Null logins used to create spam
I have been plagued by several spammers / spam bots that have been injecting spam into qmail via a null user login.
# cat /usr/local/psa/var/log/maillog |grep null
Jun 17 09:02:46 penguin4 smtp_auth: SMTP connect from (null)@13.224.136.219.broad.gz.gd.dynamic.163data.com.cn [219.136.224.13]
Jun 17 09:02:46 penguin4 smtp_auth: smtp_auth: SMTP user : logged in from (null)@13.224.136.219.broad.gz.gd.dynamic.163data.com.cn [219.136.224.13]
I have spent a lot of time researching this over the last month and believe I may have an answer for those that want to stop this before the patch of 8.4.1.
Let me continue with a bit more information before I give my conclusion.
Plesk Control Panel version
psa v8.4.0_build84080514.18 os_FedoraCore 6
Operating system
GenuineIntel, Intel(R) Xeon(R)CPU 5130 @ 2.00GHz
Linux 2.6.18-1.2798.fc6
My first move was to add the domain 163data.com.cn to the blacklist.
I have never seen anything but spam come from 163data anyway.
So I thought all was solved for the server until the next day when, sure enough, hundreds more spam came from 163data.com.cn.
So the next step was to add
ALL: .163data.com.cn : DENY
to /etc/hosts.allow
This was sure to get these buggers.
Well, for the next few days things seemed OK,
then bam! They were back again and they sure had me baffled.
So this had to be a user or internal, was my thought,
at which point I looked at the smtp-auth and discovered the null logins,
and also noticed that they were using my reverse DNS names as the sender's name.
I thought this curious and noted that this was a way to get through the hosts.allow block.
I proceeded to recreate how they were getting through and sure enough a simple
telnet MYDOMAIN.com 25
smtp_auth: AUTH
[email protected]
smtp_auth: PASS (null)
got me through.
WOW, how could this be?
I tried removing the reverse DNS in the thought that relaylock would pick it up
(NOPE, didn't work).
I was so frustrated that I decided to move all the server IPs in the hope of at least tracking why (really didn't want to do this).
It was when I got to the point of actually moving the IPs that I noticed one common denominator.
The IPs that they were using for the names (reverse DNS names) had NO SITES ON THEM.
I had added a block of IPs in preparation for several server migration moves and never needed all of them, but just left them in place for future additions.
At this point I have removed the unused ones and added a site to the one they picked on the most.
After 3 days I see their failed null attempts, but the spam is gone.
hope this helps
Jerry The Mouse
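Added example (not from the post above): a small Python parser for the maillog lines shown in the post that pulls out every successful "(null)@" SMTP AUTH login, counts them per remote IP, and flags logins whose claimed name is one of the server's own reverse DNS names. The sample log text, the IPs, the hostnames and the set of own reverse DNS names are all constructed for the example; the line format follows the two maillog lines quoted in the post.

```python
import re
from collections import Counter

# Constructed sample lines in the format quoted in the post (IPs and names are made up).
# Only "logged in from (null)@" lines are successful null-user logins; the
# "SMTP connect from" lines are just connections.
SAMPLE_MAILLOG = """\
Jun 17 09:02:46 penguin4 smtp_auth: SMTP connect from (null)@host-a.example.net [192.0.2.10]
Jun 17 09:02:46 penguin4 smtp_auth: smtp_auth: SMTP user : logged in from (null)@host-a.example.net [192.0.2.10]
Jun 17 09:03:01 penguin4 smtp_auth: smtp_auth: SMTP user alice: logged in from alice@mail.example.org [198.51.100.7]
Jun 17 09:05:12 penguin4 smtp_auth: smtp_auth: SMTP user : logged in from (null)@mx2.example.com [192.0.2.11]
Jun 17 09:05:12 penguin4 smtp_auth: smtp_auth: SMTP user : logged in from (null)@host-a.example.net [192.0.2.10]
"""

# Assumed set of the server's own reverse DNS names (constructed for the example).
OWN_RDNS_NAMES = {"mx2.example.com", "mx1.example.com"}

# Matches the successful-login line: user "(null)" followed by the claimed name and the IP.
NULL_LOGIN_RE = re.compile(r"logged in from \(null\)@(?P<name>\S+) \[(?P<ip>[0-9.]+)\]")


def null_logins(log_text):
    """Return a list of (ip, claimed_name) for every successful null-user SMTP AUTH login."""
    hits = []
    for line in log_text.splitlines():
        m = NULL_LOGIN_RE.search(line)
        if m:
            hits.append((m.group("ip"), m.group("name")))
    return hits


def count_by_ip(log_text):
    """Count successful null-user logins per remote IP (a Counter, most common first)."""
    return Counter(ip for ip, _ in null_logins(log_text))


def spoofing_own_names(log_text, own_names=OWN_RDNS_NAMES):
    """Return the sorted IPs whose null login claimed one of the server's own reverse DNS names."""
    return sorted({ip for ip, name in null_logins(log_text) if name in own_names})


if __name__ == "__main__":
    for ip, n in count_by_ip(SAMPLE_MAILLOG).most_common():
        print(f"{ip}: {n} null login(s)")
    print("claiming our own reverse DNS names:", spoofing_own_names(SAMPLE_MAILLOG))
```

On a live server the same functions can be fed the output of `cat /usr/local/psa/var/log/maillog`; entries with a count of zero for a real user but repeated null logins are the ones worth investigating.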