Re: Spam sent through server using authid=apache or mysql

On 5/30/2008 12:49 PM, Stephen Pusey wrote:
I'm new to this mailing list - but I am hoping that someone out there
may bring light to a problem I am having recently with spammers. I do
not allow relaying through the server and external tests have
confirmed that there are no open relays. I have also run a test for
open ports with pxytest - and none were found. Email can only be
relayed by users logged on through SASL etc. I have checked all the
user directories for old formmail programs and disabled any that I
found - but the apache logs do not show the spammer using POST or
formmail. The record of the spam only appears in the maillog. Here
is an example (I have changed the server name and the spammers

May 21 08:12:32 thismachine sendmail[16842]: AUTH=server, [],
authid=apache, mech=LOGIN, bits=0

Looks like they guessed the password for your 'apache' user.

spammers have also used authid=mysql

Same for mysql user. Except neither of these users should have valid password entries.

Or, something's wrong with your SASL so that it's authenticating valid user names with non-existent passwords?

Try sending email yourself with SASL, username apache and blank password?


Y'awl probably think I am an idiot for not figuring this out - but I
would really appreciate your help - or direction to the right place.



Mark Frey
IT Manager
Extend Communications Inc
49 Charlotte St
Brantford ON N3T 2W4
519 759-6820
800 265-9975
Fax: 519 751-5701
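
Added example, not part of the original message: a check that scans a sendmail maillog for successful SMTP AUTH records like the one quoted above and flags any whose authid is a system account such as apache or mysql. It assumes system accounts are those with a UID below 500 (adjust `min_human_uid` for your distribution); the passwd and maillog samples, including the relay addresses, are constructed.

```python
import re
from collections import Counter

# sendmail's record of a successful SMTP AUTH, as quoted in the thread.
# \s* after the comma tolerates a record wrapped by a mail client.
AUTH_RE = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: AUTH=server, (?P<relay>[^,]*),\s*"
    r"authid=(?P<authid>[^,\s]+), mech=(?P<mech>[^,\s]+), bits=(?P<bits>\d+)"
)

def service_accounts(passwd_text, min_human_uid=500):
    """Names from passwd-format text whose UID marks them as system accounts.
    The 500 threshold is an assumption, not something the thread states."""
    names = set()
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) == 7 and parts[2].isdigit() and int(parts[2]) < min_human_uid:
            names.add(parts[0])
    return names

def suspicious_auths(maillog_text, passwd_text, min_human_uid=500):
    """Successful AUTH records whose authid is a system account."""
    svc = service_accounts(passwd_text, min_human_uid)
    return [m.groupdict() for m in AUTH_RE.finditer(maillog_text)
            if m.group("authid") in svc]

def summarize(hits):
    """Count flagged logins per (authid, relay) pair for triage."""
    return Counter((h["authid"], h["relay"]) for h in hits)

# Constructed sample data (documentation IP ranges, made-up users).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
alice:x:501:501:Alice:/home/alice:/bin/bash
"""
SAMPLE_MAILLOG = """\
May 21 08:12:32 thismachine sendmail[16842]: AUTH=server, relay=[192.0.2.10], authid=apache, mech=LOGIN, bits=0
May 21 08:13:01 thismachine sendmail[16850]: AUTH=server, relay=client.example [198.51.100.7], authid=alice, mech=PLAIN, bits=0
May 21 08:14:45 thismachine sendmail[16861]: AUTH=server, relay=[192.0.2.10], authid=mysql, mech=LOGIN, bits=0
May 21 08:15:02 thismachine sendmail[16861]: m4LCEj9x016861: from=<x@example.com>, size=1200, nrcpts=40
"""

if __name__ == "__main__":
    for (authid, relay), n in summarize(
            suspicious_auths(SAMPLE_MAILLOG, SAMPLE_PASSWD)).items():
        print(f"{n} AUTH success(es) as system account {authid!r} from {relay}")
```

Any hit means the SASL backend accepted a credential for an account that should not be able to authenticate at all, which is the condition both explanations in the reply point to.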