using smtp-auth, but spammers getting through?

I have been running been running smtp-auth
(http://members.elysium.pl/brush/qmail-smtpd-auth/) for years, but in
the last week spammers have been using roam.unifiedmind.com -- I have
no idea how.

I'm logging with recordio, and I patched qmail with
qmail-smtpd-auth-log (http://tomclegg.net/qmail/#qmail-smtpd-auth-log)
so that I can view the user in the log file, but it doesn't appear
that they are authenticating (no relevant 235 lines).

Sample header...

Return-Path: <laott@msn.com>
Received: (qmail 1565 invoked from network); 9 Jul 2003 01:10:56 -0000
Received: from unknown (HELO smtp0321.mail.yahoo.com)
(webmaster@218.70.150.60)
by 0 with SMTP; 9 Jul 2003 01:10:56 -0000
Date: Wed, 9 Jul 2003 06:14:32 GMT
From: "darryll "<laott@msn.com>
X-Priority: 3
To: vasi@vic.com
Subject: vasi,FREE Sample of weight loss product!


Any ideas?

JT> I have been running been running smtp-auth for years, [...]

.... but haven't configured its password checking correctly, and the
unsolicited bulk mailers have finally spotted this.

220 roam.unifiedmind.com ESMTP
EHLO 0
250-roam.unifiedmind.com
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-PIPELINING
250 8BITMIME
AUTH LOGIN
334 VXNlcm5hbWU6
piddle
334 UGFzc3dvcmQ6
piddle
235 ok, ¦']à, go ahead (#2.0.0)
MAIL FROM:<Spurious@example.invalid>
250 ok
RCPT TO:<Spurious@example.invalid>
250 ok
DATA
354 go ahead

The most common configuration mistake that produces this behaviour is to
forget one of the new arguments to "qmail-smtpd" and to thus end up running
"/bin/true" as one's password checking utility.