topic Re: how to handle sendmail spoof in Operating System - Linux

how to handle sendmail spoof

K.C. Chan — Fri, 29 Apr 2005 11:14:08 GMT

All,
I am getting spoof email from outside, the from field: fake.user@mydomain, shows that the email is coming from us; how would one counter measure this sort of spoof? Thanks.

Re: how to handle sendmail spoof

Stuart Browne — Fri, 29 Apr 2005 18:40:23 GMT

Does the 'mydomain' exist?

There's an option in the sendmail configuration to not accept mail from unresolvable domains. Start by making sure you don't have that enabled.

Next is to enable spam filtering using spamassassin or some other method.

There should be RPM's for any RedHat/Fedora system to do this, and the instructions are fairly easy to follow.

Re: how to handle sendmail spoof

renarios — Sat, 30 Apr 2005 06:50:15 GMT

Hi KC,

To block unwanted domains, I put the following entry in my sendmail.mc:
dnl # Anti spam
FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}', `t')dnl

In that list there are world-wide rejected domains. Very handy dandy!
Don't forget to rebuild your sendmail.cf with the new configuration!

Cheers,

Renarios

Re: how to handle sendmail spoof

K.C. Chan — Sat, 30 Apr 2005 09:46:19 GMT

All,
I am using spamassassin, it catches most of the spam. But if a user is spoofing my sendmail, for example:
the domain which my mail server answer to is "mydomain.com". What happen is mail from outside is faking my mail server out by having the from field set to someuser@mydomain.com. Isn't there something in the sendmail config which makes sure that email from outside of my network that have mydomain.com in it is a spoof email?

Re: how to handle sendmail spoof

Stuart Browne — Sat, 30 Apr 2005 10:47:22 GMT

remove 'mydomain.com' from /etc/mail/access, and re-make the access db (cd /etc/mail;make).

You should only relay based on local-net subnet's only, and 'accept' for 'mydomain.com' only (which isn't done in 'access').

Re: how to handle sendmail spoof

K.C. Chan — Sun, 01 May 2005 09:21:14 GMT

Stuart,
I have done that already, and I noticed two other which have the mydomain entry in it:

local-host-names
relay-domains

I would think it would be o.k to take it out from there? Thanks.

Re: how to handle sendmail spoof

Stuart Browne — Sun, 01 May 2005 18:58:56 GMT

Remove it from 'relay-domains'.. but assuming you've updated Sendmail recently, it should be in use.

Re: how to handle sendmail spoof

K.C. Chan — Mon, 02 May 2005 12:34:04 GMT

Stuart,
I believe I need "mydomain.com" to be in "relay-domains" file, otherwise user (users on our network, mydomain.com) will get 550 error when trying to send mail out.

Re: how to handle sendmail spoof

Steven E. Protter — Mon, 02 May 2005 15:34:42 GMT

There are lots of indirect counter measures.

One of the best is to see if the sender has a reverse lookup domain. Here is a thread that tells how to do that.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=450771

SEP

Re: how to handle sendmail spoof

Stuart Browne — Mon, 02 May 2005 20:10:44 GMT

If it's a recent version of sendmail (i.e. less than 3 years old), then no. you should only need the IP's that the users are sending from in the access as a 'relay'.

If they are sending from the outside world, not just internally, then you need to implement some other verification steps, i.e. SMTP auth for those external connections.

Re: how to handle sendmail spoof

K.C. Chan — Tue, 03 May 2005 09:58:00 GMT

Stuart,
so if all my servers are NATED, e.g: network of "192.168.10.", then putting this in the relay-domain file will allow all internal pc/servers to mail outside of our network and still be able to recieve email from outside? This will stop the spoof of "mydomain.com" from outside, if they try, they will get a 550 error? Please confirm before I attempt to modify the relay-domain file. Thanks.

Re: how to handle sendmail spoof

Stuart Browne — Tue, 03 May 2005 19:26:53 GMT

It should.

But given the names of the files involved, I'd start by updating Sendmail.

Many many versions ago, all the access and relay information was combined into the single database 'access.db' (via 'access'), using the keywords 'RELAY' and 'OK'.

It also has the control to allow 'To:' acceptance i.e. from my box:

xxx.29.19.45 RELAY
xxx.29.19.46 RELAY
To:bekar.xx.xx OK

But I also have my box using SMTPAuth for my mobile phone.. :)

Re: how to handle sendmail spoof

K.C. Chan — Wed, 04 May 2005 17:14:16 GMT

Stuart,
in the relay-domain file, could I use something like: "192.168.10." and "10.10.10." in place of "mydomain.com"? Thanks.

Re: how to handle sendmail spoof

Stuart Browne — Wed, 04 May 2005 19:24:54 GMT

That should be fine, yes.

Just don't forget to re-make the hash-databases after changing the contents.

Re: how to handle sendmail spoof

K.C. Chan — Thu, 05 May 2005 08:29:07 GMT

Thanks,
I will see if I can make the changes Today; will let you know it goes.