injected
locally (as far as I can tell), and I think the idea that there is a
compromised mail account that's being used to send via the auth is
unlikely since it's affecting ALL our servers, including our storemail server,
which has no mail accounts. Really starting to run out of ideas on how this
is getting into the MTA!

I've included the headers of one such mail below (I have edited our server IP
out).

regards,

Andrew

Received: (qmail 27535 invoked by uid 1008); 5 Jul 2006 05:33:30 -0000
Received: from 202.8.87.185 by bfb001 (envelope-from <a214g326pp@[server ip
here]>, uid 1002) with qmail-scanner-1.25st
 (clamdscan: 0.84/1539. spamassassin: 3.0.3. perlscan: 1.25st.
 Clear:RC:0(202.8.87.185):SA:1(6.8/5.0):.
 Processed in 4.327631 secs); 05 Jul 2006 05:33:30 -0000
X-Spam-Status: Yes, hits=6.8 required=5.0
X-Spam-Level: ++++++
X-Qmail-Scanner-Mail-From: a214g326pp@[server ip here] via bfb001
X-Qmail-Scanner: 1.25st (Clear:RC:0(202.8.87.185):SA:1(6.8/5.0):. Processed
in 4.327631 secs Process 27505)
Received: from ppp-202.8.87.185.revip.proen.co.th (HELO ameillpu-7jat6i)
(webmaster@202.8.87.185)
  by bfb001.bfhosting.co.uk with SMTP; 5 Jul 2006 05:33:26 -0000
From: "mojxks" <A214G326pp@[server ip here]>
Subject: SPAM ***  =?GB2312?B?usNfzsRfubJfyc0=?=
To: xudidan () yeah net
Content-Type: TEXT/HTML
Date: Wed, 5 Jul 2006 13:33:50 +0800
X-Mailer: Microsoft Outlook, Build 10.0.2616
X-Qmail-Scanner-1.25st: added fake MIME-Version header
MIME-Version: 1.0
X-Qmail-Scanner-Message-ID: <115207760789427505@bfb001>
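When triaging a case like the one above, the first thing worth pulling out of each spam message is the qmail-smtpd Received line: the connecting IP, the HELO string, the parenthesised "(name@ip)" field, and the envelope sender recorded by qmail-scanner. The following is an added example (my code, not the poster's and not part of qmail or qmail-scanner) that unfolds a raw header block, parses those fields and raises simple defender-side flags: sender domains that claim to be the local host, an unqualified HELO, and the presence of the "(name@ip)" field. It assumes the stock qmail-smtpd Received format "from <rdns> (HELO <helo>) (<remoteinfo>@<ip>) by <host> with <proto>;", in which the "<remoteinfo>@" part comes from TCPREMOTEINFO and is omitted when that is unset; with the common SMTP AUTH patches that slot is where the authenticated username is typically recorded, so a populated value is exactly what to correlate against the server's account list and auth logs. The function names, the `triage` flag names and the sample header block are constructed for this example; the sample reuses the lines quoted in the post with the poster's "[server ip here]" placeholder left in place.

```python
import re

# Constructed sample: the Received chain and From line quoted in the post,
# with the poster's "[server ip here]" placeholder kept as-is.
SAMPLE_HEADERS = (
    "Received: (qmail 27535 invoked by uid 1008); 5 Jul 2006 05:33:30 -0000\n"
    "Received: from 202.8.87.185 by bfb001 (envelope-from "
    "<a214g326pp@[server ip here]>, uid 1002) with qmail-scanner-1.25st\n"
    " (clamdscan: 0.84/1539. spamassassin: 3.0.3. perlscan: 1.25st.\n"
    " Clear:RC:0(202.8.87.185):SA:1(6.8/5.0):.\n"
    " Processed in 4.327631 secs); 05 Jul 2006 05:33:30 -0000\n"
    "Received: from ppp-202.8.87.185.revip.proen.co.th (HELO ameillpu-7jat6i)\n"
    " (webmaster@202.8.87.185)\n"
    "  by bfb001.bfhosting.co.uk with SMTP; 5 Jul 2006 05:33:26 -0000\n"
    "From: \"mojxks\" <A214G326pp@[server ip here]>\n"
)

# Stock qmail-smtpd Received line (assumed format, see lead-in):
#   from <rdns> (HELO <helo>) (<remoteinfo>@<ip>) by <host> with <proto>;
# "<remoteinfo>@" is absent when qmail-smtpd has no TCPREMOTEINFO value.
SMTPD_RE = re.compile(
    r"^from (?P<rdns>\S+) \(HELO (?P<helo>[^)]*)\) "
    r"\((?:(?P<remoteinfo>[^@)]+)@)?(?P<ip>[^)]+)\) "
    r"by (?P<by>\S+) with (?P<proto>\S+);"
)
# qmail-scanner records the envelope sender in its own Received line.
ENVFROM_RE = re.compile(r"envelope-from <(?P<addr>[^>]*)>")


def unfold_headers(raw):
    """Split a raw header block into (name, value) pairs, joining folded lines."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    # collapse runs of whitespace left over from folding
    return [(n, " ".join(v.split())) for n, v in headers]


def parse_smtpd_received(value):
    """Return the fields of a qmail-smtpd Received value, or None for other hops."""
    m = SMTPD_RE.match(value)
    return m.groupdict() if m else None


def triage(raw, local_domains):
    """Extract the SMTP hop details and flag what a defender should look at.

    local_domains: lower-case set of names/literals that mean "this server".
    """
    result = {"connecting_ip": None, "helo": None, "remoteinfo": None,
              "proto": None, "envelope_from": None, "header_from": None,
              "flags": []}
    for name, value in unfold_headers(raw):
        if name.lower() == "received":
            hop = parse_smtpd_received(value)
            if hop:
                result["connecting_ip"] = hop["ip"]
                result["helo"] = hop["helo"]
                result["remoteinfo"] = hop["remoteinfo"]
                result["proto"] = hop["proto"]
            m = ENVFROM_RE.search(value)
            if m:
                result["envelope_from"] = m.group("addr").lower()
        elif name.lower() == "from":
            m = re.search(r"<([^>]+)>", value)
            result["header_from"] = (m.group(1) if m else value).lower()

    # Sender addresses that claim to be the server itself (the pattern in the post).
    for key in ("envelope_from", "header_from"):
        addr = result[key]
        if addr and addr.rpartition("@")[2] in local_domains:
            result["flags"].append(key + "_claims_local_domain")
    # A populated remoteinfo slot is what to correlate with the auth logs.
    if result["remoteinfo"]:
        result["flags"].append("remoteinfo_present")
    # Real MTAs send a fully-qualified HELO; bare hostnames are a common spam tell.
    if result["helo"] and "." not in result["helo"]:
        result["flags"].append("unqualified_helo")
    return result


if __name__ == "__main__":
    for k, v in triage(SAMPLE_HEADERS, {"[server ip here]"}).items():
        print(f"{k}: {v}")
```

Run over a spool of spam samples, the `remoteinfo` values are the accounts to check first: if they are all real users on the box, the next step is comparing the connecting IPs against the SMTP AUTH success log for those accounts rather than looking for an injection path that bypasses auth.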


