12-28-2003 02:03 PM
Potential security/spam relay issue with sendmail, BIND and Apache name-based virtual hosting.
http://search.hp.com/redirect.html?url=http%3A//forums1.itrc.hp.com/service/forums/questionanswer.do%3FthreadId%3D16430&qt=%22config+error%3A+mail+loops+back+to+me+(MX+problem%3F)%22&hit=2
http://search.hp.com/redirect.html?url=http%3A//forums1.itrc.hp.com/service/forums/questionanswer.do%3FthreadId%3D113283&qt=%22config+error%3A+mail+loops+back+to+me+(MX+problem%3F)%22&hit=3
Search text is:
config error: mail loops back to me (MX problem?)
This message will appear in the sendmail mail log, on HP-UX or Linux, under the following circumstances.
Please note, I have discovered inadvertently a possible flaw in sendmail configuration if you are using name-based virtual hosting.
Virtual httpd hosting allows you to park more than one domain name on the same IP address using the Apache httpd server. www.ilcba.org can have the same IP address as www.isnamerica.com
To make this work requires modification to httpd.conf, which is beyond the scope of this lecture.
The potential issue is that the DNS changes required to implement name-based virtual hosting can open a security hole in sendmail that can allow spammers to relay mail through your server.
If the MX record for mail and the www record for the website point to the SAME IP address, mail can potentially be relayed as follows:
sendmail to anyname1234@www.ilcba.org
Note that I have closed this hole.
If the configuration is just right, the mail to the above address will be relayed.
Here are the factors you want to check:
check the /etc/mail/access file
You need not have RELAY on for the individual domains for mail to be accepted and sent.
Some people turn this on while trying to straighten out issues with mail not being delivered properly when running multiple domains on a single physical server.
/etc/mail/aliases (/etc/aliases on Linux) must be checked for circular references. This can cause looping or mail to be relayed.
The key issue in preventing this is the DNS zone record.
Do not point the primary MX record at the same IP address as the www server. Though it is possible to block spam relay in such a setup, you will get error messages in your sendmail mail log (/var/log/maillog on Linux, /var/adm/syslog/mail.log under HP-UX).
Mail database generation:
Under HP-UX, you set up /etc/mail/access and /etc/mail/aliases and for multiple domain names /etc/mail/virtusertable /etc/mail/genericstable as shown on the sendmail.org website.
Linux uses /etc/aliases
Under HP-UX you generate the mail databases with the gen_cf script. Your best bet is to search for it under /usr
It is extremely important to run sendmail tests against your server to verify that spam can not be relayed through your server.
sendmail -v -d8.99 -d38.99 invaliduser@yourdomain.com
type some text
.
The command under Linux is:
sendmail -v -d8 -d38 invaliduser@yourdomain.com
Also run the exact same test with a valid sendmail user.
I'm attaching a script to build the sendmail databases under sendmail 8.11 Linux. I've posted it a hundred times before. It includes other anti-spam technology, but it's still pretty intuitive.
I am attaching a correct, altered zone record for BIND 9.2.0. It will work on HP-UX and Linux BIND 9.2.x.
Start zone record:
-----------
$TTL 86400
@       IN  SOA   @ dns1.investmenttool.com (
                  2003122809 ; serial
                  3600       ; refresh
                  3600       ; retry
                  604800     ; expire
                  86400      ; ttl
                  )
@       IN  NS    dns1.investmenttool.com.
@       IN  NS    dns2.investmenttool.com.
@       IN  NS    dns3.investmenttool.com.
@       IN  MX 10 mail.isnamerica.com. ; primary mail exchanger
@           A     61.82.113.148
www         A     61.82.113.148
dns1        A     61.82.113.144
dns2        A     61.82.113.145
dns3        A     61.82.113.146
ftp         CNAME isnamerica.com.
mail        CNAME isnamerica.com.
------------------
End zone record. Do not include the
Why am I posting this: Because a few enterprising young spammers exploited this setup to get some spam relayed through my server.
I discovered this because I got messages on a yahoo account that were sent by MY mail server but not websites residing on my web server.
An analysis of the mail logs showed attempts to send thousands of spam messages through various methods, most of which were blocked by sendmail security features. The success rate was around 1% but that is too high.
My setup is incomplete. The primary domain server is accepting some mail that it should not accept, but the subdomains are handled properly.
I am continuing to run tests and will provide updates as needed.
This is really an informational post. It is not intended for the merry handing out of points and rabbits.
I will not however rule out that possibility because the discussion process might lead to new information.
If you have any questions, please post. If I think them unrelated, I'll encourage you to create a new thread.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
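The zone-record condition the post warns about (the MX target resolving, directly or through a CNAME, to the same address as the www host) can be checked mechanically before a zone is loaded. The following script is an added example, not code from the thread or from the poster's attached script: it parses the A, CNAME and MX records of a BIND-style zone file and reports every MX target that shares an address with www. The two sample zones are constructed with RFC 5737 documentation addresses and the placeholder domain example.com; ZONE_BAD mirrors the layout of the zone posted above, ZONE_GOOD gives the mail exchanger its own address, which is the fix reported later in the thread.

```python
"""Flag an MX target that shares its IP address with the www host.

Added example: a small BIND zone parser limited to the record types the
check needs (A, CNAME, MX) plus a multi-line SOA that must be skipped.
"""

# Constructed sample zones (RFC 5737 addresses, placeholder domain).
# ZONE_BAD: the MX target "mail" is a CNAME to the apex, whose A record is
# identical to the www A record, so www.example.com is also the mail host.
ZONE_BAD = """\
$TTL 86400
@       IN SOA   @ hostmaster.example.com. (
                 2003122809 ; serial
                 3600       ; refresh
                 3600       ; retry
                 604800     ; expire
                 86400 )    ; minimum
@       IN NS    dns1.example.com.
@       IN MX 10 mail.example.com.
@       IN A     192.0.2.10
www     IN A     192.0.2.10
dns1    IN A     192.0.2.1
mail    IN CNAME example.com.
"""

# ZONE_GOOD: the mail exchanger gets an address of its own.
ZONE_GOOD = ZONE_BAD.replace("mail    IN CNAME example.com.",
                             "mail    IN A     192.0.2.25")


def parse_zone(text, origin):
    """Return (a_records, cnames, mx_targets); all owner names made absolute."""
    origin = origin.rstrip(".") + "."

    def absolute(name):
        if name == "@":
            return origin
        return name if name.endswith(".") else f"{name}.{origin}"

    a_records, cnames, mx_targets = {}, {}, []
    last_owner = origin
    in_soa = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if in_soa:                                # skip SOA continuation lines
            if ")" in line:
                in_soa = False
            continue
        if line.startswith("$"):                  # $TTL / $ORIGIN are irrelevant here
            continue
        tokens = line.split()
        # An owner name is present only when the line does not start with whitespace;
        # otherwise the previous owner is inherited, as in BIND.
        if raw[0] not in " \t":
            last_owner = absolute(tokens.pop(0))
        owner = last_owner
        # Strip optional TTL and class fields that precede the record type.
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)
        if not tokens:
            continue
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype == "SOA":
            in_soa = "(" in line and ")" not in line
        elif rtype == "A":
            a_records.setdefault(owner, set()).add(rdata[0])
        elif rtype == "CNAME":
            cnames[owner] = absolute(rdata[0])
        elif rtype == "MX":                       # rdata = [preference, exchanger]
            mx_targets.append((owner, absolute(rdata[1])))
    return a_records, cnames, mx_targets


def resolve(name, a_records, cnames, limit=8):
    """Follow CNAMEs (bounded, so a CNAME loop cannot hang the check) to A records."""
    hops = 0
    while name in cnames and hops < limit:
        name = cnames[name]
        hops += 1
    return a_records.get(name, set())


def mx_shares_ip_with_www(text, origin):
    """Return [(mx_host, ip), ...] for every MX target sharing an address with www."""
    a_records, cnames, mx_targets = parse_zone(text, origin)
    www_ips = resolve("www." + origin.rstrip(".") + ".", a_records, cnames)
    findings = []
    for _owner, mx_host in mx_targets:
        for ip in sorted(resolve(mx_host, a_records, cnames) & www_ips):
            findings.append((mx_host, ip))
    return findings


if __name__ == "__main__":
    for label, zone in (("ZONE_BAD", ZONE_BAD), ("ZONE_GOOD", ZONE_GOOD)):
        print(label, mx_shares_ip_with_www(zone, "example.com") or "no MX/www overlap")
```

Run it against a real zone by reading the file into `mx_shares_ip_with_www(open(path).read(), "yourdomain")`; an empty result means the mail exchanger and the web host no longer share an address, which is the DNS half of the fix (the sendmail tests in the post above remain the other half).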
12-28-2003 02:23 PM
There are hackers trying the old FTP-as-root trick. I received 5000 bad login attempts using various user IDs. The assault used common "Christian" names as login IDs.
I detected the assault with the attached script, which detects bad root logins. It can be modified to check other logins.
Figuring out where the attack came from was taking too long, so I disabled telnet and FTP on the server and will use ipfilter to block the ports prior to turning them back on for internal use.
At this point I consider this thread information, like Berlene's Security Posts.
In my opinion, I created this vulnerability myself with poor construction of DNS/BIND zone records.
SEP
12-29-2003 03:52 AM
Allocated an IP address exclusively for mail processing. That seemed to help.
SEP
12-30-2003 11:05 PM
If you believe you have created or found a vulnerability, please email our security team at security-alert@hp.com. This will help keep our product safe for all.
Thanks,
Berlene
12-31-2003 12:40 PM
To:mydomian.ca ERROR:"553 reject...."
gjwild@mydomian.ca OK
lawild@mydomian.ca OK
webmaster@mydomian.ca OK
info@mydomian.ca OK
mdwild@mydomian.ca OK
etc...
If you send to joker@www.mydomain.ca:
The original message was received at Wed, 31 Dec 2003 17:30:16 -0800
from root@localhost
----- The following addresses had permanent fatal errors -----
joker@www.mydomain.ca
(reason: 550 5.1.1
(expanded from: joker@www.mydomain.ca)
----- Transcript of session follows -----
... while talking to [127.0.0.1]:
>>> DATA
<<< 550 5.1.1
550 5.1.1 joker@www.mydomain.ca... User unknown
<<< 503 5.0.0 Need RCPT (recipient)
Now I'm not too sure if it's my access file or my anti-spam rules in my sendmail.cf.
I posted those in:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=315767
Rgds...Geoff
12-31-2003 12:51 PM
I did the same thing as you.
Yet I found, by sending mass emails to, say, invalidadress14@somedomain.com, that some of the spam got through.
I detected this because one of my yahoo accounts was being spammed and I traced it back to my own mail server.
SEP
12-31-2003 12:51 PM
Happy new year.
SEP
01-01-2004 02:13 AM
Berlene
01-02-2004 02:29 AM
Here's what we do (good for your issue _and_ general spam prevention):
1) keep MXs and "www hosts" separate (suggested in an earlier post).
2) configure sendmail _not_ to listen on all IP addresses (see SMTP daemon options in sendmail.cf).
3) use virtuser_entire_domain and virtusertable to specifically validate rcpt to addresses.
4) use the access database to _strictly_ enforce relay rules.
5) use sendmail.cw to define local (by default, local is sendmail.cw + all of the IPs found on the interfaces + the name of all of the IPs found on the interfaces -- see 2 and DontProbeInterfaces to change this behavior).
Note - if you're using a front-end MX, you must use a technique like the virtuser_entire_domain/virtusertable trick to validate each relayed rcpt to address.
This is one of the most effective methods I've found to reduce dictionary-style spam attacks. You want to reject this mail outright, because the mail usually can't be returned (it sits in your mail queue, then gets bounced to postmaster).
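The five points above map onto a handful of sendmail.mc settings. The fragment below is an added example, not the poster's configuration and not a file from this thread: example.com, the dedicated mail address 192.0.2.25 and the trusted client network 192.0.2 are placeholders, and the virtusertable and access contents shown in the dnl comments are constructed to illustrate the catch-all rejection and the narrow relay rule. The numbers in the comments refer to the points in the post.

```m4
dnl Added example sendmail.mc fragment; example.com and 192.0.2.x are placeholders.
dnl 2) Listen only on the address reserved for mail, never on the web server's IP.
DAEMON_OPTIONS(`Port=smtp, Addr=192.0.2.25, Name=MTA')dnl
dnl    Do not treat every interface address, and every name that resolves to it
dnl    (such as www), as local; use the explicit host list instead.
define(`confDONT_PROBE_INTERFACES', `True')dnl
dnl 5) Local domains come from /etc/mail/local-host-names (sendmail.cw on older releases).
FEATURE(`use_cw_file')dnl
dnl 3) Every recipient in a hosted domain, subdomains such as www.example.com
dnl    included, is looked up in virtusertable; unknown users are rejected at RCPT time.
VIRTUSER_DOMAIN(`example.com')dnl
FEATURE(`virtuser_entire_domain')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')dnl
dnl 4) Relaying is permitted only where the access database says so.
FEATURE(`access_db', `hash -o /etc/mail/access')dnl
FEATURE(`blacklist_recipients')dnl
dnl
dnl /etc/mail/virtusertable (constructed; rebuild with
dnl   makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable):
dnl   info@example.com        postmaster
dnl   webmaster@example.com   webmaster
dnl   @example.com            error:nouser 550 User unknown
dnl
dnl /etc/mail/access (constructed): relay for trusted clients only, and no
dnl "example.com RELAY" line of the kind the first post warns against.
dnl   Connect:127.0.0.1       RELAY
dnl   Connect:192.0.2         RELAY
```

After regenerating sendmail.cf (m4 on Linux, the gen_cf script the first post mentions on HP-UX) and rebuilding both maps with makemap, repeat the sendmail -v -d8.99 -d38.99 test from the first post once with an invalid recipient, which should now be refused at RCPT rather than accepted and bounced, and once with a valid one. The DAEMON_OPTIONS address only takes effect together with the DNS change of point 1; the MX record has to point at that dedicated address and not at the www host.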
01-12-2004 05:30 AM
I totally forgot this weekend to send the files hp requested. I'll do it tonight.
Sorry.
SEP