[OT] Sendmail open relay problem

James R. Stevens jstevens at ATHENSDISTRIBUTING.COM
Mon Aug 9 20:43:37 IST 2004


I'm curious as to what the messages in the queue had in common. Are they
all from a null sender (i.e. <>)? Did Sendmail think localhost (or
127.0.0.1) was the relay for each piece of mail?

-----Original Message-----
From: Miguel Koren [mailto:miguelk at KONSULTEX.COM.BR] 
Sent: Monday, August 09, 2004 2:26 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: [OT] Sendmail open relay problem


I have been running along with MailScanner just fine for a long, long
time and thought I had all my defenses in place. Over the weekend,
however, one of my servers seems to have been 'discovered' by a spamming
operation or a virus-infected machine, and I ended up with 75,000 files
in the mqueue directory this morning.

I use Sendmail 8.12.8 on Red Hat 9 in this case.

What I did is shut down MailScanner and Sendmail and deleted all those
files. It's possible that some were genuine emails, but if so, very,
very few.

My understanding of Sendmail is that a relay is closed if the
/etc/mail/access file is ok. Here is what I have:

localhost.localdomain   RELAY
localhost               RELAY
127.0.0.1               RELAY

# internal
10.10.10.0              RELAY


I also have this in /etc/mail/relay-domains:

# internal
10.10.10.

# localhost
127.0.0.1
localhost
localhost.localdomain

I also run pop-before-smtp for our roaming users and I can't stop
using it short term. Perhaps some of the IPs I see in the
pop-before-smtp log are that particular spammer IP.

I don't think Red Hat 9 has any default users that can log in to email
with default passwords. If anybody is interested, this
http://popbsmtp.sourceforge.net/ is a good system, assuming it did not
cause the problems. This system requires a change in
/etc/mail/sendmail.cf to make Sendmail check the pop-before-smtp
database before sending emails. This is the change that I made a long
time ago:

Kpopauth hash -a<OK> /etc/mail/popauth

SLocal_check_rcpt
R$*             $: $(popauth $&{client_addr} $: <?> $)
R<?>            $@ NoPopAuth
R$*<OK>         $# OK
......

then I have all the rest of the normal file.

My theory is that there may be an infected machine logging in to pop and
then sending emails, or a deliberate attempt to use pop with default
users gets the same result.

Summarizing:
a) are there any errors in access and relay-domains?
b) are there any known default users in Red Hat 9 that can access pop?
c) Would this sendmail.cf somehow mess up the relay checking (apart from
checking the database first)?

Miguel

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html

-- 
This message has been scanned for viruses and
dangerous content by Athens Hyperion Scanner, and is
believed to be clean.
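The question at the top of this thread (what the queued messages had in common: null sender? localhost as relay?) can be answered from the queue itself before anything is deleted. The script below is an added example, written for this thread and not posted by either participant; it reads sendmail qf control files and tallies envelope senders and relay clients. It assumes the standard qf fields (S for the envelope sender, R for recipients, $_ for the validated client, i.e. the ${_} macro) and uses three constructed, abbreviated qf files as sample input.

```python
"""Triage an mqueue backlog: what do the queued messages have in common?"""
import glob
import os
import re
from collections import Counter

# CONSTRUCTED, abbreviated qf files (not real queue data): two messages
# handed in via 127.0.0.1 with a null sender, one from a LAN host.
SAMPLE_QF = {
    "qfi79Kx1aB012345": "V8\nT1092076800\n$_localhost [127.0.0.1]\n$rESMTP\n"
                        "S<>\nRPFD:victim1@example.net\nH?P?Return-Path: <g>\n.\n",
    "qfi79Kx2cD012346": "V8\nT1092076801\n$_localhost [127.0.0.1]\n$rESMTP\n"
                        "S<>\nRPFD:victim2@example.org\n.\n",
    "qfi79Kx3eF012347": "V8\nT1092076802\n$_pc7.internal.example [10.10.10.7]\n"
                        "$rESMTP\nS<alice@example.com.br>\nRPFD:bob@example.com\n.\n",
}

FLAGS_RE = re.compile(r"^[A-Z]*:")      # 'RPFD:addr' style recipient lines

def parse_qf(text):
    """Extract envelope sender, recipients and relay client from one qf file."""
    sender, rcpts, relay = None, [], None
    for line in text.splitlines():
        if line.startswith("S"):        # envelope sender; '<>' is the null sender
            sender = line[1:].strip()
        elif line.startswith("R"):      # recipient, possibly prefixed by flags and ':'
            body = line[1:]
            rcpts.append(FLAGS_RE.sub("", body) if FLAGS_RE.match(body) else body)
        elif line.startswith("$_"):     # ${_}: 'user@host [addr]' or 'host [addr]'
            m = re.search(r"\[([^\]]+)\]", line)
            relay = m.group(1) if m else line[2:].strip()
    return {"sender": sender, "recipients": rcpts, "relay": relay}

def load_mqueue(path):
    """Read every qf* control file under an mqueue directory, keyed by file name."""
    return {os.path.basename(p): open(p, errors="replace").read()
            for p in glob.glob(os.path.join(path, "qf*"))}

def summarise(queue):
    """Tally senders and relay addresses across the queue; count null senders."""
    senders, relays, null_senders = Counter(), Counter(), 0
    for text in queue.values():
        q = parse_qf(text)
        senders[q["sender"]] += 1
        relays[q["relay"]] += 1
        null_senders += q["sender"] in ("<>", "")
    return {"total": len(queue), "null_senders": null_senders,
            "senders": senders, "relays": relays}

if __name__ == "__main__":
    s = summarise(SAMPLE_QF)            # or summarise(load_mqueue("/var/spool/mqueue"))
    print(f"{s['total']} queued, {s['null_senders']} with null sender")
    for relay, n in s["relays"].most_common():
        print(f"  relay {relay}: {n}")
```

A queue dominated by one relay address, especially 127.0.0.1 or a pop-before-smtp-authorised host, points at a local or credential-based injection path rather than an open relay; a tally of distinct LAN addresses points at an infected internal machine.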

