topic Sendmail config in Operating System - Linux

Sendmail config

Vernon Brown_4 — Wed, 04 Feb 2004 15:21:31 GMT

Sendmail seems to be relaying. I'm using the default setup from RedHat 7.1 installed on HP 8500 running Apache server. I enabled FEATURE(redirect) so that /etc/aliases would work but don't want to do relaying for just anybody.

I think I might be relaying because maillog gets about a thousand relay= entries a day like the example below:

Feb 1 05:16:32 linda sendmail[1941]: i11BGMq01941: from=,
size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=h24-68-12-216.gv.shawcable.net [24.68.12.216]

Any ideas ??

Re: Sendmail config

Steven E. Protter — Wed, 04 Feb 2004 15:28:09 GMT

Vernon,

I've been dealin with this myself. Checklist:

/etc/mail/access

Only local IP addresses on your internal network should be set to RELAY. Even if you host internet domains, you don't need RELAY on the subdomains.

I'm attaching my buildmail script which will build the hast databases.

In all documentroot and subdirectories you need a robots.txt file. That file prevents external users from using your cgi formscripts to relay mail

See these threads:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=333766
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=358250
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=250630
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=391433

Just because these threads are hpux does not invalidate them. Sendmail is sendmail.

Also, if you suspect formscripts, do a google search for Fromscript security

Your scripts can be used to relay mail.

SEP

Need more? Just ask.

Re: Sendmail config

Steven E. Protter — Wed, 04 Feb 2004 15:30:30 GMT

Vhat happened to my attachment?????

Trying again.

SEP

Re: Sendmail config

Alexander Chuzhoy — Wed, 04 Feb 2004 15:33:25 GMT

By default your sendmail shouldn't permit relay ( from 8.9 version of sendmail)

for start edit the file /etc/mail/relay-domains for relay permited domains entries.

Re: Sendmail config

Vernon Brown_4 — Wed, 04 Feb 2004 17:17:51 GMT

I found an open-relay test site in one of Steven's examples. 14 tests came back; "relaying denied"

Yet I'm getting all these log file hits. I don't see any indication in the log entries that the relay was blocked ??

Is there any way to tell if the log entries are the result of successful relays ?

Thanks for your input !!

Re: Sendmail config

Steven E. Protter — Wed, 04 Feb 2004 17:26:39 GMT

Those log entries are probably the result of successful relays.

I've put together a package of scripts for you that I use on Linux to scan my logs and such for possible spam.

http://www.isnamerica.com/spam.tar.gz

It also includes my spammer list and access configuration as a referendce. Let me know when its downloaded because I'm going to remove it.

spamlist lets me forward via elm spam messages to me and then process them into /etc/access blocks.

SEP

Re: Sendmail config

Vernon Brown_4 — Wed, 04 Feb 2004 18:13:56 GMT

Thanks Steven; I have downloaded the file.

I'll play around with it and try to put it to work !1

Re: Sendmail config

Steven E. Protter — Wed, 04 Feb 2004 21:52:07 GMT

Vernon,

While trying to help you with your issue, my server was attacked with a relay attack.

This does not mean you should not do what I've advised. But in a very painful two hour period I have learned more.

If you have cgi formscripts, you need this code near the top:

@referers = ('67.94.143.147','67.94.143.147');
@recipients = ('yourname@yourdomain.com');

You may need this depending on what kind of form you are using:

if ( $sender ne "yourname\@yourdomain.com" )
{
print "Content-type: text/html\r\n\r\n";
print "

Hijacking of scripts is ILLEGAL!
Your
ip address, $ENV{'REMOTE_ADDR'} has been recorded, as

as well as the date and time.
$refer
$ENV{'HTTP_REFERER'}

";
exit(0);
}

This code is a retrofit for formmail scripts that lets you stop people from using your scripts to send their mail.

I've come pretty close to closing all the holes, so when the attacker found a weak script he/she/it queued up a bunch of mail for later delivery.

mailq spots it

rm -f /var/spool/mqueue/*

Will clean out the mail queue. Good mail as well as bad will die an untimely death.

