Which user was this spammer trying to authenticate as?


I have a custom application that monitors and logs a user's SMTP session, and I found this spammer trying to use my MTA as a relay.

Is it possible to determine which user name they are trying to log in with?

Waiting for a connection... Connected!


SmtpReceiveTestAgent_OnEhloCommand
DisableStartTLS: False
Domain: OWNEROR-KTATDUI
Spambypass False
AuthenticationSource Anonymous
HelloDomain
IsConnected True
IsExternalConnection True
IsTls False
LastExternalIPAddress 5.9.32.178
LocalEndPoint 10.10.10.242:25
RemoteEndPoint 5.9.32.178:2648
SessionId 634767757514516172
Waiting for a connection... Connected!


SmtpReceiveTestAgent_OnAuthCommand
AuthenticationMechanism:
Spambypass False
AuthenticationSource Anonymous
HelloDomain OWNEROR-KTATDUI
IsConnected True
IsExternalConnection True
IsTls False
LastExternalIPAddress 5.9.32.178
LocalEndPoint 10.10.10.242:25
RemoteEndPoint 5.9.32.178:2648
SessionId 634767757514516172
Waiting for a connection... Connected!


SmtpReceiveTestAgent_OnReject
Command: TlRMTVNTUAADAAAAGAAYAH4AAABSAVIBlgAAAAAAAABYAAAACAAIAFgAAAAeAB4AYAAAAAA
AAADoAQAABYKIogYBsR0AAAAP1fXonCW+WU07L/KUILITX3QAZQBzAHQATwBXAE4ARQBSAE8AUgAtAEs
AVABBAFQARABVAEkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAdkWHUUPIHk2TIK1nq2Rj8QEBAAAAAAA
Acvo4+TJYzQFloTpuXluwygAAAAACABAAUgBFAEwAQQBZADMANgAwAAEAGABDAE8ATgBZAEMARQBYADM
ANgAwADAAMgAEABwAcgBlAGwAYQB5ADMANgAwAC4AbABvAGMAYQBsAAMANgBDAE8ATgBZAEMARQBYADM
ANgAwADAAMgAuAHIAZQBsAGEAeQAzADYAMAAuAGwAbwBjAGEAbAAFABwAcgBlAGwAYQB5ADMANgAwAC4
AbABvAGMAYQBsAAcACABy+jj5MljNAQYABAACAAAACAAwADAAAAAAAAAAAAAAAAAwAAC0ykOxCYthQLJ
DgBWZ1QybmTgAin969Z+a+/3oBg6+MwoAEAAAAAAAAAAAAAAAAAAAAAAACQAQAFMATQBUAFAAUwBWAEM
ALwAAAAAAAAAAAAAAAAA=
Original Arguments:
Parsing Status: Error
SMTP Response: 535 5.7.3 Authentication unsuccessful
Spambypass False
AuthenticationSource Anonymous
HelloDomain OWNEROR-KTATDUI
IsConnected True
IsExternalConnection True
IsTls False
LastExternalIPAddress 5.9.32.178
LocalEndPoint 10.10.10.242:25
RemoteEndPoint 5.9.32.178:2648
SessionId 634767757514516172
Waiting for a connection... Connected!


SmtpReceiveTestAgent_OnHeloCommand
Helo Domain: 8.8.8.65
Spambypass False
AuthenticationSource Anonymous
HelloDomain
IsConnected True
IsExternalConnection True
IsTls False
LastExternalIPAddress 114.43.5.69
LocalEndPoint 10.10.10.242:25
RemoteEndPoint 114.43.5.69:11968
SessionId 634767757514516612
Waiting for a connection... Connected!


SmtpReceiveTestAgent_onMailCommand
Auth:
BodyType: NotSpecified
DSN requested: NotSpecified
EnvelopeID:
FromAddress: [email protected]
Oorg:
Size: 0
Spambypass False
AuthenticationSource Anonymous
HelloDomain 8.8.8.65
IsConnected True
IsExternalConnection True
IsTls False
LastExternalIPAddress 114.43.5.69
LocalEndPoint 10.10.10.242:25
RemoteEndPoint 114.43.5.69:11968
SessionId 634767757514516612
Waiting for a connection... Connected!


SmtpReceiveTestAgent_OnReject
Command: RCPT TO: <[email protected]>
Original Arguments:
Parsing Status: Error
SMTP Response: 550 5.7.1 Unable to relay
Spambypass False
AuthenticationSource Anonymous
HelloDomain 8.8.8.65
IsConnected True
IsExternalConnection True
IsTls False
LastExternalIPAddress 114.43.5.69
LocalEndPoint 10.10.10.242:25
RemoteEndPoint 114.43.5.69:11968
SessionId 634767757514516612
Waiting for a connection...
asked by random65537 02.07.2012 - 15:47

1 answer


It looks like they tried to log in as test. Here is the dissection of the Command field:

NTLMSSP identifier: NTLMSSP
NTLM Message Type: NTLMSSP_AUTH (0x00000003)
Lan Manager Response: 000000000000000000000000000000000000000000000000
NTLM Client Challenge: 0000000000000000
NTLM Response: 7645875143c81e4d9320ad67ab6463f10101000000000000...
NTLM Client Challenge: 65a13a6e5e5bb0ca
Domain name: NULL
User name: test
Host name: OWNEROR-KTATDUI
Session Key: Empty
Flags: 0xa2888205
Version 6.1 (Build 7601); NTLM Current Revision 15
MIC: d5f5e89c25be594d3b2ff29420b2135
answered by Zzz 02.07.2012 - 17:47
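The dissection in the answer was done by hand (a Wireshark-style NTLMSSP decode). As an added example, not part of the original question or answer, the following Python script parses the same base64 Command value directly from the question: it decodes the NTLMSSP AUTHENTICATE_MESSAGE (Type 3) header laid out in MS-NLMP (six Len/MaxLen/Offset descriptors, NegotiateFlags, Version, MIC), recovers the user name, domain and workstation with the encoding the flags select, and then goes one step further than the hand dissection by unpacking the NTLMv2 response body (NTProofStr, timestamp, client challenge) and its AV_PAIR target-info list. The function names, the FLAG_NAMES subset and the AV_NAMES table are mine; the constant names follow the MS-NLMP specification. The only input is the Command value copied verbatim from the log above.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# "Command:" value from the rejected AUTH in the question, copied verbatim with
# only the line wrapping removed (it is the client's NTLMSSP Type 3 message).
CAPTURED_AUTH_COMMAND = "".join([
    "TlRMTVNTUAADAAAAGAAYAH4AAABSAVIBlgAAAAAAAABYAAAACAAIAFgAAAAeAB4AYAAAAAA",
    "AAADoAQAABYKIogYBsR0AAAAP1fXonCW+WU07L/KUILITX3QAZQBzAHQATwBXAE4ARQBSAE8AUgAtAEs",
    "AVABBAFQARABVAEkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAdkWHUUPIHk2TIK1nq2Rj8QEBAAAAAAA",
    "Acvo4+TJYzQFloTpuXluwygAAAAACABAAUgBFAEwAQQBZADMANgAwAAEAGABDAE8ATgBZAEMARQBYADM",
    "ANgAwADAAMgAEABwAcgBlAGwAYQB5ADMANgAwAC4AbABvAGMAYQBsAAMANgBDAE8ATgBZAEMARQBYADM",
    "ANgAwADAAMgAuAHIAZQBsAGEAeQAzADYAMAAuAGwAbwBjAGEAbAAFABwAcgBlAGwAYQB5ADMANgAwAC4",
    "AbABvAGMAYQBsAAcACABy+jj5MljNAQYABAACAAAACAAwADAAAAAAAAAAAAAAAAAwAAC0ykOxCYthQLJ",
    "DgBWZ1QybmTgAin969Z+a+/3oBg6+MwoAEAAAAAAAAAAAAAAAAAAAAAAACQAQAFMATQBUAFAAUwBWAEM",
    "ALwAAAAAAAAAAAAAAAAA=",
])

# Subset of the MS-NLMP NegotiateFlags bits (only the ones worth naming here).
FLAG_NAMES = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE", 0x00000002: "NTLM_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET", 0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL", 0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00000800: "NTLMSSP_ANONYMOUS", 0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO", 0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128", 0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}
# MS-NLMP AV_PAIR ids carried in the NTLMv2 response's target info.
AV_NAMES = {1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName", 3: "MsvAvDnsComputerName",
            4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName", 6: "MsvAvFlags",
            7: "MsvAvTimestamp", 8: "MsvAvSingleHost", 9: "MsvAvTargetName",
            10: "MsvAvChannelBindings"}
AV_UTF16 = {1, 2, 3, 4, 5, 9}  # AV pairs whose value is a UTF-16LE string


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def _payload(msg, pos):
    """Read a Len/MaxLen/Offset descriptor at pos and return (offset, bytes)."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError(f"descriptor at {pos} points outside the message")
    return offset, msg[offset:offset + length]


def parse_av_pairs(blob):
    """Decode the AV_PAIR list; stops at MsvAvEOL or at a truncated pair."""
    pairs, pos = {}, 0
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        value = blob[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
        if av_id == 0 or len(value) != av_len:
            break
        name = AV_NAMES.get(av_id, f"MsvAv_{av_id:#x}")
        if av_id in AV_UTF16:
            pairs[name] = value.decode("utf-16-le")
        elif av_id == 7:
            pairs[name] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        elif av_id == 6:
            pairs[name] = struct.unpack("<I", value)[0]
        else:
            pairs[name] = value.hex()
    return pairs


def parse_nt_response(nt):
    """NTLMv1 is a bare 24-byte response; NTLMv2 is NTProofStr plus a temp blob."""
    if len(nt) <= 24 or nt[16] != 0x01:
        return {"type": "NTLMv1", "response": nt.hex()}
    # Blob: RespType(1) HiRespType(1) reserved(6) Time(8) ClientChallenge(8) reserved(4) AVs
    timestamp, client_challenge = struct.unpack_from("<Q8s", nt, 24)
    return {"type": "NTLMv2", "nt_proof_str": nt[:16].hex(),
            "timestamp": filetime_to_datetime(timestamp),
            "client_challenge": client_challenge.hex(),
            "target_info": parse_av_pairs(nt[44:])}


def parse_authenticate_message(b64_command):
    """Dissect an NTLMSSP AUTHENTICATE_MESSAGE as sent in an SMTP AUTH NTLM exchange."""
    msg = base64.b64decode(b64_command)
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE_MESSAGE (type 3)")
    fields = {name: _payload(msg, pos) for name, pos in (
        ("lm_response", 12), ("nt_response", 20), ("domain", 28),
        ("user", 36), ("workstation", 44), ("session_key", 52))}
    payload_start = min(off for off, _ in fields.values())
    flags = struct.unpack_from("<I", msg, 60)[0]
    # Strings are UTF-16LE when NEGOTIATE_UNICODE is set, otherwise OEM (8-bit).
    codec = "utf-16-le" if flags & 0x1 else "cp437"
    info = {"user": fields["user"][1].decode(codec),
            "domain": fields["domain"][1].decode(codec),
            "workstation": fields["workstation"][1].decode(codec),
            "lm_response": fields["lm_response"][1].hex(),
            "nt_response": parse_nt_response(fields["nt_response"][1]),
            "session_key": fields["session_key"][1].hex(),
            "flags": flags,
            "flag_names": [n for bit, n in sorted(FLAG_NAMES.items()) if flags & bit]}
    # Version and MIC are optional; the payload offsets show whether they fit in.
    if flags & 0x02000000 and payload_start >= 72:
        info["version"] = struct.unpack_from("<BBH3xB", msg, 64)  # major, minor, build, rev
    if payload_start >= 88:
        info["mic"] = msg[72:88].hex()
    return info


if __name__ == "__main__":
    auth = parse_authenticate_message(CAPTURED_AUTH_COMMAND)
    print(f"user={auth['user']!r} domain={auth['domain']!r} "
          f"workstation={auth['workstation']!r} scheme={auth['nt_response']['type']}")
    for key, value in auth["nt_response"].get("target_info", {}).items():
        print(f"  {key}: {value}")
```

Two caveats a practitioner should keep in mind when reading the output. The target-info strings (RELAY360, CONYCEX36002.relay360.local, SMTPSVC/) are the server's own names, copied by the client out of the CHALLENGE_MESSAGE, so they identify the MTA, not the spammer; the only client-supplied host identifier is the Workstation field, and the client can put anything there. And the NTProofStr is a keyed hash over the 8-byte server challenge from the Type 2 message, which a one-sided capture like this one does not contain, so on its own the Type 3 message tells you who the attacker claimed to be, nothing about what password was tried.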
