[OT] Sendmail open relay problem

Thom Paine thom at CUSTOMNETWORKS.CA
Mon Aug 9 20:39:46 IST 2004

I don't use the relay domains. But mine is similar to yours.

My network is 10.10.10 and I have my access line 10.10.10. without the

I also comment out accept unresolvable domains in /etc/mail/sendmail.mc

On Mon, 2004-08-09 at 15:25, Miguel Koren wrote:
> I have been running along with Mail Scanner just fine for a long, long
> time and thought I had all my defenses in place. Over the weekend however
> one of my servers seems to have been 'discovered' by a spamming operation
> or a virus infected machine and I ended up with 75,000 files in the mqueue
> directory this morning.
> I use Sendmail 8.12.8 on Red Hat 9 in this case.
> What I did is shut down Mail Scanner and Sendmail and deleted all those
> files. It's possible that some were genuine emails but if so, very, very
> few.
> My understanding of Sendmail is that a relay is closed if the
> /etc/mail/access file is ok. Here is what I have:
> localhost.localdomain   RELAY
> localhost               RELAY
>               RELAY
> # internal
>              RELAY
> I also have this in /etc/mail/relay-domains:
> # internal
> 10.10.10.
> # localhost
> localhost
> localhost.localdomain
> I also run pop-before-smtp for our roaming users and I can't stop
> using it short term. Perhaps some of the IPs I see in the pop-before-smtp
> log are that particular spammer IP.
> I don't think Red Hat 9 has any default users that can log in to email
> with default passwords. If anybody is interested, this
> http://popbsmtp.sourceforge.net/ is a good system assuming it did not
> cause the problems. This system requires a change in
> /etc/mail/sendmail.cf to make Sendmail check the pop-before-smtp database
> before sending emails. This is the change that I made a long time ago:
> Kpopauth hash -a<OK> /etc/mail/popauth
> SLocal_check_rcpt
> R$*             $: $(popauth $&{client_addr} $: <?> $)
> R<?>            $@ NoPopAuth
> R$*<OK>         $# OK
> ......
> then I have all the rest of the normal file.
> My theory is that there may be an infected machine logging in to pop and
> then sending emails or a deliberate attempt to use pop with default users
> gets the same result.
> Summarizing:
> a) are there any errors in access and relay-domains?
> b) are there any known default users in Red Hat 9 that can access pop?
> c) Would this sendmail.cf somehow mess up the relay checking (apart from
> checking the database first)?
> Miguel

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at

More information about the MailScanner mailing list
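The ruleset quoted in the message above hooks Local_check_rcpt. In sendmail's stock cf, check_rcpt calls Local_check_rcpt first and, if the hook returns a `$#` result, returns that result immediately, so a hit in the popauth map accepts the recipient before the access database or relay-domains are ever consulted; a `$@ NoPopAuth` result just falls through to the normal checks. The following Python script is an added example (not code from the post or from pop-before-smtp) that simulates that decision order and then ranks the client IPs in a few constructed maillog `from=` lines by recipient count, reporting which rule, if any, would let each client relay. The access and popauth tables, the local domain `example.org`, the log lines and all IP addresses are constructed for illustration; relay-domains and access-db REJECT entries are not modelled.

```python
"""Simulate sendmail's check_rcpt with a pop-before-smtp Local_check_rcpt hook.

Added example (not from the mailing-list post). Constructed data throughout:
access and popauth entries, the local domain 'example.org', and the log lines.
Relay-domains and access-db REJECT entries are deliberately not modelled.
"""
import re
from collections import defaultdict


class RelayPolicy:
    def __init__(self, access, popauth, local_domains):
        self.access = access            # /etc/mail/access: bare key -> action
        self.popauth = popauth          # /etc/mail/popauth: client IP -> value
        self.local_domains = set(local_domains)   # sendmail class w

    def local_check_rcpt(self, client_addr):
        # Kpopauth hash -a<OK> ... ; R$*<OK> $# OK  -> returned as-is by check_rcpt
        if client_addr in self.popauth:
            return "OK"
        return None                     # R<?> $@ NoPopAuth -> fall through

    def access_lookup_ip(self, client_addr):
        # sendmail tries 10.10.10.5, then 10.10.10, 10.10, 10
        parts = client_addr.split(".")
        for n in range(len(parts), 0, -1):
            action = self.access.get(".".join(parts[:n]))
            if action:
                return action
        return None

    def access_lookup_name(self, name):
        # host names match on the full name, then on each parent domain
        labels = name.lower().split(".") if name else []
        for n in range(len(labels)):
            action = self.access.get(".".join(labels[n:]))
            if action:
                return action
        return None

    def relay_path(self, client_addr, client_name=""):
        """Which client-side rule grants relaying, regardless of recipient."""
        if self.local_check_rcpt(client_addr) is not None:
            return "popauth"
        if self.access_lookup_ip(client_addr) == "RELAY":
            return "access"
        if self.access_lookup_name(client_name) == "RELAY":
            return "access"
        return "none"

    def check_rcpt(self, client_addr, client_name, rcpt):
        """Return (verdict, reason) in the order sendmail evaluates them."""
        hook = self.local_check_rcpt(client_addr)
        if hook is not None:
            return (hook, "Local_check_rcpt: popauth entry for %s" % client_addr)
        if self.relay_path(client_addr, client_name) == "access":
            return ("RELAY", "access db grants RELAY to client %s" % client_addr)
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return ("OK", "recipient domain %s is local" % domain)
        if self.access_lookup_name(domain) == "RELAY":
            return ("RELAY", "access db grants RELAY to domain %s" % domain)
        return ("REJECT", "550 Relaying denied")


def build_example_policy():
    """Constructed tables mirroring the shape of the post's access file."""
    access = {"localhost.localdomain": "RELAY", "localhost": "RELAY",
              "127.0.0.1": "RELAY", "10.10.10": "RELAY"}
    popauth = {"198.51.100.7": "1092068386"}   # roaming user who just POPed
    return RelayPolicy(access, popauth, {"localhost", "localhost.localdomain",
                                         "example.org"})


# Constructed maillog lines in sendmail's from= format (not real traffic).
LOG = """\
Aug  9 03:12:01 mx sendmail[2211]: i790C1xx002211: from=<sales@bogus.example>, size=2134, class=0, nrcpts=48, msgid=<a@bogus.example>, proto=SMTP, daemon=MTA, relay=[203.0.113.9]
Aug  9 03:12:04 mx sendmail[2214]: i790C4xx002214: from=<sales@bogus.example>, size=2134, class=0, nrcpts=50, msgid=<b@bogus.example>, proto=SMTP, daemon=MTA, relay=[203.0.113.9]
Aug  9 08:40:10 mx sendmail[2500]: i79Ee9xx002500: from=<ann@example.org>, size=880, class=0, nrcpts=1, msgid=<c@example.org>, proto=ESMTP, daemon=MTA, relay=pc5.example.org [10.10.10.5]
Aug  9 09:02:33 mx sendmail[2612]: i79F2Wxx002612: from=<roam@example.org>, size=1200, class=0, nrcpts=2, msgid=<d@example.org>, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]
"""

FROM_LINE = re.compile(r"from=<[^>]*>.*nrcpts=(\d+).*relay=(?:\S+ )?\[([0-9.]+)\]")


def triage_log(log_text, policy):
    """Map client IP -> (total recipients, relay path granted by policy)."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = FROM_LINE.search(line)
        if m:
            totals[m.group(2)] += int(m.group(1))
    return {ip: (n, policy.relay_path(ip)) for ip, n in totals.items()}


if __name__ == "__main__":
    policy = build_example_policy()
    for ip, (n, path) in sorted(triage_log(LOG, policy).items(),
                                key=lambda kv: -kv[1][0]):
        print("%-15s nrcpts=%-4d relay via: %s" % (ip, n, path))
    print(policy.check_rcpt("198.51.100.7", "", "victim@remote.example"))
```

Run as-is it prints the client IPs ordered by recipient count with the rule that lets each relay; the last line shows that a popauth entry yields `OK` for an external recipient without the access database being consulted, which is why a compromised POP password, or a spammer behind the same NAT address as a roaming user, relays for as long as the entry lives in the map.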