01-09-2004 01:53 AM
Someone is probing my sendmail configuration
I've followed all the rules, been tight with permissions, worked on access file, run Bastille on the configuration.
Yet I'm still being probed and mail is being relayed once in a while. Though the success rate is less than 1%, it's unacceptable.
I'd like to get some help on the following:
1) Scripts that probe my sendmail configuration as if they were an outsider and report possible vulnerabilities. In essence I want to run tools the spammers use and close the holes before they use them.
2) Any suggestions or scripts for scanning the mail logs to detect problems.
My most recent problem was this:
localhost was in my /etc/mail/access file
This seemed reasonable until I got spam on my yahoo account from my own server from apache@mydomain.com
The mail log showed the mail was sent to apache@localhost relay style.
I didn't know outsiders could take advantage of localhost, but a good probe script would have helped.
Thanks in advance for your help.
Reasonable help will be rewarded significantly.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
01-09-2004 02:41 AM
Re: Someone is probing my sendmail configuration
There is no localhost entry in /etc/access
sendmail 8.11
Yet the logs still show root cron's mail with these types of entries
relay=root@localhost
Since my specific problem is still present, I'd like to know how to do the following:
stop mail with relay=apache@localhost while still enabling my websites to send mailforms and such.
I'm thinking about adding a DEFER entry to access:
apache@localhost DEFER
root@localhost DEFER
Don't want to block up root cron's mail though.
SEP
01-09-2004 05:55 AM
Re: Someone is probing my sendmail configuration
I think this is a security problem. I think spammers are using root@localhost and apache@localhost to push spam through sendmail.
SEP
01-09-2004 07:58 AM
Re: Someone is probing my sendmail configuration
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=315767
Or direct:
http://www.visi.com/~hawkeyd/spamfilters.html
In it, there is a
SCheckLocal
# note: sendmail requires a tab (not spaces) between the LHS and RHS of each R line
# record the address
R$*	$: $(storein {TestAddr} $@ $1 $) $1
# focus on host and domain
R$* < @ $+ . > $*	$1 < @ $2 > $3
R$* < @ $+ > $*	$: $2
# validate: local user, host, host and domain, domain, or remote
R$&{TestAddr}	$@ LOCAL $&{TestAddr}
R127 . 0 . 0 . 1	$@ LOCAL 127 . 0 . 0 . 1
Rlocalhost	$@ LOCAL localhost
R$+ . $m	$@ LOCAL $&{TestAddr}
R$m	$@ LOCAL $&{TestAddr}
R$*	$@ $&{TestAddr}
I see a lot of spam attempts at my server - the localhost ones are rejected....unless they are mine...
My biggest beef is:
--------------------- sendmail Begin ------------------------
329 unidentified unknown users
Unknown users:
AGBfMJ@mydomain.ca: 1 Times(s)
AZzoR@mydomain.ca: 1 Times(s)
Avx@mydomain.ca: 1 Times(s)
AxJV@mydomain.ca: 1 Times(s)
BFfpl@mydomain.ca: 1 Times(s)
etc...etc......every day...
The spammer is sending test messages off of open relays...with from=<> as quick as every 15 seconds....what a waste of my cpu...
Rgds...Geoff
01-10-2004 12:21 PM
Re: Someone is probing my sendmail configuration
I have the server locked down pretty tightly.
I'm a heavy user of the sendmail.mc file. I use every spam option that works in there.
I'm looking into your links and may come back with further questions.
Thanks for answering Sir.
SEP
01-10-2004 12:29 PM
Re: Someone is probing my sendmail configuration
It is unclear at this time whether this will stop relay using apache@localhost and root@localhost
It is extremely urgent that I find a way to shut this down.
SEP
01-10-2004 01:25 PM
Re: Someone is probing my sendmail configuration
My server:
www.met.ca
Rgds...Geoff
01-11-2004 04:21 AM
Re: Someone is probing my sendmail configuration
The problem might not be as bad as I thought.
Here is what the log looks like:
Jan 11 08:27:05 jerusalem sendmail[31321]: i0BER5u31321: from=apache, size=14673, class=0, nrcpts=503, msgid=<200401111427.i0BER5u31321@investmenttool.com>, relay=apache@localhost
Jan 11 08:27:06 jerusalem sendmail[31326]: i0BER5U31326: from=apache, size=14673, class=0, nrcpts=502, msgid=<200401111427.i0BER5U31326@investmenttool.com>, relay=apache@localhost
Jan 11 08:27:06 jerusalem sendmail[31329]: i0BER5U31326: to=natashia627@www.protterstory.com, ctladdr=apache (48/48), delay=00:00:01, xdelay=00:00:00, mailer=esmtp, pri=15074673, relay=www.protterstory.com. [66.92.143.198], dsn=4.0.0, stat=Deferred: Connection refused by www.protterstory.com.
This looks like some kind of spoof based on a cgi formscript.
The formscript has my yahoo account hard coded into it for cgi gateway forms.
Please, sendmail gurus, does this log mean the spam attempt is failing?
Looks like only my yahoo account gets any mail.
SEP
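The original question asked for something that scans the mail logs for problems, and the log excerpt above shows what the problem looks like: a from= line with relay=apache@localhost and nrcpts in the hundreds. The following is an added example (not from this thread or from sendmail itself) that parses lines in that format, flags envelopes submitted by a web server account to far more recipients than a contact form should ever address, and joins them with their to= lines by queue ID so the reader can see whether anything was actually delivered. The sample log text, hostnames, queue IDs, addresses, the WEB_USERS set and the MAX_FORM_RCPTS threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the sendmail log format quoted in the thread.
# Hostnames, queue IDs, addresses and IPs are made up for this example.
SAMPLE_LOG = """\
Jan 11 08:27:05 host sendmail[31321]: i0BER5u31321: from=apache, size=14673, class=0, nrcpts=503, msgid=<x1@example.invalid>, relay=apache@localhost
Jan 11 08:27:06 host sendmail[31329]: i0BER5u31321: to=victim@example.invalid, ctladdr=apache (48/48), delay=00:00:01, xdelay=00:00:00, mailer=esmtp, pri=15074673, relay=mail.example.invalid. [192.0.2.10], dsn=4.0.0, stat=Deferred: Connection refused by mail.example.invalid.
Jan 11 08:30:00 host sendmail[31400]: i0BEU0a31400: from=apache, size=812, class=0, nrcpts=1, msgid=<x2@example.invalid>, relay=apache@localhost
Jan 11 08:30:01 host sendmail[31401]: i0BEU0a31400: to=owner@example.invalid, ctladdr=apache (48/48), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30812, relay=mx.example.invalid. [192.0.2.20], dsn=2.0.0, stat=Sent
Jan 11 09:00:00 host sendmail[31500]: i0BF00b31500: from=root, size=300, class=0, nrcpts=1, msgid=<x3@example.invalid>, relay=root@localhost
"""

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
WEB_USERS = {"apache", "www", "nobody"}  # accounts the web server's CGIs run as (assumption)
MAX_FORM_RCPTS = 5                       # a contact form should never fan out wider than this

def parse_fields(rest):
    """Split 'k=v, k=v, ...' into a dict; the trailing stat= value may contain spaces and colons."""
    fields = {}
    for chunk in rest.split(", "):
        key, sep, value = chunk.partition("=")
        if sep:
            fields[key] = value
    return fields

def find_web_user_bursts(log_text, max_rcpts=MAX_FORM_RCPTS):
    """Flag envelopes submitted as relay=<webuser>@localhost with too many recipients, joined
    (by queue ID) with their to= lines so the delivery outcome of each burst is visible."""
    envelopes, outcomes = {}, defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = parse_fields(m.group("rest"))
        if "from" in f:
            envelopes[m.group("qid")] = f  # one envelope record per queue ID
        elif "to" in f:
            outcomes[m.group("qid")].append((f["to"], f.get("stat", "")))
    flagged = []
    for qid, f in envelopes.items():
        user, _, host = f.get("relay", "").partition("@")
        nrcpts = int(f.get("nrcpts", "0"))
        if user in WEB_USERS and host == "localhost" and nrcpts > max_rcpts:
            delivered = sum(1 for _, stat in outcomes[qid] if stat.startswith("Sent"))
            flagged.append({"qid": qid, "user": user, "nrcpts": nrcpts,
                            "attempted": len(outcomes[qid]), "delivered": delivered})
    return flagged
```

Feed it the text of the real maillog instead of SAMPLE_LOG; a flagged entry with delivered equal to zero is the "attempt is failing" case asked about above, while any non-zero delivered count means the form script did relay mail off the host.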
01-11-2004 04:24 AM
Re: Someone is probing my sendmail configuration
Confused.
SEP
01-11-2004 04:55 AM
Re: Someone is probing my sendmail configuration
Rgds...Geoff
01-11-2004 05:09 AM
Re: Someone is probing my sendmail configuration
I complained to shaw.ca to have his account revoked - as it was a violation of their terms of agreement - but to no avail - so I blocked his ip in my iptables...
His ip: 24.82.81.169
I would block that if I was you.
I also added that to my rc.local:
rc.local:/sbin/route add -host 24.82.81.169 reject
Rgds...Geoff
01-11-2004 01:23 PM
Re: Someone is probing my sendmail configuration
What a pain.
It's nice to know the mail is being rejected.
I think the way to prevent the form script from relaying to the target email address is to read the target email addresses from a file.
That might not help.
I have no idea how to relay mail through anyone else's server. I'm not a really good hacker/spammer I guess.
Don't post a script here. email it to investmenttool@yahoo.com
I'm using that to collect the garbage from the form script.
SEP
01-12-2004 12:44 AM
Re: Someone is probing my sendmail configuration
Have you tried:
http://www.abuse.net/relay.html
It doesn't do a localhost test - but it does try spamtest@yourdomain.com
Rgds...Geoff
01-12-2004 05:36 AM
Re: Someone is probing my sendmail configuration
Since then I've had no problems with the spam, but it doesn't happen every day.
I'm waiting, monitoring, checking out those links and will get back to you.
A hardware problem hung up my main Linux web server this morning and forced an embarrassing mid-day reboot. It was not spam or hacker related.
Once you've actually identified the source IP address of the problem, you can use iptables to block all access.
That also means public access to any public web sites you are running. It's not a step to be taken lightly.
iptables(Linux) is robust but I'm not sure how many ip addresses you can have on the drop list before it starts eating up the whole cpu.
Same thing can be done with different syntax on the ipfilter hp firewall.
I really think HP should port iptables to HP-UX and be done with it. It's a good product.
Here is Geoff's thread:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=364287
Anyone else has ideas, let me know.
SEP
01-13-2004 03:01 AM
Re: Someone is probing my sendmail configuration
Jan 12 18:48:13 dune sendmail[21149]: i0D2mDP5021149:
Jan 12 18:48:13 dune sendmail[21149]: i0D2mDP5021149: from=
Of course, a legitimate email from the MAILER-DAEMON is NOT fully qualified...
So I would explicitly block that
Rgds...Geoff