I actually saw messages queued up to go to aol.com scheduled for the next 24 hours.

Also, here is the code of robots.txt

It should keep folks out of your cgi-bin directory.

User-agent: *
Disallow: /cgi-bin
Disallow: /server-cgi
Disallow: /images

#
# Standard robot exclusion entries- PLEASE DO NOT DELETE!
#

We should exchange notes and help each other on this issue. You may have been exploited in a way that I don't know about.

I will keep up my end and feel free to update me with anything you discover.

SEP

Re: Sendmail config

Vernon Brown_4 — Wed, 04 Feb 2004 23:37:35 GMT

Thanks for the info Steven; I've also been getting new scans looking for valid users on my servers. Example:

Feb 4 01:03:25 linda sendmail[6297]: i1473OO06297: ... User unknown
Feb 4 01:06:32 linda sendmail[6299]: i1476VO06299: ... User unknown
Feb 4 01:06:39 linda sendmail[6301]: i1476bO06301: ... User unknown
Feb 4 01:06:42 linda sendmail[6303]: i1476gO06303: ... User unknown

This is from the maillog. Seems to be someone scanning for valid users. So far they haven't found any but they eventually will. Now the question; what will they do when they know a vaild user name ??

Interesting ! I'll follow up on this. I will keep in touch. Thanks for all your help !

Vern

Re: Sendmail config

Seth Parker — Thu, 05 Feb 2004 00:15:24 GMT

Does a thousand combined incoming and outgoing messages a day sound reasonable for your server? That may just be your normal load.

Check the full trace for this message. Look for the other entries in the log that contain "i11BGMq01941" and you'll get the full picture of what this message was doing.

The "relay=" on the line may be nothing because it's put on every line that has "from=" on it so you know what machine actually sent (relayed) the message to you.

In the example you gave, "linda@earhling.net" sent a message and it hit your server from the machine "h24-68-12-216.gv.shawcable.net". To know more, you need to look at the rest of the log entries.

If the entry that has "to=" is someone in your domain, everything's fine. If it's for someone outside your domain, you've got a problem.

With the open relay checks you ran, it sounds like you're not relaying, but check it out just in case.

You can see what normal messages look like in the logs by sending one to someone you know and tracking that. Then have someone send one to you and track it. That'll give you an idea of what you're looking at.

Regards,
Seth

Re: Sendmail config

Steven E. Protter — Thu, 05 Feb 2004 00:21:13 GMT

I'm attaching my sendmail.mc which I use with the prevoiusly submitted buildmail script.

It sets sendmail to not accept these kind of probes.

If that does not work, run Bastille on your system and answer the sendmail questions Yes.

That will stop people from doing that.

The scan you see if people trying to find valid users they can spam.

They can use these users to send you spam and cc others. Bad.

SEP

Re: Sendmail config

Alexander Chuzhoy — Thu, 05 Feb 2004 01:43:26 GMT

the best test to check your if your server allows relay is here:

http://abuse.net/relay.html

Re: Sendmail config

Steven E. Protter — Thu, 05 Feb 2004 02:41:16 GMT

I think the site posted is great btw. My server passed all the relay tests. It does not test cgi form abuse.

my google search on that topic:

http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=Formmail+security&btnG=Google+Search

This one is really good.
http://216.239.39.104/search?q=cache:Wx8Se0MeqD0J:www.monkeys.com/anti-spam/formmail-advisory.pdf+Formmail+security&hl=en&ie=UTF-8

Finally, it took an hour to put this all together will all the interupts, you should test your own site from outside with the following scripts:

http://www.yoursite.com/cgi-bin/formmail.cgi?recipient=email@poorspamrecipient.com&message=You have been spammed

If the mail gets through, you have a problem.

SEP

Re: Sendmail config

Vernon Brown_4 — Thu, 05 Feb 2004 08:51:43 GMT

Thanks Alexander; tried it; passed all the tests. Still getting the log entries.

