Senmail MTA open

alman
Regular Advisor

Senmail MTA open

Guys, I need urgent help. Currently I am running Sendmail 8.10.2. I found that my email server is an open relay; a lot of intruders are using my SMTP to send emails. Can anybody help me to close the relay?

Thanks
28 REPLIES
Helen French
Honored Contributor

Re: Senmail MTA open

Hi Alman:

Check this document ( TKB #KBRC00000010 ) about configuring mail relay:

http://us-support2.external.hp.com/cki/bin/doc.pl/sid=b6500252086181cec5/screen=ckiDisplayDocument?docId=200000045145919

HTH,
Shiju

Life is a promise, fulfill it!
alman
Regular Advisor

Re: Senmail MTA open

Thanks Shiju, but I have tried that. There is another message coming from the server: 200.30.128.126 did not issue MAIL/EXPN/VRFY/ETRN. These messages keep on coming. I have tried blocking the IP and the domain names, but other IPs keep on coming.
Hope you understand my problem description.

Thanks in advance
alman
Regular Advisor

Re: Senmail MTA open

The error message is: mailq = 62.131.81.121 did not issue mail/expn/vrfy/etrn during connection to MTA
Jeff Schussele
Honored Contributor

Re: Senmail MTA open

Hi alman,

Here's a good doc on anti-relaying from sendmail.org

http://www.sendmail.org/tips/relaying.html

And here's a good doc on how to use the "check" features in the rulesets.

http://www.sendmail.org/%7Eca/email/check.html

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Michael Elleby III_1
Trusted Contributor

Re: Senmail MTA open

Alman-

I haven't done this in a little while, but you can set up an access database where you can actually regulate the incoming mail by stating if it is OK to do this:

1. Go to the /etc/mail directory and use vi to create a file called 'access' to set up your allowable addresses:

johndoe@company.com OK
imcingular.com RELAY
notthisguy@no.com REJECT

2. Execute the command "makemap hash /etc/mail/access < /etc/mail/access"

3. Stop and restart sendmail.

This should help you keep this under control

Mike
Knowledge Is Power
Christopher Caldwell
Honored Contributor

Re: Senmail MTA open

Relaying is off by default as of sendmail 8.9 and later. If you are actually being used as a relay, that means that you've "undone" the default, or there's something else going on.

Why don't you post your configuration file so we can have a look.

As mentioned in an earlier post, control relaying with the access database.
alman
Regular Advisor

Re: Senmail MTA open

Thanks to Michael and Chris. I am trying that option now by editing the /etc/mail/access database. But the problem is that many IPs keep on coming. For example, if I REJECT
101.0.10.0, then five seconds later it will be
101.10.12.0. I have to edit access.db all the time. Is there any other way?

alman
Regular Advisor

Re: Senmail MTA open

Guys, I have another piece of info. The error message is NOQUEUE 213.131.74.114 did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA. I checked on mail.abuse.org; they are saying it is "tickling dropboxes", used by the spammers.
Michael Elleby III_1
Trusted Contributor

Re: Senmail MTA open

Alman-

Firstly, the NOQUEUE basically means that an incoming connection was initiated, but then dropped... I can see right through this trick used by the spammers. What they are doing here is testing how you have restricted acceptance by the IP addresses they are using and going for certain ranges (So now, it's war.. ).

Since this can become an involved battle to see which range they will try next, add to that that we normally use the access table with the option REJECT, which can indicate to the spammer to try another series of addresses... To combat this, use the DISCARD option instead of REJECT, as this will make the spammer think that the message has gone through, all the while the messages are being discarded. Keep in mind that you can specify a part of an IP address to reject, so you could, per se, use the first octet to see if it will discard these messages. I've never tried using only the first octet in the IP address, but here's a good reason to try; it won't hurt.

Also, Can you go to your /var/adm/syslog/mail.log and get the destination addresses/domains that these messages are going to? If you can narrow it down to where these messages are going, you can create the mailertable to direct certain mail to a specified smtp host and make the message fail, or send it to a host and store these messages for further investigation (hint, hint).

1. Go to /etc/mail directory, use vi to create a file called mailertable.

2. Your entries will look like this:

101.0 smtp:dummyhost.com
101.10 smtp:dummyhost.com

3. Execute the command "makemap dbm /etc/mail/mailertable < /etc/mail/mailertable"

4. Use vi to edit sendmail.cf and uncomment the line that points to the mailertable, i.e.
"Kmailertable dbm /etc/mail/mailertable"

5. Stop and Start Sendmail again.

Let me know if this helps.

P.S. Also, a little visit to your Firewall administrator might not hurt to see if he can catch this traffic at the firewall and reject it..

Mike-
Knowledge Is Power
Christopher Caldwell
Honored Contributor

Re: Senmail MTA open

Hmmmm. I hope you don't mean 101.0.10.0 literally ... I don't see that network available in the global routing table.

gate> show ip route 101.0.10.1
% Network not in table

In the access database, it would be possible to catch a wider range of IPs. For example,
101.0
would match 101.0.*.*.

101.0.10.0 is an IANA reserved netblock:

$ whois -h whois.arin.net 101.0.10.0
IANA (RESERVED-8)
Internet Assigned Numbers Authority
4676 Admiralty Way, Suite 330
Marina del Rey, CA 90292-6695
US

Netname: RESERVED-8
Netblock: 96.0.0.0 - 126.255.255.255

Coordinator:
Internet Corporation for Assigned Names and Numbers (IANA-ARIN) res-ip@iana.org
(310) 823-9358

Record last updated on 03-Nov-1998.
Database last updated on 23-Apr-2002 19:59:40 EDT.
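Mike's advice to mine /var/adm/syslog/mail.log and Chris's note that a partial key such as 101.0 matches 101.0.*.* in the access map can be combined into one step. The script below is an added example, not code from this thread or from sendmail: it counts the NOQUEUE sources in a constructed log sample and collapses them into access-map prefixes ready for makemap. The log lines, hostnames, the two-octet prefix width and the hit threshold are all assumptions for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample of mail.log lines in the shape quoted in the thread
# (hostnames, PIDs and addresses are made up for this example).
SAMPLE_LOG = """\
Apr 23 10:01:02 mx sendmail[4021]: NOQUEUE: 212.166.67.47 did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 23 10:01:07 mx sendmail[4025]: NOQUEUE: 212.166.67.48 did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 23 10:01:09 mx sendmail[4030]: NOQUEUE: 213.131.74.114 did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 23 10:01:12 mx sendmail[4033]: g3N8A1c04033: from=<joe@example.net>, size=1432, relay=mail.example.net [198.51.100.7]
Apr 23 10:01:15 mx sendmail[4036]: NOQUEUE: 212.166.67.47 did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 23 10:01:20 mx sendmail[4040]: NOQUEUE: 62.131.81.121 did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""

# Matches the "connected but sent no command" record sendmail logs as NOQUEUE.
NOQUEUE_RE = re.compile(
    r"NOQUEUE: (\d{1,3}(?:\.\d{1,3}){3}) did not issue MAIL/EXPN/VRFY/ETRN"
)


def noqueue_sources(log_text):
    """Count, per source IP, the sessions that opened and sent no SMTP command."""
    hits = Counter()
    for line in log_text.splitlines():
        m = NOQUEUE_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def prefix(ip, octets):
    """Leading octets of a dotted quad, e.g. prefix('212.166.67.47', 2) -> '212.166'.
    An access-map key of this form matches every host under that prefix."""
    ip_address(ip)  # raises ValueError on a malformed address
    return ".".join(ip.split(".")[:octets])


def access_entries(hits, octets=2, threshold=2, action="DISCARD"):
    """Collapse noisy sources into access-map lines (key, tab, action) for makemap.
    Only prefixes with at least `threshold` hits are emitted, so one stray
    connection does not block a whole range (threshold is an assumed policy)."""
    per_prefix = Counter()
    for ip, n in hits.items():
        per_prefix[prefix(ip, octets)] += n
    return [f"{p}\t{action}" for p, n in sorted(per_prefix.items()) if n >= threshold]


if __name__ == "__main__":
    for entry in access_entries(noqueue_sources(SAMPLE_LOG)):
        print(entry)
```

Review the printed keys before feeding them to makemap: a two-octet key silences every host in that /16, so check the range against whois (as Chris did above) before choosing DISCARD.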



alman
Regular Advisor

Re: Senmail MTA open

Hi Mike,
Thanks for your help:
I will edit my access.db as you say
192.65.0.0 DISCARD
202.45.58.0 DISCARD

I have created the mailertable file, but I don't have this option as
"Kmailertable dbm /etc/mail/mailertable"
Or can I just add it? If I need to add this line, where should I add it under etc: Options or Mailer?
I have other options like mailertriple.

Thanks again.


Michael Elleby III_1
Trusted Contributor

Re: Senmail MTA open

alman-

Can you send me a copy of your sendmail.cf file? Typically, the Kmailertable dbm /etc/mail/mailertable entry is included in this file.

Mike-
Knowledge Is Power
alman
Regular Advisor

Re: Senmail MTA open

Mike, can you give me your email address, please?
alman
Regular Advisor

Re: Senmail MTA open

If you want me to post the cf, which part do you want me to post?
alman
Regular Advisor

Re: Senmail MTA open

Currently I've configured the access db with the DISCARD option; still the same,
other IPs are coming in.
How do I check whether the DISCARD options are working?
alman
Regular Advisor

Re: Senmail MTA open

The error messages like noqueue:
212.166.67.47 MAIl/EXPN/VRFY/ETRN during connection to MTA

are appearing in my server log, but the destination is not there. I can only see the source.
Michael Elleby III_1
Trusted Contributor

Re: Senmail MTA open

Alman,

You can post these files to this thread.. Look for the attachment option below when you go to reply to this message.

Files I would like to look at:

/etc/mail/sendmail.cf
/etc/mail/access
/etc/mail/mailertable
Knowledge Is Power
alman
Regular Advisor

Re: Senmail MTA open

Hi Mike, I have attached those files that you need.
alman
Regular Advisor

Re: Senmail MTA open

Attached another file.
alman
Regular Advisor

Re: Senmail MTA open

access file
Michael Elleby III_1
Trusted Contributor

Re: Senmail MTA open

Alman-

First things first.

It looks like you have a bogus sendmail.cf file. It looks like multiple sendmail.cf's have been concatenated together. If this is in fact your original sendmail.cf file, then do the following:

1. Rename your sendmail.cf file to sendmail.cf.orig
2. Copy a standard sendmail.cf to the '/etc/mail' directory from '/usr/newconfig/etc/mail/sendmail.cf'
3. Modify the new sendmail.cf file accordingly, making sure you set your domain (Dj macro) and specifically the relay host (DS macro) to where mail is supposed to be routed to when it comes in to your server.
4. Rerun the makemap command for the access table that you built
5. (Don't worry about mailertable at this point)
6. start and stop sendmail

Let me know the results.

Mike Elleby
Knowledge Is Power
alman
Regular Advisor

Re: Senmail MTA open

Mike, I have done that. What do you want me to do next?
Michael Elleby III_1
Trusted Contributor

Re: Senmail MTA open

Alman-

What I need to know is, what is going on with your mail flow.

Send me the last 20-30 lines of this file:

/var/adm/syslog/mail.log

Also, your mailertable is incorrect, as you are indicating an inappropriate IP address range and host that is supposed to be handling the mail that you are trying to 'redirect'.

The information I gave you in my example on creating the mailertable was an example, not the actual entries to be made...

Mike-
Knowledge Is Power
alman
Regular Advisor

Re: Senmail MTA open

Mike, I've attached the mail log for you. From this log you can see spammers with different IPs keep on coming.

mydomain is not my original domain. It's an example.
I will modify the mailertable again.