Operating System - HP-UX

Re: Potential Security/spam relay issue with sendmail BIND and apache named based virtual hosting.

 
Steven E. Protter
Exalted Contributor

Potential Security/spam relay issue with sendmail BIND and apache named based virtual hosting.

The following two Linux threads show the resulting problem causing the error message referenced in the threads. I will copy the message in here for the search engine:

http://search.hp.com/redirect.html?url=http%3A//forums1.itrc.hp.com/service/forums/questionanswer.do%3FthreadId%3D16430&qt=%22config+error%3A+mail+loops+back+to+me+(MX+problem%3F)%22&hit=2
http://search.hp.com/redirect.html?url=http%3A//forums1.itrc.hp.com/service/forums/questionanswer.do%3FthreadId%3D113283&qt=%22config+error%3A+mail+loops+back+to+me+(MX+problem%3F)%22&hit=3

Search text is:
config error: mail loops back to me (MX problem?)

This message will appear in the mail log for sendmail, HP-UX or Linux under the following circumstances.


Please note, I have discovered inadvertently a possible flaw in sendmail configuration if you are using name-based virtual hosting.

Virtual httpd hosting allows you to park more than one domain name on the same IP address using the apache httpd server. www.ilcba.org can have the same IP address as www.isnamerica.com

To make this work requires modification to httpd.conf, which is beyond the scope of this lecture.

The potential issue is that the DNS changes required to implement name-based virtual hosting can open a security hole in sendmail that can allow spammers to relay mail through your server.

If the MX record for mail and the www record for the website point to the SAME IP address, mail can potentially be relayed as follows:

sendmail to anyname1234@www.ilcba.org
Note that I have closed this hole.

If the configuration is just right, the mail to the above address will be relayed.

Here are the factors you want to check:

Check the /etc/mail/access file.
You need not have RELAY on for the individual domains for mail to be accepted and sent.

Some people turn this on while trying to straighten out issues with mail not being delivered properly when running multiple domains on a single physical server.

/etc/mail/aliases (/etc/aliases on Linux) must be checked for circular references. This can cause looping or mail to be relayed.

The key issue in preventing this is the DNS zone record.

Do not point the primary MX record at the same IP address as the www server. Though it is possible to block spam relay in such a setup, you will get error messages in your sendmail mail log (/var/log/maillog under Linux, /var/adm/syslog/mail.log under HP-UX).

Mail database generation:
Under HP-UX, you set up /etc/mail/access and /etc/mail/aliases and, for multiple domain names, /etc/mail/virtusertable and /etc/mail/genericstable as shown on the sendmail.org website.

Linux uses /etc/aliases

Under HP-UX you generate the mail databases with the gen_cf script. Your best bet is to search for it under /usr.

It is extremely important to run sendmail tests against your server to verify that spam cannot be relayed through your server.

sendmail -v -d8.99 -d38.99 invaliduser@yourdomain.com
(type some message text, then end the input with a line containing only a single .)


The command under Linux is:
sendmail -v -d8 -d38 invaliduser@yourdomain.com

Also run the exact same test with a valid sendmail user.

I'm attaching a script to build the sendmail databases under sendmail 8.11 Linux. I've posted it a hundred times before. It includes other anti-spam technology, but it's still pretty intuitive.

I am attaching a correct, and altered, zone record for BIND 9.2.0. It will work on HP-UX and Linux BIND 9.2.x

Start zone record:
-----------
$TTL 86400
@ IN SOA @ dns1.investmenttool.com. ( ; responsible-person name made absolute with a trailing dot
2003122809 ; serial
3600 ; refresh
3600 ; retry
604800 ; expire
86400 ; minimum (negative-cache TTL)
)


@ IN NS dns1.investmenttool.com.
@ IN NS dns2.investmenttool.com.
@ IN NS dns3.investmenttool.com.
@ IN MX 10 mail.isnamerica.com. ; primary mail exchanger

@ A 61.82.113.148
www A 61.82.113.148 ; web server shares the zone apex address
dns1 A 61.82.113.144
dns2 A 61.82.113.145
dns3 A 61.82.113.146

ftp CNAME isnamerica.com.
mail CNAME isnamerica.com. ; mail is an alias; RFC 2181 says an MX target must not be a CNAME
------------------
End Zone record. Do not include the

Why am I posting this: Because a few enterprising young spammers exploited this setup to get some spam relayed through my server.

I discovered this because I got messages on a yahoo account that were sent by MY mail server but not websites residing on my web server.

An analysis of the mail logs showed attempts to send thousands of spam messages through various methods, most of which were blocked by sendmail security features. The success rate was around 1% but that is too high.

My setup is incomplete. The primary domain server is accepting some mail that it should not accept, but the subdomains are handled properly.

I am continuing to run tests and will provide updates as needed.

This is really an informational post. It is not intended for the merry handing out of points and rabbits.

I will not however rule out that possibility because the discussion process might lead to new information.

If you have any questions, please post. If I think them unrelated, I'll encourage you to create a new thread.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
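An added checker (not from this thread) for the zone-record conditions the post above and a later reply warn about: an MX target that is really a CNAME, and an MX target that resolves to the same address as the www host. The sample zone is constructed from the one posted; the zone name example.org. and the dedicated mail address 61.82.113.150 in the fixed variant are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample (not the thread's own file) modelled on the posted zone; the zone
# name example.org. and the dedicated 61.82.113.150 mail address are assumptions.
ZONE = "example.org."
WEAK_ZONE = """\
$TTL 86400
@ IN SOA @ dns1.investmenttool.com. ( 2003122809 3600 3600 604800 86400 )
@ IN MX 10 mail.example.org. ; primary mail exchanger
@ A 61.82.113.148
www A 61.82.113.148
mail CNAME example.org.
"""
FIXED_ZONE = WEAK_ZONE.replace("mail CNAME example.org.", "mail A 61.82.113.150")

def fqdn(name, zone):  # expand '@' and relative names to absolute names in the zone
    return zone if name == "@" else (name if name.endswith(".") else f"{name}.{zone}")

def parse_zone(text, zone):
    """Return {owner: [(type, value), ...]} for the zone's A, CNAME and MX records."""
    text = re.sub(r"\([^)]*\)|;[^\n]*", "", text)       # drop SOA fields and comments
    recs = defaultdict(list)
    for toks in (line.split() for line in text.splitlines()):
        if not toks or toks[0].startswith("$") or "SOA" in toks:
            continue
        rest = [t for t in toks[1:] if t != "IN" and not t.isdigit()]  # class, TTL, MX pref
        if rest and rest[0] in ("A", "CNAME", "MX"):
            value = rest[1] if rest[0] == "A" else fqdn(rest[1], zone)
            recs[fqdn(toks[0], zone)].append((rest[0], value))
    return recs

def resolve_a(recs, name, hops=0):  # follow in-zone CNAMEs to A records -> (addrs, via_cname)
    addrs = [v for t, v in recs.get(name, []) if t == "A"]
    cnames = [v for t, v in recs.get(name, []) if t == "CNAME"]
    if addrs or not cnames or hops > 8:                  # hop bound guards CNAME loops
        return addrs, hops > 0
    return resolve_a(recs, cnames[0], hops + 1)

def audit(recs, zone, web="www"):
    """Flag the conditions the thread warns about; returns a list of finding strings."""
    findings, web_addrs = [], resolve_a(recs, fqdn(web, zone))[0]
    for target in [v for t, v in recs.get(zone, []) if t == "MX"]:
        addrs, via_cname = resolve_a(recs, target)
        if via_cname:
            findings.append(f"MX target {target} is a CNAME (RFC 2181 s.10.3 forbids this)")
        for a in sorted(set(addrs) & set(web_addrs)):
            findings.append(f"MX target {target} and {web} share address {a}")
    return findings
```

Run audit(parse_zone(open("db.example").read(), "example.org."), "example.org.") against your own zone file; an empty list means neither condition is present. It only follows CNAMEs inside the zone it is given, so an MX target in another zone must be checked in that zone.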
Steven E. Protter
Exalted Contributor

Re: Potential Security/spam relay issue with sendmail BIND and apache named based virtual hosting.

During the same security audit that I initiated upon finding the sendmail problem I found another issue.

There are hackers trying the old ftp as root trick. I received 5000 bad login attempts using various user IDs. The assault used common "Christian" names as login IDs.

I detected the assault with the attached script which detects bad root logins. It can be modified to check other logins.

Figuring out where the attack came from was taking too long, so I disabled telnet and ftp on the server and will use ipfilter to block the ports prior to turning them back on for internal use.

At this point I consider this thread informational, like Berlene's security posts.

In my opinion, I created this vulnerability myself with poor construction of DNS/BIND zone records.

SEP
Steven E. Protter
Exalted Contributor

Re: Potential Security/spam relay issue with sendmail BIND and apache named based virtual hosting.

The hole seems to be filled for the time being.

Allocated an IP address exclusively for mail processing. That seemed to help.

SEP
Berlene Herren
Honored Contributor

Re: Potential Security/spam relay issue with sendmail BIND and apache named based virtual hosting.

Hello Steven,
If you believe you have created or found a vulnerability, please email our security team at security-alert@hp.com. This will help keep our product safe for all.

Thanks,
Berlene
http://www.mindspring.com/~bkherren/dobes/index.htm
Geoff Wild
Honored Contributor

Re: Potential Security/spam relay issue with sendmail BIND and apache named based virtual hosting.

What I do to get around this (though didn't know it was an issue) is I explicitly set the email addresses for all my virtual domains in my access file:

To:mydomain.ca ERROR:"553 reject...."

gjwild@mydomain.ca OK
lawild@mydomain.ca OK
webmaster@mydomain.ca OK
info@mydomain.ca OK
mdwild@mydomain.ca OK

etc...

If you send to joker@www.mydomain.ca:

The original message was received at Wed, 31 Dec 2003 17:30:16 -0800
from root@localhost

----- The following addresses had permanent fatal errors -----
joker@www.mydomain.ca
(reason: 550 5.1.1 ... User unknown)
(expanded from: joker@www.mydomain.ca)

----- Transcript of session follows -----
... while talking to [127.0.0.1]:
>>> DATA
<<< 550 5.1.1 ... User unknown
550 5.1.1 joker@www.mydomain.ca... User unknown
<<< 503 5.0.0 Need RCPT (recipient)

Now I'm not too sure if it's my access file or my anti-spam rules in my sendmail.cf.

I posted those in:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=315767

Rgds...Geoff




Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Steven E. Protter
Exalted Contributor

Re: Potential Security/spam relay issue with sendmail BIND and apache named based virtual hosting.

Geoff,

I did the same thing as you.

Yet I found, by sending mass emails to, say, invalidaddress14@somedomain.com, that some of the spam got through.

I detected this because one of my yahoo accounts was being spammed and I traced it back to my own mail server.

SEP
Steven E. Protter
Exalted Contributor

Re: Potential Security/spam relay issue with sendmail BIND and apache named based virtual hosting.

I have notified HP Security Berlene.

Happy new year.

SEP
Berlene Herren
Honored Contributor

Re: Potential Security/spam relay issue with sendmail BIND and apache named based virtual hosting.

And to you Steven and the rest of the forums... A very happy and prosperous new year for all!

Berlene
http://www.mindspring.com/~bkherren/dobes/index.htm
Christopher Caldwell
Honored Contributor

Re: Potential Security/spam relay issue with sendmail BIND and apache named based virtual hosting.

On HP, by default, sendmail.cf is set up to automagically listen on all available IP addresses. This isn't optimal in virt hosting situations.



Here's what we do (good for your issue _and_ general spam prevention):

1) keep MXs and "www hosts" separate (suggested in an earlier post).
2) configure sendmail _not_ to listen on all IP addresses (see SMTP daemon options in sendmail.cf).
3) use virtuser_entire_domain and virtusertable to specifically validate rcpt to addresses.
4) use the access database to _strictly_ enforce relay rules.
5) use sendmail.cw to define local (by default, local is sendmail.cw + all of the IPs found on the interfaces + the names of all of the IPs found on the interfaces; see item 2 and DontProbeInterfaces to change this behavior).

Note: if you're using a front-end MX, you must use a technique like the virtuser_entire_domain/virtusertable trick to validate each relayed RCPT TO address.

This is one of the most effective methods I've found to reduce dictionary-style spam attacks. You want to reject this mail outright, because the mail usually can't be returned (it sits in your mail queue, then gets bounced to postmaster).

Steven E. Protter
Exalted Contributor

Re: Potential Security/spam relay issue with sendmail BIND and apache named based virtual hosting.

Darn,

I totally forgot this weekend to send the files HP requested. I'll do it tonight.

Sorry.

SEP