[OT] Sendmail open relay problem

Miguel Koren O'Brien de Lacy miguelk at KONSULTEX.COM.BR
Mon Aug 9 21:40:08 IST 2004


What they had in common is that they said they were coming from my ip as
the relay. They were not from a null sender though and there was
variety, which made me think of a virus infected machine having gained
pop access.

I use Openwebmail on this server. Would it be a valid theory that some
program in that package gets used to spam?


James R. Stevens wrote:

>I'm curious as to what the messages in the queue had in common. Are they
>all from a null sender (i.e.  <> ) Did Sendmail think localhost(or
> was the relay for each piece of mail???
>-----Original Message-----
>From: Miguel Koren [mailto:miguelk at KONSULTEX.COM.BR]
>Sent: Monday, August 09, 2004 2:26 PM
>Subject: [OT] Sendmail open relay problem
>I have been running along with Mail Scanner just fine for a long, long
>time and thought I had all my defenses in place. Over the weekend
>one of my servers seems to have been 'discovered' by a spamming
>or a virus infected machine and I ended up with 75,000 files in the
>directory this morning.
>I use Sendmail 8.12.8 on Red Hat 9 in this case.
>What I did is shut down Mail Scanner and Sendmail and deleted all those
>files. It's possible that some were genuine emails but if so, very, very
>My understanding of Sendmail is that a relay is closed if the
>/etc/mail/access file is ok. Here is what I have:
>localhost.localdomain   RELAY
>localhost               RELAY
>               RELAY
># internal
>              RELAY
>I also have this in /etc/mail/relay-domains:
># internal
># localhost
>I also run pop-before-smtp for our roaming users and I can't stop
>using it short term. Perhaps some of the IPs I see in the
>log are that particular spammer IP.
>I don't think Red Hat 9 has any default users that can log in to email
>default passwords. If anybody is interested, this
>http://popbsmtp.sourceforge.net/ is a good system assuming it did not
>the problems. This system requires a change in
>/etc/mail/sendmail.cf to make Sendmail check the pop-before-smtp
>before sending emails. This is the change that I made a long time ago:
>Kpopauth hash -a<OK> /etc/mail/popauth
>R$*             $: $(popauth $&{client_addr} $: <?> $)
>R<?>            $@ NoPopAuth
>R$*<OK>         $# OK
>then I have all the rest of the normal file.
>My theory is that there may be an infected machine logging in to pop and
>then sending emails or a deliberate attempt to use pop with default
>gets the same result.
>a) are there any errors in access and relay-domains?
>b) are there any known default users in Red Hat 9 that can access pop?
>c) Would this sendmail.cf somehow mess up the relay checking (apart from
>checking the database first)?

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
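Added example, not code from the thread or from the pop-before-smtp project: a small Python model of the relay decision this setup makes for a connecting client. It answers the poster's question (a) in a way that can be tried offline: a client relays if its IP is in the popauth map (checked first by the quoted ruleset) or if /etc/mail/access grants RELAY. Sendmail matches IPv4 keys in the access database against the full client address and then progressively shorter dotted prefixes (a.b.c.d, a.b.c, a.b, a), so a short key such as "10" relays for all of 10.0.0.0/8; the checker at the end flags such entries. The access-file contents and the popauth set are constructed sample data, not the poster's real configuration.

```python
"""Model of the relay decision for a sendmail host using access db + popauth.

Two sources can grant relaying for a connecting client:
  1. the pop-before-smtp popauth map, keyed by client IP (the quoted
     sendmail.cf ruleset looks this up first);
  2. /etc/mail/access entries tagged RELAY, which sendmail matches by
     looking up the client IP and then progressively shorter prefixes.
All sample data below is constructed for illustration.
"""
import ipaddress

# Constructed sample of an /etc/mail/access file (not the poster's real one).
SAMPLE_ACCESS = """\
localhost.localdomain   RELAY
localhost               RELAY
127.0.0.1               RELAY
# internal
192.168.10              RELAY
# too-short key: grants relay to every host in 10.0.0.0/8
10                      RELAY
spammer.example         REJECT
"""


def parse_access(text):
    """Parse access-file lines into {key: ACTION}; comments and blanks are skipped."""
    table = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        table[parts[0]] = parts[1].strip().upper()
    return table


def access_lookup(table, client_ip):
    """Emulate sendmail's access_db lookup order for an IPv4 client:
    full address first, then drop one trailing octet at a time.
    Returns (matched_key, action) or (None, None)."""
    octets = client_ip.split('.')
    for n in range(len(octets), 0, -1):
        key = '.'.join(octets[:n])
        if key in table:
            return key, table[key]
    return None, None


def may_relay(client_ip, access_table, popauth):
    """Return (allowed, reason) for a client wanting to relay.
    popauth is the set of client IPs currently present in the popauth map
    (pop-before-smtp adds an IP after a successful POP login)."""
    if client_ip in popauth:
        return True, 'popauth'
    key, action = access_lookup(access_table, client_ip)
    if action == 'RELAY':
        return True, f'access:{key}'
    if action is None:
        return False, 'no-relay'
    return False, f'access:{key}:{action}'


def overbroad_relay_keys(table, max_prefix_bits=24):
    """Flag RELAY keys that are bare IPv4 prefixes wider than max_prefix_bits
    (fewer than three octets by default). Returns [(key, network)]."""
    flagged = []
    for key, action in table.items():
        if action != 'RELAY':
            continue
        octets = key.split('.')
        if not (1 <= len(octets) <= 4 and all(o.isdigit() for o in octets)):
            continue
        bits = len(octets) * 8
        if bits < max_prefix_bits:
            padded = '.'.join(octets + ['0'] * (4 - len(octets)))
            flagged.append((key, str(ipaddress.ip_network(f'{padded}/{bits}'))))
    return flagged


if __name__ == '__main__':
    table = parse_access(SAMPLE_ACCESS)
    for ip in ('192.168.10.7', '10.20.30.40', '203.0.113.5'):
        print(ip, may_relay(ip, table, popauth={'203.0.113.9'}))
    print('over-broad RELAY keys:', overbroad_relay_keys(table))
```

Run against a real /etc/mail/access (read the file instead of SAMPLE_ACCESS) to see which prefixes a given client address would match; a hit on a one- or two-octet key is the usual reason an apparently closed relay accepts mail from the wider Internet. It does not model pop-before-smtp's timestamp expiry: the daemon removes stale popauth entries itself, and the ruleset only tests for presence.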
