If you have a spammer sending through you then the first thing you need to do is secure the server and require all users to authenticate to the server. This will ensure that at the very least you are able to see the account doing this in the SMTP logfile. These spammers usually get through an IP listed in the relay field of Icewarp or an account with an easy username and password to crack, such as info,info. The steps below will take you through the few steps needed to catch this activity.
- Go to the [Mail Service], [Security], [General] tab and remove all the IP's listed except the localhost address of 127.0.0.1 or the IP you have SMTP bound to. If you do not have Icewarp listening on the localhost address then make sure you keep only the address you have it bound to.
- Uncheck the POP Before SMTP option. This will ensure all users are using SMTP authentication when trying to send a message. The reason this is needed is so the AUTH string is seen in the logfile which you can then decode.
- Go to the [Advanced] and make sure you have the SMTP AUTH option allowed. In older versions this would be the [Other] tab. The option is [Deny SMTP AUTH], so make sure this does not have a check in the box.
- Before restarting the SMTP services, make sure that you clear out the current \Icewarp\mail\_outgoing\retry directories. These directories will hold old, unauthenticated, e-mail in them and try to send out as soon as the SMTP service is restarted. To avoid this, and to make sure that all new e-mails require authentication, you have to remove, or move the contents of these folders somewhere else
- Restart the SMTP service to ensure all changes are put into effect.
- From this point forward you will see all users logging in with SMTP AUTH. It will look like this.
184.108.40.206 [0000036C] Fri, 14 Mar 2003 14:00:36 +0100 <<< AUTH LOGIN
220.127.116.11 [0000036C] Fri, 14 Mar 2003 14:00:36 +0100 >>> 334 VXNlcm5hbWU6
18.104.22.168 [0000036C] Fri, 14 Mar 2003 14:00:47 +0100 <<< YWRtaW4=
22.214.171.124 [0000036C] Fri, 14 Mar 2003 14:00:47 +0100 >>> 334 UGFzc3dvcmQ6
126.96.36.199 [0000036C] Fri, 14 Mar 2003 14:00:52 +0100 <<< YWRtaW4=
The first line under the AUTH LOGIN will be 334 username and the second 334 password. Each line under this would be the respective username and password.
When using a Cram-5 password authentication, the SMTP log files will be slightly different, and the password information will not be available. But the account name will show up.
127.0.0.1  19:29:32 <<< AUTH CRAM-MD5
127.0.0.1  19:29:32 >>> 334 PDIwMDkwMzA1MTkyOTMxQG5hcGVydmlsbGUuZXhwcmVzc2xlYXJuaW5nY2VudGVycy5jb20+
Go to http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/Default.aspx and decode the strings to find the actual username and password for this account logging in.
Once you know who the account is you can either disable the account or change the password. These are usually seen as very weak passwords so it is always suggested to have a password policy in place that would not allow this easy of a password to be used.