HPE Community
Operating System - Linux
1820882 Members
3566 Online
109628 Solutions
New Discussion юеВ

how to handle sendmail spoof

 
K.C. Chan
Trusted Contributor

тАО04-29-2005 04:14 AM

тАО04-29-2005 04:14 AM

how to handle sendmail spoof

All,
I am getting spoof email from outside, the from field: fake.user@mydomain, shows that the email is coming from us; how would one counter measure this sort of spoof? Thanks.
Reputation of a thousand years can be determined by the conduct of an hour
0 Kudos
Reply
14 REPLIES 14
Stuart Browne
Honored Contributor

тАО04-29-2005 11:40 AM

тАО04-29-2005 11:40 AM

Re: how to handle sendmail spoof

Does the 'mydomain' exist?

There's an option in the sendmail configuration to not accept mail from unresolvable domains. Start by making sure you don't have that enabled.

Next is to enable spam filtering using spamassassin or some other method.

There should be RPM's for any RedHat/Fedora system to do this, and the instructions are fairly easy to follow.
One long-haired git at your service...
0 Kudos
Reply
renarios
Trusted Contributor

тАО04-29-2005 11:50 PM

тАО04-29-2005 11:50 PM

Re: how to handle sendmail spoof

Hi KC,

To block unwanted domains, I put the following entry in my sendmail.mc:
dnl # Anti spam
FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}', `t')dnl

In that list there are world-wide rejected domains. Very handy dandy!
Don't forget to rebuild your sendmail.cf with the new configuration!

Cheers,

Renarios
Nothing is more successfull as failure
0 Kudos
Reply
K.C. Chan
Trusted Contributor

тАО04-30-2005 02:46 AM

тАО04-30-2005 02:46 AM

Re: how to handle sendmail spoof

All,
I am using spamassassin, it catches most of the spam. But if a user is spoofing my sendmail, for example:
the domain which my mail server answer to is "mydomain.com". What happen is mail from outside is faking my mail server out by having the from field set to someuser@mydomain.com. Isn't there something in the sendmail config which makes sure that email from outside of my network that have mydomain.com in it is a spoof email?

Reputation of a thousand years can be determined by the conduct of an hour
0 Kudos
Reply
Stuart Browne
Honored Contributor

тАО04-30-2005 03:47 AM

тАО04-30-2005 03:47 AM

Re: how to handle sendmail spoof

remove 'mydomain.com' from /etc/mail/access, and re-make the access db (cd /etc/mail;make).

You should only relay based on local-net subnet's only, and 'accept' for 'mydomain.com' only (which isn't done in 'access').
One long-haired git at your service...
0 Kudos
Reply
K.C. Chan
Trusted Contributor

тАО05-01-2005 02:21 AM

тАО05-01-2005 02:21 AM

Re: how to handle sendmail spoof

Stuart,
I have done that already, and I noticed two other which have the mydomain entry in it:

local-host-names
relay-domains

I would think it would be o.k to take it out from there? Thanks.
Reputation of a thousand years can be determined by the conduct of an hour
0 Kudos
Reply
Stuart Browne
Honored Contributor

тАО05-01-2005 11:58 AM

тАО05-01-2005 11:58 AM

Re: how to handle sendmail spoof

Remove it from 'relay-domains'.. but assuming you've updated Sendmail recently, it should be in use.
One long-haired git at your service...
0 Kudos
Reply
K.C. Chan
Trusted Contributor

тАО05-02-2005 05:34 AM

тАО05-02-2005 05:34 AM

Re: how to handle sendmail spoof

Stuart,
I believe I need "mydomain.com" to be in "relay-domains" file, otherwise user (users on our network, mydomain.com) will get 550 error when trying to send mail out.
Reputation of a thousand years can be determined by the conduct of an hour
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

тАО05-02-2005 08:34 AM

тАО05-02-2005 08:34 AM

Re: how to handle sendmail spoof

There are lots of indirect counter measures.

One of the best is to see if the sender has a reverse lookup domain. Here is a thread that tells how to do that.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=450771

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Stuart Browne
Honored Contributor

тАО05-02-2005 01:10 PM

тАО05-02-2005 01:10 PM

Re: how to handle sendmail spoof

If it's a recent version of sendmail (i.e. less than 3 years old), then no. you should only need the IP's that the users are sending from in the access as a 'relay'.

If they are sending from the outside world, not just internally, then you need to implement some other verification steps, i.e. SMTP auth for those external connections.
One long-haired git at your service...
0 Kudos
Reply
K.C. Chan
Trusted Contributor

тАО05-03-2005 02:58 AM

тАО05-03-2005 02:58 AM

Re: how to handle sendmail spoof

Stuart,
so if all my servers are NATED, e.g: network of "192.168.10.", then putting this in the relay-domain file will allow all internal pc/servers to mail outside of our network and still be able to recieve email from outside? This will stop the spoof of "mydomain.com" from outside, if they try, they will get a 550 error? Please confirm before I attempt to modify the relay-domain file. Thanks.
Reputation of a thousand years can be determined by the conduct of an hour
0 Kudos
Reply
Stuart Browne
Honored Contributor

тАО05-03-2005 12:26 PM

тАО05-03-2005 12:26 PM

Re: how to handle sendmail spoof

It should.

But given the names of the files involved, I'd start by updating Sendmail.

Many many versions ago, all the access and relay information was combined into the single database 'access.db' (via 'access'), using the keywords 'RELAY' and 'OK'.

It also has the control to allow 'To:' acceptance i.e. from my box:

xxx.29.19.45 RELAY
xxx.29.19.46 RELAY
To:bekar.xx.xx OK

But I also have my box using SMTPAuth for my mobile phone.. :)
One long-haired git at your service...
0 Kudos
Reply
K.C. Chan
Trusted Contributor

тАО05-04-2005 10:14 AM

тАО05-04-2005 10:14 AM

Re: how to handle sendmail spoof

Stuart,
in the relay-domain file, could I use something like: "192.168.10." and "10.10.10." in place of "mydomain.com"? Thanks.
Reputation of a thousand years can be determined by the conduct of an hour
0 Kudos
Reply
Stuart Browne
Honored Contributor

тАО05-04-2005 12:24 PM

тАО05-04-2005 12:24 PM

Re: how to handle sendmail spoof

That should be fine, yes.

Just don't forget to re-make the hash-databases after changing the contents.
One long-haired git at your service...
0 Kudos
Reply
K.C. Chan
Trusted Contributor

тАО05-05-2005 01:29 AM

тАО05-05-2005 01:29 AM

Re: how to handle sendmail spoof

Thanks,
I will see if I can make the changes Today; will let you know it goes.
Reputation of a thousand years can be determined by the conduct of an hour
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.