How did this get through?

Carpenter, Troy troy at carpenter.cx
Wed Mar 26 16:01:55 CET 2014


On 2014-03-26 10:44 am, hede wrote:
> On Wed, 26 Mar 2014 09:55:08 -0400, "Troy Carpenter"
> <troy at carpenter.cx> wrote:
> 
>> Short of this person hacking my password (as may be indicated by the
>> second line in the log below and which has since been changed), how did
>> the email below get through my system?
> 
> Maybe I do not understand the question, but if he really hacked your
> password, then it's quite common his mails get through your system!?

This email got flagged by the SPAM system running on the smart relay I 
use.  It prompted me to go through the logs for the past month.  This is 
the only instance I can find where something from the outside passed 
through my system and back to the outside world that wasn't supposed to.
The only difference I see between this and normal relay probing is that 
the connect line implies the hacker (spammer) was actually authorized:

"Mar 26 08:18:19 mail postfix/submission/smtpd[25019]: 52AD338A1: 
client=unknown[85.26.199.161], sasl_method=PLAIN, 
sasl_username=troy at carpenter.cx"

No other log entries EXCEPT when valid users send email have the 
sasl_username entry.  The IP address listed above looks Russian, so 
clearly one of my hosts didn't generate the email (as in a bot attack).

If it was a password hack, then the spammer has to start sometime and 
maybe I caught him before he could get started.  If he's got my 
password, then I can understand how the system let the email 
through...but I just want to be sure that some other hole wasn't found.
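The check described above (no sasl_username entry except for valid users, and an authenticated submission from an unexpected IP) can be made routine by parsing the smtpd "client=" lines. The following is an added example, not code from this thread or from Postfix; it assumes constructed log lines in the same format as the one quoted in the message, a hypothetical trusted-network list, and example.org usernames.

```python
import ipaddress
import re
from collections import defaultdict

# Postfix smtpd "client=" line. The sasl_method/sasl_username fields appear
# only when the session authenticated; unauthenticated MX traffic has none.
CLIENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?:(?P<service>\w+)/)?smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=(?P<rdns>[^\[]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>[^,\s]+))?"
    r"(?:, sasl_username=(?P<user>\S+))?\s*$"
)

# Constructed sample log (not from the poster's system). Line 1 mirrors the
# shape of the line quoted in the message; the rest use documentation ranges.
SAMPLE_LOG = [
    "Mar 26 08:18:19 mail postfix/submission/smtpd[25019]: 52AD338A1: "
    "client=unknown[85.26.199.161], sasl_method=PLAIN, sasl_username=troy@example.org",
    "Mar 26 08:20:03 mail postfix/submission/smtpd[25031]: 7B1C238A2: "
    "client=laptop.lan[192.0.2.15], sasl_method=PLAIN, sasl_username=troy@example.org",
    "Mar 26 08:25:41 mail postfix/smtpd[25044]: 9C0D138A3: "
    "client=mx.example.net[198.51.100.7]",
    "Mar 26 08:30:12 mail postfix/submission/smtpd[25058]: A11E438A4: "
    "client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=alice@example.org",
]

# Hypothetical: networks from which your own users normally submit mail.
TRUSTED_NETS = ["192.0.2.0/24"]


def parse_line(line):
    """Return the parsed fields of a smtpd client= line, or None if it is not one."""
    m = CLIENT_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious_auth(lines, trusted_nets):
    """Authenticated sessions (sasl_username present) from outside trusted_nets.

    These are exactly the entries that look like a stolen or guessed password:
    the relay accepted the mail because the login succeeded, not because of a
    relay hole.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["user"]:
            continue  # unparsed, or unauthenticated inbound delivery
        addr = ipaddress.ip_address(rec["ip"])
        if not any(addr in net for net in nets):
            hits.append(rec)
    return hits


def auth_ips_per_user(lines):
    """Map each sasl_username to the set of client IPs it authenticated from.

    A user suddenly logging in from a new IP (or from many) is the quickest
    signal that the credential, not the relay configuration, is the problem.
    """
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["user"]:
            seen[rec["user"]].add(rec["ip"])
    return dict(seen)


if __name__ == "__main__":
    for rec in find_suspicious_auth(SAMPLE_LOG, TRUSTED_NETS):
        print(f"{rec['ts']} {rec['qid']}: {rec['user']} authenticated "
              f"({rec['method']}) from untrusted {rec['ip']}")
    for user, ips in auth_ips_per_user(SAMPLE_LOG).items():
        print(f"{user}: {sorted(ips)}")
```

Run it against `/var/log/mail.log` by feeding the file's lines to the two functions; lines without sasl_username (normal inbound MX traffic and rejected relay probes) are ignored on purpose, so every hit is a successful login and warrants a password reset for that account.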
