Spam - smtp_auth null@null

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
singeX
Unread post by singeX »

This morning I had a lot of spam go through one of my plesk 8.4 centos5 servers.

/usr/local/psa/var/log/maillog has this:
Sep 1 05:14:24 orange2 relaylock: /var/qmail/bin/relaylock: mail from 220.171.139.240:4813 (not defined)
Sep 1 05:14:25 orange2 smtp_auth: SMTP connect from (null)@(null) [220.171.139.240]
Sep 1 05:14:25 orange2 smtp_auth: smtp_auth: SMTP user : logged in from (null)@(null) [220.171.139.240]

The from address in the email header of the spam is the domain name of our isp. We have 6 ip addresses on the server which don't have any domains hosted on them. 5 of those still have the default ptr from our isp (which is their domain name). I assume that's how the from address was formed.

Then I found this thread http://forum.swsoft.com/showthread.php?t=53015 with the same problem. I also tried using telnet to auth using the ptr domain but it didn't work for me. Parallels said that it is a bug which will be fixed in 8.4.1. The release notes for 8.6 say "Fixed issue with empty mail user name displayed in logs of Plesk installed on SuSE.".

My question is, does anybody have an idea on how to fix this besides removing the unused ip addresses from the server (if that's even the problem)? And does anybody know if this is fixed in 8.6? I guess it's about time to upgrade anyways but I like to wait a few months after a release of plesk.
faris
Unread post by faris »

Isn't the solution to just add a hosting account to the unused IP? It doesn't have to be a real hosting account. Just a placeholder really.

This is just based on what I recall about this issue. I could be wrong.

Faris.
scott
Unread post by scott »

Spammers are using a compromised SMTP_AUTH account, the encoding used is something that the smtp_auth code in qmail can't parse in log output (but works great in authentication of course!). It's probably something silly, like info/info or test/test. Anyway, there's a scanner in ASL for that kind of thing or you can check out the utility to do it in Plesk Power Toys if you can't whip one up on your own.
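Added example, not part of the original thread and not code from ASL or Plesk Power Toys: since the compromised account name does not show up in the log, this sketch reads maillog lines in the format quoted above and reports which source IPs authenticated with a blank or unprintable user name, and how many messages relaylock recorded from each. The function names, the named-user login line and the 192.0.2.10 entries are constructed for illustration.

```python
import re
from collections import defaultdict

# Login line as quoted in the thread: "SMTP user <name> : logged in from ... [ip]"
LOGIN_RE = re.compile(
    r"smtp_auth: SMTP user (?P<user>.*?) ?: logged in from "
    r"\S+ \[(?P<ip>[^\]]+)\]"
)
# relaylock line as quoted in the thread: "mail from <ip>:<port> (...)"
RELAY_RE = re.compile(r"relaylock: mail from (?P<ip>[0-9.]+):\d+ ")

def is_unparsed(user):
    """True when the logged user name is empty or not printable ASCII."""
    return not user.strip() or any(not 33 <= ord(c) <= 126 for c in user)

def blank_auth_sources(lines):
    """Map source IP -> counts of blank-user logins and relaylock messages."""
    stats = defaultdict(lambda: {"blank_logins": 0, "messages": 0})
    flagged = set()
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            if is_unparsed(m.group("user")):
                stats[m.group("ip")]["blank_logins"] += 1
                flagged.add(m.group("ip"))
            continue
        m = RELAY_RE.search(line)
        if m:
            stats[m.group("ip")]["messages"] += 1
    # Only report IPs that logged in without a readable user name.
    return {ip: dict(stats[ip]) for ip in sorted(flagged)}

# Constructed sample: first three lines are from the thread, the rest are made up.
SAMPLE = """\
Sep 1 05:14:24 orange2 relaylock: /var/qmail/bin/relaylock: mail from 220.171.139.240:4813 (not defined)
Sep 1 05:14:25 orange2 smtp_auth: SMTP connect from (null)@(null) [220.171.139.240]
Sep 1 05:14:25 orange2 smtp_auth: smtp_auth: SMTP user : logged in from (null)@(null) [220.171.139.240]
Sep 1 05:15:02 orange2 relaylock: /var/qmail/bin/relaylock: mail from 192.0.2.10:51515 (not defined)
Sep 1 05:15:03 orange2 smtp_auth: smtp_auth: SMTP user alice@example.com : logged in from (null)@(null) [192.0.2.10]
Sep 1 05:16:40 orange2 relaylock: /var/qmail/bin/relaylock: mail from 220.171.139.240:4990 (not defined)
Sep 1 05:16:41 orange2 smtp_auth: smtp_auth: SMTP user : logged in from (null)@(null) [220.171.139.240]
""".splitlines()

if __name__ == "__main__":
    for ip, counts in blank_auth_sources(SAMPLE).items():
        print(ip, counts)
```

To run it against a real log, pass `open("/usr/local/psa/var/log/maillog")` to `blank_auth_sources` instead of `SAMPLE`.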