Operating System - HP-UX

Re: Potential Security/spam relay issue with sendmail BIND and apache named based virtual hosting.

Steven E. Protter
Exalted Contributor

Re: Potential Security/spam relay issue with sendmail BIND and apache named based virtual hosting.

Geoff (or anyone)

In the thread:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=364287

You wanted to block certain ip addresses.

Please post the methodology you used to find them. I've been log hunting but not getting enough.

Perhaps I need to increase sendmail log levels.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Steven E. Protter
Exalted Contributor

Re: Potential Security/spam relay issue with sendmail BIND and apache named based virtual hosting.

I have figured out how to increase sendmail log errors.

Looking at the various items, sometimes I get the source ip address of the smtp connection, sometimes not.

Is there anything I can do to always get that address?

SEP
Geoff Wild
Honored Contributor

Re: Potential Security/spam relay issue with sendmail BIND and apache named based virtual hosting.

Hmnn... not too sure if you can force the log NOT to resolve host names from IPs...

You might have to run a script that parses the logs, looking at the "hostname" and doing a dig to determine the ip address...


Although I did find this on Google:

Add this to your
sendmail.cf file:

# Force Sendmail not to resolve host names
O ServiceSwitchFile=/etc/nsswitch.conf

Then create the file /etc/nsswitch.conf and populate it with:

# ServiceSwitchFile to tell Sendmail not to use DNS
hosts /etc/hosts

Don't know if that will work with current sendmail...


Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Steven E. Protter
Exalted Contributor

Re: Potential Security/spam relay issue with sendmail BIND and apache named based virtual hosting.

Geoff,

I think I led you astray.

I'm not getting hostnames or IP addresses on a lot of entries.

I think that's because they are being triggered by misuse of the formscript and the events are internal.

I guess I need to track the event back to a usable ip address.

I've stopped the spam, now I'm trying to stop the violations because they are filling up my log files.

SEP
Geoff Wild
Honored Contributor

Re: Potential Security/spam relay issue with sendmail BIND and apache named based virtual hosting.

Ah, ok.

So when you do something like:

grep relay maillog | awk -F'[' '{print $3}'

There are no IPs?

Rgds...Geoff
Steven E. Protter
Exalted Contributor

Re: Potential Security/spam relay issue with sendmail BIND and apache named based virtual hosting.

Here is what is happening:

I looked at the access_log on the website.

Matched it up against the maillog.

A particular IP address has been running formscript.cgi.

It matches up against almost every spam relay attempt in the past month.

The page that contains the form has not been accessed.

I am adding the IP address to my access file but will probably have to block that user at the firewall.

SEP
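Correlating the two logs the way the post above describes (relay rejections in maillog against hits on the form handler in access_log, plus a check for posts that arrive without the form page ever being loaded), as an added Python example that is not from the thread. The log lines are constructed, the documentation IP ranges are placeholders, and formscript.cgi is the script name taken from the post.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread). 192.0.2.x / 198.51.100.x are
# documentation addresses; formscript.cgi is the handler named in the post.
MAILLOG = """\
Mar  3 10:01:12 www sendmail[4121]: h23A1Cx04121: ruleset=check_rcpt, arg1=<a@example.net>, relay=[192.0.2.10], reject=550 5.7.1 <a@example.net>... Relaying denied
Mar  3 10:01:13 www sendmail[4122]: h23A1Dx04122: from=<alice@isnamerica.com>, size=812, nrcpts=1, relay=mail.example.org [198.51.100.7]
Mar  3 10:02:40 www sendmail[4130]: h23A2ex04130: ruleset=check_rcpt, arg1=<b@example.com>, relay=[192.0.2.10], reject=550 5.7.1 <b@example.com>... Relaying denied
Mar  3 10:03:01 www sendmail[4135]: h23A31x04135: from=<www@localhost>, size=300, nrcpts=1, relay=www@localhost
"""
ACCESS_LOG = """\
192.0.2.10 - - [03/Mar/2004:10:01:10 -0500] "POST /cgi-bin/formscript.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [03/Mar/2004:10:01:30 -0500] "GET /contact.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [03/Mar/2004:10:02:38 -0500] "POST /cgi-bin/formscript.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [03/Mar/2004:10:02:50 -0500] "POST /cgi-bin/formscript.cgi HTTP/1.1" 200 512 "http://www.example.com/contact.html" "Mozilla/5.0"
"""

# relay=[1.2.3.4] or relay=host [1.2.3.4]; "relay=www@localhost" carries no IP, so it is skipped
RELAY_IP = re.compile(r"relay=(?:\S+ )?\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ACCESS = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)[^"]*" \d+ \S+ "([^"]*)"')

def relay_ips(maillog, only_rejects=True):
    """Count relay source IPs, by default only on 'Relaying denied' lines."""
    counts = Counter()
    for line in maillog.splitlines():
        if only_rejects and "Relaying denied" not in line:
            continue
        m = RELAY_IP.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def form_posters(access_log, script="formscript.cgi"):
    """Per client IP: (hits on the form handler, hits that carried no Referer).
    A client that never loaded the page holding the form arrives with no Referer."""
    total, direct = Counter(), Counter()
    for line in access_log.splitlines():
        m = ACCESS.match(line)
        if m and m.group(2).endswith(script):
            total[m.group(1)] += 1
            if m.group(3) in ("-", ""):
                direct[m.group(1)] += 1
    return {ip: (total[ip], direct[ip]) for ip in total}

def correlate(maillog, access_log):
    """IPs that both hit the form handler and appear as relay of a rejected message."""
    relays = relay_ips(maillog)
    return {ip: {"form_hits": t, "direct_hits": d, "relay_rejects": relays[ip]}
            for ip, (t, d) in form_posters(access_log).items() if ip in relays}
```

On the sample data only 192.0.2.10 shows up in both logs, and every one of its form posts arrived without a Referer, which matches the "form page never accessed" observation in the post.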
Geoff Wild
Honored Contributor

Re: Potential Security/spam relay issue with sendmail BIND and apache named based virtual hosting.

Ok - yeah - I get the same.... every now and then some yahoo tries to break formmail - then I find his/her IP in almost every log I have....

Rgds...Geoff