[OT] Sendmail open relay problem

Rob rob at THEHOSTMASTERS.COM
Mon Aug 9 20:33:19 IST 2004


If you are running a web server on this machine, check to see if you have
CGIs that access sendmail, i.e. form mail scripts, as I had this issue on my
server and spammers were using this CGI to spam...

my 2 cents

:)

Rob....



----- Original Message -----
From: "Miguel Koren" <miguelk at KONSULTEX.COM.BR>
To: <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Monday, August 09, 2004 3:25 PM
Subject: [OT] Sendmail open relay problem


> I have been running along with Mail Scanner just fine for a long, long
> time and thought I had all my defenses in place. Over the weekend however
> one of my servers seems to have been 'discovered' by a spamming operation
> or a virus infected machine and I ended up with 75,000 files in the mqueue
> directory this morning.
>
> I use Sendmail 8.12.8 on Red Hat 9 in this case.
>
> What I did is shut down Mail Scanner and Sendmail and deleted all those
> files. It's possible that some were genuine emails but if so, very, very
> few.
>
> My understanding of Sendmail is that a relay is closed if the
> /etc/mail/access file is ok. Here is what I have:
>
> localhost.localdomain   RELAY
> localhost               RELAY
> 127.0.0.1               RELAY
>
> # internal
> 10.10.10.0              RELAY
>
>
> I also have this in /etc/mail/relay-domains:
>
> # internal
> 10.10.10.
>
> # localhost
> 127.0.0.1
> localhost
> localhost.localdomain
>
> I also run pop-before-smtp for our roaming users and I can't stop
> using it short term. Perhaps some of the IPs I see in the pop-before-smtp
> log are that particular spammer IP.
>
> I don't think Red Hat 9 has any default users that can log in to email
> with default passwords. If anybody is interested, this
> http://popbsmtp.sourceforge.net/ is a good system assuming it did not
> cause the problems. This system requires a change in
> /etc/mail/sendmail.cf to make Sendmail check the pop-before-smtp database
> before sending emails. This is the change that I made a long time ago:
>
> Kpopauth hash -a<OK> /etc/mail/popauth
>
> SLocal_check_rcpt
> R$*             $: $(popauth $&{client_addr} $: <?> $)
> R<?>            $@ NoPopAuth
> R$*<OK>         $# OK
> ......
>
> then I have all the rest of the normal file.
>
> My theory is that there may be an infected machine logging in to pop and
> then sending emails or a deliberate attempt to use pop with default users
> gets the same result.
>
> Summarizing:
> a) are there any errors in access and relay-domains?
> b) are there any known default users in Red Hat 9 that can access pop?
> c) Would this sendmail.cf somehow mess up the relay checking (apart from
> checking the database first)?
>
> Miguel
>
> -------------------------- MailScanner list ----------------------
> To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
> Before posting, please see the Most Asked Questions at
> http://www.mailscanner.biz/maq/     and the archives at
> http://www.jiscmail.ac.uk/lists/mailscanner.html
>
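
Added example, not part of the original thread: a small triage script that totals recipients per submission source from sendmail "from=" log records, separating local submissions by a web server account (the form mail CGI case raised in the reply) from external client addresses (the pop-before-smtp theory in the question). The sample log lines are constructed, the web server account names are assumptions, and the 10.10.10. prefix is the internal network quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample lines modelled on sendmail's usual "from=" syslog records.
SAMPLE_LOG = """\
Aug  8 02:14:07 mail sendmail[20311]: i781E7a1020311: from=apache, size=1532, class=0, nrcpts=40, msgid=<1@mail.example.com>, relay=apache@localhost
Aug  8 02:14:30 mail sendmail[20340]: i781EUa2020340: from=apache, size=1530, class=0, nrcpts=35, msgid=<2@mail.example.com>, relay=apache@localhost
Aug  8 02:15:02 mail sendmail[20401]: i781F2a3020401: from=<x@spam.example>, size=2100, class=0, nrcpts=25, msgid=<3@spam.example>, proto=SMTP, daemon=MTA, relay=[203.0.113.7]
Aug  8 02:16:11 mail sendmail[20455]: i781GBa4020455: from=<user@example.com>, size=900, class=0, nrcpts=1, msgid=<4@example.com>, proto=ESMTP, daemon=MTA, relay=pc1.example.com [10.10.10.23]
Aug  8 02:16:12 mail sendmail[20457]: i781GBa4020455: to=<friend@example.org>, delay=00:00:01, mailer=esmtp, relay=mx.example.org. [198.51.100.9], stat=Sent
"""

FROM_RE = re.compile(r"sendmail\[\d+\]: \w+: from=\S*, .*?nrcpts=(\d+),.*relay=(.+)$")
IP_RE = re.compile(r"\[([0-9.]+)\]")
WEB_USERS = {"apache", "nobody", "www-data"}   # assumption: accounts a CGI runs as
INTERNAL_PREFIXES = ("10.10.10.",)             # internal network from the thread


def classify(relay):
    """Map a relay= value to a source label."""
    m = IP_RE.search(relay)
    if m is None:
        # No client address: submitted on the box itself, e.g. "apache@localhost".
        user = relay.split("@")[0]
        return ("web-user:" if user in WEB_USERS else "local-user:") + user
    ip = m.group(1)
    if ip == "127.0.0.1":
        return "loopback"   # local hand-off to the MTA, same mail as a local record
    if ip.startswith(INTERNAL_PREFIXES):
        return "internal:" + ip
    return "external:" + ip


def summarize(log_text):
    """Return [(source, total recipients)] sorted by volume, highest first."""
    rcpts = Counter()
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:                           # "to=" delivery records are skipped
            rcpts[classify(m.group(2))] += int(m.group(1))
    return rcpts.most_common()


if __name__ == "__main__":
    for source, count in summarize(SAMPLE_LOG):
        print(f"{count:6d}  {source}")
```

A high total under web-user points at a script on the web server; a high total under external points at relaying by an outside client, which can then be compared with the addresses in the pop-before-smtp log.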
