question on smtp AUTH

Matthew Seaman m.seaman at infracaninophile.co.uk
Sun Jan 14 10:19:10 UTC 2007


David Banning wrote:
>> That would seem to suggest that the spam is being sent using an authorized 
>> account, however, is it possible that a host inside your network is 
>> sending the spam?
> 
> Thanks for that test Paul. I do believe that it could have been a virus
> infected windows box. I am not convinced now. I -do- know that I have
> had crackers attempting access via SSH and I did not have anything to
> stop them from trying every possible configuration. Eventually they
> may have gotten a usable login and password. I now have them blocked
> after 5 failed attempts but still there could be someone spamming using
> the login and password obtained previously. Before getting -everyone-
> to change their password I am wondering if there isn't a way to log
> who is sending via what login authentication. I could then just
> setup a new password for that user only.

You can make the logging more verbose at the SASL level.  You should 
have a file

    /usr/local/lib/sasl2/Sendmail.conf 

which contains sendmail specific bits of the SASL configuration.
(just create it if you don't already have it).  You can add to
that a

   log_level: 6

parameter, which should cause enough logging to be generated that you
can tell who was logging in and where from, without logging passwords
or other sensitive stuff.  You might want to follow the instructions in
/etc/syslog.conf for enabling the all.log.

For more info on the sort of stuff you can put in the various SASL
config files see:

   http://www.sendmail.org/~ca/email/cyrus2/options.html

The available levels (from sasl.h) are:

/* Logging levels for use with the logging callback function. */
#define SASL_LOG_NONE  0        /* don't log anything */
#define SASL_LOG_ERR   1        /* log unusual errors (default) */
#define SASL_LOG_FAIL  2        /* log all authentication failures */
#define SASL_LOG_WARN  3        /* log non-fatal warnings */
#define SASL_LOG_NOTE  4        /* more verbose than LOG_WARN */
#define SASL_LOG_DEBUG 5        /* more verbose than LOG_NOTE */
#define SASL_LOG_TRACE 6        /* traces of internal protocols */
#define SASL_LOG_PASS  7        /* traces of internal protocols, including

	Cheers,

	Matthew


-- 
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW
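
An added example, not part of the original message: once logins are being logged, this tallies which account authenticated from which address, which is what the question above asks for. It assumes sendmail's own "AUTH=server, relay=..., authid=..." maillog line (written when sendmail's LogLevel is above 9, which the post does not mention); the sample lines are constructed and the max_sources threshold is a hypothetical choice.

```python
import re
from collections import defaultdict

# Constructed sample maillog lines (not from the original post).
SAMPLE_LOG = """\
Jan 14 09:01:12 mail sm-mta[4101]: AUTH=server, relay=pc12.example.org [192.0.2.10], authid=alice, mech=PLAIN, bits=0
Jan 14 09:03:40 mail sm-mta[4117]: AUTH=server, relay=[198.51.100.7], authid=bob, mech=LOGIN, bits=0
Jan 14 09:20:02 mail sm-mta[4180]: AUTH=server, relay=pc12.example.org [192.0.2.10], authid=alice, mech=PLAIN, bits=0
Jan 14 09:21:15 mail sm-mta[4192]: AUTH=server, relay=host5.example.net [203.0.113.5], authid=bob, mech=LOGIN, bits=0
Jan 14 09:21:58 mail sm-mta[4199]: AUTH=server, relay=[203.0.113.99], authid=bob, mech=LOGIN, bits=0
Jan 14 09:22:01 mail sm-mta[4199]: l0E9M1aa004199: from=<x@example.net>, size=2048, nrcpts=40
Jan 14 09:30:44 mail sm-mta[4250]: AUTH=server, relay=[198.51.100.7], authid=bob, mech=LOGIN, bits=0
"""

# Assumed line format: relay is "name [addr]" or "[addr]", followed by authid.
AUTH_RE = re.compile(
    r"AUTH=server, relay=(?P<relay>.*?), authid=(?P<authid>[^,\s]+), mech=(?P<mech>[^,\s]+)"
)
ADDR_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def logins_by_account(log_text):
    """Map each authid to {source address: number of authenticated sessions}."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # not an authentication record
        addr = ADDR_RE.search(m.group("relay"))
        # Fall back to the raw relay field if no bracketed address is present.
        source = addr.group(1) if addr else m.group("relay")
        seen[m.group("authid")][source] += 1
    return {user: dict(sources) for user, sources in seen.items()}


def suspicious_accounts(log_text, max_sources=2):
    """Accounts that authenticated from more distinct addresses than max_sources."""
    table = logins_by_account(log_text)
    return sorted(user for user, sources in table.items() if len(sources) > max_sources)


if __name__ == "__main__":
    for user, sources in sorted(logins_by_account(SAMPLE_LOG).items()):
        print(user, sources)
    print("review password for:", suspicious_accounts(SAMPLE_LOG))
```
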
