spammer sending mail through non existing smtp sasl user

#1 Sat, 10/27/2012 - 16:28
mnt_schred

One of my Virtualmin servers (CentOS based) is being used by a spammer.

tail -f /var/log/maillog | grep sasl

Oct 26 18:28:17 postfix/smtpd[22204]: 900D6BC033: client=mail.zabo.be[217.76.226.156], sasl_method=LOGIN, sasl_username=username@domain
Oct 26 18:32:42 postfix/smtpd[23738]: D89DFBC033: client=93-2-60.netrun.cytanet.com.cy[93.109.2.60], sasl_method=LOGIN, sasl_username=username@domain
Oct 26 18:43:59 postfix/smtpd[27327]: 6DD12BC033: client=unknown[79.174.197.27], sasl_method=LOGIN, sasl_username=username@domain
Oct 26 18:57:15 postfix/smtpd[30563]: 6CD31BC033: client=unknown[41.224.242.182], sasl_method=LOGIN, sasl_username=username@domain
Oct 26 20:40:01 postfix/smtpd[27600]: 06E0EBC033: client=bre75-1-78-192-242-228.fbxo.proxad.net[78.192.242.228], sasl_method=LOGIN, sasl_username=username@domain

I've changed the username to username@domain for obvious reasons.

The username@domain is not a Virtualmin user, but it was the same e-mail address as an alias. I've changed the password of the account which the alias referred to, and I even deleted the alias, but the spammer is still able to authenticate and send spam.

The strange thing is that username@domain is not a system user and I cannot find any other reference to this user.

How can I tell which database smtpd uses in Virtualmin to do the SASL authentication? Does anyone know how I can prevent a specific user from using SMTP?

Sun, 10/28/2012 - 23:19
andreychek

Howdy,

Hmm, by default you shouldn't be able to authenticate without a system user, though there are two things I can think of to look for... one, can you post the output of "postconf -n"? I'm curious if there's something in there enabling some sort of virtual user that would cause it to not need a system user.

Second, if you didn't already, can you run "grep username@domain /etc/passwd", just to make super-sure that there's no username in there?

-Eric

Mon, 10/29/2012 - 14:37
jrhosting

Or just run "id username@domain" instead (because if it is not from /etc/passwd but via LDAP or something, you will not find it with grep).

The log just tells you that someone is able to log on to the Postfix instance with the credentials shown. So there must be a user that authorizes this login (else you would get failures).

Rgrds, Remko
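The three posts together describe a procedure: pull the sasl_username values out of maillog, see who is logging in from where, and then check each name against the account database with "id" rather than by grepping /etc/passwd, plus "postconf -n" to see how smtpd is doing SASL at all. The script below is an added example that does exactly that; it is not from the thread or from Virtualmin. The log lines it runs on are constructed (documentation IPs and made-up usernames, in the same format as the posted lines), and the sasl_summary / account_exists / sasl_report / show_sasl_backend function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: summarise Postfix SASL logins from a
# maillog and check whether each sasl_username resolves to a real account.
# Only relies on the "client=host[ip], sasl_method=..., sasl_username=..."
# format shown in the thread, so it does not care about the syslog prefix.

# Constructed sample log (documentation IPs, made-up users), same layout as the posted lines.
SAMPLE_LOG='Oct 26 18:28:17 host postfix/smtpd[22204]: 900D6BC033: client=mail.example.net[192.0.2.10], sasl_method=LOGIN, sasl_username=alias@example.org
Oct 26 18:32:42 host postfix/smtpd[23738]: D89DFBC033: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alias@example.org
Oct 26 18:40:00 host postfix/smtpd[23900]: 1A2B3C4D5E: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=root
Oct 26 18:43:59 host postfix/smtpd[27327]: 6DD12BC033: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alias@example.org
Oct 26 18:50:00 host postfix/smtpd[27400]: disconnect from unknown[203.0.113.5]'

# sasl_summary LOGFILE
# One line per sasl_username: "<user> <logins> <distinct client IPs>",
# most logins first. Many logins from many unrelated IPs on one name is the
# pattern the original poster saw.
sasl_summary() {
    awk '
        /sasl_username=/ {
            ip = $0;   sub(/.*client=[^[]*\[/, "", ip);  sub(/\].*/, "", ip)
            user = $0; sub(/.*sasl_username=/, "", user); sub(/[ ,].*/, "", user)
            logins[user]++
            if (!((user, ip) in seen)) { seen[user, ip] = 1; ips[user]++ }
        }
        END { for (u in logins) print u, logins[u], ips[u] }
    ' "$1" | sort -k2,2nr
}

# account_exists NAME
# True if NAME resolves through NSS. Using id (as suggested in the thread)
# instead of grepping /etc/passwd also catches LDAP/NIS users.
account_exists() {
    id "$1" >/dev/null 2>&1
}

# sasl_report LOGFILE
# Summary plus whether each authenticating name is a known account.
sasl_report() {
    sasl_summary "$1" | while read -r user logins ips; do
        if account_exists "$user"; then
            status=account-found
        else
            status=NO-SUCH-ACCOUNT   # authenticates but is not an OS/NSS user: check the SASL backend
        fi
        printf '%s logins=%s client_ips=%s %s\n' "$user" "$logins" "$ips" "$status"
    done
}

# show_sasl_backend
# Where smtpd actually verifies credentials: the SASL settings from "postconf -n"
# and the Cyrus SASL config (pwcheck_method=saslauthd means PAM/system accounts;
# auxprop with sasldb/sql means a separate password database).
show_sasl_backend() {
    if command -v postconf >/dev/null 2>&1; then
        postconf -n | grep -i sasl || true
    fi
    for f in /etc/sasl2/smtpd.conf /usr/lib/sasl2/smtpd.conf /usr/lib64/sasl2/smtpd.conf; do
        if [ -r "$f" ]; then
            echo "== $f"
            cat "$f"
        fi
    done
    return 0
}

# Stand-alone run on the constructed sample; on the server use /var/log/maillog instead.
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
sasl_report "$demo_log"
rm -f "$demo_log"
show_sasl_backend
```

On the poster's box the interesting output is a line ending in NO-SUCH-ACCOUNT together with a "postconf -n" or smtpd.conf entry pointing at something other than saslauthd/PAM; that is the database the deleted alias was never removed from.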
