Liste de diffusion Message #15442
De: Bill Cole <>
Sujet: Re: How did this spammer get through?
Date: Thu, 8 Feb 2007 10:08:29 -0500
A: SIMS Discussions <>
At 9:53 AM -0500 2/8/07, Anibal Escobar  imposed structure on a stream of electrons, yielding:
Hi, right now the logging level is "Problems".  Should I go to "Low level" or "all info"?

I go 'all info' on all modules except HTTP. Anything deeper than "Problems" there makes using the web interface a log DoS.

Having everything logged may even point out an alternative explanation for thje relaying.

Is there anyway to isolate the user that has been compromised?

Not retrospectively without deep logging.

I'd look first at 'postmaster' and any other common-name role account. Changing the passwords on such accounts to very strong ones is a must. If postmaster has a dictionary word as a password, you can bet on it being the problem.

Thanks, Anibal

On Feb 8, 2007, at 9:44 AM, Bill Cole wrote:

At 6:35 AM -0800 2/8/07, Anibal Escobar  imposed structure on a stream of electrons, yielding:
Hello everyone, I have a Sims 1.8b9d14 running with Relay for Clients only checked.  A couple of days, someone sent out a lot of spam through my server.  Here's a snippet from the log:

06:37:45 3 SMTP-658(User) Failed to verify. Real address is []
06:38:05 2 SMTP-658([]) {S.0005385044} received, 7094 bytes
06:38:05 2 SYSTEM [S.0005385044] S.0005385044 50+0
06:38:05 3 SMTP [S.0005385044] dequeueing

Any thoughts on how this could have happened?  Thanks, Anibal Escobar

If you are not logging any deeper than that, any response is theoretical and unverifiable.

The most likely thing is that you have a compromised user account, and the spammer has used POP-before-SMTP or SMTP AUTH  with some user's weak password.

Bill Cole                        

S'abonner aux messages S'abonner aux sommaires S'abonner aux indexes Se désabonner Ecrire un email au responsable de la liste