I've tried tweaking the log level to make it show more info. Still need something in the log entry to say if the transaction was successful or was blocked !

Strange that this most important info would not be in the log entry.

Steven; I did have the problem of spammers using formmail. I finally changed the name of formmail which I could do since I had control of all the legal scripts that used it. I scan daily for abuse of that; get lots of attempts; no successes.

Re: Sendmail config

Steven E. Protter — Thu, 05 Feb 2004 10:11:19 GMT

Vernon,

I have some excellent news for you:

The changes I recommended in the formscripts worked really well.

An attempt was made to send about 50,000 messages through my server in 500 message batches.

The nasty little spammer thought he/she/it was getting aol. All messages were limited by their recipient base to my email account.

There is some low volume stuff getting through and I will be reporting what steps are required to STOP that.

Most likely more script modifications.

SEP

Re: Sendmail config

Vernon Brown_1 — Thu, 05 Feb 2004 11:31:34 GMT

Thanks Steven; I think I've about got all the loopholes closed now. It seems that when sendmail sends successfully it creates an entry with "status=Sent" in the body. Didn't find any bogus entries with "status=Sent" in them.

Re: Sendmail config

Seth Parker — Thu, 05 Feb 2004 11:41:36 GMT

Vernon,

Those "scans" might be a side-effect of the Novarg/Mydoom virus. Since it spoofs the sender's address, you may be getting bounces because of it. Also, I've seen that virus make up its own e-mail addresses and maybe that's part of what you're seeing.

I've been getting virus-laden e-mails with non-existent addresse because of that.

Just something else to keep in mind.

Regards,
Seth

Re: Sendmail config

Steven E. Protter — Fri, 06 Feb 2004 11:30:53 GMT

Probably my final notes on this topic:

1) if you connect to your mail server telnet mailservername 25 you get a direct connection to the server. If you know a valid email address you are able to type or paste in smtp commands to your hearts content.

2) If you have /etc/mail/genericstable /etc/mail/virtusertable entries like @somedomain.com that will let the abuser of item 1 send email adderss using any from address on the domain whether or not it has a valid user id. The abuser can then cc anybody he wants. Guess who gets blamed for the spam. You must have valid system users before the @ sign in those configuration files.

I think I have slammed the door shut tight on the spammers. I will let you know either here or in my own threads.

SEP

Re: Sendmail config

Steven E. Protter — Fri, 06 Feb 2004 12:36:06 GMT

I am currently testing a system for dealing with large isps.

aol has a list of valid mail server at http://postmaster.aol.com

I copied those into my /etc/mail/access file

mail.aol.com OK
aol.com 550 Only valid aol mail servers
@aol.com 550 Only valid aol mail servers

This setup should block all of aol on port 25 except for posted valid outbound and inbound mail servers.

I will post test results.

SEP

Re: Sendmail config

Steven E. Protter — Fri, 06 Feb 2004 12:53:31 GMT

Don't try my last idea.

It doesn't work.

It blocks aol mail servers completely.

SEP

topic Sendmail config in Operating System - Linux

Sendmail config

Re: Sendmail config

Re: Sendmail config

Re: Sendmail config

Re: Sendmail config

Re: Sendmail config

Re: Sendmail config

Re: Sendmail config

Hijacking of scripts is ILLEGAL! Your ip address, $ENV{'REMOTE_ADDR'} has been recorded, as as well as the date and time.$refer$ENV{'HTTP_REFERER'}

Re: Sendmail config

Re: Sendmail config

Re: Sendmail config

Re: Sendmail config

Re: Sendmail config

Re: Sendmail config

Re: Sendmail config

Re: Sendmail config

Re: Sendmail config

Re: Sendmail config

Re: Sendmail config

Re: Sendmail config

Hijacking of scripts is ILLEGAL!
Your
ip address, $ENV{'REMOTE_ADDR'} has been recorded, as

as well as the date and time.
$refer
$ENV{'HTTP_REFERER'}