Someone is probing my sendmail configuration

Steven E. Protter
Exalted Contributor

Someone is probing my sendmail configuration

I've been watching my sendmail configuration closely since my problems resulted in a Security Bulletin, which I still owe HP some information on.

I've followed all the rules, been tight with permissions, worked on access file, run Bastille on the configuration.

Yet I'm still being probed and mail is being relayed once in a while. Though the success rate is less than 1%, it's unacceptable.

I'd like to get some help on the following:

1) Scripts that probe my sendmail configuration as if they were an outsider and report possible vulnerabilities. In essence I want to run tools the spammers use and close the holes before they use them.

2) Any suggestions or scripts for scanning the mail logs to detect problems.

My most recent problem was this:

localhost was in my /etc/mail/access file

This seemed reasonable until I got spam on my yahoo account from my own server from apache@mydomain.com

The mail log showed the mail was sent to apache@localhost relay style.

I didn't know outsiders could take advantage of localhost, but a good probe script would have helped.

Thanks in advance for your help.

Reasonable help will be rewarded significantly.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
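The relay probe that item 1) of the post asks for, as an added example that is not part of the original thread and is not the abuse.net tester: a Python script that tries the envelope combinations an outsider would try (plain relay, null sender, a sender in the local domain, root@localhost and apache@localhost as senders, the percent hack and a source route) and reports the ones the server accepts at RCPT TO, which is where a correctly configured sendmail refuses. So that it runs offline it carries a tiny fake MTA whose relaying policy is an assumption chosen to mirror the symptom in this thread; the domain names and addresses are placeholders.

```python
"""Open-relay probe in the style of the abuse.net relay test (added example)."""
import smtplib
import socket
import threading

LOCAL_DOMAIN = "mydomain.example"        # assumption: domain the tested MTA serves
OUTSIDE = "nobody@outside.example"       # assumption: recipient it must never relay to


def relay_tests(local_domain=LOCAL_DOMAIN, outside=OUTSIDE):
    """(label, envelope sender, envelope recipient) triples an outsider would try."""
    user, host = outside.split("@")
    return [
        ("plain relay", "spamtest@outside.example", outside),
        ("null sender", "", outside),                          # MAIL FROM:<>
        ("local-domain sender", f"spamtest@{local_domain}", outside),
        ("root@localhost sender", "root@localhost", outside),
        ("apache@localhost sender", "apache@localhost", outside),
        ("percent hack", "spamtest@outside.example", f"{user}%{host}@{local_domain}"),
        ("source route", "spamtest@outside.example", f"@{local_domain}:{outside}"),
    ]


def probe(host, port, tests=None, timeout=5.0):
    """Return the labels of the tests whose RCPT TO the server accepted (2xx)."""
    accepted = []
    for label, sender, rcpt in tests or relay_tests():
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:   # QUIT on exit
            smtp.helo("probe.example")
            # docmd sends the command verbatim, so the percent and route forms
            # reach the server exactly as written instead of being re-quoted
            code, _ = smtp.docmd("MAIL", f"FROM:<{sender}>")
            if code != 250:
                continue
            code, _ = smtp.docmd("RCPT", f"TO:<{rcpt}>")
            if 200 <= code < 300:
                accepted.append(label)
    return accepted


class FakeSendmail(threading.Thread):
    """Constructed stand-in for the MTA under test (assumption: not real sendmail).

    Policy: deliver anything addressed to the local domain, and relay anywhere
    for a sender in relay_for. Everything else gets 550 at RCPT time.
    """

    def __init__(self, local_domain, relay_for):
        super().__init__(daemon=True)
        self.local_domain, self.relay_for = local_domain, set(relay_for)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            self.serve(conn)

    def serve(self, conn):
        conn.sendall(b"220 fake ESMTP\r\n")
        sender = None
        for raw in conn.makefile("rb"):
            verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "MAIL":
                sender = arg.split(":", 1)[1].strip("<> ")
                conn.sendall(b"250 2.1.0 sender ok\r\n")
            elif verb == "RCPT":
                rcpt = arg.split(":", 1)[1].strip("<> ")
                if rcpt.endswith("@" + self.local_domain) or sender in self.relay_for:
                    conn.sendall(b"250 2.1.5 recipient ok\r\n")
                else:
                    conn.sendall(b"550 5.7.1 Relaying denied\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 2.0.0 bye\r\n")
                break
            else:                                   # HELO/EHLO/RSET/NOOP
                conn.sendall(b"250 fake\r\n")
        conn.close()


def demo():
    """Start the fake MTA (trusting apache@localhost) and probe it."""
    mta = FakeSendmail(LOCAL_DOMAIN, relay_for={"apache@localhost"})
    mta.start()
    return probe("127.0.0.1", mta.port)


if __name__ == "__main__":
    for label in demo():
        print("relay accepted:", label)
```

Against the fake MTA the probe reports the apache@localhost sender and the percent hack; a real run is `probe("mail.mydomain.example", 25)` from a host outside the server's own network, because a test from localhost or a trusted subnet says nothing about what outsiders can do.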
14 REPLIES
Steven E. Protter
Exalted Contributor

Re: Someone is probing my sendmail configuration

With regards to the specific problem:

There is no localhost entry in /etc/access
sendmail 8.11

Yet the logs still show root cron's mail with these types of entries

relay=root@localhost

Since my specific problem is still present, I'd like to know how to do the following:

stop mail with relay=apache@localhost while still enabling my websites to send mailforms and such.

I'm thinking about adding a DEFER entry to access:

apache@localhost DEFER
root@localhost DEFER

Don't want to block up root cron's mail though.

SEP
Steven E. Protter
Exalted Contributor

Re: Someone is probing my sendmail configuration

Does anyone know why, when sending mail as a local user, say root cron, there is an entry in the mail.log file with the text relay=root@localhost?

I think this is a security problem. I think spammers are using root@localhost and apache@localhost to push spam through sendmail.

SEP
Geoff Wild
Honored Contributor

Re: Someone is probing my sendmail configuration

Are you using the spam filters I mentioned in:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=315767

Or direct:

http://www.visi.com/~hawkeyd/spamfilters.html


In it, there is a

SCheckLocal

# record the address
R$*	$: $(storein {TestAddr} $@ $1 $) $1
# focus on host and domain
R$* < @ $+ . > $*	$1 < @ $2 > $3
R$* < @ $+ > $*	$: $2
# validate: local user, host, host and domain, domain, or remote
R$&{TestAddr}	$@ LOCAL $&{TestAddr}
R127 . 0 . 0 . 1	$@ LOCAL 127 . 0 . 0 . 1
Rlocalhost	$@ LOCAL localhost
R$+ . $m	$@ LOCAL $&{TestAddr}
R$m	$@ LOCAL $&{TestAddr}
R$*	$@ $&{TestAddr}

I see a lot of spam attempts at my server - the localhost ones are rejected....unless they are mine...

My biggest beef is:

--------------------- sendmail Begin ------------------------



329 unidentified unknown users

Unknown users:
AGBfMJ@mydomain.ca: 1 Time(s)
AZzoR@mydomain.ca: 1 Time(s)
Avx@mydomain.ca: 1 Time(s)
AxJV@mydomain.ca: 1 Time(s)
BFfpl@mydomain.ca: 1 Time(s)

etc...etc......every day...

The spammer is sending test messages off of open relays...with from=<> as quick as every 15 seconds....what a waste of my cpu...

Rgds...Geoff

Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Steven E. Protter
Exalted Contributor

Re: Someone is probing my sendmail configuration

I think that the testing methodology you point at, Geoff, is what is being done to my server.

I have the server locked down pretty tightly.

I'm a heavy user of the sendmail.mc file. I use every spam option that works in there.

I'm looking into your links and may come back with further questions.

Thanks for answering Sir.

SEP
Steven E. Protter
Exalted Contributor

Re: Someone is probing my sendmail configuration

Working on the Spamfilter product.

It is unclear at this time whether this will stop relay using apache@localhost and root@localhost

It is extremely urgent that I find a way to shut this down.

SEP
Geoff Wild
Honored Contributor

Re: Someone is probing my sendmail configuration

I can't confirm against my server - due to my access - do you want to try it?

My server:

www.met.ca

Rgds...Geoff
Steven E. Protter
Exalted Contributor

Re: Someone is probing my sendmail configuration

It's very interesting.

The problem might not be as bad as I thought.

Here is what the log looks like:

Jan 11 08:27:05 jerusalem sendmail[31321]: i0BER5u31321: from=apache, size=14673, class=0, nrcpts=503, msgid=<200401111427.i0BER5u31321@investmenttool.com>, relay=apache@localhost
Jan 11 08:27:06 jerusalem sendmail[31326]: i0BER5U31326: from=apache, size=14673, class=0, nrcpts=502, msgid=<200401111427.i0BER5U31326@investmenttool.com>, relay=apache@localhost
Jan 11 08:27:06 jerusalem sendmail[31329]: i0BER5U31326: to=natashia627@www.protterstory.com, ctladdr=apache (48/48), delay=00:00:01, xdelay=00:00:00, mailer=esmtp, pri=15074673, relay=www.protterstory.com. [66.92.143.198], dsn=4.0.0, stat=Deferred: Connection refused by www.protterstory.com.


This looks like some kind of spoof based on a cgi formscript.

The formscript has my yahoo account hard coded into it for cgi gateway forms.

Please, sendmail gurus, does this log mean the spam attempt is failing?

Looks like only my yahoo account gets any mail.

SEP
Steven E. Protter
Exalted Contributor

Re: Someone is probing my sendmail configuration

What should I try, Geoff?

Confused.

SEP
Geoff Wild
Honored Contributor

Re: Someone is probing my sendmail configuration

Just try sending email as root@localhost through my server...

Rgds...Geoff
Geoff Wild
Honored Contributor

Re: Someone is probing my sendmail configuration

As far as the formscript - yes - doesn't look like it is getting through - I have the same issue - some kiddie was trying to use a formmail script I use to relay - didn't work - though I was annoyed cause all his attempts went to my inbox!

I complained to shaw.ca to have his account revoked - as it was a violation of their terms of agreement - but to no avail - so I blocked his ip in my iptables...


His ip: 24.82.81.169

I would block that if I was you.

I also added that to my rc.local:

rc.local:/sbin/route add -host 24.82.81.169 reject

Rgds...Geoff
Steven E. Protter
Exalted Contributor

Re: Someone is probing my sendmail configuration

I'm going to enhance logging sendmail, get the ip address and block it.

What a pain.

Its nice to know the mail is being rejected.

I think the way to prevent the form script from relaying to the target email address is to read the target email addresses from a file.

That might not help.

I have no idea how to relay mail through anyone else's server. I'm not a really good hacker/spammer, I guess.

Don't post a script here. email it to investmenttool@yahoo.com

I'm using that to collect the garbage from the form script.

SEP
Geoff Wild
Honored Contributor

Re: Someone is probing my sendmail configuration

Steven,

Have you tried:

http://www.abuse.net/relay.html

It doesn't do a localhost test, but it does try spamtest@yourdomain.com


Rgds...Geoff
Steven E. Protter
Exalted Contributor

Re: Someone is probing my sendmail configuration

I've totally taken relay statements out of the /etc/mail/access file.

Since then I've had no problems with the spam, but it doesn't happen every day.

I'm waiting, monitoring, checking out those links and will get back to you.

A hardware problem hung up my main Linux web server this morning and forced an embarrassing mid-day reboot. It was not spam or hacker related.

Once you've actually identified the source ip address of the problem, you can use iptables to block all access.

That also means public access to any public web sites you are running. It's not a step to be taken lightly.

iptables(Linux) is robust but I'm not sure how many ip addresses you can have on the drop list before it starts eating up the whole cpu.

Same thing can be done with different syntax on the ipfilter hp firewall.

I really think HP should port iptables to HP-UX and be done with it. Its a good product.

Here is Geoff's thread:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=364287

Anyone else has ideas, let me know.

SEP
Geoff Wild
Honored Contributor

Re: Someone is probing my sendmail configuration

Here's the latest attempt I've seen:

Jan 12 18:48:13 dune sendmail[21149]: i0D2mDP5021149: ... User unknown
Jan 12 18:48:13 dune sendmail[21149]: i0D2mDP5021149: from=<>, size=1024, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=shawidc-mo1.cg.shawcable.net [24.71.223.10]

Of course, a legitimate email from the MAILER-DAEMON is NOT fully qualified...

So I would explicitly block that in the access db.

Rgds...Geoff


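One way to scan the mail log for the two patterns quoted in this thread (the apache@localhost bulk submissions in Steven's log excerpt, and the from=<>, nrcpts=0 probes in Geoff's), as an added example rather than a script from the thread. The sample log lines are constructed after the quoted ones with placeholder host names, queue IDs, addresses and IPs; the set of web-server uids and both thresholds are assumptions.

```python
"""Triage of sendmail envelope log lines (added example, not from the thread).

Flags two things:
  web-bulk-submit    a from= record with relay=<uid>@localhost, i.e. mail handed
                     to the local sendmail binary under a web-server uid, with a
                     large nrcpts: a form script being driven as a relay;
  null-sender-probe  repeated from=<>, nrcpts=0 records from one remote host,
                     i.e. address probing that only produces "User unknown".
"""
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the lines quoted in the thread; host names,
# queue IDs, addresses and IPs are placeholders, not real log data.
SAMPLE_LOG = """\
Jan 11 08:27:05 mta sendmail[31321]: i0BER5u31321: from=apache, size=14673, class=0, nrcpts=503, msgid=<200401111427.i0BER5u31321@mydomain.example>, relay=apache@localhost
Jan 11 08:27:06 mta sendmail[31329]: i0BER5u31321: to=victim@example.net, ctladdr=apache (48/48), delay=00:00:01, xdelay=00:00:00, mailer=esmtp, pri=15074673, relay=mx.example.net. [192.0.2.10], dsn=4.0.0, stat=Deferred: Connection refused by mx.example.net.
Jan 11 09:00:01 mta sendmail[31400]: i0BF01a31400: from=root, size=512, class=0, nrcpts=1, msgid=<200401111500.i0BF01a31400@mydomain.example>, relay=root@localhost
Jan 11 09:05:00 mta sendmail[31410]: i0BF50b31410: from=<alice@partner.example>, size=2048, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.partner.example [203.0.113.5]
Jan 12 18:48:13 mta sendmail[21149]: i0D2mDP5021149: AGBfMJ@mydomain.example... User unknown
Jan 12 18:48:13 mta sendmail[21149]: i0D2mDP5021149: from=<>, size=1024, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=relay.open.example [198.51.100.7]
Jan 12 18:48:28 mta sendmail[21160]: i0D2mSQ5021160: from=<>, size=1024, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=relay.open.example [198.51.100.7]
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
# key=value pairs; a value may contain a comma unless that comma starts the next key=
FIELD_RE = re.compile(r"(\w+)=((?:[^,]|,(?! ?\w+=))*)")
IP_RE = re.compile(r"\[([\d.]+)\]")

WEB_UIDS = {"apache", "httpd", "www", "nobody"}   # assumption: uids web servers run as
BULK_THRESHOLD = 50      # assumption: nrcpts at or above this from a web uid is suspect
PROBE_THRESHOLD = 2      # assumption: null-sender, zero-recipient hits per source


def parse(log_text):
    """Yield (queue id, {field: value}) for every sendmail record that has fields."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            fields = dict(FIELD_RE.findall(m["rest"]))
            if fields:                      # "... User unknown" lines have none
                yield m["qid"], fields


def scan(log_text, web_uids=WEB_UIDS, bulk=BULK_THRESHOLD, probes=PROBE_THRESHOLD):
    """Return a list of finding dicts for the log text."""
    outcomes = defaultdict(list)            # qid -> stat= values from its to= lines
    bulk_submits = []
    null_probes = Counter()
    for qid, f in parse(log_text):
        if "to" in f:
            outcomes[qid].append(f.get("stat", ""))
            continue
        if "from" not in f:
            continue
        nrcpts = int(f.get("nrcpts", "0"))
        relay = f.get("relay", "")
        user, at, host = relay.partition("@")
        if at and host == "localhost":
            # relay=<uid>@localhost: the message came in through the local
            # sendmail binary under that uid, not over the network
            if user in web_uids and nrcpts >= bulk:
                bulk_submits.append((qid, user, nrcpts))
        elif f["from"] == "<>" and nrcpts == 0:
            ip = IP_RE.search(relay)
            null_probes[ip.group(1) if ip else relay] += 1
    findings = [
        {"kind": "web-bulk-submit", "qid": q, "user": u, "nrcpts": n,
         "stat": outcomes.get(q, [])}
        for q, u, n in bulk_submits
    ]
    findings += [
        {"kind": "null-sender-probe", "source": src, "count": n}
        for src, n in null_probes.most_common() if n >= probes
    ]
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The web-bulk-submit finding carries the stat= values of the matching to= lines, which is the answer to "does this log mean the spam attempt is failing?" (here, Deferred: Connection refused). Because relay=<uid>@localhost records local command-line submission rather than an SMTP session, the access db is not what decides their fate; the form script running as that uid is, so that is where the recipient list has to be fixed.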