A bit of healthy paranoia never goes amiss [:P]

<p>Hi folks , i got an issue with an spammer / scammer again i just dont have a clue how he could spoof the right credentials ...</p><p>heres a session log , maybe someone can gimme a hint , i tried to decrypt the md5 pass and username but no success ...</p><p>i use dns blacklists , not permitting relay from non local , auth users can relay and spamhalter with all options except greylisting </p><p> 03:30:49.062: Connection from 64.220.121.86, Wed Mar 11 03:30:49 2009<lf> 03:30:49.078: << 220 mail.xxx.org ESMTP server ready.<cr><lf> 03:30:50.250: >> EHLO User<cr><lf> 03:30:50.250: << 250-mail.xxx.org Hello User; ESMTPs are:<cr><lf>250-TIME<cr><lf> 03:30:50.250: << 250-SIZE 0<cr><lf> 03:30:50.265: << 250-8BITMIME<cr><lf> 03:30:50.265: << 250-AUTH CRAM-MD5 LOGIN<cr><lf> 03:30:50.265: << 250-AUTH=LOGIN<cr><lf> 03:30:50.265: << 250 HELP<cr><lf> 03:30:50.859: >> AUTH LOGIN<cr><lf> 03:30:50.859: << 334 VXNlcm5hbWU6<cr><lf> 03:30:50.031: >> dGVzdA==<cr><lf> 03:30:50.031: << 334 UGFzc3dvcmQ6<cr><lf> 03:30:51.218: >> dGVzdA==<cr><lf> 03:30:51.218: << 235 Authentication successful.<cr><lf> 03:30:51.406: >> RSET<cr><lf> 03:30:51.406: << 250 Command processed OK.<cr><lf> 03:30:51.578: >> MAIL FROM:<support@securityi.com><cr><lf> 03:30:51.593: << 250 Sender OK - send RCPTs.<cr><lf> 03:30:51.781: >> RCPT TO:<marco@addr.com><cr><lf> 03:30:51.781: << 250 Recipient OK - send RCPT or DATA.<cr><lf> 03:30:51.968: >> RCPT TO:<marco@adhoc.ch><cr><lf> 03:30:51.968: << 250 Recipient OK - send RCPT or DATA.<cr><lf> 03:30:52.156: >> RCPT TO:<marco@drco.com><cr><lf> 03:30:52.156: << 250 Recipient OK - send RCPT or DATA.<cr><lf> 03:30:52.359: >> RCPT TO:<marco@econophone.ch><cr><lf> 03:30:52.359: << 250 Recipient OK - send RCPT or DATA.<cr><lf> 03:30:52.546: >> RCPT TO:<marco@geocities.com><cr><lf> 03:30:52.546: << 250 Recipient OK - send RCPT or DATA.<cr><lf> 03:30:52.718: >> RCPT TO:<marco@gmail.com><cr><lf> 03:30:52.718: << 250 Recipient OK - send RCPT or DATA.<cr><lf> 03:30:52.906: >> RCPT TO:<marco@gonnapuke.com><cr><lf> 03:30:52.906: << 250 Recipient OK - send RCPT or DATA.<cr><lf> 03:30:53.093: >> RCPT TO:<marco@hgsi.com><cr><lf> 03:30:53.093: << 250 Recipient OK - send RCPT or DATA.<cr><lf> 03:30:53.281: >> RCPT TO:<marco@hicom.net><cr><lf> 03:30:53.281: << 250 Recipient OK - send RCPT or DATA.<cr><lf> 03:30:53.453: >> RCPT TO:<marco@hongkong.com><cr><lf> 03:30:53.453: << 250 Recipient OK - send RCPT or DATA.<cr><lf> 03:30:53.656: >> RCPT TO:<marco@iland.net><cr><lf> 03:30:53.656: << 250 Recipient OK - send RCPT or DATA.<cr><lf> 03:30:53.859: >> RCPT TO:<marco@ime.net><cr><lf> 03:30:53.859: << 250 Recipient OK - send RCPT or DATA.<cr><lf> 03:30:53.046: >> RCPT TO:<marco@ina.com><cr><lf> 03:30:53.046: << 250 Recipient OK - send RCPT or DATA.<cr><lf> 03:30:54.234: >> RCPT TO:<marco@inforamp.net><cr><lf> 03:30:54.234: << 250 Recipient OK - send RCPT or DATA.<cr><lf> 03:30:54.421: >> RCPT TO:<marco@interaccess.net><cr><lf> 03:30:54.421: << 250 Recipient OK - send RCPT or DATA.<cr><lf> 03:30:54.593: >> DATA<cr><lf> 03:30:54.593: << 354 OK, send data, end with CRLF.CRLF<cr><lf> 03:30:54.796: >> From: "Support"<support@securityi.com><cr><lf> 03:30:55.250: >> Subject: Notification from PayPal<cr><lf> 03:30:55.250: >> Date: Tue, 10 Mar 2009 19:30:54 -0700<cr><lf> 03:30:55.250: >> MIME-Version: 1.0<cr><lf> 03:30:55.250: >> Content-Type: text/plain;<cr><lf> 03:30:55.250: >>     charset="Windows-1251"<cr><lf> 03:30:55.250: >> Content-Transfer-Encoding: 7bit<cr><lf> 03:30:55.250: >> X-Priority: 3<cr><lf> 03:30:55.250: >> X-MSMail-Priority: Normal<cr><lf> 03:30:55.250: >> X-Mailer: Microsoft Outlook Express 6.00.2600.0000<cr><lf> 03:30:55.250: >> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000<cr><lf> 03:30:55.250: >> <cr><lf> 03:30:55.250: >> Dear PayPal Member,<cr><lf> 03:30:55.250: >> <cr><lf> 03:30:55.250: >> We recently have determined that different computers have logged onto<cr><lf> 03:30:55.250: >> your PayPal account, and multiple password failures were present before<cr><lf> 03:30:55.250: >> the logins. We now need you to re-confirm your account information to us.<cr><lf> 03:30:55.250: >> If this is not completed by March 08, 2009, we will be forced to suspend<cr><lf> 03:30:55.250: >> your account indefinitely, as it may have been used for fraudulent purposes.<cr><lf> 03:30:55.250: >> We thank you for your cooperation in this manner. To confirm your Account<cr><lf> 03:30:55.250: >> records click on the following link:<cr><lf> 03:30:55.250: >> <cr><lf> 03:30:55.250: >> http://www.paypal.com.cgi-bin.webscr.ki2row.es:8085/service/login.htm<cr><lf> 03:30:55.250: >> <cr><lf> 03:30:55.250: >> Thank you for your patience in this matter.<cr><lf> 03:30:55.250: >> PayPal Customer Service.<cr><lf> 03:30:55.250: >> Please do not reply to this e-mail as this is only a notification.<cr><lf> 03:30:55.250: >> <cr><lf> 03:30:55.250: >> 1999-2009 PayPal. All rights reserved.<cr><lf> 03:30:55.250: >> .<cr><lf> 03:30:55.250: << 250 Data received OK.<cr><lf> 03:30:55.437: >> QUIT<cr><lf> 03:30:55.437: << 221 mail.xxx.org Service closing channel.<cr><lf> 03:30:55.437: --- Connection closed normally at Wed Mar 11 03:30:55 2009. ---</p>

