Today I received an abuse notice from my ISP. Apparently, spam was sent from my IP address. I asked for some extra info and started digging through the log files. And to my astonishment, someone was connecting to my mailserver, authenticating with a bogus username against SASL and sending emails through my server.
How is this even possible?
Here is a snippet from the logs
Code:
Apr 1 10:39:23 mail postfix/smtpd[29028]: warning: hostname static-198-124.softronics.ch does not resolve to address 94.242.198.124: Name or service not known
Apr 1 10:39:23 mail postfix/smtpd[29028]: connect from unknown[94.242.198.124]
Apr 1 10:39:23 mail postfix/smtpd[29028]: 709CC41E259: client=unknown[94.242.198.124], sasl_method=LOGIN, sasl_username=fax@mydomain.com
Apr 1 10:39:23 mail postfix/cleanup[29170]: 709CC41E259: message-id=<eb03a1f320b5a7b250080622b32f3901@mydomain.com>
Apr 1 10:39:24 mail postfix/qmgr[29581]: 709CC41E259: from=<fax@mydomain.com>, size=5040, nrcpt=1 (queue active)
Apr 1 10:39:24 mail postfix/smtpd[29028]: disconnect from unknown[94.242.198.124]
Apr 1 10:39:25 mail postfix/smtpd[29055]: connect from mail.mydomain.com[127.0.0.1]
Apr 1 10:39:25 mail postfix/smtpd[29055]: 6CBE141E599: client=mail.mydomain.com[127.0.0.1]
Apr 1 10:39:25 mail postfix/cleanup[28957]: 6CBE141E599: message-id=<eb03a1f320b5a7b250080622b32f3901@mydomain.com>
Apr 1 10:39:25 mail postfix/smtpd[29055]: disconnect from mail.mydomain.com[127.0.0.1]
Apr 1 10:39:25 mail postfix/qmgr[29581]: 6CBE141E599: from=<fax@mydomain.com>, size=5509, nrcpt=1 (queue active)
Apr 1 10:39:25 mail postfix/smtp[28574]: 709CC41E259: to=<mrincodex2003@yahoo.co.uk>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.2, delays=0.8/0/0/1.4, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6CBE141E599)
Apr 1 10:39:25 mail postfix/qmgr[29581]: 709CC41E259: removed
Apr 1 10:39:26 mail postfix/smtp[28710]: 6CBE141E599: to=<mrincodex2003@yahoo.co.uk>, relay=mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25, delay=0.92, delays=0.2/0/0.1/0.63, dsn=2.0.0, status=sent (250 ok dirdel)
Apr 1 10:39:26 mail postfix/qmgr[29581]: 6CBE141E599: removed
* We do not use the full email address to authenticate, only the username.
* The user fax, or the email address fax@mydomain.com, doesn't even exist.
* How could someone authenticate himself as fax@mydomain.com, succeed at this and start sending emails?
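As an added example (not code from the original post), here is a small Python check over constructed log lines in the Postfix smtpd format shown above; it flags SASL logins whose username is not a real account, or which use a full address where the server expects a bare username. KNOWN_USERS is an assumed account list and the extra "alice" line is constructed.

```python
import re

# Constructed sample lines, modelled on the Postfix smtpd log format in the post above.
SAMPLE_LOG = """\
Apr 1 10:39:23 mail postfix/smtpd[29028]: connect from unknown[94.242.198.124]
Apr 1 10:39:23 mail postfix/smtpd[29028]: 709CC41E259: client=unknown[94.242.198.124], sasl_method=LOGIN, sasl_username=fax@mydomain.com
Apr 1 10:39:25 mail postfix/smtpd[29055]: 6CBE141E599: client=mail.mydomain.com[127.0.0.1]
Apr 1 10:41:02 mail postfix/smtpd[29060]: 7A1B241E260: client=laptop.lan[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
"""

# Hypothetical set of real mailbox names on this server (bare usernames, as the post describes).
KNOWN_USERS = {"alice", "bob"}

# Matches the line smtpd writes when a client has authenticated before submitting a message.
AUTH_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>\S+?)\[(?P<ip>[^\]]+)\]"
    r", sasl_method=(?P<method>[^,]+), sasl_username=(?P<user>\S+)"
)


def find_suspicious_auths(log_text, known_users):
    """Return (queue_id, client_ip, sasl_username, reason) for logins that should not have succeeded."""
    findings = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # unauthenticated submission (e.g. the loopback re-injection) or unrelated line
        user = m["user"]
        reasons = []
        if "@" in user:
            # The server authenticates bare usernames, so a full address is itself anomalous.
            reasons.append("full address used where only a bare username is expected")
            local = user.split("@", 1)[0]
        else:
            local = user
        if local not in known_users:
            reasons.append("no such account")
        if reasons:
            findings.append((m["qid"], m["ip"], user, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for qid, ip, user, why in find_suspicious_auths(SAMPLE_LOG, KNOWN_USERS):
        print(f"{qid} from {ip} authenticated as {user}: {why}")
```

Running this against the real mail.log shows every queue ID that was accepted on the strength of a non-existent account, which is the set of messages to trace before the SASL backend is fixed.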