[OT] Sendmail open relay problem - SOLVED

Miguel Koren O'Brien de Lacy miguelk at KONSULTEX.COM.BR
Wed Aug 18 13:02:08 IST 2004


I just thought I would let anyone that was interested in this problem
know what had happened. It may help others avoid the same problem.

A few weeks before this episode we had to make a change in the
httpd.conf file to allow external access to a web site running on an
internal server. The easiest way at the moment was to enable the
ProxyPass directive, which had to have access from "All". However, this
also let the spammer use the web server to access sendmail by making a
connection to port 25. I found this by searching through the httpd log
files. Once I rolled back that change, all open relay tests were OK
again. Summarizing, I would say that the fewer services run on the mail
machine, the better.

Miguel
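As an added example (not part of the original post), here is a small Python script that does the kind of httpd log search described above: it looks through Apache combined-format log lines for proxy-style requests aimed at port 25, i.e. CONNECT tunnels and absolute-URI requests, and counts them per client address. The log lines are constructed sample data using documentation IP ranges, not lines from the original server.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed Apache combined-format log lines (sample data, not from the original post).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Aug/2004:02:11:05 -0300] "CONNECT mail.example.net:25 HTTP/1.0" 200 - "-" "-"
203.0.113.7 - - [14/Aug/2004:02:11:09 -0300] "CONNECT 192.0.2.10:25 HTTP/1.0" 200 - "-" "-"
198.51.100.4 - - [14/Aug/2004:02:12:40 -0300] "GET http://192.0.2.10:25/ HTTP/1.0" 200 312 "-" "-"
10.10.10.5 - - [14/Aug/2004:02:13:01 -0300] "GET /intranet/index.html HTTP/1.1" 200 4817 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Aug/2004:02:14:22 -0300] "POST http://192.0.2.10:25/ HTTP/1.0" 200 - "-" "-"
"""

# client IP, two ident/user fields, bracketed timestamp, then "METHOD TARGET PROTOCOL" and the status code
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_smtp_proxy_request(method, target, smtp_port=25):
    """True if the request asks httpd to act as a proxy toward an SMTP port.

    Two shapes appear in the log when a proxy is being abused for mail:
      CONNECT host:25 HTTP/1.0       (tunnel request)
      GET http://host:25/ HTTP/1.0   (absolute-URI request routed by mod_proxy)
    A normal request has a path-only target (e.g. /index.html) and is ignored.
    """
    if method == "CONNECT":
        _host, sep, port = target.rpartition(":")
        return sep == ":" and port.isdigit() and int(port) == smtp_port
    if target.startswith(("http://", "https://")):
        try:
            return urlsplit(target).port == smtp_port
        except ValueError:  # malformed port in the URI: not a usable proxy request
            return False
    return False


def find_smtp_proxy_abuse(log_text, smtp_port=25):
    """Count SMTP-bound proxy requests per client IP; returns {ip: count}."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_smtp_proxy_request(m["method"], m["target"], smtp_port):
            hits[m["ip"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, n in sorted(find_smtp_proxy_abuse(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} {n} proxy request(s) toward port 25")
```

Run it against a real access_log by reading the file into `find_smtp_proxy_abuse`; any non-zero result points at a proxy configuration that is reachable from outside and should be restricted.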

Miguel Koren wrote:

>I have been running along with Mail Scanner just fine for a long, long
>time and thought I had all my defenses in place. Over the weekend however
>one of my servers seems to have been 'discovered' by a spamming operation
>or a virus infected machine and I ended up with 75,000 files in the mqueue
>directory this morning.
>
>I use Sendmail 8.12.8 on Red Hat 9 in this case.
>
>What I did is shut down Mail Scanner and Sendmail and deleted all those
>files. It's possible that some were genuine emails but if so, very, very
>few.
>
>My understanding of Sendmail is that a relay is closed if the
>/etc/mail/access file is ok. Here is what I have:
>
>localhost.localdomain   RELAY
>localhost               RELAY
>127.0.0.1               RELAY
>
># internal
>10.10.10.0              RELAY
>
>
>I also have this in /etc/mail/relay-domains:
>
># internal
>10.10.10.
>
># localhost
>127.0.0.1
>localhost
>localhost.localdomain
>
>I also run pop-before-smtp for our roaming users and I can't stop
>using it short term. Perhaps some of the IPs I see in the pop-before-smtp
>log are that particular spammer IP.
>
>I don't think Red Hat 9 has any default users that can log in to email
>with default passwords. If anybody is interested, this
>http://popbsmtp.sourceforge.net/ is a good system assuming it did not
>cause the problems. This system requires a change in
>/etc/mail/sendmail.cf to make Sendmail check the pop-before-smtp database
>before sending emails. This is the change that I made a long time ago:
>
>Kpopauth hash -a<OK> /etc/mail/popauth
>
>SLocal_check_rcpt
>R$*            $: $(popauth $&{client_addr} $: <?> $)
>R<?>           $@ NoPopAuth
>R$*<OK>                $# OK
>......
>
>then I have all the rest of the normal file.
>
>My theory is that there may be an infected machine logging in to pop and
>then sending emails or a deliberate attempt to use pop with default users
>gets the same result.
>
>Summarizing:
>a) are there any errors in access and relay-domains?
>b) are there any known default users in Red Hat 9 that can access pop?
>c) Would this sendmail.cf somehow mess up the relay checking (apart from
>checking the database first)?
>
>Miguel
>

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).