Operating System - HP-UX

Someone is probing my sendmail configuration

Steven E. Protter
Exalted Contributor

I've been watching my sendmail configuration closely since my problems resulted in a Security Bulletin, which I still owe HP some information on.

I've followed all the rules, been tight with permissions, worked on access file, run Bastille on the configuration.

Yet I'm still being probed and mail is being relayed once in a while. Though the success rate is less than 1%, it's unacceptable.

I'd like to get some help on the following:

1) Scripts that probe my sendmail configuration as if they were an outsider and report possible vulnerabilities. In essence I want to run tools the spammers use and close the holes before they use them.

2) Any suggestions or scripts for scanning the mail logs to detect problems.

My most recent problem was this:

localhost was in my /etc/mail/access file

This seemed reasonable until I got spam on my yahoo account from my own server from apache@mydomain.com

The mail log showed the mail was sent to apache@localhost relay style.

I didn't know outsiders could take advantage of localhost, but a good probe script would have helped.

Thanks in advance for your help.

Reasonable help will be rewarded significantly.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
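An added example for item 1 of the post above (it is not the poster's code, nor code from any tool linked in this thread): a small open-relay probe that speaks just enough SMTP to learn whether a server would accept an outside sender for an outside recipient, then RSETs and QUITs without ever sending DATA. It tries the plain outsider-to-outsider pair and the "claim to be local" variants (MAIL FROM:<apache@localhost>, <root@localhost>) that the thread keeps coming back to. So that it runs offline, it includes a throwaway in-process stand-in for the server; that stand-in is an assumption, not real sendmail, and models exactly one misconfiguration: an untagged `localhost RELAY` entry in the access map, which applies to the sender's domain as much as to the recipient's, so anyone who claims a localhost sender gets to relay. Host, port and the example.net/example.org addresses are assumptions. Point the real probe only at servers you are responsible for.

```python
"""Open-relay probe (added example; not from the thread or any linked tool).
The stand-in server below is an assumption that models one sendmail
misconfiguration: an untagged 'localhost RELAY' access entry."""
import socket
import threading

def _read_reply(rfile):
    """Read one SMTP reply (continuation lines are 'NNN-'); return (code, last line)."""
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) >= 4 and line[3] == " ":
            return int(line[:3]), line

RELAY_TESTS = [
    # (MAIL FROM, RCPT TO): outsider->outsider, then 'pretend to be local' variants
    ("probe@example.net", "probe@example.org"),
    ("apache@localhost", "probe@example.org"),
    ("root@localhost", "probe@example.org"),
]

def probe_relay(host, port, tests=RELAY_TESTS, helo="probe.example.net", timeout=10):
    """Return ({(sender, rcpt): accepted}, transcript). accepted=True means the
    server answered RCPT TO with 2xx, i.e. it would relay for that envelope."""
    results, transcript = {}, []
    with socket.create_connection((host, port), timeout=timeout) as s:
        rfile = s.makefile("rb")

        def cmd(text):
            transcript.append("C: " + text)
            s.sendall((text + "\r\n").encode("ascii"))
            code, line = _read_reply(rfile)
            transcript.append("S: " + line)
            return code

        transcript.append("S: " + _read_reply(rfile)[1])      # greeting
        if cmd(f"HELO {helo}") // 100 != 2:
            cmd("QUIT")
            return results, transcript
        for sender, rcpt in tests:
            if cmd(f"MAIL FROM:<{sender}>") // 100 != 2:
                results[(sender, rcpt)] = False
            else:
                results[(sender, rcpt)] = cmd(f"RCPT TO:<{rcpt}>") // 100 == 2
            cmd("RSET")            # drop the envelope; nothing is ever queued
        cmd("QUIT")
    return results, transcript

def fake_sendmail(untagged_localhost_relay, local_domains=("jerusalem.example",)):
    """Throwaway stand-in on 127.0.0.1 (assumption, not real sendmail). Accepts
    RCPT for local domains; relays for anybody only when the sender domain is
    'localhost' and the untagged access entry is in effect. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        sender_domain = ""
        with conn, conn.makefile("rb") as rf:
            conn.sendall(b"220 jerusalem.example ESMTP ready\r\n")
            for raw in rf:
                line = raw.decode("ascii", "replace").strip()
                verb = line.split(":", 1)[0].upper()
                if verb == "QUIT":
                    conn.sendall(b"221 closing\r\n")
                    break
                if verb == "MAIL FROM":
                    sender_domain = line.rsplit("@", 1)[1].strip("<>").lower() if "@" in line else ""
                    conn.sendall(b"250 sender ok\r\n")
                elif verb == "RCPT TO":
                    rcpt_domain = line.rsplit("@", 1)[-1].strip("<>").lower()
                    if rcpt_domain in local_domains or (untagged_localhost_relay and sender_domain == "localhost"):
                        conn.sendall(b"250 recipient ok\r\n")
                    else:
                        conn.sendall(b"550 5.7.1 Relaying denied\r\n")
                else:                                       # HELO, RSET, anything else
                    if verb == "RSET":
                        sender_domain = ""
                    conn.sendall(b"250 ok\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    port = fake_sendmail(untagged_localhost_relay=True)
    results, transcript = probe_relay("127.0.0.1", port)
    print("\n".join(transcript))
    for (sender, rcpt), accepted in results.items():
        print(f"{sender} -> {rcpt}: {'RELAYED' if accepted else 'denied'}")
```

Against the stand-in with the untagged entry in effect, the outsider pair is refused but both localhost senders are accepted, which is the shape of a relay hole that a plain outsider-to-outsider test never sees. The same probe against a real server reports only what RCPT TO answers; a 2xx there is the finding, and RSET means no message is queued on the target.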
Steven E. Protter
Exalted Contributor

Re: Someone is probing my sendmail configuration

With regards to the specific problem:

There is no localhost entry in /etc/access
sendmail 8.11

Yet the logs still show root cron's mail with these types of entries

relay=root@localhost

Since my specific problem is still present, I'd like to know how to do the following:

stop mail with relay=apache@localhost while still enabling my websites to send mailforms and such.

I'm thinking about adding a DEFER entry to access:

apache@localhost DEFER
root@localhost DEFER

Don't want to block up root cron's mail though.

SEP
Steven E. Protter
Exalted Contributor

Re: Someone is probing my sendmail configuration

Does anyone know why, when sending mail as a local user, say root cron, there is an entry in the mail.log file with the text relay=root@localhost?

I think this is a security problem. I think spammers are using root@localhost and apache@localhost to push spam through sendmail.

SEP
Geoff Wild
Honored Contributor

Re: Someone is probing my sendmail configuration

Are you using the spam filters I mentioned in:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=315767

Or direct:

http://www.visi.com/~hawkeyd/spamfilters.html


In it, there is a

SCheckLocal

# record the address
R$* $: $(storein {TestAddr} $@ $1 $) $1
# focus on host and domain
R$* < @ $+ . > $* $1 < @ $2 > $3
R$* < @ $+ > $* $: $2
# validate: local user, host, host and domain, domain, or remote
R$&{TestAddr} $@ LOCAL $&{TestAddr}
R127 . 0 . 0 . 1 $@ LOCAL 127 . 0 . 0 . 1
Rlocalhost $@ LOCAL localhost
R$+ . $m $@ LOCAL $&{TestAddr}
R$m $@ LOCAL $&{TestAddr}
R$* $@ $&{TestAddr}

I see a lot of spam attempts at my server - the localhost ones are rejected....unless they are mine...

My biggest beef is:

--------------------- sendmail Begin ------------------------



329 unidentified unknown users

Unknown users:
AGBfMJ@mydomain.ca: 1 Times(s)
AZzoR@mydomain.ca: 1 Times(s)
Avx@mydomain.ca: 1 Times(s)
AxJV@mydomain.ca: 1 Times(s)
BFfpl@mydomain.ca: 1 Times(s)

etc...etc......every day...

The spammer is sending test messages off of open relays...with from=<> as quick as every 15 seconds....what a waste of my cpu...

Rgds...Geoff

Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Steven E. Protter
Exalted Contributor

Re: Someone is probing my sendmail configuration

I think that the testing methodology you point at, Geoff, is what is being done to my server.

I have the server locked down pretty tightly.

I'm a heavy user of the sendmail.mc file. I use every spam option that works in there.

I'm looking into your links and may come back with further questions.

Thanks for answering Sir.

SEP
Steven E. Protter
Exalted Contributor

Re: Someone is probing my sendmail configuration

Working on the Spamfilter product.

It is unclear at this time whether this will stop relay using apache@localhost and root@localhost

It is extremely urgent that I find a way to shut this down.

SEP
Geoff Wild
Honored Contributor

Re: Someone is probing my sendmail configuration

I can't confirm against my server - due to my access - do you want to try it?

My server:

www.met.ca

Rgds...Geoff
Steven E. Protter
Exalted Contributor

Re: Someone is probing my sendmail configuration

It's very interesting.

The problem might not be as bad as I thought.

Here is what the log looks like:

Jan 11 08:27:05 jerusalem sendmail[31321]: i0BER5u31321: from=apache, size=14673, class=0, nrcpts=503, msgid=<200401111427.i0BER5u31321@investmenttool.com>, relay=apache@localhost
Jan 11 08:27:06 jerusalem sendmail[31326]: i0BER5U31326: from=apache, size=14673, class=0, nrcpts=502, msgid=<200401111427.i0BER5U31326@investmenttool.com>, relay=apache@localhost
Jan 11 08:27:06 jerusalem sendmail[31329]: i0BER5U31326: to=natashia627@www.protterstory.com, ctladdr=apache (48/48), delay=00:00:01, xdelay=00:00:00, mailer=esmtp, pri=15074673, relay=www.protterstory.com. [66.92.143.198], dsn=4.0.0, stat=Deferred: Connection refused by www.protterstory.com.


This looks like some kind of spoof based on a cgi formscript.

The formscript has my yahoo account hard coded into it for cgi gateway forms.

Please, sendmail gurus, does this log mean the spam attempt is failing?

Looks like only my yahoo account gets any mail.

SEP
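An added example serving both item 2 of the opening post (scripts that scan the mail log for problems) and the question asked about the log excerpt above; it is not the poster's code or anything from the linked filters. It parses sendmail's from=/to= records, groups them by queue ID and reports two things: messages injected locally by the web-server user with a large recipient count (relay=apache@localhost with nrcpts in the hundreds, the formmail pattern in the excerpt), and messages that arrived over SMTP from a foreign sender and were delivered onward to a foreign domain, which is what an actual relay looks like in the log. The sample log is constructed: its first three lines are modelled on the excerpt above, the rest (a root cron message that must not be flagged, and one relayed message) are made up, and the hostnames, IPs, queue IDs and the local-domain list are assumptions.

```python
"""Sendmail mail.log scanner (added example; not from the thread).
SAMPLE_LOG is constructed; lines 1-3 are modelled on the thread's excerpt."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jan 11 08:27:05 jerusalem sendmail[31321]: i0BER5u31321: from=apache, size=14673, class=0, nrcpts=503, msgid=<200401111427.i0BER5u31321@investmenttool.com>, relay=apache@localhost
Jan 11 08:27:06 jerusalem sendmail[31326]: i0BER5U31326: from=apache, size=14673, class=0, nrcpts=502, msgid=<200401111427.i0BER5U31326@investmenttool.com>, relay=apache@localhost
Jan 11 08:27:06 jerusalem sendmail[31329]: i0BER5U31326: to=natashia627@www.protterstory.com, ctladdr=apache (48/48), delay=00:00:01, xdelay=00:00:00, mailer=esmtp, pri=15074673, relay=www.protterstory.com. [66.92.143.198], dsn=4.0.0, stat=Deferred: Connection refused by www.protterstory.com.
Jan 11 08:30:01 jerusalem sendmail[31402]: i0BEU1a31402: from=root, size=312, class=0, nrcpts=1, msgid=<200401111430.i0BEU1a31402@jerusalem.example>, relay=root@localhost
Jan 11 08:30:01 jerusalem sendmail[31403]: i0BEU1a31402: to=root, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30312, dsn=2.0.0, stat=Sent
Jan 11 09:02:17 jerusalem sendmail[31550]: i0BF2Hq31550: from=<bulk@example.net>, size=2210, class=0, nrcpts=1, msgid=<200401111502.x1@example.net>, proto=SMTP, daemon=MTA, relay=[203.0.113.5]
Jan 11 09:02:18 jerusalem sendmail[31552]: i0BF2Hq31550: to=<victim@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=32210, relay=mx.example.org. [203.0.113.9], dsn=2.0.0, stat=Sent (ok)
"""

# "Jan 11 08:27:05 jerusalem sendmail[31321]: i0BER5u31321: key=value, key=value, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\ssendmail\[(?P<pid>\d+)\]:\s"
    r"(?P<qid>[A-Za-z0-9]+):\s(?P<rest>.*)$"
)

def parse_line(line):
    """Return the record's fields as a dict, or None for lines without a queue ID."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "pid": m["pid"], "qid": m["qid"]}
    for tok in m["rest"].split(", "):        # sendmail separates fields with ", "
        key, sep, val = tok.partition("=")   # split at the first "=" only
        if sep:
            rec[key] = val
    return rec

def _domain(addr):
    addr = addr.strip("<>")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def analyse(lines, web_users=("apache", "www", "nobody"), max_rcpts=50,
            local_domains=("localhost", "jerusalem.example")):
    """Group records by queue ID and return a list of findings (dicts)."""
    msgs = defaultdict(lambda: {"from": None, "to": []})
    for rec in filter(None, map(parse_line, lines)):
        if "from" in rec:
            msgs[rec["qid"]]["from"] = rec
        elif "to" in rec:
            msgs[rec["qid"]]["to"].append(rec)

    findings = []
    for qid, m in msgs.items():
        f = m["from"]
        if f is None:
            continue                          # from= record fell outside this log slice
        relay = f.get("relay", "")
        nrcpts = int(f.get("nrcpts", "0"))
        outcomes = {}                         # first word of stat=: Sent, Deferred, User ...
        for t in m["to"]:
            status = (t.get("stat", "").split() or ["?"])[0].rstrip(":")
            outcomes[status] = outcomes.get(status, 0) + 1

        # 1. injected locally (relay=user@localhost) by the web server's user, in bulk
        if relay.endswith("@localhost"):
            user = relay.split("@", 1)[0]
            if user in web_users and nrcpts > max_rcpts:
                findings.append({"kind": "bulk_local_submission", "qid": qid, "user": user,
                                 "nrcpts": nrcpts, "outcomes": outcomes})
            continue

        # 2. arrived over SMTP from a foreign sender, delivered onward to a foreign domain
        delivered_abroad = [t["to"] for t in m["to"]
                            if t.get("mailer") in ("esmtp", "smtp", "relay")
                            and t.get("stat", "").startswith("Sent")
                            and _domain(t["to"]) not in local_domains]
        if delivered_abroad and _domain(f["from"]) not in local_domains:
            findings.append({"kind": "remote_relay", "qid": qid, "from": f["from"],
                             "via": relay, "to": delivered_abroad, "outcomes": outcomes})
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the sample, the two apache@localhost messages are reported with nrcpts 503 and 502, the root cron message is not, and the message from [203.0.113.5] to example.org is reported as a relay. Two things the report makes visible that the raw lines do not: nrcpts is the recipient count the message was accepted with, so the outcome column for i0BER5U31326 showing only one "Deferred" says that delivery to that one host is queued for retry, not that the other 501 recipients went away; and the sender-domain test in rule 2 is a prioritisation aid only, since an envelope sender is trivially forged and what actually decides relaying is the access map and the connecting host.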
Steven E. Protter
Exalted Contributor

Re: Someone is probing my sendmail configuration

What should I try, Geoff?

Confused.

SEP
Geoff Wild
Honored Contributor

Re: Someone is probing my sendmail configuration

Just try sending email as root@localhost through my server...

Rgds...Geoff