Spammer login without password

floyd

I have a spammer that is able to log in with SMTP with a username and send spam. I thought he must have guessed the password. So I changed the password. No effect.

He is connecting on port 25 and sending login information. Log shows

P=esmtpa A=login:peoplestax

I can disable the user in /etc/passwd and it blocks them. But changing the password in /etc/shadow has no effect.

He never connects with pop3.

EDIT: Update. I changed the password from within DirectAdmin and that seems to have stopped it. The log is now showing "Incorrect authentication data". Where is the password that DA updated that stopped the mail login?
 
Floyd,

Please update or edit your thread to let us know what program you used to change the password in /etc/shadow, and then we can ask DirectAdmin Support to look into it.

Thanks.

Jeff
 
Since I was at the command line investigating the spam issue, I used the command:

passwd peoplestax

to change the password. No effect. The spammer continued to log in and send spam.

I even manually edited /etc/shadow and put a ! in front of the password to suspend the user. The spammer continued to log in and send spam.

Only by using DirectAdmin to change the password was the spammer denied access. So I am thinking there must be another password file somewhere being used for SMTP login.
 
I finally found it. There is a .passwd file in the user's home directory. I deleted that and the spammer cannot login anymore.

Edit: Could be .shadow file. I forgot now what I found but I did just find a .shadow so maybe that is what I meant above.
 
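The check the thread arrives at, written out as an added example that is not part of any post above: count authenticated SMTP logins per account from the `A=login:` log field, then flag an account whose system shadow entry is locked while a separate credential file still sits in its home directory. The file names `.shadow` and `.passwd` come from the thread; the function names, paths, users and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes exim-style "A=login:<user>" log
# fields and per-home credential files named .shadow or .passwd.

# Count authenticated SMTP sessions per login name: prints "<count> <user>".
smtp_auth_counts() {    # $1 = log file
    grep -o 'A=login:[^ ]*' "$1" | cut -d: -f2 | sort | uniq -c |
        sort -rn | awk '{print $1, $2}'
}

# State of a user's entry in a shadow-format file: locked, set or missing.
shadow_state() {        # $1 = shadow file, $2 = user
    awk -F: -v u="$2" '
        $1 == u { found = 1; print (($2 ~ /^[!*]/) ? "locked" : "set") }
        END     { if (!found) print "missing" }' "$1"
}

# Credential files in the home directory that exist alongside the system entry.
home_auth_files() {     # $1 = home directory
    for f in "$1/.shadow" "$1/.passwd"; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Warn when the system entry is locked but a per-home credential file remains.
audit_user() {          # $1 = shadow file, $2 = user, $3 = home directory
    state=$(shadow_state "$1" "$2")
    files=$(home_auth_files "$3" | tr '\n' ' ')
    if [ "$state" = "locked" ] && [ -n "$files" ]; then
        echo "WARN $2: shadow=locked, separate credential file(s): $files"
    else
        echo "OK $2: shadow=$state home_files=${files:-none}"
    fi
}

# Constructed sample data (not real logs or accounts).
run_demo() {
    d=$(mktemp -d) && mkdir -p "$d/home/exampleuser"
    printf '%s\n' \
      '2024-01-01 10:00:01 1aaaaa-000001-AA <= a@example.com H=(x) [203.0.113.5] P=esmtpa A=login:exampleuser S=900' \
      '2024-01-01 10:00:02 1aaaaa-000002-AA <= b@example.com H=(x) [203.0.113.5] P=esmtpa A=login:exampleuser S=910' \
      '2024-01-01 10:00:03 1aaaaa-000003-AA <= c@example.com H=(y) [198.51.100.7] P=esmtpa A=login:otheruser S=800' > "$d/mainlog"
    printf 'exampleuser:!$6$constructed:19000:0:99999:7:::\n' > "$d/shadow"
    : > "$d/home/exampleuser/.shadow"
    smtp_auth_counts "$d/mainlog"
    audit_user "$d/shadow" exampleuser "$d/home/exampleuser"
    rm -rf "$d"
}
run_demo
```

On a live server the arguments would be the mail log, `/etc/shadow` and the account's real home directory, read as root.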