Hi All,
Just realized that someone is sending spam through my Mercury server. I blocked these mails for now (about 90 mails made it through) and it seems that they somehow are able to connect using a valid user + password combination. I do have session logs for such connections but I cannot see which user it is.
It starts with:
09:27:31.579: Connection from 96.57.204.226, Mon Sep 03 09:27:31 2012<lf>
09:27:31.579: << 220 mail.brlv.de ESMTP server ready.<cr><lf>
09:27:31.704: >> EHLO [100.0.0.200]<cr><lf>
09:27:31.704: << 250-mail.brlv.de Hello [100.0.0.200]; ESMTPs are:<cr><lf>250-TIME<cr><lf>
09:27:31.704: << 250-SIZE 30000000<cr><lf>
09:27:31.704: << 250-AUTH CRAM-MD5 LOGIN<cr><lf>
09:27:31.704: << 250-AUTH=LOGIN<cr><lf>
09:27:31.704: << 250 HELP<cr><lf>
09:27:32.985: >> AUTH CRAM-MD5<cr><lf>
After that, there are two lines with encoded strings which might be user and password?!
Then it continues with:
09:27:32.110: << 235 Authentication successful.<cr><lf>
09:27:32.297: >> MAIL FROM:<Hi-61223@astrazeneca.com><cr><lf>
...
How can I find out which user has been compromised?
Thanks
Konrad
This was posted on the Mercury mailing list as well, and the replies there were that the encoded reply from the client contains the username, which can be decoded using for instance this webtool:
Hi Rolf,
Yeah, I posted it in the list as well because this was a very critical issue for me...
Anyhow, the solution did not work because the user/password seems to be CRAM-MD5 encoded and so the base64 decoder does not really help...
Do you know how it is possible to determine which user has been compromised if something like this ever happens again?
Thanks
Konrad
Found the problem:
The base64 string for this particular user was not decodable using this website
http://opinionatedgeek.com/dotnet/tools/base64decode/
I tried it with a few other users and they worked.
I found another website which was able to decode the string ;-)
So, problem solved and thanks to all of you!
Konrad
[quote user="PaulW"]For the benefit of others, can you post a link to the other decode website please?[/quote]
You are right ;-)
http://www.motobit.com/util/base64-decoder-encoder.asp
(just select decode the data from a Base64 string (base64 decoding) and you are good to go)
Konrad
I also want to encode username+password in my password file. I do not know how to use encode and decode in the mail server. Can I find a guide/instruction somewhere? How to encrypt your email login info? Thanks
Usernames and passwords that are base64 encoded when transmitted are not secured; anyone can decode them. The base64 encoding is done automatically by the connecting software.
/Rolf
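Worked example, added here and not part of any post in this thread, of what Konrad needed and what Rolf points out: a Mercury-style session log is parsed, the client's CRAM-MD5 reply is base64-decoded to reveal the account name, and the digest is checked the way the server does, which also shows that decoding exposes the username but not the password. The log excerpt, the challenge, the account "alice" and its password are constructed sample values, not data from the original post.

```python
import base64
import hashlib
import hmac
import re

# CRAM-MD5 (RFC 2195): after "AUTH CRAM-MD5" the server sends "334 " + base64(challenge);
# the client answers base64("<username> <hex HMAC-MD5(password, challenge)>").
# Once base64-decoded the username is plain text; the password itself never crosses
# the wire, only a keyed digest of the challenge does.

def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()

# Constructed Mercury-style session log excerpt (sample data, not the log from the post).
CHALLENGE = b"<1346657252.17423@mail.example.invalid>"
SESSION_LOG = "\n".join([
    "09:27:32.985: >> AUTH CRAM-MD5<cr><lf>",
    "09:27:32.990: << 334 " + base64.b64encode(CHALLENGE).decode() + "<cr><lf>",
    "09:27:33.101: >> " + cram_md5_response("alice", "correct horse", CHALLENGE) + "<cr><lf>",
    "09:27:33.110: << 235 Authentication successful.<cr><lf>",
])

def b64decode_lenient(text: str) -> bytes:
    """Decode base64 even when whitespace crept in or the '=' padding was dropped."""
    text = "".join(text.split())
    return base64.b64decode(text + "=" * (-len(text) % 4))

def parse_session_log(log: str):
    """Yield (direction, payload) pairs, dropping Mercury's <cr><lf> markers."""
    for raw in log.splitlines():
        m = re.match(r"^\S+ (<<|>>) (.*)$", raw)
        if m:
            yield m.group(1), m.group(2).replace("<cr>", "").replace("<lf>", "")

def find_cram_md5_user(log: str):
    """Return (challenge, username, hex_digest) for the first CRAM-MD5 exchange, or None."""
    lines = list(parse_session_log(log))
    for i, (direction, text) in enumerate(lines[:-2]):
        if direction == ">>" and text.upper() == "AUTH CRAM-MD5":
            challenge = b64decode_lenient(lines[i + 1][1].split(" ", 1)[1])  # after "334 "
            username, digest = b64decode_lenient(lines[i + 2][1]).decode().rsplit(" ", 1)
            return challenge, username, digest
    return None

def verify_cram_md5(challenge: bytes, digest: str, password: str) -> bool:
    """What the server does: recompute the HMAC from the stored password and compare."""
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)
```

Running `find_cram_md5_user(SESSION_LOG)` on a real Mercury log names the authenticated account, which is the one to lock and re-credential; the digest it returns is only useful for the server-side comparison in `verify_cram_md5`.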