[OT] Sendmail open relay problem

Miguel Koren O'Brien de Lacy miguelk at KONSULTEX.COM.BR
Mon Aug 9 21:40:08 IST 2004


James;

What they had in common is that they said they were coming from my ip as
the relay. They were not from a null sender though and there was
variety, which made me think of a virus infected machine having gained
pop access.

I use Openwebmail on this server. Would it be a valid theory that some
program in that package gets used to spam?

Miguel


James R. Stevens wrote:

>I'm curious as to what the messages in the queue had in common. Are they
>all from a null sender (i.e. <>)? Did Sendmail think localhost (or
>127.0.0.1) was the relay for each piece of mail?
>
>-----Original Message-----
>From: Miguel Koren [mailto:miguelk at KONSULTEX.COM.BR]
>Sent: Monday, August 09, 2004 2:26 PM
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: [OT] Sendmail open relay problem
>
>
>I have been running along with Mail Scanner just fine for a long, long
>time and thought I had all my defenses in place. Over the weekend however
>one of my servers seems to have been 'discovered' by a spamming operation
>or a virus infected machine and I ended up with 75,000 files in the
>mqueue directory this morning.
>
>I use Sendmail 8.12.8 on Red Hat 9 in this case.
>
>What I did is shut down Mail Scanner and Sendmail and deleted all those
>files. It's possible that some were genuine emails but if so, very, very
>few.
>
>My understanding of Sendmail is that a relay is closed if the
>/etc/mail/access file is ok. Here is what I have:
>
>localhost.localdomain   RELAY
>localhost               RELAY
>127.0.0.1               RELAY
>
># internal
>10.10.10.0              RELAY
>
>
>I also have this in /etc/mail/relay-domains:
>
># internal
>10.10.10.
>
># localhost
>127.0.0.1
>localhost
>localhost.localdomain
>
>I also run pop-before-smtp for our roaming users and I can't stop
>using it short term. Perhaps some of the IPs I see in the pop-before-smtp
>log are that particular spammer IP.
>
>I don't think Red Hat 9 has any default users that can log in to email
>with default passwords. If anybody is interested, this
>http://popbsmtp.sourceforge.net/ is a good system assuming it did not
>cause the problems. This system requires a change in
>/etc/mail/sendmail.cf to make Sendmail check the pop-before-smtp
>database before sending emails. This is the change that I made a long
>time ago:
>
>Kpopauth hash -a<OK> /etc/mail/popauth
>
>SLocal_check_rcpt
>R$*             $: $(popauth $&{client_addr} $: <?> $)
>R<?>            $@ NoPopAuth
>R$*<OK>         $# OK
>......
>
>then I have all the rest of the normal file.
>
>My theory is that there may be an infected machine logging in to pop and
>then sending emails or a deliberate attempt to use pop with default users
>gets the same result.
>
>Summarizing:
>a) are there any errors in access and relay-domains?
>b) are there any known default users in Red Hat 9 that can access pop?
>c) Would this sendmail.cf somehow mess up the relay checking (apart from
>checking the database first)?
>
>Miguel
>

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html
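Added here as an example, not code from the post or from the pop-before-smtp project: a short Python model of the relay decision the quoted configuration makes. It follows the quoted Local_check_rcpt order (a popauth hit accepts at once, otherwise the access map decides) and sendmail's lookup of an IPv4 client in the access map as the full address followed by each shorter dotted prefix; the popauth address 203.0.113.7 and the client 198.51.100.9 are constructed sample values.

```python
# Added example, not code from the post: a model of how the sendmail
# configuration quoted above decides whether a client may relay. Assumes
# sendmail's standard lookup order: popauth first (as the quoted ruleset
# does), then the access map tried with the full IPv4 address and each
# shorter dotted prefix.

# The access entries from the post (key -> action).
ACCESS = {
    "localhost.localdomain": "RELAY",
    "localhost": "RELAY",
    "127.0.0.1": "RELAY",
    "10.10.10.0": "RELAY",
}


def access_lookup_keys(client_addr):
    """Keys sendmail tries for an IPv4 client, most specific first:
    10.10.10.5 -> 10.10.10 -> 10.10 -> 10 (hostnames are matched differently)."""
    octets = client_addr.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def access_action(client_addr, access=ACCESS):
    """First matching access-map action for an IPv4 client, or None."""
    for key in access_lookup_keys(client_addr):
        if key in access:
            return access[key]
    return None


def relay_decision(client_addr, popauth, access=ACCESS):
    """Mirror the quoted ruleset: popauth hit -> OK at once, else access map."""
    # Kpopauth hash -a<OK> ... R$*<OK> $# OK: a client recorded by
    # pop-before-smtp is accepted before the relay checks run at all.
    if client_addr in popauth:
        return "OK (pop-before-smtp)"
    # R<?> $@ NoPopAuth: no hit, so the normal relay checks decide.
    if access_action(client_addr, access) == "RELAY":
        return "RELAY (access map)"
    return "DENIED (relaying denied)"


if __name__ == "__main__":
    # Constructed sample: one roaming user recorded by pop-before-smtp.
    popauth = {"203.0.113.7"}
    for addr in ("127.0.0.1", "10.10.10.5", "203.0.113.7", "198.51.100.9"):
        print(addr, "->", relay_decision(addr, popauth))
    # 10.10.10.5 is denied: its lookup keys never equal "10.10.10.0",
    # whereas the key "10.10.10" would cover the whole 10.10.10.x range.
```

Run as written, it shows that under this lookup order a client in 10.10.10.x is not matched by the access key 10.10.10.0, while the key 10.10.10 would cover the whole range; whether relay-domains picks those hosts up instead is a separate check.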