1WsXw1-002BAD-XX-X
mailnull 47 12
<[email protected]>
1401975745 0
-helo_name WIN-QR1R9GS1KDE
-host_address 91.207.60.XX.47907
-host_auth dovecot_plain
-interface_address 74.63.XXX.XXX.587
-received_protocol esmtpsa
-body_linecount 2
-max_received_linelength 373
-auth_id [email protected]
-deliver_firsttime
-host_lookup_failed
-tls_cipher TLSv1:DHE-RSA-AES256-SHA:256
XX
What do you see in this header? .... This is the header of a spam message sent from one account on a cPanel server; the account is [email protected] ... The HELO name of the machine is known (search on Google and you find a lot of this same ID): WIN-QR1R9GS1KDE .... And what is really weird is that it uses a dovecot_plain login, as well as TLS ... not normal spam on port 25...
One thing is that... this user uses Google (Gmail) with this account to send mail.
WHERE exactly is the problem?
HOW was the attacker/spammer able to log in? ... The password was impossible to guess, and the client doesn't even use that password, because it's linked to Gmail. So YES, the password was "saved" on Gmail... and the Gmail account is using that authentication token, so any new device needs that token to log in, so double security....
Now.... someone cracked Google? ... How is it possible that someone got that SMTP information from the Google account? It's the only place where it is stored.
I also find it weird that it's Dovecot auth instead of normal SMTP auth, but maybe it's just like this because the spammer just does it the way Google does it... or maybe the spammer fakes being Google to be pre-authenticated and able to send spam?...
Anyone... illuminate me please! Thanks.
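As an added example (not part of the original post, and not Exim's own tooling), here is a small Python parser for the Exim spool -H header quoted above. It reads the fixed leading lines (message id, spool user, envelope sender, receive time) and the -option lines up to the "XX" non-recipient marker, then summarizes how the message was accepted: the -received_protocol value esmtpsa means ESMTP over TLS with a successful SMTP AUTH, -auth_id is the account whose credentials were presented, -host_auth is the authenticator that accepted them, and -interface_address ends in the local port (587, the submission port). The sample input is the redacted header from the post, embedded as a constant; the "WIN-" HELO check is a heuristic of mine, not an Exim field.

```python
"""Parse the top of an Exim spool -H file and summarize how the message was accepted."""
from datetime import datetime, timezone

# Constructed sample: the redacted -H header quoted in the post above.
SAMPLE_H = """\
1WsXw1-002BAD-XX-X
mailnull 47 12
<[email protected]>
1401975745 0
-helo_name WIN-QR1R9GS1KDE
-host_address 91.207.60.XX.47907
-host_auth dovecot_plain
-interface_address 74.63.XXX.XXX.587
-received_protocol esmtpsa
-body_linecount 2
-max_received_linelength 373
-auth_id [email protected]
-deliver_firsttime
-host_lookup_failed
-tls_cipher TLSv1:DHE-RSA-AES256-SHA:256
XX
"""


def parse_spool_header(text):
    """Return the fixed leading lines plus every -option as a dict.

    -H layout: message id, "user uid gid", <sender>, "received_time warnings",
    then -option lines until the non-recipient tree marker ("XX" = empty tree).
    Options without a value (e.g. -deliver_firsttime) are stored as True.
    """
    lines = text.splitlines()
    info = {
        "message_id": lines[0],
        "spool_user": lines[1].split()[0],
        "envelope_sender": lines[2].strip("<>"),
        "received_time": int(lines[3].split()[0]),
        "options": {},
    }
    for line in lines[4:]:
        if not line.startswith("-"):
            break  # reached "XX" / recipient section
        name, _, value = line[1:].partition(" ")
        info["options"][name] = value if value else True
    return info


def split_host_port(addr):
    """Exim writes 'address.port' for -host_address/-interface_address; split on the last dot."""
    host, _, port = addr.rpartition(".")
    return host, int(port)


def summarize(info):
    """Produce human-readable findings about how the message entered the queue."""
    opts = info["options"]
    proto = opts.get("received_protocol", "")
    findings = []
    when = datetime.fromtimestamp(info["received_time"], tz=timezone.utc)
    findings.append(f"received {when:%Y-%m-%d %H:%M:%S} UTC")
    if proto.endswith("a"):  # esmtpa / esmtpsa: the client passed SMTP AUTH
        findings.append(f"authenticated as {opts.get('auth_id')} via {opts.get('host_auth')}")
    if "esmtps" in proto or "tls_cipher" in opts:
        findings.append(f"TLS session: {opts.get('tls_cipher')}")
    if "interface_address" in opts:
        _, port = split_host_port(opts["interface_address"])
        label = " (submission)" if port == 587 else ""
        findings.append(f"accepted on local port {port}{label}")
    if "host_address" in opts:
        client, _ = split_host_port(opts["host_address"])
        rdns = ", no reverse DNS" if "host_lookup_failed" in opts else ""
        findings.append(f"client IP {client}{rdns}")
    helo = opts.get("helo_name", "")
    if helo.startswith("WIN-"):  # heuristic: default hostname of an unrenamed Windows box
        findings.append(f"HELO {helo} matches the Windows default hostname pattern")
    return findings


if __name__ == "__main__":
    for line in summarize(parse_spool_header(SAMPLE_H)):
        print(line)
```

Run it against a real -H file with `parse_spool_header(open(path).read())`. The summary makes the security-relevant point explicit: an esmtpsa message with an -auth_id was accepted because a client presented that account's credentials over an authenticated, encrypted submission-port session, so the question is how the credentials were obtained, not whether the server relayed unauthenticated mail.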