01-09-2004 01:53 AM
Someone is probing my sendmail configuration
I've followed all the rules, been tight with permissions, worked on the access file, run Bastille on the configuration.
Yet I'm still being probed and mail is being relayed once in a while. Though the success rate is less than 1%, it's unacceptable.
I'd like to get some help on the following:
1) Scripts that probe my sendmail configuration as if they were an outsider and report possible vulnerabilities. In essence, I want to run the tools the spammers use and close the holes before they use them.
2) Any suggestions or scripts for scanning the mail logs to detect problems.
My most recent problem was this:
localhost was in my /etc/mail/access file
This seemed reasonable until I got spam on my yahoo account from my own server from apache@mydomain.com
The mail log showed the mail was sent to apache@localhost relay style.
I didn't know outsiders could take advantage of localhost, but a good probe script would have helped.
Thanks in advance for your help.
Reasonable help will be rewarded significantly.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
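For the first request, a probe run from the outside: the following is an added example, not a tool from the thread or from any project it links. It sends the recipient forms spammers try against a relay (null sender, forged local sender, senders at localhost and at the 127.0.0.1 literal, the percent hack, source routing, a quoted local part) and reports which RCPT TO the server accepts. PROBE_MAILBOX, TARGET_DOMAIN and the ScriptedMTA responder are assumptions: the responder is a constructed stand-in that agrees to relay for a sender at localhost so the report has something to show, not a model of sendmail 8.11. SocketTransport runs the same probe against a server you are authorised to test; a message that actually arrives in PROBE_MAILBOX is the confirmation that a relay attempt succeeded.

```python
"""Outsider-style open-relay probe for an SMTP server (added example, not from the thread)."""
import socket

PROBE_MAILBOX = "probe@example.net"   # assumed: an outside mailbox you control
TARGET_DOMAIN = "mydomain.com"        # assumed: a domain the MTA accepts mail for

def relay_tests(target_domain, probe_mailbox):
    """(MAIL FROM, RCPT TO) pairs.  A 250 to RCPT TO means the MTA agreed to relay."""
    user, ext_domain = probe_mailbox.split("@")
    local_sender = f"<nobody@{target_domain}>"
    outside = f"<{probe_mailbox}>"
    return [
        ("<>", outside),                                    # null sender, as bounces use
        (local_sender, outside),                            # forged local sender
        ("<nobody@localhost>", outside),                    # sender domain 'localhost'
        ("<nobody@[127.0.0.1]>", outside),                  # sender at the loopback literal
        (local_sender, f"<{user}%{ext_domain}@{target_domain}>"),   # percent hack
        (local_sender, f"<@{target_domain}:{probe_mailbox}>"),      # source route
        (local_sender, f'<"{probe_mailbox}">'),                     # quoted local part
    ]

def smtp_cmd(conn, line):
    """Send one command; return the reply code after consuming a multi-line reply."""
    conn.write(line + "\r\n")
    while True:
        reply = conn.readline()
        if not reply:
            raise ConnectionError("server closed the connection")
        if len(reply) >= 4 and reply[3] == " ":   # '250 ' is the last line, '250-' continues
            return int(reply[:3])

def run_relay_probe(conn, tests, helo_name="probe.example.net"):
    """Run every test in one session; return [(mail_from, rcpt_to, code, relayed)]."""
    greeting = conn.readline()
    if not greeting.startswith("220"):
        raise ConnectionError(f"unexpected greeting: {greeting!r}")
    smtp_cmd(conn, f"EHLO {helo_name}")
    results = []
    for mail_from, rcpt_to in tests:
        smtp_cmd(conn, "RSET")                              # fresh envelope per attempt
        code = smtp_cmd(conn, f"MAIL FROM:{mail_from}")
        if code == 250:
            code = smtp_cmd(conn, f"RCPT TO:{rcpt_to}")
        results.append((mail_from, rcpt_to, code, code == 250))
    smtp_cmd(conn, "QUIT")
    return results

def report(results):
    """One line per test; RELAYED marks a hole to close."""
    return [f"{'RELAYED' if ok else 'refused'} {code} MAIL FROM:{f} RCPT TO:{t}"
            for f, t, code, ok in results]

class SocketTransport:
    """Line-oriented wrapper around a real MTA: run_relay_probe(SocketTransport(host), tests)."""
    def __init__(self, host, port=25, timeout=30):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("r", encoding="ascii", errors="replace", newline="\r\n")
    def readline(self):
        return self.rfile.readline()
    def write(self, data):
        self.sock.sendall(data.encode("ascii"))

class ScriptedMTA:
    """Constructed stand-in MTA for the offline demo.  It accepts local recipients and
    relays for any sender whose domain is 'localhost'; that mirrors the suspicion in
    the post about the access-file localhost entry, not any real sendmail release."""
    def __init__(self, local_domain):
        self.local_domain = local_domain
        self.sender = ""
        self.pending = ["220 mta.example ESMTP\r\n"]
    def readline(self):
        return self.pending.pop(0) if self.pending else ""
    def write(self, data):
        verb, _, arg = data.strip().partition(":")
        if verb == "MAIL FROM":
            self.sender = arg.strip("<>")
            self.pending.append("250 sender ok\r\n")
        elif verb == "RCPT TO":
            rcpt = arg.strip("<>")
            sender_domain = self.sender.rpartition("@")[2]
            allowed = rcpt.endswith("@" + self.local_domain) or sender_domain == "localhost"
            self.pending.append("250 recipient ok\r\n" if allowed else "550 relaying denied\r\n")
        elif verb == "QUIT":
            self.pending.append("221 bye\r\n")
        else:                                               # EHLO, RSET
            self.pending.append("250 ok\r\n")

def demo():
    """The probe run against the stand-in; a real run swaps in SocketTransport."""
    return run_relay_probe(ScriptedMTA(TARGET_DOMAIN), relay_tests(TARGET_DOMAIN, PROBE_MAILBOX))

if __name__ == "__main__":
    for line in report(demo()):
        print(line)
```

Against the stand-in, the localhost-sender case and the percent-hack case come back RELAYED; the other five are refused. The percent hack is flagged because the stand-in, like a naively configured MTA, accepts any recipient whose domain part is its own and only later routes on the `%`, which is exactly why the probe tests the RCPT TO reply rather than the recipient's apparent domain.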
01-09-2004 02:41 AM
Re: Someone is probing my sendmail configuration
There is no localhost entry in /etc/access
sendmail 8.11
Yet the logs still show root cron's mail with these types of entries
relay=root@localhost
Since my specific problem is still present, I'd like to know how to do the following:
stop mail with relay=apache@localhost while still enabling my websites to send mailforms and such.
I'm thinking about adding a DEFER entry to access:
apache@localhost DEFER
root@localhost DEFER
Don't want to block up root cron's mail though.
SEP
01-09-2004 05:55 AM
Re: Someone is probing my sendmail configuration
I think this is a security problem. I think spammers are using root@localhost and apache@localhost to push spam through sendmail.
SEP
01-09-2004 07:58 AM
Re: Someone is probing my sendmail configuration
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=315767
Or direct:
http://www.visi.com/~hawkeyd/spamfilters.html
In it, there is a
SCheckLocal
# (the LHS and RHS of each R line are separated by tabs)
# record the address
R$*	$: $(storein {TestAddr} $@ $1 $) $1
# focus on host and domain
R$* < @ $+ . > $*	$1 < @ $2 > $3
R$* < @ $+ > $*	$: $2
# validate: local user, host, host and domain, domain, or remote
R$&{TestAddr}	$@ LOCAL $&{TestAddr}
R127 . 0 . 0 . 1	$@ LOCAL 127 . 0 . 0 . 1
Rlocalhost	$@ LOCAL localhost
R$+ . $m	$@ LOCAL $&{TestAddr}
R$m	$@ LOCAL $&{TestAddr}
R$*	$@ $&{TestAddr}
I see a lot of spam attempts at my server - the localhost ones are rejected....unless they are mine...
My biggest beef is:
--------------------- sendmail Begin ------------------------
329 unidentified unknown users
Unknown users:
AGBfMJ@mydomain.ca: 1 Times(s)
AZzoR@mydomain.ca: 1 Times(s)
Avx@mydomain.ca: 1 Times(s)
AxJV@mydomain.ca: 1 Times(s)
BFfpl@mydomain.ca: 1 Times(s)
etc...etc......every day...
The spammer is sending test messages off of open relays...with from=<> as quick as every 15 seconds....what a waste of my CPU...
Rgds...Geoff
01-10-2004 12:21 PM
Re: Someone is probing my sendmail configuration
I have the server locked down pretty tightly.
I'm a heavy user of the sendmail.mc file. I use every spam option that works in there.
I'm looking into your links and may come back with further questions.
Thanks for answering Sir.
SEP
01-10-2004 12:29 PM
Re: Someone is probing my sendmail configuration
It is unclear at this time whether this will stop relay using apache@localhost and root@localhost.
It is extremely urgent that I find a way to shut this down.
SEP
01-10-2004 01:25 PM
Re: Someone is probing my sendmail configuration
My server:
www.met.ca
Rgds...Geoff
01-11-2004 04:21 AM
Re: Someone is probing my sendmail configuration
The problem might not be as bad as I thought.
Here is what the log looks like:
Jan 11 08:27:05 jerusalem sendmail[31321]: i0BER5u31321: from=apache, size=14673, class=0, nrcpts=503, msgid=<200401111427.i0BER5u31321@investmenttool.com>, relay=apache@localhost
Jan 11 08:27:06 jerusalem sendmail[31326]: i0BER5U31326: from=apache, size=14673, class=0, nrcpts=502, msgid=<200401111427.i0BER5U31326@investmenttool.com>, relay=apache@localhost
Jan 11 08:27:06 jerusalem sendmail[31329]: i0BER5U31326: to=natashia627@www.protterstory.com, ctladdr=apache (48/48), delay=00:00:01, xdelay=00:00:00, mailer=esmtp, pri=15074673, relay=www.protterstory.com. [66.92.143.198], dsn=4.0.0, stat=Deferred: Connection refused by www.protterstory.com.
This looks like some kind of spoof based on a cgi formscript.
The formscript has my yahoo account hard coded into it for cgi gateway forms.
Please, sendmail gurus, does this log mean the spam attempt is failing?
Looks like only my yahoo account gets any mail.
SEP
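Log scanning was the second item asked for in the opening post, and the three lines quoted above are enough to show what such a scanner should pull out. The following is an added example, not a script from the thread; its only input is those three lines, copied in as a constructed sample. Two readings it makes explicit: relay=apache@localhost on a from= record means the message was handed to the sendmail binary locally by uid apache rather than received over SMTP (SMTP arrivals log relay=host [address], and the ctladdr=apache (48/48) on the to= record says the same), so neither access-map entries nor outsider relay probes are where this one is stopped; and stat=Deferred with dsn=4.0.0 is a temporary failure, so sendmail keeps the message in its queue and retries it rather than dropping it. Recipients with no to= record in the excerpt simply have not been attempted within the lines scanned, so one deferred delivery says nothing about the other 501.

```python
"""Sendmail log scanner (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample: the three lines quoted in the post above.
SAMPLE_LOG = """\
Jan 11 08:27:05 jerusalem sendmail[31321]: i0BER5u31321: from=apache, size=14673, class=0, nrcpts=503, msgid=<200401111427.i0BER5u31321@investmenttool.com>, relay=apache@localhost
Jan 11 08:27:06 jerusalem sendmail[31326]: i0BER5U31326: from=apache, size=14673, class=0, nrcpts=502, msgid=<200401111427.i0BER5U31326@investmenttool.com>, relay=apache@localhost
Jan 11 08:27:06 jerusalem sendmail[31329]: i0BER5U31326: to=natashia627@www.protterstory.com, ctladdr=apache (48/48), delay=00:00:01, xdelay=00:00:00, mailer=esmtp, pri=15074673, relay=www.protterstory.com. [66.92.143.198], dsn=4.0.0, stat=Deferred: Connection refused by www.protterstory.com.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[\d+\]: "
    r"(?P<qid>[A-Za-z0-9]+): (?P<fields>.*)$")
# Records are 'key=value' pairs joined by ', '.  Split only where the next key begins,
# because the stat= text is free-form and may itself contain commas.
FIELD_SPLIT = re.compile(r", (?=[a-z]+=)")
# relay=<user>@localhost on a from= record: handed to the sendmail binary by that uid,
# not received over SMTP (SMTP arrivals log relay=host [addr]).
LOCAL_RELAY = re.compile(r"^(?P<user>[^@\s]+)@localhost$")

def parse_fields(text):
    return dict(item.split("=", 1) for item in FIELD_SPLIT.split(text) if "=" in item)

def collect(lines):
    """{qid: envelope}; the to= records of one queue id hang off its from= record."""
    env = defaultdict(lambda: {"sender": None, "nrcpts": 0, "relay": None, "to": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = parse_fields(m["fields"])
        e = env[m["qid"]]
        if "from" in fields:
            e["sender"] = fields["from"]
            e["nrcpts"] = int(fields.get("nrcpts", "0"))
            e["relay"] = fields.get("relay")
        elif "to" in fields:
            e["to"].append((fields["to"], fields.get("dsn", ""), fields.get("stat", "")))
    return dict(env)

def findings(envelopes, bulk_threshold=50):
    """One summary per envelope.  dsn 2.x.x is delivered, 4.x.x deferred (still queued,
    will be retried), 5.x.x bounced.  Recipients without a to= record were not
    attempted inside the scanned window."""
    out = []
    for qid, e in envelopes.items():
        local = LOCAL_RELAY.match(e["relay"] or "")
        tally = {"sent": 0, "deferred": 0, "bounced": 0}
        for _, dsn, _ in e["to"]:
            if dsn.startswith("2"):
                tally["sent"] += 1
            elif dsn.startswith("4"):
                tally["deferred"] += 1
            elif dsn.startswith("5"):
                tally["bounced"] += 1
        out.append({"qid": qid, "sender": e["sender"], "nrcpts": e["nrcpts"],
                    "local_uid": local["user"] if local else None,
                    "bulk": e["nrcpts"] >= bulk_threshold,
                    "unattempted": e["nrcpts"] - len(e["to"]), **tally})
    return out

def summarize(lines, bulk_threshold=50):
    """Report lines.  LOCAL-BULK marks a large envelope injected by a local uid, which
    points at the program running as that uid rather than at the SMTP access controls."""
    report = []
    for f in findings(collect(lines), bulk_threshold):
        tag = "LOCAL-BULK" if f["local_uid"] and f["bulk"] else "ok"
        report.append(f"{tag} {f['qid']} from={f['sender']} uid={f['local_uid']} "
                      f"nrcpts={f['nrcpts']} sent={f['sent']} deferred={f['deferred']} "
                      f"bounced={f['bounced']} unattempted={f['unattempted']}")
    return report

if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG.splitlines()):
        print(line)
```

Run over a full day of maillog (`summarize(open("/var/adm/syslog/mail.log").read().splitlines())`, path as on your system), the LOCAL-BULK lines name the uid to investigate; for the sample both envelopes come back as uid apache with 503 and 502 recipients, one deferred, none yet sent or bounced.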
01-11-2004 04:24 AM
Re: Someone is probing my sendmail configuration
Confused.
SEP
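The form-mail path identified two posts up (a CGI that sends to one hard-coded address, yet produced envelopes with 500-odd recipients, submitted as uid apache) is the piece that access-map entries and SMTP rules cannot reach, because the message enters sendmail from the web server's own process. The following is an added example, not the script from the thread: it assumes, as one common way such gateways get abused, that the script pastes form fields into header lines and pipes the text to `sendmail -t`, which takes its envelope recipients from To:, Cc: and Bcc:, so a form field carrying a newline adds recipients the script never intended. It shows that shape beside a hardened one. SITE_OWNER, FORM_SENDER, the sendmail path and the two sample submissions are assumptions.

```python
"""Form-to-mail gateway: the vulnerable shape beside a hardened one (added example)."""
import re
from email.message import EmailMessage
from email.parser import Parser
from email.utils import getaddresses

SITE_OWNER = "owner@example.com"        # assumed stand-in for the hard-coded account in the post
FORM_SENDER = "www-form@mydomain.com"   # assumed fixed sender address owned by the site
SENDMAIL = "/usr/sbin/sendmail"         # assumed path to the sendmail binary

# Constructed sample submissions: a normal one and one that smuggles a Bcc: header
# through the subject field.
CLEAN_FORM = {"email": "visitor@example.org", "subject": "hello", "message": "hi there"}
INJECTED_FORM = {"email": "visitor@example.org",
                 "subject": "hello\nBcc: a@example.org, b@example.org",
                 "message": "buy now"}

def build_vulnerable(form):
    """The shape to retire: form fields are pasted into header lines unchecked and
    the text is then piped to `sendmail -t`, which reads recipients from the headers."""
    return (f"From: {form['email']}\n"
            f"To: {SITE_OWNER}\n"
            f"Subject: {form['subject']}\n"
            f"\n{form['message']}\n")

def recipients_seen_by_sendmail_t(text):
    """Simulate `sendmail -t`: every address in To:, Cc: and Bcc: becomes an envelope recipient."""
    msg = Parser().parsestr(text)
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(headers)]

_CTL = re.compile(r"[\r\n\x00]")                              # line breaks and NUL end or add headers
_ADDR = re.compile(r"^[^@\s<>,]+@[^@\s<>,]+\.[^@\s<>,]+$")   # one bare address, nothing else

def validate_form(form, max_header=200):
    """(ok, reason): header-bound fields may not contain CR, LF or NUL; the address
    field must be a single bare address; the body may not contain CR or NUL."""
    for key in ("email", "subject"):
        value = form.get(key, "")
        if _CTL.search(value):
            return False, f"{key}: line break or NUL in a header field"
        if len(value) > max_header:
            return False, f"{key}: longer than {max_header} characters"
    if not _ADDR.match(form.get("email", "").strip()):
        return False, "email: not a single bare address"
    if "\r" in form.get("message", "") or "\x00" in form.get("message", ""):
        return False, "message: CR or NUL in body"
    return True, ""

def build_hardened(form):
    """Fixed recipient and sender, validated header fields, the visitor's address only
    in Reply-To.  EmailMessage independently refuses header values with line breaks."""
    ok, reason = validate_form(form)
    if not ok:
        raise ValueError(reason)
    msg = EmailMessage()
    msg["From"] = FORM_SENDER
    msg["To"] = SITE_OWNER
    msg["Reply-To"] = form["email"].strip()
    msg["Subject"] = form["subject"].strip()
    msg.set_content(form["message"])
    return msg

def sendmail_argv():
    """Give sendmail the recipient on the command line instead of `-t`, so no header can
    add one.  -i stops a lone '.' line ending the input early; -f sets the envelope
    sender (sendmail adds an X-Authentication-Warning header if the uid is not trusted)."""
    return [SENDMAIL, "-i", "-f", FORM_SENDER, SITE_OWNER]

if __name__ == "__main__":
    print("vulnerable:", recipients_seen_by_sendmail_t(build_vulnerable(INJECTED_FORM)))
    print("hardened:  ", validate_form(INJECTED_FORM))
    print("hardened:  ", recipients_seen_by_sendmail_t(build_hardened(CLEAN_FORM).as_string()))
    print("argv:      ", sendmail_argv())
```

With the injected submission, the vulnerable builder yields three envelope recipients where the script meant one; the hardened path rejects the submission before anything is built, and even a clean submission can only ever reach SITE_OWNER because the recipient is passed on sendmail's command line rather than read from headers. The same two rules (no CR/LF in anything that becomes a header, recipients never derived from the request) carry over to whatever language the real CGI is written in.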
01-11-2004 04:55 AM
Re: Someone is probing my sendmail configuration
Rgds...Geoff