- security / sendmail / spam
01-10-2003 01:18 PM
I had a user, dave. He had a login account but wanted no email. So, I put an alias in for him:
dave: nomail
Since there isn't a real "nomail" user, it causes any mail -to- dave to bounce back to the sender. I have 15 or so accounts set up this way.
Some time after that, the postmaster for my sendmail server started getting a returned-mail message. Basically it said:
mail from dave to spam.com.de was refused
It seemed to me that some spammer was sending mail to dave, and my server was simply bouncing it back. The receiver of the bounce was bogus. Hence, the message above.
Make sense?
About the same time that started, all users started getting more spam than ever, like a floodgate had opened. Even system accounts like adm and sys, which had in four years _never_ gotten mail, started getting spam.
Back to dave. dave was spending the winter in Florida and was not logging in.
After a while I got tired of all the postmaster messages regarding dave, so as a kind of test since he was gone, I renamed user dave to david on my system.
A few weeks later I started getting the same postmaster mail, saying:
mail from david to spam.com.de was refused
During this time, dave (david) never logged in, and no one at all, not even david, was aware that I renamed the account.
And! No more postmaster messages about dave. He doesn't get mail any more; before, he was regularly getting junk, which david now seems to be getting.
My sendmail is not relaying; I tested that.
I'm baffled by this; whatever is doing this seems to be using the password file, or at least it seems to me that's the case.
I don't see any unusual processes running; no system files have been modified lately that I can see; only five users on my system have any unix access at all.
Any ideas?
01-10-2003 01:31 PM
Re: security / sendmail / spam
Most PC hosts on my network use Eudora, with a couple using Outlook 97 as a mailer (no Exchange server).
01-10-2003 01:39 PM

01-10-2003 03:17 PM
Re: security / sendmail / spam
The trick is rejecting the mail altogether:
1) enable the virtusertable feature in sendmail by uncommenting these rulesets in /etc/mail/sendmail.cf

# Virtual user table (maps incoming users)
Kvirtuser dbm /etc/mail/virtusertable

SParse1
# handle virtual users
R$+ < @ $=w . >		$: < $(virtuser $1 @ $2 $@ $1 $: @ $) > $1 < @ $2 . >
R<@> $+ + $* < @ $* . >	$: < $(virtuser $1 + * @ $3 $@ $1 $: @ $) > $1 + $2 < @ $3 . >
R<@> $+ + $* < @ $* . >	$: < $(virtuser $1 @ $3 $@ $1 $: @ $) > $1 + $2 < @ $3 . >
R<@> $+ < @ $+ . >	$: < $(virtuser @ $2 $@ $1 $: @ $) > $1 < @ $2 . >
R<@> $+			$: $1
R< error : $- $+ > $*	$#error $@ $( dequote $1 $) $: $2
R< $+ > $+ < @ $+ >	$: $>97 $1

restart sendmail
for each user that wants to reject mail outright, add an entry to /etc/mail/virtusertable like this:
dave@yourdomain.com	error:nouser No such user
type
makemap dbm /etc/mail/virtusertable < /etc/mail/virtusertable
(run makemap every time you modify /etc/mail/virtusertable)
Now try to send mail to dave@yourdomain.com.
If you want to get really serious about controlling mail, take the contrarian standpoint. Put an entry in virtusertable for each person that _should_ receive mail. At the end of virtusertable, add an entry like
@yourdomain.com	error:nouser No such user
to reject everything else.
This technique in conjunction with the RBL technique referenced in the other post does a great job of dealing with spam.
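Below is an added example, not code from the thread, that builds the allow-list style virtusertable just described from a file of logins and rebuilds the dbm map with makemap. The domain name, the allow-list file format (one login per line, '#' comments allowed), the helper function names and the sample logins are assumptions; the error:nouser entry and the /etc/mail/virtusertable path are the ones given in the post.

```shell
#!/bin/sh
# Added example (not from the thread): generate the "contrarian"
# virtusertable from an allow-list of logins, so only listed users receive
# mail and every other address at the domain is refused with error:nouser.
# Assumptions: domain name, allow-list format and the sample logins below.

# gen_virtusertable DOMAIN ALLOWFILE
# Prints one "login@DOMAIN<tab>login" entry per allowed login, then the
# catch-all reject for the domain. Logins containing characters outside
# [A-Za-z0-9._-] are skipped so a bad line cannot produce a malformed map.
gen_virtusertable() {
    domain=$1
    allowfile=$2
    grep -v '^#' "$allowfile" | grep -v '^[[:space:]]*$' |
    while IFS= read -r login; do
        case $login in
            *[!A-Za-z0-9._-]*)
                echo "skipping invalid login: $login" >&2
                continue ;;
        esac
        printf '%s@%s\t%s\n' "$login" "$domain" "$login"
    done
    # Catch-all: any other address at the domain is refused at RCPT time.
    printf '@%s\terror:nouser No such user\n' "$domain"
}

# rebuild_virtusertable DOMAIN ALLOWFILE [MAPFILE]
# Writes the text map through a temp file and, when makemap is installed,
# rebuilds the dbm database that the Kvirtuser line in sendmail.cf reads.
rebuild_virtusertable() {
    mapfile=${3:-/etc/mail/virtusertable}
    tmp="$mapfile.new.$$"
    gen_virtusertable "$1" "$2" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$mapfile" || return 1
    if command -v makemap >/dev/null 2>&1; then
        makemap dbm "$mapfile" < "$mapfile"
    else
        echo "makemap not found: $mapfile written, database not rebuilt" >&2
        return 1
    fi
}

# write_demo_allowlist: constructed sample allow-list (not a real user
# list); prints the path of the file it wrote.
write_demo_allowlist() {
    f=${TMPDIR:-/tmp}/allowed_logins.$$
    cat > "$f" <<'EOF'
# logins that should receive mail
fred
david
bad login
EOF
    printf '%s\n' "$f"
}

# Stand-alone demonstration: show the map that would be installed.
f=$(write_demo_allowlist)
gen_virtusertable example.com "$f"
rm -f "$f"
```

Run gen_virtusertable first to review the map text, then rebuild_virtusertable as root on the live path; makemap must run after every change, exactly as the post says, or sendmail keeps using the old database.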
01-13-2003 01:54 PM
Re: security / sendmail / spam
This leads me to think that somehow the password file is accessible to someone outside, or is being sent outside. The "david" email began right away after renaming the unix user from "dave" to "david".
01-13-2003 01:59 PM
Re: security / sendmail / spam
Thanks. I was going to ask about the details and you've provided them.
---
I would like to hear from others as well. The fact that "david" appeared as a known user for incoming mail is particularly annoying. Unless some spammer is sending email to:
david@every_domain_in_the_book.com
and hit us that way, which is, I suppose, possible. I do myself occasionally get mail that is CC'd to "fmartin@manydomains" including mine.
02-11-2003 09:38 AM
Re: security / sendmail / spam
It's obvious to me now we are being compromised. If I create a new user, within a few days he starts getting junk mail. Someone on the outside clearly has access to our list of users.
I do not believe we've been accessed directly via a unix login, or a virus from an internal host. If I'm right there, then I need to ask:
Is there any way possible with this version of sendmail, that someone can log into it and query for a complete list of addressees?
02-11-2003 10:15 AM
Re: security / sendmail / spam
In /etc/mail/access
AcriHotline@aol.com 500 Spam reject. We charge $500/spam message.
brenda72@newmail.com 500 Spam reject. We charge $500/spam message.
Cash4Free@aol.com 500 Spam reject. We charge $500/spam message.
A few reject messages for known spammers.
It's not that hard to give the users a little interface that lets you collect data for known spammers.
If in the access file you are stingy about what machines you relay for, you won't accidentally become a spam relay point.
Attached is a script that can be modified to let you customize your mail setup including sendmail.mc and then rebuild the hash databases when you have more data in your configuration.
It originated on Linux but has been successfully adapted to HP-UX.
You can also use /etc/aliases to forward dave's mail to his aol account so long as your mail server has a valid domain name that resolves.
Spam killing can be fun.
It's important to look at headers and see where the mail is being relayed; you can block mail from certain IP addresses and really cut your spam volume a lot.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
02-11-2003 03:39 PM
Re: security / sendmail / spam
I don't believe your password or alias files are being harvested.
I believe that your mail server has fallen prey to the most popular and annoying spamming method: bomb every possible first name.
Check your mail log, I'm sure you'll find hundreds of entries from A to Z, most of them immediate failures that you wouldn't see since they weren't accepted in the first place.
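An added example, not from the thread, of the log check suggested here: it counts "User unknown" rejections per sending relay in a sendmail syslog, so a first-name dictionary run shows up as one relay hitting many different local parts, while a single typo from a legitimate relay stays below the threshold. The log line layout (relay= and "User unknown" on one line), the function names, the threshold and the sample log lines are constructed assumptions; adjust the awk patterns to the layout your sendmail version actually logs.

```shell
#!/bin/sh
# Added example (not from the thread): group sendmail "User unknown"
# rejections by sending relay so a first-name dictionary run (many
# different local parts from one relay) stands out from ordinary typos.
# Assumption: each rejection is logged on one line carrying both "relay="
# and "User unknown", as in the constructed sample below; adjust the
# patterns if your sendmail version lays the line out differently.

# unknown_user_report LOGFILE [THRESHOLD]
# Prints "relay rejections distinct_localparts", busiest relay first, for
# every relay with at least THRESHOLD (default 5) rejections.
unknown_user_report() {
    logfile=$1
    threshold=${2:-5}
    awk -v thr="$threshold" '
        /User unknown/ {
            relay = "?"; lp = "?"
            # relay=[192.0.2.10] or relay=host.example [192.0.2.10]
            if (match($0, /relay=[^,]*\[[^]]*\]/)) {
                r = substr($0, RSTART, RLENGTH)
                sub(/.*\[/, "", r)
                sub(/\].*/, "", r)
                relay = r
            }
            # local part of the first <user@domain> on the line
            if (match($0, /<[^@>]+@/)) {
                lp = substr($0, RSTART + 1, RLENGTH - 2)
            }
            count[relay]++
            if (!((relay, lp) in seen)) {
                seen[relay, lp] = 1
                distinct[relay]++
            }
        }
        END {
            for (r in count)
                if (count[r] >= thr)
                    printf "%s %d %d\n", r, count[r], distinct[r]
        }' "$logfile" | sort -k2,2nr
}

# write_demo_maillog: constructed sample log (not a real capture), modelled
# on sendmail syslog lines; prints the path of the file it wrote.
write_demo_maillog() {
    f=${TMPDIR:-/tmp}/maillog.demo.$$
    cat > "$f" <<'EOF'
Feb 11 09:38:01 hpux1 sendmail[2101]: h1BEc1a02101: ruleset=check_rcpt, arg1=<aaron@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <aaron@example.com>... User unknown
Feb 11 09:38:02 hpux1 sendmail[2101]: h1BEc2a02101: ruleset=check_rcpt, arg1=<abby@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <abby@example.com>... User unknown
Feb 11 09:38:02 hpux1 sendmail[2101]: h1BEc2b02101: ruleset=check_rcpt, arg1=<adam@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <adam@example.com>... User unknown
Feb 11 09:38:03 hpux1 sendmail[2101]: h1BEc3a02101: ruleset=check_rcpt, arg1=<alan@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <alan@example.com>... User unknown
Feb 11 09:38:03 hpux1 sendmail[2101]: h1BEc3b02101: ruleset=check_rcpt, arg1=<alex@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <alex@example.com>... User unknown
Feb 11 09:38:04 hpux1 sendmail[2101]: h1BEc4a02101: ruleset=check_rcpt, arg1=<amy@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <amy@example.com>... User unknown
Feb 11 09:38:04 hpux1 sendmail[2101]: h1BEc4b02101: ruleset=check_rcpt, arg1=<andy@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <andy@example.com>... User unknown
Feb 11 09:38:05 hpux1 sendmail[2101]: h1BEc5a02101: ruleset=check_rcpt, arg1=<aaron@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <aaron@example.com>... User unknown
Feb 11 09:40:12 hpux1 sendmail[2110]: h1BEeCb02110: to=<fred@example.com>, delay=00:00:01, mailer=local, pri=30123, dsn=2.0.0, stat=Sent
Feb 11 09:41:30 hpux1 sendmail[2115]: h1BEfUc02115: ruleset=check_rcpt, arg1=<dav@example.com>, relay=mail.isp.example [198.51.100.7], reject=550 5.1.1 <dav@example.com>... User unknown
EOF
    printf '%s\n' "$f"
}

# Stand-alone demonstration on the constructed sample.
f=$(write_demo_maillog)
unknown_user_report "$f" 5
rm -f "$f"
```

On the sample the report is a single line, "192.0.2.10 8 7": eight rejections for seven different first names from one relay, while the lone "dav" typo from the ISP relay is filtered out by the threshold. A relay with a high rejection count and an equally high distinct-local-part count is the signature of the alphabet bombing described above, and those relays are the candidates for the access-map blocking mentioned earlier in the thread.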
02-11-2003 03:43 PM
Re: security / sendmail / spam
Hi Fred,
I thought this post was familiar... I responded to your first one, but didn't think of this until now... Sorry, bud. Here's a link to it:
http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xaf7a85079106d71190050090279cd0f9,00.html