Mailing List SIMS@mail.stalker.com Message #15441
From: Anibal Escobar <anibal@styleexpo.com>
Subject: Re: How did this spammer get through?
Date: Thu, 8 Feb 2007 09:53:00 -0500
To: SIMS Discussions <SIMS@mail.stalker.com>
X-Mailer: Apple Mail (2.624)
Hi, right now the logging level is "Problems".  Should I go to "Low level" or "all info"?
Is there any way to isolate the user that has been compromised?

Thanks, Anibal

On Feb 8, 2007, at 9:44 AM, Bill Cole wrote:

At 6:35 AM -0800 2/8/07, Anibal Escobar imposed structure on a stream of electrons, yielding:
Hello everyone, I have a Sims 1.8b9d14 running with Relay for Clients only checked.  A couple of days ago, someone sent out a lot of spam through my server.  Here's a snippet from the log:

06:37:45 3 SMTP-658(User) Failed to verify. Real address is [89.38.185.95:3052]
06:38:05 2 SMTP-658([89.38.185.95]) {S.0005385044} received, 7094 bytes
06:38:05 2 SYSTEM [S.0005385044] S.0005385044 50+0 From:Update.profile@Amazon.com
06:38:05 3 SMTP [S.0005385044] dequeueing

Any thoughts on how this could have happened?  Thanks, Anibal Escobar


If you are not logging any deeper than that, any response is theoretical and unverifiable.

The most likely thing is that you have a compromised user account, and the spammer has used POP-before-SMTP or SMTP AUTH with some user's weak password.


-- Bill Cole                                  bill@scconsult.com
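
An added example, not part of the original thread and not SIMS code: a short Python script that groups log lines of the form quoted above by connecting IP address, showing which remote hosts submitted mail, how much, and under which From addresses. The first four sample lines are the snippet from the message; the other lines, the 192.0.2.10 address and the function name `summarize` are constructed for illustration, and the script assumes other entries follow the same layout.

```python
import re
from collections import defaultdict

# The first four lines are the snippet quoted in the thread; the rest are
# constructed in the same layout so the summary covers more than one session.
SAMPLE_LOG = """\
06:37:45 3 SMTP-658(User) Failed to verify. Real address is [89.38.185.95:3052]
06:38:05 2 SMTP-658([89.38.185.95]) {S.0005385044} received, 7094 bytes
06:38:05 2 SYSTEM [S.0005385044] S.0005385044 50+0 From:Update.profile@Amazon.com
06:38:05 3 SMTP [S.0005385044] dequeueing
06:38:09 2 SMTP-659([89.38.185.95]) {S.0005385045} received, 7101 bytes
06:38:09 2 SYSTEM [S.0005385045] S.0005385045 50+0 From:Update.profile@Amazon.com
06:40:12 2 SMTP-660([192.0.2.10]) {S.0005385046} received, 1820 bytes
06:40:12 2 SYSTEM [S.0005385046] S.0005385046 1+0 From:alice@example.org
"""

RECEIVED = re.compile(r"^(\S+) \d+ SMTP-\d+\(\[([\d.]+)\]\) \{(S\.\d+)\} received, (\d+) bytes")
SENDER = re.compile(r"^\S+ \d+ SYSTEM \[(S\.\d+)\] \S+ \S+ From:(\S+)")
UNVERIFIED = re.compile(r"^\S+ \d+ SMTP-\d+\(.*?\) Failed to verify\. Real address is \[([\d.]+):\d+\]")

def summarize(log_text):
    """Group received messages by the IP address that submitted them."""
    by_ip = defaultdict(lambda: {"messages": 0, "bytes": 0, "senders": set(),
                                 "unverified": False, "first_seen": None})
    queue_to_ip = {}  # queue id (S.nnn) -> IP of the session that delivered it
    for line in log_text.splitlines():
        if m := UNVERIFIED.match(line):
            by_ip[m.group(1)]["unverified"] = True
        elif m := RECEIVED.match(line):
            when, ip, queue_id, size = m.groups()
            entry = by_ip[ip]
            entry["messages"] += 1
            entry["bytes"] += int(size)
            entry["first_seen"] = entry["first_seen"] or when
            queue_to_ip[queue_id] = ip
        elif m := SENDER.match(line):
            queue_id, sender = m.groups()
            if queue_id in queue_to_ip:  # skip queue ids with no "received" line
                by_ip[queue_to_ip[queue_id]]["senders"].add(sender)
    return dict(by_ip)

if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["messages"])
    for ip, info in ranked:
        print(ip, info["messages"], info["bytes"], info["first_seen"],
              "unverified" if info["unverified"] else "", sorted(info["senders"]))
```

Tying the resulting IP address and time to a specific account's POP or SMTP AUTH login needs the deeper logging discussed in the thread.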

