It seems like people are sending spam through my mailserver using SMTP server authentication.
- I’m getting bounces of undelivered mail
- The bounces contain correct Received: headers from my mail server
- My mail server is not an open relay
- I changed the passwords for all accounts on the server
Sample headers of the original mail:
Received: from mydomain.net ([190.236.249.21])
(authenticated bits=0)
by mymailserver.net with ESMTP id tA9FuD9m015519
for <[email protected]>; Mon, 9 Nov 2015 16:56:34 +0100
The IP is not mine, in fact it’s from Peru, and the same kinds of mails are submitted from IPs in India, Malaysia, etc.
The corresponding entry in the mail.log:
Nov 9 16:56:17 mymailserver sm-mta[15519]: AUTH=server, relay=[190.236.249.21], [email protected], mech=PLAIN, bits=0
Nov 9 16:56:20 mymailserver sm-mta[15519]: tA9FuD9h015519: from=<[email protected]>, size=428, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=[190.236.249.21]
Nov 9 16:56:20 mymailserver sm-mta[15519]: tA9FuD9h015519: Milter insert (0): header: Received-SPF: pass (mymailserver.net: authenticated connection) receiver=mymailserver.net; client-ip=190.236.249.21; helo=mydomain.net; [email protected]; x-software=spfmilter 0.97 http://www.acme.com/software/spfmilter/ with libspf-unknown;
Nov 9 16:56:23 mymailserver sm-mta[15519]: tA9FuD9i015519: from=<[email protected]>, size=451, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=[190.236.249.21]
Nov 9 16:56:23 mymailserver sm-mta[15519]: tA9FuD9i015519: Milter insert (0): header: Received-SPF: pass (mymailserver.net: authenticated connection) receiver=mymailserver.net; client-ip=190.236.249.21; helo=mydomain.net; [email protected]; x-software=spfmilter 0.97 http://www.acme.com/software/spfmilter/ with libspf-unknown;
I’m stumped – I’m not sure how they get a) AUTH=server and b) [email protected]. But I’m not sure how to debug this, and I can’t find anything on Google on disabling this kind of authentication; everything only refers to authenticating clients (which is what I do) and identifying towards other servers when sendmail is a client (which I don’t do).
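An added example (not from the question or from sendmail) of a small detector over the log format shown above: it pairs each AUTH=server line with the from= lines logged by the same sm-mta pid and flags accounts whose logins come from more than a handful of distinct client IPs, which is what a stolen account password looks like in this log. The sample lines, addresses and IPs are constructed, and the example assumes a pid identifies one session within the examined window.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the sendmail lines quoted in the question.
SAMPLE_LOG = """\
Nov  9 16:56:17 mymailserver sm-mta[15519]: AUTH=server, relay=[190.236.249.21], authid=alice@mydomain.net, mech=PLAIN, bits=0
Nov  9 16:56:20 mymailserver sm-mta[15519]: tA9FuD9h015519: from=<alice@mydomain.net>, size=428, class=0, nrcpts=1, msgid=<x@mydomain.net>, proto=ESMTP, daemon=MTA, relay=[190.236.249.21]
Nov  9 17:02:05 mymailserver sm-mta[15702]: AUTH=server, relay=[203.0.113.7], authid=alice@mydomain.net, mech=PLAIN, bits=0
Nov  9 17:02:06 mymailserver sm-mta[15702]: tA9G25x015702: from=<alice@mydomain.net>, size=451, class=0, nrcpts=1, msgid=<y@mydomain.net>, proto=ESMTP, daemon=MTA, relay=[203.0.113.7]
Nov  9 17:10:44 mymailserver sm-mta[15890]: AUTH=server, relay=[198.51.100.9], authid=alice@mydomain.net, mech=PLAIN, bits=0
Nov  9 17:15:01 mymailserver sm-mta[15901]: AUTH=server, relay=[192.0.2.44], authid=bob@mydomain.net, mech=LOGIN, bits=0
"""

TS = r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sm-mta\[(?P<pid>\d+)\]: "
# "AUTH=server" line: the client authenticated to us; authid is the account used.
AUTH_RE = re.compile(TS + r"AUTH=server, relay=\[(?P<ip>[\d.]+)\], "
                          r"authid=(?P<authid>[^,]+), mech=(?P<mech>\w+)")
# Message envelope line: queue id plus the relay that injected it.
FROM_RE = re.compile(TS + r"(?P<qid>\w+): from=<(?P<sender>[^>]*)>, .*relay=\[(?P<ip>[\d.]+)\]")

def parse_log(lines):
    """Return (auth by pid, messages by pid); pid links a login to what it sent."""
    auths, msgs = {}, defaultdict(list)
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            auths[m["pid"]] = m.groupdict()
            continue
        m = FROM_RE.match(line)
        if m:
            msgs[m["pid"]].append(m.groupdict())
    return auths, msgs

def suspicious_accounts(lines, max_ips=2):
    """Accounts that authenticated from more than max_ips distinct client IPs,
    with the SASL mechanisms seen and the queue ids their sessions injected."""
    auths, msgs = parse_log(lines)
    acc = defaultdict(lambda: {"ips": set(), "mechs": set(), "qids": []})
    for pid, a in auths.items():
        acc[a["authid"]]["ips"].add(a["ip"])
        acc[a["authid"]]["mechs"].add(a["mech"])
        acc[a["authid"]]["qids"].extend(m["qid"] for m in msgs.get(pid, []))
    return {user: d for user, d in acc.items() if len(d["ips"]) > max_ips}

if __name__ == "__main__":
    for user, d in suspicious_accounts(SAMPLE_LOG.splitlines()).items():
        print(user, sorted(d["ips"]), d["mechs"], d["qids"])
```

On a real mail.log, run it over a day's worth of lines; an account with logins spread across several countries, as in the question, is the one whose password was changed too late and whose queued messages (the qids) are worth flushing before they bounce.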