Mailing List SIMS@mail.stalker.com Message #6128
From: Bill Cole <listbill@scconsult.com>
Subject: Re: Odd SYSTEM Account log entry
Date: Sun, 4 Jun 2000 00:39:48 -0400
To: SIMS Discussions <SIMS@mail.stalker.com>
An oldie... I've been away for a fortnight...

At 5:35 AM -0700 5/22/00, Glenn Gutierrez imposed structure on a stream
of electrons, yielding:
>Any idea what was attempted here this morning?
>
>02:55:06 0 SYSTEM The current date is Monday, May 22, 2000
>02:55:06 1 SMTP-334([62.192.20.2]) SPAM? Host is blacklisted per RBL
>relays.mail-abuse.org with result [127.0.0.2]
>02:55:09 0 SYSTEM Account {cn=mail-ns.flad.de, cn=ns.flad.de,
>ou=Netscape Servers} Resources open failed. Error Code=-43
>02:55:09 1 SMTP {cn=mail-ns.flad.de, cn=ns.flad.de, ou=Netscape
>Servers} AUTH failed: password(csGViwdQLO) is wrong. Connection from
>[62.192.20.2:41436]
>
>I've seen that string of characters in the logs before (cn= ou=), but
>hadn't noticed it cause a SYSTEM Account action. Hoping it's "just" a
>spammer trying to relay.


What you are seeing is someone trying to authenticate to an account
specified in LDAP format (or X.500, which is essentially the same). It
appears that you are running one of the latest versions of SIMS that
supports SMTP AUTH. The presumptively-mismanaged machine (it's on RSS
after all) sees AUTH capability and is assuming that AUTH means the
Netscape implementation of inter-server authentication that predates the
current AUTH standard and is not perfectly compatible with the standard.

The broken server is trying to authenticate to your server, as the
'Account' named "cn=mail-ns.flad.de, cn=ns.flad.de, ou=Netscape Servers"
which is a perfectly valid LDAP name but which SIMS can't figure out: it
looks for an account file with that name and doesn't find it: that's the
-43 error.

The end result of this is pretty ugly. Every time a spammer tries to rape
that box, it talks to machines around the world and tries to use an
authentication system that clearly shouldn't go outside the range of some
unspecified LDAP server in Germany. Leaving its password in mail logs
worldwide. Oops.


--
Bill Cole
MAPS L.L.C. Consulting Services Group
Incident Response Service Senior Consultant
(hey look, I got a new job!!!)
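The pattern described above, checked mechanically over the quoted log lines, as an added example that is not part of the original thread or of SIMS itself: a small parser for the four line shapes visible in the quote (date stamp, RBL hit, "Resources open failed" with its error code, and the SMTP AUTH failure), which flags AUTH attempts whose account name is an LDAP/X.500 distinguished name, correlates them with the RBL listing and the -43 lookup error for the same account, and redacts the cleartext password before the line is kept or forwarded anywhere. The log format is inferred only from the quoted lines; the sample below is constructed, its last line (a non-DN user from an unlisted host) is invented, and all function and field names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample, modelled on the SIMS lines quoted in the message.
# The first four lines reproduce the quoted log; the last line is invented
# to show a plain (non-DN) account from a host that is not RBL-listed.
SAMPLE_LOG = """\
02:55:06 0 SYSTEM The current date is Monday, May 22, 2000
02:55:06 1 SMTP-334([62.192.20.2]) SPAM? Host is blacklisted per RBL relays.mail-abuse.org with result [127.0.0.2]
02:55:09 0 SYSTEM Account {cn=mail-ns.flad.de, cn=ns.flad.de, ou=Netscape Servers} Resources open failed. Error Code=-43
02:55:09 1 SMTP {cn=mail-ns.flad.de, cn=ns.flad.de, ou=Netscape Servers} AUTH failed: password(csGViwdQLO) is wrong. Connection from [62.192.20.2:41436]
02:57:41 1 SMTP {joe} AUTH failed: password(Pa55w0rd) is wrong. Connection from [192.0.2.10:5555]
"""

# Line shapes inferred from the quoted log (assumption: "time level component message").
LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d) (?P<level>\d+) (?P<component>\S+) (?P<msg>.*)$")
RBL_COMPONENT_RE = re.compile(r"^SMTP-\d+\(\[(?P<ip>[\d.]+)\]\)$")
RBL_MSG_RE = re.compile(r"^SPAM\? Host is blacklisted per RBL (?P<rbl>\S+) with result \[(?P<result>[\d.]+)\]$")
OPEN_FAILED_RE = re.compile(r"^Account \{(?P<account>[^}]*)\} Resources open failed\. Error Code=(?P<code>-?\d+)$")
AUTH_FAILED_RE = re.compile(
    r"^\{(?P<account>[^}]*)\} AUTH failed: password\((?P<password>[^)]*)\) is wrong\."
    r" Connection from \[(?P<ip>[\d.]+):(?P<port>\d+)\]$"
)
# One RDN of a DN: attribute=value (values like "Netscape Servers" may contain spaces).
DN_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")
PASSWORD_RE = re.compile(r"password\([^)]*\)")


@dataclass
class AuthFailure:
    time: str
    account: str
    ip: str
    port: int
    dn_style: bool               # account name parses as an LDAP/X.500 DN
    rbl_listed: bool             # same client IP was flagged by the RBL earlier in the log
    lookup_error: Optional[int]  # SYSTEM "Resources open failed" code for this account, if any
    redacted_line: str           # the raw line with the password blanked out


def split_dn(name: str) -> Optional[List[Tuple[str, str]]]:
    """Return [(attr, value), ...] if `name` is a comma-separated list of
    attr=value components (LDAP/X.500 DN syntax), else None. Escaped commas
    are not handled; the quoted DN does not need them."""
    rdns = []
    for part in name.split(","):
        part = part.strip()
        if not DN_RDN_RE.match(part):
            return None
        attr, value = part.split("=", 1)
        rdns.append((attr.lower(), value))
    return rdns


def redact(line: str) -> str:
    """Blank the cleartext password SIMS writes into the AUTH failure line."""
    return PASSWORD_RE.sub("password(<redacted>)", line)


def analyze(log_text: str) -> List[AuthFailure]:
    """Walk the log once, remembering RBL hits and account-open failures,
    and emit one finding per SMTP AUTH failure."""
    rbl_ips: Set[str] = set()
    open_failed: Dict[str, int] = {}
    findings: List[AuthFailure] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        component, msg = m["component"], m["msg"]
        c = RBL_COMPONENT_RE.match(component)
        if c and RBL_MSG_RE.match(msg):
            rbl_ips.add(c["ip"])
            continue
        if component == "SYSTEM":
            o = OPEN_FAILED_RE.match(msg)
            if o:
                open_failed[o["account"]] = int(o["code"])
            continue
        if component == "SMTP":
            a = AUTH_FAILED_RE.match(msg)
            if a:
                findings.append(AuthFailure(
                    time=m["time"],
                    account=a["account"],
                    ip=a["ip"],
                    port=int(a["port"]),
                    dn_style=split_dn(a["account"]) is not None,
                    rbl_listed=a["ip"] in rbl_ips,
                    lookup_error=open_failed.get(a["account"]),
                    redacted_line=redact(raw),
                ))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        tag = "DN-style AUTH" if f.dn_style else "plain AUTH"
        print(f"{f.time} {tag} from {f.ip} rbl={f.rbl_listed} lookup_error={f.lookup_error}")
        print("   ", f.redacted_line)
```

The correlation is deliberately order-dependent: SIMS writes the SYSTEM "Resources open failed" line and the RBL hit before the matching AUTH failure, so a single forward pass is enough. The redaction step is the part worth keeping even if the rest is thrown away, since the quoted log shows the remote server's password written verbatim to disk.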