<p>Having a user called 'test' with a password of 'test' will be why. [:O] </p><p>Change it. </p>

ye that was the issue last time but i deleted it and i could decrypt it too with md5 decrypter but this time i cant guess which credentials the spammer used ... test / test isnt the fault ...

<p>[quote user="Sammy123"]ye that was the issue last time but i deleted it and i could decrypt it too with md5 decrypter but this time i cant guess which credentials the spammer used ... test / test isnt the fault ... [/quote]</p><p>This says that it is</p><p>[quote]</p><p>03:30:50.859: >> AUTH LOGIN<cr><lf> 03:30:50.859: << 334 VXNlcm5hbWU6<cr><lf> 03:30:50.031: >> dGVzdA==<cr><lf> 03:30:50.031: << 334 UGFzc3dvcmQ6<cr><lf> 03:30:51.218: >> dGVzdA==<cr><lf> 03:30:51.218: << 235 Authentication successful.<cr><lf>[/quote]</p><p>It is base64 encoded, and decoding it gives test / test as the successfully authenticated user / pass </p>

weird ... i got no user named test in my local users and also no one in my aliases ... also no folder test in my mailbox folders ... now im confused ... [:S]

It will be in auth.pwd, the file that MercS uses to authenticate SMTP connections.

no test / test their either ... but it seems like it is an old sessionlog from last year march  when i look at the timestamps inside the log . But when i look in filesystem the log file time stamp is from today ..... weird weird ...as if mercury changes the timestamp of old log files in filesystem to newer dates ...

If a session log with the name of the current transaction ID already exists, the new log is appended to the end of the existing file.

<p>oh ok , then it seems that this time it was blind alert ;)</p><p>thank u anyway for your  time and patience :) </p>