Mailing List SIMS@mail.stalker.com Message #15530
From: Bill Cole <listbill@scconsult.com>
Subject: Re: Spam on my server
Date: Wed, 29 Aug 2007 23:56:10 -0400
To: SIMS Discussions <SIMS@mail.stalker.com>
At 3:37 PM +0100 8/29/07, Clive Bruton imposed structure on a stream of electrons, yielding:
On 29 Aug 2007, at 15:06, Bill Cole wrote:

If you have SMTP AUTH or POP-before-SMTP enabled, it is likely that this is the result of the spammer guessing the password of some account and using that to open up relay access. Unfortunately, the most commonly guessed passwords are those of common accounts, e.g. 'postmaster' for a SIMS system.

Is there SMTP auth in SIMS!?

Yes.

("Advertise AUTH capability" - I've never been able to get that to work).

It's actually always there, but that switch makes it visible to clients. I never had any trouble making it work.


POP-before-SMTP is the way it works right now.

Without deep logging, it is impossible to know for sure why SIMS let that mail through. I always recommend setting logging for every piece other than the HTTP module in SIMS to "All" but I'm a log fetishist. Having full logs is only problematic if you are short on disk space and/or lack good tools for examining them, two problems that are readily fixed. Lacking full logs means you lack necessary data to be able to figure out unexpected events, and that missing information is gone for good.

Right, the data to track is gone. I thought I had pretty good passwords that weren't susceptible to dictionary-type attacks, but I have seen people trying these in the past. I am pretty short on disk space, and this (beige) G3 is overdue for retirement, so I don't think it's going to get upgraded. Perhaps I'll move some things around.

I can look through the logs with BBEdit, do you recommend something else?

BBEdit is certainly capable, particularly if you are good with regular expressions for searching through the logs.

I'll watch the logs over the next few weeks to see if I can find any repeated attempted log-ins.

Good Luck.
--
Bill Cole                                  bill@scconsult.com
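
The log review discussed in this thread, as an added example that is not part of the original message: a regular-expression pass that flags client addresses which logged in after repeated failures and then relayed mail, the POP-before-SMTP abuse pattern described above. The log line layout, field names and addresses are constructed for illustration and are not the real SIMS log format; adapt the two regular expressions to your own logs.

```python
import re
from collections import defaultdict

# Constructed sample lines. The layout is an assumption for illustration,
# NOT the real SIMS log format; adapt the regexes to your own logs.
SAMPLE_LOG = """\
23:40:51 POP 203.0.113.7 LOGIN postmaster FAILED
23:40:55 POP 203.0.113.7 LOGIN postmaster FAILED
23:40:58 POP 203.0.113.7 LOGIN postmaster FAILED
23:41:02 POP 203.0.113.7 LOGIN postmaster OK
23:41:10 SMTP 203.0.113.7 RELAY rcpt=<a@example.net>
23:41:11 SMTP 203.0.113.7 RELAY rcpt=<b@example.org>
23:45:00 POP 192.0.2.10 LOGIN clive OK
23:45:30 SMTP 192.0.2.10 RELAY rcpt=<friend@example.com>
23:50:12 POP 198.51.100.23 LOGIN admin FAILED
23:50:14 POP 198.51.100.23 LOGIN root FAILED
"""

LOGIN_RE = re.compile(r"^(\S+) POP (\S+) LOGIN (\S+) (OK|FAILED)$")
RELAY_RE = re.compile(r"^(\S+) SMTP (\S+) RELAY rcpt=<([^>]*)>$")

def analyze(log_text, fail_threshold=3):
    """Return (unlocked, probing).

    unlocked: ip -> details, for IPs whose first successful login came
              after at least fail_threshold failed logins.
    probing:  sorted IPs with failed logins that never unlocked relay.
    """
    failures = defaultdict(int)
    unlocked = {}
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            _, ip, account, result = m.groups()
            if result == "FAILED":
                failures[ip] += 1
            elif failures.get(ip, 0) >= fail_threshold and ip not in unlocked:
                unlocked[ip] = {"account": account,
                                "failures_before": failures[ip],
                                "relayed": 0}
            continue
        m = RELAY_RE.match(line)
        if m and m.group(2) in unlocked:
            # Relay granted to an address that guessed its way in.
            unlocked[m.group(2)]["relayed"] += 1
    probing = sorted(ip for ip in failures if ip not in unlocked)
    return unlocked, probing

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```
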
