Which user did this spammer try to authenticate as?

1

I have a custom application that monitors and logs a user's SMTP session, and it found this spammer trying to use my MTA as a relay.

Is it possible to determine which username they are trying to log in as?

Waiting for a connection... Connected!


SmtpReceiveTestAgent_OnEhloCommand
DisableStartTLS: False
Domain: OWNEROR-KTATDUI
Spambypass False
AuthenticationSource Anonymous
HelloDomain
IsConnected True
IsExternalConnection True
IsTls False
LastExternalIPAddress 5.9.32.178
LocalEndPoint 10.10.10.242:25
RemoteEndPoint 5.9.32.178:2648
SessionId 634767757514516172
Waiting for a connection... Connected!


SmtpReceiveTestAgent_OnAuthCommand
AuthenticationMechanism:
Spambypass False
AuthenticationSource Anonymous
HelloDomain OWNEROR-KTATDUI
IsConnected True
IsExternalConnection True
IsTls False
LastExternalIPAddress 5.9.32.178
LocalEndPoint 10.10.10.242:25
RemoteEndPoint 5.9.32.178:2648
SessionId 634767757514516172
Waiting for a connection... Connected!


SmtpReceiveTestAgent_OnReject
Command: TlRMTVNTUAADAAAAGAAYAH4AAABSAVIBlgAAAAAAAABYAAAACAAIAFgAAAAeAB4AYAAAAAA
AAADoAQAABYKIogYBsR0AAAAP1fXonCW+WU07L/KUILITX3QAZQBzAHQATwBXAE4ARQBSAE8AUgAtAEs
AVABBAFQARABVAEkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAdkWHUUPIHk2TIK1nq2Rj8QEBAAAAAAA
Acvo4+TJYzQFloTpuXluwygAAAAACABAAUgBFAEwAQQBZADMANgAwAAEAGABDAE8ATgBZAEMARQBYADM
ANgAwADAAMgAEABwAcgBlAGwAYQB5ADMANgAwAC4AbABvAGMAYQBsAAMANgBDAE8ATgBZAEMARQBYADM
ANgAwADAAMgAuAHIAZQBsAGEAeQAzADYAMAAuAGwAbwBjAGEAbAAFABwAcgBlAGwAYQB5ADMANgAwAC4
AbABvAGMAYQBsAAcACABy+jj5MljNAQYABAACAAAACAAwADAAAAAAAAAAAAAAAAAwAAC0ykOxCYthQLJ
DgBWZ1QybmTgAin969Z+a+/3oBg6+MwoAEAAAAAAAAAAAAAAAAAAAAAAACQAQAFMATQBUAFAAUwBWAEM
ALwAAAAAAAAAAAAAAAAA=
Original Arguments:
Parsing Status: Error
SMTP Response: 535 5.7.3 Authentication unsuccessful
Spambypass False
AuthenticationSource Anonymous
HelloDomain OWNEROR-KTATDUI
IsConnected True
IsExternalConnection True
IsTls False
LastExternalIPAddress 5.9.32.178
LocalEndPoint 10.10.10.242:25
RemoteEndPoint 5.9.32.178:2648
SessionId 634767757514516172
Waiting for a connection... Connected!


SmtpReceiveTestAgent_OnHeloCommand
Helo Domain: 8.8.8.65
Spambypass False
AuthenticationSource Anonymous
HelloDomain
IsConnected True
IsExternalConnection True
IsTls False
LastExternalIPAddress 114.43.5.69
LocalEndPoint 10.10.10.242:25
RemoteEndPoint 114.43.5.69:11968
SessionId 634767757514516612
Waiting for a connection... Connected!


SmtpReceiveTestAgent_onMailCommand
Auth:
BodyType: NotSpecified
DSN requested: NotSpecified
EnvelopeID:
FromAddress: [email protected]
Oorg:
Size: 0
Spambypass False
AuthenticationSource Anonymous
HelloDomain 8.8.8.65
IsConnected True
IsExternalConnection True
IsTls False
LastExternalIPAddress 114.43.5.69
LocalEndPoint 10.10.10.242:25
RemoteEndPoint 114.43.5.69:11968
SessionId 634767757514516612
Waiting for a connection... Connected!


SmtpReceiveTestAgent_OnReject
Command: RCPT TO: <[email protected]>
Original Arguments:
Parsing Status: Error
SMTP Response: 550 5.7.1 Unable to relay
Spambypass False
AuthenticationSource Anonymous
HelloDomain 8.8.8.65
IsConnected True
IsExternalConnection True
IsTls False
LastExternalIPAddress 114.43.5.69
LocalEndPoint 10.10.10.242:25
RemoteEndPoint 114.43.5.69:11968
SessionId 634767757514516612
Waiting for a connection...
    
posted by random65537 02.07.2012 - 15:47
source

1 answer

7

It looks like they tried to log in as test. This is the dissection of the Command field:

NTLMSSP identifier: NTLMSSP
NTLM Message Type: NTLMSSP_AUTH (0x00000003)
Lan Manager Response: 000000000000000000000000000000000000000000000000
NTLM Client Challenge: 0000000000000000
NTLM Response: 7645875143c81e4d9320ad67ab6463f10101000000000000...
NTLM Client Challenge: 65a13a6e5e5bb0ca
Domain name: NULL
User name: test
Host name: OWNEROR-KTATDUI
Session Key: Empty
Flags: 0xa2888205
Version 6.1 (Build 7601); NTLM Current Revision 15
MIC: d5f5e89c25be594d3b2ff29420b2135
    
answered 02.07.2012 - 17:47
source
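The dissection above can be reproduced without Wireshark. The Python below is an added example and is not part of the original question or answer: it re-joins the base64 Command blob from the OnReject event exactly as logged, checks the NTLMSSP signature and message type, resolves the Len/MaxLen/BufferOffset descriptors for the LM/NT responses, domain, user and host, and walks the AV pairs inside the NTLMv2 response. The field layout follows MS-NLMP; the function and constant names (parse_ntlm_authenticate, parse_ntlmv2_response, AV_NAMES) and the assumption that a non-Unicode client uses OEM code page 437 are the example's own.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# The Command field from the OnReject event in the question. The log wrapped it
# at 80 columns; the fragments are re-joined here unchanged.
PAGE_BLOB = "".join([
    "TlRMTVNTUAADAAAAGAAYAH4AAABSAVIBlgAAAAAAAABYAAAACAAIAFgAAAAeAB4AYAAAAAA",
    "AAADoAQAABYKIogYBsR0AAAAP1fXonCW+WU07L/KUILITX3QAZQBzAHQATwBXAE4ARQBSAE8AUgAtAEs",
    "AVABBAFQARABVAEkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAdkWHUUPIHk2TIK1nq2Rj8QEBAAAAAAA",
    "Acvo4+TJYzQFloTpuXluwygAAAAACABAAUgBFAEwAQQBZADMANgAwAAEAGABDAE8ATgBZAEMARQBYADM",
    "ANgAwADAAMgAEABwAcgBlAGwAYQB5ADMANgAwAC4AbABvAGMAYQBsAAMANgBDAE8ATgBZAEMARQBYADM",
    "ANgAwADAAMgAuAHIAZQBsAGEAeQAzADYAMAAuAGwAbwBjAGEAbAAFABwAcgBlAGwAYQB5ADMANgAwAC4",
    "AbABvAGMAYQBsAAcACABy+jj5MljNAQYABAACAAAACAAwADAAAAAAAAAAAAAAAAAwAAC0ykOxCYthQLJ",
    "DgBWZ1QybmTgAin969Z+a+/3oBg6+MwoAEAAAAAAAAAAAAAAAAAAAAAAACQAQAFMATQBUAFAAUwBWAEM",
    "ALwAAAAAAAAAAAAAAAAA=",
])

# MS-NLMP 2.2.2.1 AV_PAIR ids found in the NTLMv2 response's target info.
AV_NAMES = {1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
            3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName",
            5: "MsvAvDnsTreeName", 6: "MsvAvFlags", 7: "MsvAvTimestamp",
            8: "MsvAvSingleHost", 9: "MsvAvTargetName", 10: "MsvAvChannelBindings"}
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_VERSION = 0x02000000


def _field(msg, pos):
    """Resolve a {Len, MaxLen, BufferOffset} descriptor at pos to its payload bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("descriptor at %d points outside the message" % pos)
    return msg[offset:offset + length]


def _filetime(raw):
    """Little-endian Windows FILETIME (100 ns ticks since 1601-01-01) to a UTC datetime."""
    ticks = int.from_bytes(raw, "little")
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def parse_ntlmv2_response(resp):
    """Dissect an NTLMv2_RESPONSE; a 24-byte (or empty) NTLMv1 response has no inner structure."""
    out = {"nt_proof": resp[:16].hex(), "av_pairs": {}}
    if len(resp) <= 24:
        return out
    out["timestamp"] = _filetime(resp[24:32])
    out["client_challenge"] = resp[32:40].hex()
    pos = 44                                  # AV pairs follow the 4 reserved bytes
    while pos + 4 <= len(resp):
        av_id, av_len = struct.unpack_from("<HH", resp, pos)
        value = resp[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
        if av_id == 0:                        # MsvAvEOL
            break
        name = AV_NAMES.get(av_id, "MsvAv0x%04x" % av_id)
        if av_id in (1, 2, 3, 4, 5, 9):       # names are always UTF-16-LE here
            out["av_pairs"][name] = value.decode("utf-16-le")
        elif av_id == 6:
            out["av_pairs"][name] = int.from_bytes(value, "little")
        elif av_id == 7:
            out["av_pairs"][name] = _filetime(value)
        else:
            out["av_pairs"][name] = value.hex()
    return out


def parse_ntlm_authenticate(b64):
    """Parse a base64 NTLMSSP AUTHENTICATE_MESSAGE (type 3) as sent during SMTP AUTH NTLM."""
    msg = base64.b64decode(b64)
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 60)[0]
    # Strings are UTF-16-LE when NTLMSSP_NEGOTIATE_UNICODE is set; otherwise the
    # client's OEM code page, assumed to be cp437 in this example.
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    result = {
        "lm_response": _field(msg, 12).hex(),
        "nt_response": parse_ntlmv2_response(_field(msg, 20)),
        "domain": _field(msg, 28).decode(enc),
        "user": _field(msg, 36).decode(enc),
        "host": _field(msg, 44).decode(enc),
        "session_key": _field(msg, 52).hex(),
        "flags": flags,
    }
    # Version (8 bytes at 64) and MIC (16 bytes at 72) exist only if the payload
    # starts late enough to leave room for them; zero-length descriptors are ignored.
    starts = [struct.unpack_from("<I", msg, p + 4)[0]
              for p in (12, 20, 28, 36, 44, 52) if struct.unpack_from("<H", msg, p)[0]]
    first_payload = min(starts) if starts else len(msg)
    if flags & NEGOTIATE_VERSION and first_payload >= 72:
        major, minor, build = struct.unpack_from("<BBH", msg, 64)
        result["version"] = "%d.%d (Build %d)" % (major, minor, build)
    if first_payload >= 88:
        result["mic"] = msg[72:88].hex()
    return result


if __name__ == "__main__":
    for key, value in parse_ntlm_authenticate(PAGE_BLOB).items():
        print("%-12s %s" % (key, value))
```

Run as a script it prints the values the answer lists (user test, empty domain, host OWNEROR-KTATDUI, flags 0xa2888205, version 6.1 build 7601, the 24 zero bytes of the LM response) and also the target info the client copied back from the server's CHALLENGE message, which names the relay itself (RELAY360, CONYCEX36002.relay360.local, SPN SMTPSVC/). Any other AUTH NTLM blob the agent logs in a Command field can be handed to parse_ntlm_authenticate in the same way; the same parsing applies to the NTLM token carried in the GSSAPI/SPNEGO branch of AUTH GSSAPI once it has been unwrapped.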
