Operating System - Linux

Re: how to handle sendmail spoof

 
K.C. Chan
Trusted Contributor

how to handle sendmail spoof

All,
I am getting spoof email from outside; the from field, fake.user@mydomain, shows that the email is coming from us. How would one counter this sort of spoof? Thanks.
Reputation of a thousand years can be determined by the conduct of an hour
Stuart Browne
Honored Contributor

Re: how to handle sendmail spoof

Does the 'mydomain' exist?

There's an option in the sendmail configuration to not accept mail from unresolvable domains. Start by making sure you don't have that enabled.

Next is to enable spam filtering using spamassassin or some other method.

There should be RPMs for any RedHat/Fedora system to do this, and the instructions are fairly easy to follow.
One long-haired git at your service...
renarios
Trusted Contributor

Re: how to handle sendmail spoof

Hi KC,

To block unwanted domains, I put the following entry in my sendmail.mc:
dnl # Anti spam
FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}', `t')dnl

In that list there are world-wide rejected domains. Very handy dandy!
Don't forget to rebuild your sendmail.cf with the new configuration!

Cheers,

Renarios
Nothing is more successful as failure
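The `enhdnsbl` feature above works by turning the connecting client's address into a DNS query against the list's zone. The following is an added illustration of that lookup, not code from the thread or from sendmail: it reverses the IPv4 octets, appends the zone, asks for an A record, and treats a 127.0.0.x answer as "listed". The resolver is passed in as a parameter so the logic can be exercised offline; the sample addresses and answers are constructed, and the reply text mirrors the message string in Renarios' FEATURE line.

```python
"""Model of the DNS blocklist lookup behind sendmail's enhdnsbl feature.

Added example, not code from the thread or from sendmail. The resolver
is injectable (``resolve``) so the decision logic can be tested without
network access.
"""
import socket
from typing import Callable, Optional

# A resolver maps a hostname to an IPv4 address string, or None if the
# name does not exist (which is how a DNSBL says "not listed").
ResolveFn = Callable[[str], Optional[str]]

# Reply text modelled on the thread's FEATURE line; sendmail expands
# $&{client_addr} to the connecting client's address.
DEFAULT_REPLY = "Spam blocked see: http://spamcop.net/bl.shtml?{client_ip}"


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """'1.2.3.4' against zone 'bl.example' -> '4.3.2.1.bl.example'."""
    octets = client_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {client_ip!r}")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def system_resolve(name: str) -> Optional[str]:
    """Live A-record lookup. Any failure (NXDOMAIN or otherwise) is
    reported as None, i.e. fail-open; the 't' argument in the thread's
    FEATURE line is what makes sendmail tempfail instead on lookup errors."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(client_ip: str, zone: str, resolve: ResolveFn = system_resolve) -> bool:
    """True if the list answers with a 127.0.0.x listing code."""
    answer = resolve(dnsbl_query_name(client_ip, zone))
    # Lists encode the listing reason in the last octet of a 127.0.0.x
    # answer. Anything outside 127/8 (wildcard DNS, a decommissioned
    # list) is deliberately not treated as a listing.
    return answer is not None and answer.startswith("127.")


def check_client(client_ip: str, zone: str,
                 resolve: ResolveFn = system_resolve,
                 reply: str = DEFAULT_REPLY) -> Optional[str]:
    """Return the rejection text the MTA would send, or None to accept."""
    if is_listed(client_ip, zone, resolve):
        return "550 " + reply.format(client_ip=client_ip)
    return None


if __name__ == "__main__":
    # Constructed offline answers: one listed client, one unknown.
    fake_answers = {"5.113.0.203.bl.spamcop.net": "127.0.0.2"}
    for ip in ("203.0.113.5", "198.51.100.9"):
        print(ip, "->", check_client(ip, "bl.spamcop.net", fake_answers.get))
```

With the real `system_resolve` the same `check_client` call performs the live query; swapping in a dictionary's `.get`, as the `__main__` block does, lets you confirm the reversal and classification before trusting the live path.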
K.C. Chan
Trusted Contributor

Re: how to handle sendmail spoof

All,
I am using spamassassin; it catches most of the spam. But if a user is spoofing my sendmail, for example:
the domain which my mail server answers to is "mydomain.com". What happens is mail from outside is faking my mail server out by having the from field set to someuser@mydomain.com. Isn't there something in the sendmail config which makes sure that email from outside of my network that has mydomain.com in it is treated as a spoof email?

Reputation of a thousand years can be determined by the conduct of an hour
Stuart Browne
Honored Contributor

Re: how to handle sendmail spoof

Remove 'mydomain.com' from /etc/mail/access, and re-make the access db (cd /etc/mail; make).

You should only relay based on local-net subnets only, and 'accept' for 'mydomain.com' only (which isn't done in 'access').
One long-haired git at your service...
K.C. Chan
Trusted Contributor

Re: how to handle sendmail spoof

Stuart,
I have done that already, and I noticed two other files which have the mydomain entry in them:

local-host-names
relay-domains

I would think it would be OK to take it out from there? Thanks.
Reputation of a thousand years can be determined by the conduct of an hour
Stuart Browne
Honored Contributor

Re: how to handle sendmail spoof

Remove it from 'relay-domains'... but assuming you've updated Sendmail recently, it should be in use.
One long-haired git at your service...
K.C. Chan
Trusted Contributor

Re: how to handle sendmail spoof

Stuart,
I believe I need "mydomain.com" to be in the "relay-domains" file, otherwise users (users on our network, mydomain.com) will get a 550 error when trying to send mail out.
Reputation of a thousand years can be determined by the conduct of an hour
Steven E. Protter
Exalted Contributor

Re: how to handle sendmail spoof

There are lots of indirect counter measures.

One of the best is to see if the sender has a reverse lookup domain. Here is a thread that tells how to do that.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=450771

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Stuart Browne
Honored Contributor

Re: how to handle sendmail spoof

If it's a recent version of sendmail (i.e. less than 3 years old), then no. You should only need the IPs that the users are sending from in the access as a 'relay'.

If they are sending from the outside world, not just internally, then you need to implement some other verification steps, i.e. SMTP auth for those external connections.
One long-haired git at your service...
K.C. Chan
Trusted Contributor

Re: how to handle sendmail spoof

Stuart,
so if all my servers are NATed, e.g. a network of "192.168.10.", then putting this in the relay-domain file will allow all internal PCs/servers to mail outside of our network and still be able to receive email from outside? This will stop the spoof of "mydomain.com" from outside; if they try, they will get a 550 error? Please confirm before I attempt to modify the relay-domain file. Thanks.
Reputation of a thousand years can be determined by the conduct of an hour
Stuart Browne
Honored Contributor

Re: how to handle sendmail spoof

It should.

But given the names of the files involved, I'd start by updating Sendmail.

Many many versions ago, all the access and relay information was combined into the single database 'access.db' (via 'access'), using the keywords 'RELAY' and 'OK'.

It also has the control to allow 'To:' acceptance i.e. from my box:

xxx.29.19.45 RELAY
xxx.29.19.46 RELAY
To:bekar.xx.xx OK

But I also have my box using SMTPAuth for my mobile phone.. :)
One long-haired git at your service...
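Stuart's post above, and his earlier advice to relay on local-net subnets rather than on 'mydomain.com', come down to one distinction: a connecting client cannot choose its IP address, but it can put any domain it likes in MAIL FROM. The following is an added, deliberately simplified model of how an access file like the one he quotes drives the relay decision; it is not code from the thread or from sendmail. It keeps only what the thread discusses: untagged entries matched against the client IP by longest dotted-prefix (192.168.10.5, then 192.168.10, 192.168, 192) or against a domain by longest suffix, with the values RELAY, OK and REJECT. Relaying on the sender's domain is kept behind a flag, because real sendmail only does that with FEATURE(`relay_mail_from'); Connect:/From:/To: tags, the relay-domains class and DNS checks are left out. The access files, addresses and envelopes are constructed samples.

```python
"""Simplified model of sendmail-style relay decisions from an access file.

Added example, not code from the thread or from sendmail. It exists to
show why relay permission keyed on the client's IP is stronger than
relay permission keyed on the sender domain the client itself supplies.
"""
from typing import Dict, Iterable, Optional

# Constructed sample access files (addresses from documentation ranges).
ACCESS_BY_DOMAIN = """
mydomain.com RELAY   # relay anything claiming to be from/to mydomain.com
"""
ACCESS_BY_SUBNET = """
192.168.10   RELAY   # the NATed office network from the thread
10.10.10     RELAY
203.0.113    REJECT  # constructed: a range we never want to hear from
"""
LOCAL_DOMAINS = ["mydomain.com"]


def parse_access(text: str) -> Dict[str, str]:
    """Parse 'key value' lines; blank lines and '#' comments are ignored."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = line.split(None, 1)
        entries[key.lower()] = value.strip().upper()
    return entries


def match_ip(entries: Dict[str, str], ip: str) -> Optional[str]:
    """Longest-prefix match on dotted octets, most specific entry first."""
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        value = entries.get(".".join(octets[:n]))
        if value is not None:
            return value
    return None


def match_domain(entries: Dict[str, str], domain: str) -> Optional[str]:
    """Longest-suffix match on labels: mail.mydomain.com, mydomain.com, com."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        value = entries.get(".".join(labels[i:]))
        if value is not None:
            return value
    return None


def decide(access_text: str, client_ip: str, mail_from: str, rcpt_to: str,
           local_domains: Iterable[str], sender_relay: bool = False) -> str:
    """Return the SMTP outcome for one envelope as a short reply string."""
    entries = parse_access(access_text)
    sender_domain = mail_from.rsplit("@", 1)[1].lower()
    rcpt_domain = rcpt_to.rsplit("@", 1)[1].lower()
    client_verdict = match_ip(entries, client_ip)

    # A REJECT on the client address wins over everything else.
    if client_verdict == "REJECT":
        return "550 client rejected"

    # Mail for our own users is local delivery, not relaying. The relay
    # check never looks at the sender domain here, which is why a spoofed
    # local sender aimed at local mailboxes needs the other controls in
    # the thread (DNSBL, spamassassin) rather than relay settings.
    if rcpt_domain in {d.lower() for d in local_domains}:
        return "250 accepted for local delivery"

    # Relaying is trusted because of where the connection comes from ...
    if client_verdict == "RELAY":
        return "250 relayed (client address trusted)"
    # ... or, only when explicitly enabled, because of what the client
    # claims as its sender domain. The client controls that claim.
    if sender_relay and match_domain(entries, sender_domain) == "RELAY":
        return "250 relayed (sender domain trusted)"
    return "550 relaying denied"


if __name__ == "__main__":
    outside, inside = "198.51.100.7", "192.168.10.20"
    print(decide(ACCESS_BY_DOMAIN, outside, "fake.user@mydomain.com",
                 "victim@example.org", LOCAL_DOMAINS, sender_relay=True))
    print(decide(ACCESS_BY_SUBNET, outside, "fake.user@mydomain.com",
                 "victim@example.org", LOCAL_DOMAINS))
    print(decide(ACCESS_BY_SUBNET, inside, "alice@mydomain.com",
                 "bob@example.org", LOCAL_DOMAINS))
```

Run as a script it prints three verdicts: an outside host forging a mydomain.com sender is relayed under the domain-keyed file, is refused with a 550 under the subnet-keyed file, and an inside host on 192.168.10 is relayed as before. The same outside host sending a forged sender to a local mailbox is accepted for local delivery under both files, which is the case the relay configuration alone does not cover.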
K.C. Chan
Trusted Contributor

Re: how to handle sendmail spoof

Stuart,
in the relay-domain file, could I use something like: "192.168.10." and "10.10.10." in place of "mydomain.com"? Thanks.
Reputation of a thousand years can be determined by the conduct of an hour
Stuart Browne
Honored Contributor

Re: how to handle sendmail spoof

That should be fine, yes.

Just don't forget to re-make the hash-databases after changing the contents.
One long-haired git at your service...
K.C. Chan
Trusted Contributor

Re: how to handle sendmail spoof

Thanks,
I will see if I can make the changes today; will let you know how it goes.
Reputation of a thousand years can be determined by the conduct of an hour