LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
Old 11-19-2003, 05:21 AM   #1
vittibaby
LQ Newbie
 
Registered: Aug 2003
Posts: 19

Rep: Reputation: 0
Forged Email address from my domain!


Someone forged an email address from my domain (e.g. admin@mydomain.com) and sent a mail to one of my users (e.g. user@mydomain.com). The email attachment contains a virus!!!

I reviewed the email logs and found the following:

Nov 19 15:28:44 mail sendmail[28805]: xxxxx: from=<admin@mydomain.com>, size=xxxx, class=0, nrcpts=1, msgid=<xxxx.xxxx@mydomain.com>, protocol=SMTP, daemon=MTA, relay=<a host name> [an IP address]

Not sure if I should disclose the relay info here...

A few questions which I hope you can help me out:

- How to prevent this in the future?
- How can this be done? Apparently, it's simple?!!?
- Should I do something to follow up on this incident?

Thank you for all your help!!! Much Much Much appreciated!!!

Vittibaby
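As an added example (not code from this thread), here is a small Python script that parses sendmail log lines in the format quoted above and flags messages whose envelope sender is in your own domain but whose relay lies outside your own networks. The domain mydomain.com is taken from the post; the queue ids, hostnames and IP addresses in the sample lines are constructed, and the trusted networks are assumed to be the loopback range and 192.168.1.0/24.

```python
import ipaddress
import re

# Constructed sendmail log lines in the format quoted in the thread.
# Queue ids, hostnames and IP addresses are made up; mydomain.com is
# the domain from the post.
SAMPLE_LOG = [
    # forged: claims admin@mydomain.com but arrived from an outside address
    "Nov 19 15:28:44 mail sendmail[28805]: QID00001: from=<admin@mydomain.com>, size=2048, "
    "class=0, nrcpts=1, msgid=<QID00001@mydomain.com>, protocol=SMTP, daemon=MTA, "
    "relay=dsl-45.example.net [203.0.113.45]",
    # genuine: same sender, submitted from the internal LAN
    "Nov 19 15:30:02 mail sendmail[28811]: QID00002: from=<admin@mydomain.com>, size=512, "
    "class=0, nrcpts=1, msgid=<QID00002@mydomain.com>, protocol=SMTP, daemon=MTA, "
    "relay=pc20.mydomain.com [192.168.1.20]",
    # outside sender from an outside address: ordinary inbound mail, not flagged
    "Nov 19 15:31:17 mail sendmail[28819]: QID00003: from=<friend@example.org>, size=1024, "
    "class=0, nrcpts=1, msgid=<QID00003@example.org>, protocol=SMTP, daemon=MTA, "
    "relay=mx.example.org [198.51.100.7]",
    # a to= line: not a from= line, so the parser ignores it
    "Nov 19 15:28:45 mail sendmail[28806]: QID00001: to=<user@mydomain.com>, delay=00:00:01, "
    "xdelay=00:00:00, mailer=local, pri=32048, dsn=2.0.0, stat=Sent",
]

# Matches a from= line: queue id, envelope sender, relay name and address.
# Lines whose relay carries no bracketed address (local submissions) do not match.
FROM_LINE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\S+): from=<(?P<sender>[^>]*)>.*?"
    r"relay=(?P<relay_host>\S+) \[(?P<relay_ip>[^\]]+)\]"
)


def parse_from_line(line):
    """Return a dict with qid, sender, relay_host and relay_ip, or None."""
    m = FROM_LINE.search(line)
    return m.groupdict() if m else None


def is_forged_local_sender(rec, local_domain, trusted_nets):
    """True when the sender claims local_domain but arrived from outside trusted_nets."""
    if not rec["sender"].lower().endswith("@" + local_domain.lower()):
        return False
    try:
        ip = ipaddress.ip_address(rec["relay_ip"].strip())
    except ValueError:
        return True  # relay address we cannot parse: do not trust it
    return not any(ip in net for net in trusted_nets)


def scan_log(lines, local_domain, trusted_cidrs):
    """Return (qid, sender, relay_ip) for every from= line that is flagged."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    flagged = []
    for line in lines:
        rec = parse_from_line(line)
        if rec and is_forged_local_sender(rec, local_domain, nets):
            flagged.append((rec["qid"], rec["sender"], rec["relay_ip"]))
    return flagged


if __name__ == "__main__":
    for qid, sender, ip in scan_log(SAMPLE_LOG, "mydomain.com",
                                    ["127.0.0.0/8", "192.168.1.0/24"]):
        print(f"{qid}: sender {sender} arrived from outside relay {ip}")
```

Run against the real maillog, this picks out the same kind of line the post quotes. Mail that your own users submit from outside the trusted networks is flagged as well; the from= line alone cannot tell a forged sender from a genuine one, which is why the thread ends up at signing mail rather than filtering on the sender address.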
 
Old 11-19-2003, 09:51 AM   #2
vittibaby
LQ Newbie
 
Registered: Aug 2003
Posts: 19

Original Poster
Rep: Reputation: 0
Can someone please give me some advice?

thanks thanks!
 
Old 11-19-2003, 09:55 AM   #3
jkobrien
Member
 
Registered: Jun 2003
Location: Dublin, Ireland
Distribution: Slackware, LFS, Ubuntu, RedHat, Slamd64
Posts: 507

Rep: Reputation: 30
I don't know anything about mail server admin, so I can't really help with your questions but have a suggestion.

Our administrators here in work have the same problem and have recently informed us that all mails from them (ie the genuine ones) will be electronically signed. This kind of implies, they don't know how to stop it either, but at least we can tell the forgeries apart from real mails.

John
 
Old 11-19-2003, 10:11 AM   #4
vittibaby
LQ Newbie
 
Registered: Aug 2003
Posts: 19

Original Poster
Rep: Reputation: 0
Thanks John for your suggestion. I'll certainly look into this option...

anyone else who has an idea on how to stop this from happening?
 
Old 11-25-2003, 06:57 PM   #5
scorpatron
Member
 
Registered: Nov 2003
Location: New Zealand
Distribution: Redhat 9 2.4.20-8 Athlon, Windows 2000 Professional, FreeBSD
Posts: 122

Rep: Reputation: 15
yeah dude

firstly, on your smtp server, only allow reversible dns names..

secondly, you've given everyone access to send mail on your server, as in.. it's probably an 'open-relay'

open-relays are also used for spam

you should perhaps be thankful that this dude alerted you to the problem!

- also... when a user sends an email, they can specify any email address they like as the 'from' email address, this is because the user may wish to receive the reply on another email, and also when email was created.. there was no decent way to check the from email address...

thus electronic signatures were born!
 
Old 11-25-2003, 07:04 PM   #6
vittibaby
LQ Newbie
 
Registered: Aug 2003
Posts: 19

Original Poster
Rep: Reputation: 0
Hi Scorpatron,

Thanks for your tips...

1) how do I only allow reversible DNS names on Sendmail? In my case, the hostname actually matches the IP. Therefore, only allowing reversible DNS names will not stop the problem.

2) I do not believe I have an open-relay. How can I double check?

3) yes, I have read a lot on the net and there is really no way to stop him from forging the "From" field. I have written to the owner of the host (presumably the ISP) but have not had a reply for a week! Anywhere else I can report this issue?

Thanks a lot again!
 
Old 11-25-2003, 07:36 PM   #7
scorpatron
Member
 
Registered: Nov 2003
Location: New Zealand
Distribution: Redhat 9 2.4.20-8 Athlon, Windows 2000 Professional, FreeBSD
Posts: 122

Rep: Reputation: 15
1) FEATURE(`accept_unresolvable_domains')dnl

That line is in your sendmail.mc

you need to m4 that file.. basically the .mc is a simple version of the .cf file... the actual config of sendmail is over 700 lines!

2) Well... search for "stopping spam on your sendmail"... i actually have no idea, all I know is that to receive mail you need to open up your server to the entire world.. that same server sends mail too.. perhaps you could run 2 sendmail servers, one for getting, and one for sending? or perhaps there's a setting somewhere... I'm a newb

3) did you check the email header? I'm guessing you did... if you have the person's ISP & IP & Time of send... then legally they have an obligation to follow it up. Talk to the police they should be able to tell you more.. because the laws are different in certain countries..
 
Old 11-25-2003, 09:43 PM   #8
vittibaby
LQ Newbie
 
Registered: Aug 2003
Posts: 19

Original Poster
Rep: Reputation: 0
Hi scorpatron,

2) I don't think I have 'Open relay' on my sendmail. The Relay feature means someone can use your SMTP server to send mail to others (i.e. relay = a mail comes in but is not destined for my domain and my mail server relays it on to the destination server). On my sendmail, I only allow people from my internal network to do so, therefore, it shouldn't be "OPEN" to everyone.

I use squirrelmail... that works even when I'm at a public network and my sendmail does not allow relay from public network. Does anyone know why?

thanks.
 
Old 11-27-2003, 10:31 PM   #9
scorpatron
Member
 
Registered: Nov 2003
Location: New Zealand
Distribution: Redhat 9 2.4.20-8 Athlon, Windows 2000 Professional, FreeBSD
Posts: 122

Rep: Reputation: 15
what does your /etc/mail/access file look like?
 
Old 11-30-2003, 06:53 PM   #10
vittibaby
LQ Newbie
 
Registered: Aug 2003
Posts: 19

Original Poster
Rep: Reputation: 0
Hi scorpatron

I RELAY for the following networks:

mail.mydomain.com
mydomain.com
127.0.0.1
192.168.1

Is this ok? thanks.
 
Old 11-30-2003, 07:00 PM   #11
scorpatron
Member
 
Registered: Nov 2003
Location: New Zealand
Distribution: Redhat 9 2.4.20-8 Athlon, Windows 2000 Professional, FreeBSD
Posts: 122

Rep: Reputation: 15
yeah, that's fine.
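As an added example, not code from the thread, the following Python models how sendmail's /etc/mail/access file decides relaying for the four entries listed above, and separates that decision from plain delivery to a local recipient. The matching rules it implements (IP keys match on whole octets, so 192.168.1 covers 192.168.1.0 to 192.168.1.255; hostname keys match the host and its subdomains using the client's reverse DNS; the most specific key wins; no relaying when nothing matches) are a simplified form of sendmail's documented access-map behaviour. The client addresses and hostnames used in the checks are constructed.

```python
# Constructed /etc/mail/access contents matching the entries listed in the thread.
SAMPLE_ACCESS = """\
# relay only for our own hosts and networks
mail.mydomain.com   RELAY
mydomain.com        RELAY
127.0.0.1           RELAY
192.168.1           RELAY
"""


def parse_access(text):
    """Parse access-file lines into (key, action) pairs; comments and blanks are ignored.
    An optional "Connect:" tag (used by newer sendmail versions) is stripped from the key."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line without an action column
        key, action = parts
        if key.startswith("Connect:"):
            key = key[len("Connect:"):]
        entries.append((key, action.strip().upper()))
    return entries


def _is_ip_key(key):
    return all(part.isdigit() for part in key.split("."))


def _key_matches(key, client_ip, client_host):
    """IP keys match whole octets ("192.168.1" covers 192.168.1.0-255); hostname
    keys match the host itself and any subdomain, based on the client's reverse DNS."""
    if _is_ip_key(key):
        return client_ip == key or client_ip.startswith(key + ".")
    if not client_host:
        return False  # no reverse DNS name: hostname entries cannot apply
    host = client_host.lower().rstrip(".")
    key = key.lower()
    return host == key or host.endswith("." + key)


def relay_allowed(client_ip, client_host, entries):
    """Decide whether a connecting client may relay, most specific key first.
    No matching entry means no relaying, sendmail's default since 8.9."""
    for key, action in sorted(entries, key=lambda e: len(e[0]), reverse=True):
        if _key_matches(key, client_ip, client_host):
            return action == "RELAY"
    return False


def would_accept(client_ip, client_host, recipient, entries, local_domains):
    """Delivery to a local recipient is never relaying, so it is accepted
    regardless of the access file; any other recipient needs relay permission."""
    rcpt_domain = recipient.rsplit("@", 1)[-1].lower()
    if rcpt_domain in {d.lower() for d in local_domains}:
        return True
    return relay_allowed(client_ip, client_host, entries)


if __name__ == "__main__":
    entries = parse_access(SAMPLE_ACCESS)
    local = ["mydomain.com"]
    # forged admin@mydomain.com to a local user from an outside host: plain delivery
    print(would_accept("203.0.113.45", "dsl-45.example.net", "user@mydomain.com", entries, local))
    # the same outside host trying to send to a third party: refused, not an open relay
    print(would_accept("203.0.113.45", "dsl-45.example.net", "someone@example.org", entries, local))
```

Relaying only comes into play when the recipient is outside mydomain.com, so a message to user@mydomain.com with a forged admin@mydomain.com sender is accepted as ordinary inbound delivery whatever the access file says: a correct access file keeps your server from being an open relay, but it cannot stop sender forgery. Hostname entries also depend on the connecting client's reverse DNS, so the IP entries are the more reliable ones. When webmail such as squirrelmail runs on the mail server itself, its SMTP submission comes from 127.0.0.1, which is why it works from a public network while direct relaying from that network is refused.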
 