How did this get through?
Carpenter, Troy
troy at carpenter.cx
Wed Mar 26 16:01:55 CET 2014
On 2014-03-26 10:44 am, hede wrote:
> On Wed, 26 Mar 2014 09:55:08 -0400, "Troy Carpenter"
> <troy at carpenter.cx> wrote:
>
>> Short of this person hacking my password (as may be indicated by the
>> second line in the log below and which has since been changed), how did
>> the email below get through my system?
>
> Maybe I do not understand the question, but if he really hacked your
> password, then it's quite common his mails get through your system!?
This email got flagged by the SPAM system running on the smart relay I
use. It prompted me to go through the logs for the past month. This is
the only instance I can find where something from the outside passed
through my system and back to the outside world that wasn't supposed to.
The only difference I see between this and normal relay probing is that
the connect line implies the hacker (spammer) was actually authorized:
"Mar 26 08:18:19 mail postfix/submission/smtpd[25019]: 52AD338A1: client=unknown[85.26.199.161], sasl_method=PLAIN, sasl_username=troy at carpenter.cx"
No other log entries EXCEPT when valid users send email have the
sasl_username entry. The IP address listed above looks Russian, so
clearly one of my hosts didn't generate the email (as in a bot attack).
If it was a password hack, then the spammer has to start sometime and
maybe I caught him before he could get started. If he's got my
password, then I can understand how the system let the email
through...but I just want to be sure that some other hole wasn't found.
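The check Troy describes doing by hand, reading a month of logs for submission connections that carry a sasl_username from an address that is not one of his own hosts, is easy to script. The following is an added example and not code from the thread: it parses postfix submission/smtpd "client=" lines, flags any SASL-authenticated session whose client IP falls outside a trusted network list, and also reports the set of source IPs seen per account, since one user authenticating from several unrelated networks is another sign of a stolen password. The log sample is constructed for the example (the 85.26.199.161 line is the one quoted above; the mailing-list archive rewrites "@" as " at ", so the sample uses the real-log form), the 192.0.2.0/24 addresses are documentation-range placeholders, and the trusted-network list is an assumption a site would fill in from its own hosts.

```python
import ipaddress
import re
from collections import defaultdict

# Postfix submission smtpd line that records a successful SASL login, e.g.
# "Mar 26 08:18:19 mail postfix/submission/smtpd[25019]: 52AD338A1:
#  client=unknown[85.26.199.161], sasl_method=PLAIN, sasl_username=user@example"
SASL_LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/submission/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=(?P<rdns>\S+?)\[(?P<ip>[0-9a-fA-F.:]+)\], "
    r"sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)$"
)


def parse_sasl_logins(lines):
    """Yield one dict per authenticated submission found in the log lines.

    Lines from other postfix daemons (plain smtpd relay probes, rejects,
    cleanup, qmgr) do not match and are skipped.
    """
    for line in lines:
        m = SASL_LOGIN_RE.match(line.strip())
        if m:
            yield m.groupdict()


def flag_sasl_logins(lines, trusted_networks):
    """Return the authenticated sessions whose client IP is not in a trusted network."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    flagged = []
    for rec in parse_sasl_logins(lines):
        ip = ipaddress.ip_address(rec["ip"])
        if not any(ip in net for net in nets):
            flagged.append(rec)
    return flagged


def logins_by_user(lines):
    """Map each sasl_username to the sorted list of client IPs it logged in from."""
    seen = defaultdict(set)
    for rec in parse_sasl_logins(lines):
        seen[rec["user"]].add(rec["ip"])
    return {user: sorted(ips) for user, ips in seen.items()}


# Constructed sample log: a normal login from the home LAN, the suspicious
# login quoted in the thread, an ordinary relay probe that was rejected
# (no sasl_username, so it is ignored), and a second legitimate user.
SAMPLE_LOG = """\
Mar 26 07:55:02 mail postfix/submission/smtpd[24870]: 3F1A238A0: client=home.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=troy@carpenter.cx
Mar 26 08:18:19 mail postfix/submission/smtpd[25019]: 52AD338A1: client=unknown[85.26.199.161], sasl_method=PLAIN, sasl_username=troy@carpenter.cx
Mar 26 08:20:44 mail postfix/smtpd[25031]: connect from unknown[198.51.100.77]
Mar 26 08:20:45 mail postfix/smtpd[25031]: NOQUEUE: reject: RCPT from unknown[198.51.100.77]: 454 4.7.1 <victim@example.org>: Relay access denied
Mar 26 09:02:11 mail postfix/submission/smtpd[25102]: 7C0E138A3: client=laptop.example.net[192.0.2.23], sasl_method=LOGIN, sasl_username=alice@carpenter.cx
"""

# Assumed trusted networks; a real deployment lists its own LAN / VPN ranges.
TRUSTED = ["192.0.2.0/24"]

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rec in flag_sasl_logins(lines, TRUSTED):
        print(f"{rec['ts']} {rec['user']} authenticated from untrusted "
              f"{rec['ip']} (queue id {rec['qid']}, method {rec['method']})")
    for user, ips in logins_by_user(lines).items():
        if len(ips) > 1:
            print(f"{user} logged in from {len(ips)} distinct addresses: {ips}")
```

Run against the real mail.log (or journalctl output) with the site's own trusted ranges; a match answers Troy's question directly, since a session that carries sasl_username was accepted because of the credential, not because of an open relay, and the queue id lets you pull the matching qmgr and smtp lines to see what that session actually sent.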