Mailing List SIMS@mail.stalker.com Message #15528
From: Bill Cole <listbill@scconsult.com>
Subject: Re: Spam on my server
Date: Wed, 29 Aug 2007 10:06:20 -0400
To: SIMS Discussions <SIMS@mail.stalker.com>
At 6:24 AM -0700 8/29/07, Clive Bruton imposed structure on a stream of electrons, yielding:
> I seem to have managed to get spam relayed through my server. I've no idea how this happened, but here is the source of one of the messages.
>
> **********
>
> Received: from [211.158.162.250] (HELO expire)
>   by mail.indx.co.uk (Stalker SMTP Server 1.8b9d14)
>   with ESMTP id S.0002872782 for <cteng@webmail.com>; Thu, 23 Aug 2007 12:54:44 +0000
> From: "Ruby Quan"<accessible@yahoo.com>
> To: cteng@webmail.com
> Subject: D0Nt import from China with0ut Magbazer
> Date: Thu, 23 Aug 2007 12:54:46 GMT
> Mime-Version: 1.0
> Content-Type: text/plain
> Content-Transfer-Encoding: 7bit
>
> [...]
>
> ************
>
> I'm surmising from this that the header is not faked, and somehow my host accepted this mail in order that it relay the mail.

Yes. There's no way for a spammer to fake your Received header. That mail was handed to your machine from 211.158.162.250, which looks like a PC in Chongqing, China.


> The only hosts allowed to relay to this host are in the 192.168.*.* range, and it obviously didn't come from them.

> Any clues? My only guess is that someone got in through a POP account, but there's nothing in the logs for POP; I had logging on "problems" and just switched it to "low-level".


If you have SMTP AUTH or POP-before-SMTP enabled, it is likely that this is the result of the spammer guessing the password of some account and using that to open up relay access. Unfortunately, the most commonly guessed passwords are those of common accounts, e.g. 'postmaster' for a SIMS system.

Without deep logging, it is impossible to know for sure why SIMS let that mail through. I always recommend setting logging for every piece other than the HTTP module in SIMS to "All", but I'm a log fetishist. Having full logs is only problematic if you are short on disk space and/or lack good tools for examining them, two problems that are readily fixed. Lacking full logs means you lack the necessary data to figure out unexpected events, and that missing information is gone for good.


--
Bill Cole                                  bill@scconsult.com

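The "did this message get relayed, and from where?" check that the thread turns on, as an added example (not code from the thread or from SIMS): it parses a SIMS-style Received header, extracts the connecting IP and envelope recipient, and flags mail for a non-local recipient that arrived from outside the permitted relay range. The local domain (indx.co.uk) and relay range (192.168.0.0/16) are assumptions taken from the quoted header and Clive's description; the sample header is the one quoted above.

```python
import ipaddress
import re

# Assumed from the thread: mail.indx.co.uk is the local server and only
# 192.168.*.* hosts are permitted to relay through it.
LOCAL_DOMAINS = {"indx.co.uk"}
RELAY_NETWORKS = [ipaddress.ip_network("192.168.0.0/16")]

# Matches a folded Received header in the form SIMS writes it:
# "from [ip] (HELO name) by host (...) with ESMTP id X for <rcpt>; date"
RECEIVED_RE = re.compile(
    r"from \[(?P<ip>[\d.]+)\] \(HELO (?P<helo>[^)]*)\)\s+"
    r"by (?P<by>\S+).*?for <(?P<rcpt>[^>]+)>;",
    re.DOTALL,
)


def parse_received(header: str) -> dict:
    """Extract connecting IP, HELO name, receiving host and envelope recipient."""
    m = RECEIVED_RE.search(header)
    if not m:
        raise ValueError("unrecognised Received header")
    return m.groupdict()


def classify(header: str) -> str:
    """Return 'local', 'authorised-relay' or 'unauthorised-relay'."""
    r = parse_received(header)
    rcpt_domain = r["rcpt"].rsplit("@", 1)[-1].lower()
    if rcpt_domain in LOCAL_DOMAINS:
        return "local"  # inbound mail for our own domain is not relaying
    src = ipaddress.ip_address(r["ip"])
    if any(src in net for net in RELAY_NETWORKS):
        return "authorised-relay"
    # Outbound to a foreign domain from an untrusted source: exactly the
    # symptom in the thread, usually via guessed SMTP AUTH / POP credentials.
    return "unauthorised-relay"


# Sample input: the Received header quoted in the thread, folded as SIMS logs it.
SAMPLE = (
    "Received: from [211.158.162.250] (HELO expire)\n"
    "  by mail.indx.co.uk (Stalker SMTP Server 1.8b9d14)\n"
    "  with ESMTP id S.0002872782 for <cteng@webmail.com>; "
    "Thu, 23 Aug 2007 12:54:44 +0000"
)

if __name__ == "__main__":
    print(classify(SAMPLE))  # unauthorised-relay
```

Run it over the first Received line of each message in the SMTP log to find the ones that match the unauthorised pattern, then correlate their timestamps with AUTH or POP logins to identify the compromised account.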