Mailing List SIMS@mail.stalker.com Message #14268
From: Bill Cole <listbill@scconsult.com>
Subject: Re: Spam and account problems
Date: Fri, 13 Feb 2004 19:55:26 -0500
To: SIMS Discussions <SIMS@mail.stalker.com>
At 9:18 AM -0800 2/10/04, Alex Wellerstein imposed structure on a stream of electrons, yielding:
> Hello there,
>
> I've been reading the SIMS mailing list web digests for quite a while now to
> help me solve my SIMS problems, but now I have a question that I can't seem
> to resolve normally.
>
> First, my SIMS server has been under a spam barrage for a while now. All of
> the normal countermeasures have been taken -- Relaying for Clients Only,
> spamhaus as an RBL blacklist, verify return paths, plus I've blacklisted
> many of the 'usual suspect' IP blocks. Most of it originates from variations
> on YAHOO.COM.JP and things like that, which I have a harder time blocking in
> my heart because legitimate people may actually use these services, and
> about a third is from KX100.NET, of course.
>
> So, in my Router I have the entry kx100.NET = error, however messages from
> them are STILL being added to my queue (and overloading it to the point of
> crashing -- I had 15,000 spam messages sitting in my queue, despite telling
> SIMS to delete all bad messages IMMEDIATELY). Arrggg. What's up with that?
> What's up with my queue overflowing?

You are being used as a spam relay.

> I noticed a few days ago in the logs that nefarious spammers were trying to
> authenticate with random passwords on my Postmaster and Webmaster accounts.
> "Ha," I thought, "this won't be a problem, since both of those accounts are
> forwarding only and login is DISABLED." Well, it doesn't seem like that
> stopped them, because somehow the webmaster account has been authenticating.
> How can this be? I threw together some strong passwords for both accounts
> (they had null passwords before) and things like that in the meantime
> (require APOP), but how is it they can authenticate accounts with their
> login disabled? This isn't making sense to me.

The 'login' field in the web interface is misleading. It controls whether the user can log into the web interface or with Communigator. It DOES NOT prevent SMTP or POP authentication.

> My theory is, of course, that the queue is overflowing because of the
> authentication, which is happening either because disabling an account login
> doesn't work, or because I don't understand authentication well enough.

The spammer is taking advantage of the fact that you had null passwords. That makes authentication easy. SIMS is an open relay to anyone who has authenticated.

Lesson: never, for any reason, in any system, ever, leave a password null.

--
Bill Cole
bill@scconsult.com
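
As an added example, not part of the original thread and not SIMS code: a Python script that looks for the pattern Alex describes in his logs (repeated SMTP AUTH failures against an account, followed by a success) and audits an account table for null passwords, which is what made the guessing succeed. The log format, the account table, the IP addresses and every name in it are constructed for the example; SIMS writes its log in a different layout, so the regular expression would have to be adapted to the real lines.

```python
import re
from collections import defaultdict

# Constructed sample log, NOT SIMS's real log format: one line per SMTP AUTH
# attempt with timestamp, client IP, account name and outcome.
SAMPLE_LOG = """\
2004-02-10 08:55:01 SMTP [203.0.113.7] AUTH LOGIN user=postmaster result=FAIL
2004-02-10 08:55:02 SMTP [203.0.113.7] AUTH LOGIN user=postmaster result=FAIL
2004-02-10 08:55:03 SMTP [203.0.113.7] AUTH LOGIN user=postmaster result=FAIL
2004-02-10 08:55:04 SMTP [203.0.113.7] AUTH LOGIN user=postmaster result=FAIL
2004-02-10 08:55:05 SMTP [203.0.113.7] AUTH LOGIN user=postmaster result=FAIL
2004-02-10 08:55:06 SMTP [203.0.113.7] AUTH LOGIN user=postmaster result=FAIL
2004-02-10 08:56:10 SMTP [203.0.113.7] AUTH LOGIN user=webmaster result=FAIL
2004-02-10 08:56:11 SMTP [203.0.113.7] AUTH LOGIN user=webmaster result=FAIL
2004-02-10 08:56:12 SMTP [198.51.100.9] AUTH LOGIN user=webmaster result=FAIL
2004-02-10 08:56:13 SMTP [198.51.100.9] AUTH LOGIN user=webmaster result=FAIL
2004-02-10 08:56:14 SMTP [198.51.100.9] AUTH LOGIN user=webmaster result=OK
2004-02-10 09:10:00 SMTP [192.0.2.44] AUTH LOGIN user=alex result=OK
"""

# Regular expression for the constructed format above; adapt for a real log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) SMTP \[(?P<ip>[\d.]+)\] AUTH \S+ "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_auth_events(text):
    """Return one dict (ts, ip, user, result) per parseable AUTH line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_guessing(events, fail_threshold=3):
    """Flag accounts with fail_threshold or more failed AUTH attempts.

    An account whose failures are followed by a successful AUTH is reported
    as 'compromised': that is what a guessed (or null) password looks like,
    and from then on the server relays for that client.
    """
    stats = defaultdict(lambda: {"fails": 0, "succeeded": False, "ips": set()})
    for ev in events:
        s = stats[ev["user"]]
        s["ips"].add(ev["ip"])
        if ev["result"] == "FAIL":
            s["fails"] += 1
        elif s["fails"] > 0:
            # A success that comes after at least one failure.
            s["succeeded"] = True
    report = {}
    for user, s in stats.items():
        if s["fails"] >= fail_threshold:
            report[user] = {
                "fails": s["fails"],
                "ips": sorted(s["ips"]),
                "verdict": "compromised" if s["succeeded"] else "attempted",
            }
    return report


def audit_null_passwords(accounts):
    """Return account names whose password is unset or empty.

    'accounts' is a constructed name -> settings mapping. The 'login' flag is
    included only to make the point from the thread: it does not gate SMTP
    AUTH, so an empty password is exploitable whether login is on or off.
    """
    return sorted(
        name for name, cfg in accounts.items()
        if cfg.get("password") in (None, "")
    )


# Constructed account table mirroring the situation described in the thread.
SAMPLE_ACCOUNTS = {
    "postmaster": {"password": None, "login": False},
    "webmaster": {"password": "", "login": False},
    "alex": {"password": "correct horse battery staple", "login": True},
}

if __name__ == "__main__":
    for user, info in find_guessing(parse_auth_events(SAMPLE_LOG)).items():
        print(f"{user}: {info['verdict']} "
              f"({info['fails']} failures from {info['ips']})")
    print("accounts with null passwords:", audit_null_passwords(SAMPLE_ACCOUNTS))
```

Run as-is it reports postmaster as "attempted" (six failures, no success), webmaster as "compromised" (four failures then a success from a second address), and lists both accounts as having null passwords; alex's single clean success is not flagged. The threshold is deliberately low for the sample; on a busy server raise it, or add a time window, before treating every hit as an incident.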
