topic Re: security / sendmail / spam in Operating System - HP-UX

security / sendmail / spam

Fred Martin_1 — Fri, 10 Jan 2003 21:18:41 GMT

Grab a coffee.

I had a user, dave. He had a login account but wanted no email. So, I put an alias in for him:

dave: nomail

Since there isn't a real "nomail" user, it causes any mail -to- dave to bounce back to sender. I have 15 or so accounts set up this way.

Some time after that, postmaster for my sendmail server started getting a returned-mail message. Basically it said:

mail from dave to spam.com.de was refused

It seemed to me that some spammer was sending mail to dave, and my server was simply bouncing it back. The receiver of the bounce was bogus. Hence, the message above.

Make sense?

About the same time that started, all users start getting more spam than ever, like a floodgate had opened. Even system accounts like adm and sys, which had in four years _never_ got mail, started getting spam.

Back to dave. dave was spending the winter in Florida and was not logging in.

After a while I got tired of all the postmaster messages regarding dave, so as a kind of test since we was gone, I renamed user dave to david on my system.

A few weeks later I start getting the same postmaster mail, saying:

mail from david to spam.com.de was refused

During this time, dave (david) never logged in, and no one at all, not even david, was aware that I renamed the account.

And! No more postmaster messages about dave. He doesn't get mail any more, where before he was regularly getting junk, which david now seems to be getting.

My sendmail is not relaying; I tested that.

I'm baffled by this; whatever is doing this seems to be using the password file, or at least it seems to me that's the case.

I don't see any unusual processes running; no system files have been modified lately that I can see; only five users on my system have any unix access at all.

Any ideas?

Re: security / sendmail / spam

Fred Martin_1 — Fri, 10 Jan 2003 21:31:43 GMT

It occurs to me now, that I am relaying mail, for PCs on my local network. They all run NAV and should be safe, but perhaps it's from the inside after all?

Most PC hosts on my network use Eudora, with a couple using Outlook 97 as a mailer (no Exchange server).

Re: security / sendmail / spam

Paul R. Dittrich — Fri, 10 Jan 2003 21:39:03 GMT

Look to see if those Outlook clients had an address book that could have been "harvested".

I would seriously consider implementing the RBL on the sendmail server so that bogus mail is simple never accepted in the first place.

HTH,
Paul

Re: security / sendmail / spam

Christopher Caldwell — Fri, 10 Jan 2003 23:17:33 GMT

The problem with your bounce technique is that sendmail will accept the mail. If the mail is spam, when the mail goes to bounce, the spamming server will likely not be present or won't accept mail, resulting in a bounce to postmaster. Here's how to fix it:

The trick is rejecting the mail altogether:

1) enable the virtusertable feature in sendmail by uncommenting these rulesets in /etc/mail/sendmail.cf

# Virtual user table (maps incoming users)
Kvirtuser dbm /etc/mail/virtusertable

SParse1
# handle virtual users
R$+ < @ $=w . > $: < $(virtuser $1 @ $2 $@ $1 $: @ $) > $1 < @ $2 . >
R<@> $+ + $* < @ $* . >
$: < $(virtuser $1 + * @ $3 $@ $1 $: @ $) > $1 + $2 < @
$3 . >
R<@> $+ + $* < @ $* . >
$: < $(virtuser $1 @ $3 $@ $1 $: @ $) > $1 + $2 < @ $3 .
>
R<@> $+ < @ $+ . > $: < $(virtuser @ $2 $@ $1 $: @ $) > $1 < @ $2 . >
R<@> $+ $: $1
R< error : $- $+ > $* $#error $@ $( dequote $1 $) $: $2
R< $+ > $+ < @ $+ > $: $>97 $1

restart sendmail

for each user that wants to reject mail outright, add an entry to /etc/mail/virtusertable like this:

dave@yourdomain.com error:nouser No such user

type
makemap dbm /etc/mail/virtusertable < /etc/mail/virtusertable
(run makemap everytime you modify /etc/mail/virtusertable)

Now try to send mail to dave@yourdomain.com.

If you want to get really serious about controlling mail, take the contrarian standpoint. Put an entry in virtusertable for each person that _should_ recieve mail. At the end of virtusertable, add an entry like
@yourdomain.com error:nouser No such user
to reject everything else.

This technique in conjunction with the RBL technique referenced in the other post does a great job of dealing with spam.

Re: security / sendmail / spam

Fred Martin_1 — Mon, 13 Jan 2003 21:54:19 GMT

Paul, thanks. Since we only have a few Outlook users, I did check that. Since the rename to "david" was not known, no one has the "david" name referenced.

This leads me to think that somehow the password file is accessable to someone outside, or is being sent outside. The "david" email began right away after renaming the unix user from "dave" to "david".

Re: security / sendmail / spam

Fred Martin_1 — Mon, 13 Jan 2003 21:59:03 GMT

Christopher,

Thanks. I was going to ask about the details and you've provided them.

---
I would like to hear from others as well. The fact that "david" appeared as a known user for incoming mail is particularly annoying. Unless some spammer is sending email to:

david@every_domain_in_the_book.com

And hit us that way, which is I suppose, possible. I do myself occasionally get mail that is CC'd to "fmartin@manydomains" including mine.

Re: security / sendmail / spam

Fred Martin_1 — Tue, 11 Feb 2003 17:38:40 GMT

Ok - I'm running HP-UX 11.0, and Sendmail 8.9.3 (PHNE_24419)

It's obvious to me now we are being compromised. If I create a new user, within a few days he starts getting junk mail. Someone on the outside clearly has access to our list of users.

I do not believe we've been accessed directly via a unix login, or a virus from an internal host. If I'm right there then I need to ask:

Is there any way possible with this version of sendmail, that someone can log into it and query for a complete list of addressees?

Re: security / sendmail / spam

Steven E. Protter — Tue, 11 Feb 2003 18:15:46 GMT

Here's another technique.

In /etc/mail/accesss

AcriHotline@aol.com 500 Spam reject. We charge $500/spam message.
brenda72@newmail.com 500 Spam reject. We charge $500/spam message.
Cash4Free@aol.com 500 Spam reject. We charge $500/spam message.

A few reject messages for known spammers.

Its not that hard to give the users a little interface that lets you collect data for known spammers.

If in the access file you are stingy about what machines you relay for, you won't accidently become a spam relay point.

Attached is a script that can be modified to let you customize your mail setup including sendmail.mc and then rebuild the hast databases when you have more data in your configuration.

It originated on Linux but has been successfully adapted to HP-UX.

You can also use /etc/aliases to forward dave's mail to his aol account so long as your mail server has a valid domain name that resolves.

Spam killing can be fun.

Its important to look at headers and see where the mail is being relayed, you can block mail from certain IP addresses and really cut your spam volume a lot.

SEP

Re: security / sendmail / spam

Jordan Bean — Tue, 11 Feb 2003 23:39:29 GMT

I don't believe your password or alias files are being harvested.

I believe that your mail server has fallen prey to the most popular and annoying spamming method: bomb every possible first name.

Check your mail log, I'm sure you'll find hundreds of entires from A to Z, most of them immediate failures that you wouldn't see since the weren't accepted in the first place.

Re: security / sendmail / spam

Jordan Bean — Tue, 11 Feb 2003 23:43:13 GMT

Hi Fred,

I thought this post was familiar... I responded to your first one, but didn't think of this until now... Sorry, bud. Here's a link to it:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xaf7a85079106d71190050090279cd0f9,00.html