Operating System - HP-UX

Re: Someone is probing my sendmail configuration

 
Geoff Wild
Honored Contributor

Re: Someone is probing my sendmail configuration

As far as the formscript - yes - doesn't look like it is getting through - I have the same issue - some kiddie was trying to use a formmail script I use to relay - didn't work - though I was annoyed cause all his attempts went to my inbox!

I complained to shaw.ca to have his account revoked - as it was a violation of their terms of agreement - but to no avail - so I blocked his ip in my iptables...


His ip: 24.82.81.169

I would block that if I was you.

I also added that to my rc.local:

rc.local:/sbin/route add -host 24.82.81.169 reject

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Steven E. Protter
Exalted Contributor

Re: Someone is probing my sendmail configuration

I'm going to enhance logging sendmail, get the ip address and block it.

What a pain.

It's nice to know the mail is being rejected.

I think the way to prevent the form script from relaying to the target email address is to read the target email addresses from a file.

That might not help.

I have no idea how to relay mail through anyone else's server. I'm not a really good hacker/spammer I guess.

Don't post a script here. email it to investmenttool@yahoo.com

I'm using that to collect the garbage from the form script.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Geoff Wild
Honored Contributor

Re: Someone is probing my sendmail configuration

Steven,

Have you tried:

http://www.abuse.net/relay.html

It doesn't do a localhost test - but it does try spamtest@yourdomain.com


Rgds...Geoff
Steven E. Protter
Exalted Contributor

Re: Someone is probing my sendmail configuration

I've totally taken relay statements out of the /etc/mail/access file.

Since then I've had no problems with the spam, but it doesn't happen every day.

I'm waiting, monitoring, checking out those links and will get back to you.

A hardware problem hung up my main Linux web server this morning and forced an embarrassing mid-day reboot. It was not spam or hacker related.

Once you've actually identified the source ip address of the problem, you can use iptables to block all access.

That also means public access to any public web sites you are running. It's not a step to be taken lightly.

iptables (Linux) is robust but I'm not sure how many ip addresses you can have on the drop list before it starts eating up the whole cpu.

Same thing can be done with different syntax on the ipfilter hp firewall.

I really think HP should port iptables to HP-UX and be done with it. It's a good product.

Here is Geoff's thread:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=364287

Anyone else has ideas, let me know.

SEP
Geoff Wild
Honored Contributor

Re: Someone is probing my sendmail configuration

Here's the latest attempt I've seen:

Jan 12 18:48:13 dune sendmail[21149]: i0D2mDP5021149: ... User unknown
Jan 12 18:48:13 dune sendmail[21149]: i0D2mDP5021149: from=, size=1024, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=shawidc-mo1.cg.shawcable.net [24.71.223.10]

Of course, a legitimate email from the MAILER-DAEMON is NOT fully qualified...

So I would explicitly block that in the access db.

Rgds...Geoff


Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
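
The step discussed in this thread, getting the source address out of the sendmail log before deciding what to block, as an added Python example (not code from any poster here). It pairs each "User unknown" line with the from= line sharing its queue id and counts, per relay IP, messages whose recipients were all refused (nrcpts=0); the sample log, the threshold of 2 and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the syslog layout quoted in the thread; queue ids,
# hosts and addresses are placeholders (documentation IP ranges).
SAMPLE_LOG = """\
Jan 12 18:48:13 dune sendmail[21149]: i0D2mDP5000001: <spamtest@example.org>... User unknown
Jan 12 18:48:13 dune sendmail[21149]: i0D2mDP5000001: from=<a@example.net>, size=1024, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mo1.example.net [192.0.2.10]
Jan 12 18:52:40 dune sendmail[21160]: i0D2qeP5000002: <nobody@example.org>... User unknown
Jan 12 18:52:40 dune sendmail[21160]: i0D2qeP5000002: from=<b@example.net>, size=980, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mo1.example.net [192.0.2.10]
Jan 12 19:01:02 dune sendmail[21201]: i0D312P5000003: from=<c@example.com>, size=2210, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.com [198.51.100.7]
Jan 12 19:05:17 dune sendmail[21230]: i0D35HP5000004: <typo@example.org>... User unknown
Jan 12 19:05:17 dune sendmail[21230]: i0D35HP5000004: from=<d@example.com>, size=1500, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=dsl.example.com [203.0.113.5]
"""

LINE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)")
RELAY_IP = re.compile(r"relay=.*\[(\d{1,3}(?:\.\d{1,3}){3})\]")
NRCPTS = re.compile(r"\bnrcpts=(\d+)")


def rejected_by_relay(log_text):
    """Count, per relay IP, messages whose recipients were all refused."""
    unknown = Counter()  # queue id -> "User unknown" rejections seen so far
    per_ip = Counter()   # relay IP -> messages with nrcpts=0 after rejections
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest").rstrip()
        if rest.endswith("User unknown"):
            unknown[qid] += 1
        elif rest.startswith("from="):
            ip, n = RELAY_IP.search(rest), NRCPTS.search(rest)
            # Only count the message if the same queue id had a rejection.
            if ip and n and n.group(1) == "0" and unknown[qid]:
                per_ip[ip.group(1)] += 1
    return per_ip


def review_candidates(log_text, threshold=2):
    """Relay IPs with at least `threshold` fully rejected messages."""
    counts = rejected_by_relay(log_text)
    return sorted(ip for ip, c in counts.items() if c >= threshold)


if __name__ == "__main__":
    print(review_candidates(SAMPLE_LOG))
```

The relay field names the connecting host, which can be a provider's mail server shared by many senders (the relay in the log quoted above is a shawcable.net host), so the output is a list to review, not one to feed straight into a block rule.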