Spammer using Gmail provided smtp (Dovecot_Plain auth, TLS/SSL) ... gmail problem? client problem?..

cass

Well-Known Member
1WsXw1-002BAD-XX-X
mailnull 47 12
<[email protected]>
1401975745 0
-helo_name WIN-QR1R9GS1KDE
-host_address 91.207.60.XX.47907
-host_auth dovecot_plain
-interface_address 74.63.XXX.XXX.587
-received_protocol esmtpsa
-body_linecount 2
-max_received_linelength 373
-auth_id [email protected]
-deliver_firsttime
-host_lookup_failed
-tls_cipher TLSv1:DHE-RSA-AES256-SHA:256
XX

What do you see in this header? .... this is the header of a spam message, sent from one account on a cPanel server; the account is [email protected] ... the helo name of the machine is known (search on Google, you find a lot of this same id) WIN-QR1R9GS1KDE .... and what is really weird is that it uses DOVECOT_PLAIN login, as well as TLS ... not a normal spam on port 25...

One thing is that... this user, uses google (gmail) with this account to send mail.

WHERE exactly is the problem?
HOW was the attacker/spammer able to log in ... the password was impossible to guess, and the client doesn't even use that password, because it's linked to Gmail, so YES, the password was "saved" on Gmail... and the Gmail account is using that authenticated token, so any new device needs that token to log in, so double security....

Now.... someone cracked Google? ... how is it possible that someone got that SMTP information from the Google account? It's the only place where it is stored.

I also find it weird that it's dovecot auth, instead of normal smtp auth, but maybe it's just like this because the spammer just does it the way Google does it... or maybe the spammer fakes being Google to be pre-authenticated and able to send spam?...

Anyone... illuminate me please! Thanks.

cPanelMichael

Administrator
Staff member
Re: Spammer using Gmail provided smtp (Dovecot_Plain auth, TLS/SSL) ... gmail problem? client problem?..

Hello :)

SMTP authentication is required even if the sender is using Google. The "Send mail as" feature in GMail requests the SMTP authentication details for this purpose. Is it possible the user's Google account was compromised (either through brute force or a virus)? Do the sent emails show up in the client's email client? Were you able to find additional information about the email deliveries in /var/log/exim_mainlog?

Thank you.