Date: Sun, 14 Jan 2007 10:18:39 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: David Banning <david+dated+1169163260.888eb8@skytracker.ca>
Cc: Paul Schmehl <pauls@utdallas.edu>, questions@freebsd.org
Subject: Re: question on smtp AUTH
Message-ID: <45AA037F.4090306@infracaninophile.co.uk>
In-Reply-To: <20070113233415.GA20356@skytracker.ca>
References: <20070113180815.GA7980@skytracker.ca> <9F7B3DEC0E5C38DF44E9AE3A@paul-schmehls-powerbook59.local> <20070113233415.GA20356@skytracker.ca>
David Banning wrote:
>> That would seem to suggest that the spam is being sent using an authorized
>> account, however, is it possible that a host inside your network is
>> sending the spam?
>
> Thanks for that test Paul. I do believe that it could have been a
> virus-infected windows box. I am not convinced now. I -do- know that I have
> had crackers attempting access via SSH and I did not have anything to
> stop them from trying every possible configuration. Eventually they
> may have gotten a usable login and password. I now have them blocked
> after 5 failed attempts but still there could be someone spamming using
> the login and password obtained previously. Before getting -everyone-
> to change their password I am wondering if there isn't a way to log
> who is sending via what login authentication. I could then just
> set up a new password for that user only.

You can make the logging more verbose at the SASL level. You should
have a file /usr/local/lib/sasl2/Sendmail.conf which contains sendmail
specific bits of the SASL configuration (just create it if you don't
already have it). You can add to that a

    log_level: 6

parameter, which should cause enough logging to be generated that you
can tell who was logging in and where from, without logging passwords
or other sensitive stuff. You might want to follow the instructions in
/etc/syslog.conf for enabling the all.log.

For more info on the sort of stuff you can put in the various SASL
config files see:

    http://www.sendmail.org/~ca/email/cyrus2/options.html

The available levels (from sasl.h) are:

    /* Logging levels for use with the logging callback function. */
    #define SASL_LOG_NONE  0 /* don't log anything */
    #define SASL_LOG_ERR   1 /* log unusual errors (default) */
    #define SASL_LOG_FAIL  2 /* log all authentication failures */
    #define SASL_LOG_WARN  3 /* log non-fatal warnings */
    #define SASL_LOG_NOTE  4 /* more verbose than LOG_WARN */
    #define SASL_LOG_DEBUG 5 /* more verbose than LOG_NOTE */
    #define SASL_LOG_TRACE 6 /* traces of internal protocols */
    #define SASL_LOG_PASS  7 /* traces of internal protocols, including
                              * passwords */

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
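Once authentication is being logged as described above, the practical next step is to see which AUTH accounts are relaying and from how many client addresses. The following sh/awk script is an added example, not part of this thread; it assumes sendmail's "AUTH=server, relay=..., authid=..., mech=..." maillog line shape, and the log lines it processes are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: once authentication is being logged,
# count how many times each SMTP AUTH account relayed mail and from how many
# distinct client addresses. An account authenticating from many addresses
# is a candidate for the password reset the original poster wants to target.
# Assumes sendmail's "AUTH=server, relay=..., authid=..., mech=..." log line
# shape (an assumption, not taken from the thread).

# Write constructed sample maillog lines to the file named in $1.
sample_log() {
    cat > "$1" <<'EOF'
Jan 14 09:01:12 mail sm-mta[5012]: l0E91Cx5012: AUTH=server, relay=[192.0.2.10], authid=alice, mech=LOGIN, bits=0
Jan 14 09:02:30 mail sm-mta[5019]: l0E92Ux5019: AUTH=server, relay=[198.51.100.7], authid=bob, mech=PLAIN, bits=0
Jan 14 09:02:41 mail sm-mta[5023]: l0E92fx5023: AUTH=server, relay=[203.0.113.44], authid=bob, mech=PLAIN, bits=0
Jan 14 09:03:05 mail sm-mta[5031]: l0E935x5031: AUTH=server, relay=[203.0.113.45], authid=bob, mech=LOGIN, bits=0
Jan 14 09:05:00 mail sm-mta[5040]: l0E950x5040: AUTH=server, relay=[192.0.2.10], authid=alice, mech=LOGIN, bits=0
EOF
}

# Print "user logins=N sources=M" for every authid seen in the log file $1.
summarize_auth() {
    awk '
        /AUTH=server/ {
            ip = ""; user = ""
            for (i = 1; i <= NF; i++) {
                # relay=host [ip] or relay=[ip]: pull out the bracketed address
                if (match($i, /\[[0-9.]+\]/)) ip = substr($i, RSTART + 1, RLENGTH - 2)
                if ($i ~ /^authid=/) { user = substr($i, 8); sub(/,$/, "", user) }
            }
            if (user == "") next
            logins[user]++
            if (!((user, ip) in seen)) { seen[user, ip] = 1; sources[user]++ }
        }
        END {
            for (u in logins) printf "%s logins=%d sources=%d\n", u, logins[u], sources[u]
        }' "$1" | sort
}

# Print the accounts from log file $1 seen from at least $2 distinct addresses.
suspect_accounts() {
    summarize_auth "$1" | awk -v min="$2" '
        { split($3, s, "="); if (s[2] + 0 >= min) print $1 }'
}

tmp=$(mktemp)
sample_log "$tmp"
summarize_auth "$tmp"
suspect_accounts "$tmp" 3
rm -f "$tmp"
```

Point summarize_auth at the real maillog (or the all.log enabled via /etc/syslog.conf) instead of the constructed sample to get the per-account picture for the live system.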