Re: spam from my server?

Fred Martin_1
Valued Contributor

spam from my server?

My unix server HP-UX 11, runs sendmail. I also have an NT4.0 webserver, which runs SMTP so that browsers on our website can send email (via the webpages) to internal addresses.

Recently we started receiving spam emails, appearing to come from our webserver. Today some users on my network are getting spam emails apparently coming from me.

I realize the "from address" could be spoofed and that they may not actually be sent from either of my servers, but I need to know.

I'm not sure where to begin looking; I know that my sendmail server cannot relay, but that's all I know.

Any assistance would be welcome, particularly if this has happened to you.
fmartin@applicatorssales.com
Christopher Caldwell
Honored Contributor
Solution

Re: spam from my server?

The full headers of the e-mail will show the entire e-mail path.

Look at an e-mail with vi/more or figure out how to show full headers in your POPmail client.
Vincent Fleming
Honored Contributor

Re: spam from my server?

An NT server sending spam sounds like a virus.... a common thing with Windoze. Have you virus-checked it?
No matter where you go, there you are.
Fred Martin_1
Valued Contributor

Re: spam from my server?

Doh! We hadn't gotten around to installing A-V software on it yet; it's not in the same domain as our other PCs/Servers, and so didn't fit our "corporate A-V" solution. We're installing it now however.

Meantime, I closed a door in the firewall, too, although I'm not certain that's where the compromise came from. I watched the logs pretty closely. I had allowed a consultant to ftp to the server from the internet. Yeah, I know, vanilla ftp is insecure. Anyway - no more, I shut that door.
fmartin@applicatorssales.com
John Dvorchak
Honored Contributor

Re: spam from my server?

When I have ever had issues about what sendmail is doing, I refer to the:
/var/adm/syslog/mail.log
Reading the log can be somewhat boring, but then what log is fun to read. If your HPUX box is being used for the "Spam email" then there will be an entry in the mail.log file for each mail that it sends/receives. At least this will tell you if your box is the culprit and whether you really have "relay" turned off.
Good luck,
John
If it has wheels or a skirt, you can't afford it.
Ulrich Deiters
Frequent Advisor

Re: spam from my server?

Check your mail configuration file for protection against relaying. I have had a rather ugly case myself with a new workstation shipped with a pre-installed HP-UX: the mail daemon was the latest version, but its configuration files were not ... You can test your relay protection at http://www.abuse.net/relay.html
Fred Martin_1
Valued Contributor

Re: spam from my server?

sendmail is properly denying relays. I don't see any spurious messages in my mail.log, about any of this outgoing spam. So I'm strongly inclined to think that the NT webserver, which is running SMTP, is where the email is being generated.
fmartin@applicatorssales.com
Fred Martin_1
Valued Contributor

Re: spam from my server?

I finally received one of the emails myself - apparently sent by me - here's the whole header...

>From fmartin@applicatorssales.com Tue Jul 2 13:32:40 EDT 2002
Received: from ARouen-102-1-2-200.abo.wanadoo.fr (ARouen-102-1-2-200.abo.wanadoo.fr [80.11.95.200])
by corp.applicatorssales.com (8.9.3 (PHNE_24419)/8.9.3) with SMTP id NAA01654;
Tue, 2 Jul 2002 13:32:32 -0400 (EDT)
X-Authentication-Warning: corp.applicatorssales.com: ARouen-102-1-2-200.abo.wanadoo.fr [80.11.95.200] didn't use HELO protocol
Message-Id: <3J2Q2.9L2L2W2IKAH.fmartin@applicatorssales.com>
From: fmartin@applicatorssales.com
Received: from applicatorssales.com by OW63EH3.applicatorssales.com with SMTP for fmartin@applicatorssales.com; Tue, 02 Jul 2002 13:36:13 -0500
Date: Tue, 02 Jul 2002 13:36:13 -0500
MIME-Version: 1.0
Subject: You're Paying Too Much

----
So maybe I'm wrong about my server not relaying? 80.11.95.200 seems to be the origination IP... and the "received from OW63EH3.applicatorssales.com" is bogus.

fmartin@applicatorssales.com
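One way to read a header like the one above mechanically, as an added example that is not part of the thread: it treats the Received line stamped by your own sendmail as the trusted hop, takes that hop's "from" as the real origin, and flags any inner Received line whose timestamp is later than the trusted hop (as the OW63EH3 line above is). The sample header is a constructed copy of the one quoted above, and corp.applicatorssales.com is assumed to be the poster's own host.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the header quoted in the thread. The outer
# Received line is the one the local sendmail stamped; the inner one is
# whatever the sending side chose to put there.
SAMPLE = """\
Received: from ARouen-102-1-2-200.abo.wanadoo.fr (ARouen-102-1-2-200.abo.wanadoo.fr [80.11.95.200])
\tby corp.applicatorssales.com (8.9.3 (PHNE_24419)/8.9.3) with SMTP id NAA01654;
\tTue, 2 Jul 2002 13:32:32 -0400 (EDT)
From: fmartin@applicatorssales.com
Received: from applicatorssales.com by OW63EH3.applicatorssales.com with SMTP for fmartin@applicatorssales.com; Tue, 02 Jul 2002 13:36:13 -0500
Date: Tue, 02 Jul 2002 13:36:13 -0500
Subject: You're Paying Too Much

body
"""

# from <host> [(<comment with [ip]>)] by <host> ... ; <date>
RECEIVED_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+).*?;\s*(.+)$", re.S)

def parse_received(raw):
    """Return the Received hops, outermost (most recently added) first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if not m:
            continue
        ip = re.search(r"\[(\d+\.\d+\.\d+\.\d+)\]", m.group(2) or "")
        hops.append({"from": m.group(1), "ip": ip.group(1) if ip else None,
                     "by": m.group(3), "time": parsedate_to_datetime(m.group(4).strip())})
    return hops

def first_trusted_hop(hops, trusted_hosts):
    """Only hops stamped by a host you control can be believed; the first
    such hop's 'from' is the real origin. Everything further in is sender-supplied."""
    for i, h in enumerate(hops):
        if h["by"] in trusted_hosts:
            return i, h
    return None, None

def inner_hops_look_forged(hops, idx):
    """Sender-supplied hops must precede the trusted hop in time; a later
    timestamp further in means the line was fabricated."""
    trusted_time = hops[idx]["time"]
    return any(h["time"] > trusted_time for h in hops[idx + 1:])
```

The same split into trusted and sender-supplied hops works on any header: start from the top and stop at the first Received line your own MTA wrote.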
Fred Martin_1
Valued Contributor

Re: spam from my server?

I created my sendmail.cf file with /usr/newconfig/etc/mail/cf/cf/gen_cf

I chose these options:

2 Relay OFF
6 Access DB

And in the access DB is the first three octets of my internal network address, like:

192.10.10 RELAY

fmartin@applicatorssales.com
Christopher Caldwell
Honored Contributor

Re: spam from my server?

Much of the e-mail header looks suspect. If you don't own
ARouen-102-1-2-200.abo.wanadoo.fr
I'd say the spam originated from there. They may be using you as the from address (forged) because they don't want the bounce if there's a non-delivery opportunity. They may be using you as the to address because they're spamming you.

Apparently this isn't a relay issue (there's no relay if you're the final recipient). To fix something like this, you have to add a reject rule for ARouen-102-1-2-200.abo.wanadoo.fr in the access database, block access for ARouen-102-1-2-200.abo.wanadoo.fr at a network or computer device, or subscribe to one of the blackhole lists and hope they include ARouen-102-1-2-200.abo.wanadoo.fr
Fred Martin_1
Valued Contributor

Re: spam from my server?

Black hole lists? Not familiar with those.
fmartin@applicatorssales.com
Christopher Caldwell
Honored Contributor

Re: spam from my server?