
It seems like people are sending spam through my mailserver using SMTP server authentication.

  • I’m getting bounces of undelivered mail
  • The bounces contain correct Received: headers from my mail server
  • My mail server is not an open relay
  • I changed the passwords for all accounts on the server

Sample headers of the original mail:

Received: from mydomain.net ([190.236.249.21])
    (authenticated bits=0)
    by mymailserver.net with ESMTP id tA9FuD9m015519
    for <[email protected]>; Mon, 9 Nov 2015 16:56:34 +0100

The IP is not mine; in fact, it’s from Peru, and the same kinds of mails are submitted from IPs in India, Malaysia, etc.

The corresponding entry in the mail.log:

Nov  9 16:56:17 mymailserver sm-mta[15519]: AUTH=server, relay=[190.236.249.21], [email protected], mech=PLAIN, bits=0
Nov  9 16:56:20 mymailserver sm-mta[15519]: tA9FuD9h015519: from=<[email protected]>, size=428, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=[190.236.249.21]
Nov  9 16:56:20 mymailserver sm-mta[15519]: tA9FuD9h015519: Milter insert (0): header: Received-SPF: pass (mymailserver.net: authenticated connection) receiver=mymailserver.net; client-ip=190.236.249.21; helo=mydomain.net; [email protected]; x-software=spfmilter 0.97 http://www.acme.com/software/spfmilter/ with libspf-unknown;
Nov  9 16:56:23 mymailserver sm-mta[15519]: tA9FuD9i015519: from=<[email protected]>, size=451, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=[190.236.249.21]
Nov  9 16:56:23 mymailserver sm-mta[15519]: tA9FuD9i015519: Milter insert (0): header: Received-SPF: pass (mymailserver.net: authenticated connection) receiver=mymailserver.net; client-ip=190.236.249.21; helo=mydomain.net; [email protected]; x-software=spfmilter 0.97 http://www.acme.com/software/spfmilter/ with libspf-unknown;

I’m stumped – I’m not sure how they get a) AUTH=server and b) [email protected]. But I’m not sure how to debug this, and I can’t find anything on Google on disabling this kind of authentication, everything only refers to authenticating clients (which is what I do) and identifying towards other servers when sendmail is a client (which I don’t do).

  • Any solution to this? I am having the same issue...
    – born2net
    Commented Jul 26, 2016 at 0:20
  • Yeah, ancient credentials were cached in some file related to SASL iirc. Unfortunately it’s been a while and I don’t have that server anymore, so I can’t find the details now :( Try running a grep on your /etc/mail (or whatever) for the authid listed in the log.
    – moeffju
    Commented Jul 27, 2016 at 11:19

1 Answer

This might not generalize, but when tearing down that server a little later, we found a PHP shell that had been dropped through a WordPress bug. All it had been used for was to add a user for mail relaying into the sasl database, as far as we could tell. So, if you also have a similar issue, definitely check for rootkits and droppers, and if you have the slightest doubt that somebody could have gotten access to your server, nuke it and rebuild it.
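A defender-side check for the sendmail log format shown in the question, as an added example (it is not code from the question or the answer): it parses the AUTH=server lines, collects the client IPs seen per authid, and flags authids that are not in the list of users you expect in the SASL database or that authenticate from more distinct IPs than a single legitimate user normally would. The sample lines, user names and the "expected users" set are constructed; the real log on the page has the addresses obfuscated.

```python
import re
from collections import defaultdict

# Sendmail "AUTH=server" line, same layout as in the question's mail.log excerpt:
#   <ts> <host> sm-mta[<pid>]: AUTH=server, relay=[<ip>], authid=<user>, mech=<mech>, bits=<n>
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sm-mta\[\d+\]: AUTH=server, "
    r"relay=\[(?P<ip>[0-9a-fA-F.:]+)\], authid=(?P<authid>[^,]+), mech=(?P<mech>\w+)"
)

# Constructed sample log: one authid used from three different countries' IPs,
# one ordinary user, and one non-AUTH line that must be ignored.
SAMPLE_LOG = """\
Nov  9 16:56:17 mymailserver sm-mta[15519]: AUTH=server, relay=[190.236.249.21], authid=relayuser@mydomain.net, mech=PLAIN, bits=0
Nov  9 17:02:41 mymailserver sm-mta[15611]: AUTH=server, relay=[203.0.113.7], authid=relayuser@mydomain.net, mech=PLAIN, bits=0
Nov  9 17:10:05 mymailserver sm-mta[15702]: AUTH=server, relay=[198.51.100.42], authid=relayuser@mydomain.net, mech=LOGIN, bits=0
Nov  9 17:12:30 mymailserver sm-mta[15733]: AUTH=server, relay=[192.0.2.10], authid=alice@mydomain.net, mech=PLAIN, bits=0
Nov  9 17:13:00 mymailserver sm-mta[15740]: tA9FuD9k015740: from=<alice@mydomain.net>, size=512, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
"""

def parse_auth_events(log_text):
    """Return (timestamp, client_ip, authid, mech) for every AUTH=server line."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append((m["ts"], m["ip"], m["authid"], m["mech"]))
    return events

def ips_per_authid(events):
    """Map each authid to the set of client IPs it authenticated from."""
    seen = defaultdict(set)
    for _ts, ip, authid, _mech in events:
        seen[authid].add(ip)
    return seen

def suspicious_authids(events, expected_users, max_ips=1):
    """Flag authids missing from the expected user list (compare against your
    sasldb) or authenticating from more than max_ips distinct client IPs."""
    flagged = {}
    for authid, ips in ips_per_authid(events).items():
        reasons = []
        if authid not in expected_users:
            reasons.append("authid not in expected user list")
        if len(ips) > max_ips:
            reasons.append(f"{len(ips)} distinct client IPs")
        if reasons:
            flagged[authid] = (sorted(ips), reasons)
    return flagged

if __name__ == "__main__":
    for authid, (ips, why) in suspicious_authids(parse_auth_events(SAMPLE_LOG), {"alice@mydomain.net"}).items():
        print(authid, ips, "; ".join(why))
```

Run it against `/var/log/mail.log` instead of SAMPLE_LOG and compare the flagged authids with `sasldblistusers2` output; an authid you never created is the kind of entry the answer above describes.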
