Not sure if RT_AUTHRELAY_ALERT is working?
Posted: 26 May 2009, 19:02
Recently, a spammer guessed the email password of one of our users (he guessed it in 5 tries!) and then proceeded to use SMTP AUTH to send thousands of spams through my server.
I looked through my e-mail alerts, and did not find any alerts about this high volume of relayed mail. I only found out about the problem due to receiving an alert about the high queue size.
In CSF, I have the following:
RT_AUTHRELAY_ALERT = 1 (Default: 1)
RT_AUTHRELAY_LIMIT = 100 (Default: 100)
RT_AUTHRELAY_BLOCK = 0 (Default: 0)
Looking at the logs, this spammer may have used BCCs to send out mail... does CSF count the number of messages, or the number of recipients? I'm going to guess the number of messages... so maybe if the spammer sent out a small number of messages with a huge number of BCCs, it would fly under the CSF radar?
Here are two log snippets that show the large number of recipients (I've redacted anything personal) -- I don't know if the exim log limits the size of the list of recipients, or if these two messages are showing the full list of recipients for these messages. gary@redacted.com is my customer who had his email password guessed (exim logs show 4 logins denied, then success, hence my opinion his password was guessed).
2009-05-22 12:19:59 [6152] 1M7YPU-0001bE-7F <= alex@redacted.onet.pl H=(User) [82.128.47.119]:3128 I=[123.123.123.123]:25 P=esmtpa A=fixed_login:gary@redacted.com S=4155 T="CALL FOR YOUR PACKAGE +234-805-996-9221 OR 011-234-805-996-9221" from <alex@redacted.onet.pl> for redacted@msn.com redacted@yahoo.com redacted@earthlink.net redacted@consolidated.net redacted@hotmail.com redacted@yahoo.com redacted@yahoo.com redacted@verizon.net redacted@yahoo.com redacted@yahoo.com redacted@yahoo.com redacted@netzero.com redacted@verizon.net redacted@redacted.com redacted@smithbarney.com redacted@gmail.com redacted@yahoo.com redacted@verizon.net redacted@roche.com redacted@davita.com redacted@yahoo.com redacted@verizonwireless.com redacted@netscape.com redacted@yahoo.com redacted@yahoo.com redacted@yahoo.com redacted@yahoo.com redacted@hotmail.com redacted@yahoo.com redacted@yahoo.com redacted@yahoo.com redacted@yahoo.com redacted@yahoo.com redacted@yahoo.com redacted@yahoo.com redacted@yahoo.com redacted@yahoo.com redacted@aol.com redacted@aol.com redacted@yahoo.com redacted@earthlink.net redacted@aol.com redacted@yahoo.com redacted@yahoo.com redacted@tds.net redacted@yahoo.com redacted@aol.com redacted@yahoo.com redacted@yahoo.com redacted@aol.com
2009-05-22 12:20:05 [7056] 1M7YPd-0001po-5j <= info@redacted.com H=localhost [127.0.0.1]:56061 I=[127.0.0.1]:25 P=esmtpa A=fixed_login:gary@redacted.com S=4359 id=20090522122004.bo26u4u6so8os0ck@www7.redacted.com T="Goodday TO You!!!!!!!!!!!!" from <info@redacted.com> for redacted@yahoo.com redacted@adelphia.net redacted@optonline.net redacted@att.net redacted@rocketmail.com redacted@yahoo.com redacted@adelphia.net redacted@yahoo.com redacted@yahoo.com redacted@yahoo.com redacted@yahoo.com redacted@yahoo.com redacted@earthlink.net redacted@fkilogistex.com redacted@yahoo.com redacted@yahoo.com redacted@austin.rr.com redacted@yahoo.com redacted@yahoo.com redacted@yahoo.com redacted@juno.com redacted@yahoo.com redacted@aol.com redacted@yahoo.com redacted@yahoo.com redacted@yahoo.com redacted@yahoo.com redacted@hotmail.com redacted@univision.com redacted@yahoo.com redacted@yahoo.com redacted@yahoo.com redacted@verizon.net redacted@charter.net redacted@yahoo.com redacted@yahoo.com redacted@yahoo.com redacted@yahoo.com redacted@yahoo.com redacted@yahoo.com redacted@hotmail.com redacted@mchsi.com redacted@yahoo.com redacted@yahoo.com redacted@insight.rr.com redacted@stny.rr.com redacted@yahoo.com redacted@hotmail.com redacted@redacted.com redacted@yahoo.com redacted@yahoo.com redacted@hotmail.com redacted@verizon.net redacted@yahoo.com redacted@redacted.com redacted@kodak.com redacted@aol.com redacted@yahoo.com redacted@yahoo.com redacted@earthlink.net redacted@windstream.net redacted@yahoo.com redacted@yahoo.com redacted@yahoo.com redacted@stny.rr.com redacted@yahoo.com redacted@aol.com redacted@yahoo.com redacted@yahoo.com redacted@aol.com redacted@yahoo.com redacted@ec.rr.com fredacted@aol.com redacted@yahoo.com redacted@yahoo.com redacted@yahoo.com redacted@mac.com redacted@yahoo.com redacted@gmail.com redacted@yahoo.com redacted@snet.net redacted@yahoo.com redacted@yahoo.com redacted@bellsouth.net redacted@yahoo.com redacted@yahoo.com redacted@yahoo.com redacted@yahoo.com redacted@twcny.rr.com redacted@yahoo.com redacted@yahoo.com redacted@yahoo.com redacted@yahoo.com redacted@yahoo.com redacted@peoplepc.com redacted@redacted.com redacted@msn.com redacted@yahoo.com redacted@verizon.net redacted@msn.com
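As an added example (not code from the post, nor from CSF/lfd), the script below tallies exim mainlog "<=" arrival lines per authenticated user and hour, counting both messages and total envelope recipients, so the two ways of measuring relay volume that the post asks about can be compared side by side. The sample log lines and the hourly window are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed exim mainlog lines (not from the original post). '<=' marks a
# message arrival; A=<authenticator>:<user> is present only for SMTP AUTH
# submissions; the trailing 'for' clause lists every envelope recipient.
SAMPLE_LOG = """\
2009-05-22 12:19:59 [6152] 1M7YPU-0001bE-7F <= alex@example.org H=(User) [192.0.2.10]:3128 I=[198.51.100.5]:25 P=esmtpa A=fixed_login:gary@example.com S=4155 T="hello" from <alex@example.org> for a@example.net b@example.net c@example.net
2009-05-22 12:20:05 [7056] 1M7YPd-0001po-5j <= info@example.com H=localhost [127.0.0.1]:56061 I=[127.0.0.1]:25 P=esmtpa A=fixed_login:gary@example.com S=4359 T="look for this" from <info@example.com> for d@example.net e@example.net
2009-05-22 12:21:00 [7100] 1M7YQa-0001qq-1x <= bob@example.com H=(pc) [192.0.2.20]:1234 I=[198.51.100.5]:25 P=esmtpa A=fixed_login:bob@example.com S=100 T="x" from <bob@example.com> for f@example.net
2009-05-22 12:21:30 [7101] 1M7YQb-0001qr-2y <= other@example.org H=mx [192.0.2.30]:5555 I=[198.51.100.5]:25 P=esmtp S=100 from <other@example.org> for g@example.net
"""

# The greedy '.*' before '\sfor\s' binds to the LAST ' for ' on the line, so a
# subject such as T="look for this" does not truncate the recipient list.
ARRIVAL_RE = re.compile(
    r'^(?P<hour>\d{4}-\d{2}-\d{2} \d{2}):\d{2}:\d{2} .*?\s<=\s.*?'
    r'\sA=[^:\s]+:(?P<user>\S+).*\sfor\s(?P<rcpts>.+?)\s*$'
)


def tally_auth_relay(log_text):
    """Per (user, hour) bucket: number of authenticated messages and the total
    number of envelope recipients across those messages."""
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0})
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m:
            continue  # unauthenticated arrival or some other log event
        key = (m.group("user"), m.group("hour"))
        stats[key]["messages"] += 1
        stats[key]["recipients"] += len(m.group("rcpts").split())
    return dict(stats)


def over_limit(stats, limit):
    """Return (buckets exceeding `limit` by message count,
               buckets exceeding `limit` ONLY by recipient count).
    The second set is the few-messages-many-BCCs case a per-message
    counter would not notice."""
    by_messages = {k for k, s in stats.items() if s["messages"] > limit}
    by_recipients = {k for k, s in stats.items() if s["recipients"] > limit}
    return by_messages, by_recipients - by_messages


if __name__ == "__main__":
    for (user, hour), s in sorted(tally_auth_relay(SAMPLE_LOG).items()):
        print(f"{hour}:xx {user}: {s['messages']} msgs, {s['recipients']} rcpts")
```

Running it over the real mainlog (for example via `sys.stdin.read()`) and comparing the two sets returned by `over_limit` for the configured RT_AUTHRELAY_LIMIT shows directly whether an account's abuse would only be visible in the recipient count.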