Re: Senmail MTA open

alman
Regular Advisor

Senmail MTA open

Guys, I need urgent help. Currently I am running Sendmail 8.10.2. I found that my email server is an open relay; a lot of intruders are using my SMTP to send emails. Can anybody help me to close the relay?

Thanks
28 REPLIES
Helen French
Honored Contributor

Re: Senmail MTA open

Hi Alman:

Check this document ( TKB #KBRC00000010 ) about configuring mail relay:

http://us-support2.external.hp.com/cki/bin/doc.pl/sid=b6500252086181cec5/screen=ckiDisplayDocument?docId=200000045145919

HTH,
Shiju

Life is a promise, fulfill it!
alman
Regular Advisor

Re: Senmail MTA open

Thanks Shiju, but I have tried that. There is another message coming from the server 200.30.128.126: "did not issue MAIL/EXPN/VRFY/ETRN". These messages keep on coming. I have tried blocking the IP and the domain names, but other IPs keep on coming.
Hope you understand my problem description.

Thanks in advance
alman
Regular Advisor

Re: Senmail MTA open

The error message is: mailq = 62.131.81.121 did not issue mail/expn/vrfy/etrn during connection to MTA
Jeff Schussele
Honored Contributor

Re: Senmail MTA open

Hi alman,

Here's a good doc on anti-relaying from sendmail.org

http://www.sendmail.org/tips/relaying.html

And here's a good doc on how to use the "check" features in the rulesets.

http://www.sendmail.org/%7Eca/email/check.html

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Michael Elleby III_1
Trusted Contributor

Re: Senmail MTA open

Alman-

I haven't done this in a little while, but you can set up an access database where you can actually regulate the incoming mail by stating whether it is OK to do this:

1. Go to the /etc/mail directory and use vi to create a file called 'access' to set up your allowable addresses:

johndoe@company.com OK
imcingular.com RELAY
notthisguy@no.com REJECT

2. Execute the command "makemap hash /etc/mail/access < /etc/mail/access"

3. Stop and restart sendmail.

This should help you keep this under control.

Mike
Knowledge Is Power
Christopher Caldwell
Honored Contributor

Re: Senmail MTA open

Relaying is off by default as of sendmail 8.9 and later. If you are actually being used as a relay, that means that you've "undone" the default, or there's something else going on.

Why don't you post your configuration file so we can have a look.

As mentioned in an earlier post, control relaying with the access database.
alman
Regular Advisor

Re: Senmail MTA open

Thanks to Michael and Chris, I am trying that option now by editing the /etc/mail/access database. But the problem is that there are many IPs that keep on coming. For example, if I REJECT 101.0.10.0, then five seconds later it will be 101.10.12.0. I have to edit access.db all the time. Any other way?

alman
Regular Advisor

Re: Senmail MTA open

Guys, I have another piece of info: the error message is "NOQUEUE 213.131.74.114 did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA". I checked on mail.abuse.org; they are saying it is tickling dropboxes used by the spammers.
Michael Elleby III_1
Trusted Contributor

Re: Senmail MTA open

Alman-

Firstly, the NOQUEUE basically means that an incoming connection was initiated, but then dropped... I can see right through this trick used by the spammers. What they are doing here is testing how you have restricted acceptance by the IP addresses they are using, and going for certain ranges (so now, it's war...).

Since this can become an involved battle to see which range they will try next, and since we normally use the access table with the REJECT option, which can indicate to the spammer to try another series of addresses... To combat this, use the DISCARD option instead of REJECT, as this will make the spammer think that the message has gone through, all the while the messages are being discarded. Keep in mind that you can specify part of an IP address to reject, so you could, per se, use the first octet to see if it will discard these messages. I've never tried using only the first octet in the IP address, but here's a good reason to try; it won't hurt.

Also, can you go to your /var/adm/syslog/mail.log and get the destination addresses/domains that these messages are going to? If you can narrow down where these messages are going, you can create the mailertable to direct certain mail to a specified SMTP host and make the message fail, or send it to a host and store these messages for further investigation (hint, hint).

1. Go to the /etc/mail directory and use vi to create a file called mailertable.

2. Your entries will look like this:

101.0 smtp:dummyhost.com
101.10 smtp:dummyhost.com

3. Execute the command "makemap dbm /etc/mail/mailertable < /etc/mail/mailertable"

4. Use vi to edit sendmail.cf and uncomment the line that points to the mailertable, i.e.
"Kmailertable dbm /etc/mail/mailertable"

5. Stop and Start Sendmail again.

Let me know if this helps.

P.S. Also, a little visit to your firewall administrator might not hurt, to see if he can catch this traffic at the firewall and reject it.

Mike-
Knowledge Is Power
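Alman's complaint that he has to edit the access database by hand for every new IP, together with Mike's advice to key on a partial IP address and use DISCARD, suggests a small log-driven helper. The script below is an added example, not code from the thread or from the sendmail project: it reads the "did not issue MAIL/EXPN/VRFY/ETRN" lines that sendmail writes to mail.log, counts the probing connections per leading-octet block, and emits access-file lines in the key/action form shown in the earlier posts. The log lines and IP addresses are constructed for the example; the threshold, the three-octet grouping and the DISCARD default are assumptions you would tune to your own traffic. The output is meant to be appended to /etc/mail/access and then rebuilt with the makemap command from Mike's step 2.

```python
import re
from collections import Counter

# Constructed sample of the syslog-style lines sendmail writes to
# /var/adm/syslog/mail.log. Hostnames and IPs are made up for the example.
SAMPLE_LOG = """\
Nov  3 10:01:12 mailhost sendmail[1234]: NOQUEUE: [101.0.10.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov  3 10:01:17 mailhost sendmail[1240]: NOQUEUE: probe.example.org [101.0.10.77] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov  3 10:01:22 mailhost sendmail[1251]: NOQUEUE: [101.10.12.3] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov  3 10:02:01 mailhost sendmail[1260]: hA3F21x01260: from=<alice@example.net>, size=512, class=0, nrcpts=1, relay=[192.0.2.10]
Nov  3 10:02:30 mailhost sendmail[1270]: NOQUEUE: [101.0.10.9] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""

# Matches the NOQUEUE probe line with or without a resolved hostname before the [ip].
PROBE_RE = re.compile(
    r"sendmail\[\d+\]: NOQUEUE: (?:\S+ )?\[(\d{1,3}(?:\.\d{1,3}){3})\] "
    r"did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA"
)


def probe_addresses(log_text):
    """Return the client IPs of connections that opened a session and sent no SMTP command."""
    return [m.group(1) for line in log_text.splitlines() if (m := PROBE_RE.search(line))]


def count_by_prefix(addresses, octets=3):
    """Group IPs by their leading octets (3 octets = one /24 block) and count probes per block.

    The access database matches a key such as "101.0.10" against every address
    that starts with those octets, which is the partial-IP trick from Mike's post.
    """
    return Counter(".".join(ip.split(".")[:octets]) for ip in addresses)


def access_entries(prefix_counts, threshold=2, action="DISCARD"):
    """Produce access-file lines (key<TAB>action) for blocks that probed at least `threshold` times.

    `threshold` and the DISCARD default are assumptions for this example, not sendmail defaults.
    """
    return [
        f"{prefix}\t{action}"
        for prefix, n in sorted(prefix_counts.items())
        if n >= threshold
    ]


if __name__ == "__main__":
    counts = count_by_prefix(probe_addresses(SAMPLE_LOG))
    for prefix, n in counts.most_common():
        print(f"{prefix}.* probed {n} time(s)")
    # Append these lines to /etc/mail/access, then rebuild the map as in Mike's step 2:
    #   makemap hash /etc/mail/access < /etc/mail/access
    print("\n".join(access_entries(counts)))
```

Run it against a real mail.log (or a slice of it from `tail`) instead of SAMPLE_LOG, and review the proposed blocks before appending them: a three-octet key silences a whole /24, so check that no legitimate sending host lives in a block you are about to DISCARD. Later sendmail releases also accept a `Connect:` prefix on connection keys; the plain form above is the one the thread shows.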