LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-20-2007, 11:16 PM   #1
latino
Member
 
Registered: Aug 2003
Location: Puerto Rico
Distribution: Centos 6.6
Posts: 142

Rep: Reputation: 15
forged - spoofed through sendmail


Hi:

How can I prevent this?

Jan 19 21:11:56 mysitename sendmail[30159]: l0K2VZ4s029040: to=<ppcvp@aol.com>, delay=00:40:04, xdelay=00:00:02, mailer=esmtp, pri=210103, relay=mailin-01.mx.aol.com. [64.12.137.249], dsn=2.0.0, stat=Sent (OK)

My sendmail configuration blocks relaying fine. BUT spammers seem to be using my sendmail port to redirect email to open relays. In the above example the email appears as sent.

I use DNSBLs to block spammers but, recently, this has increased.

I even received a complaint because one of those forged emails was 'sent' from my server when it wasn't. Any way to prevent this? Or at least, how can I prevent sendmail from 'sending' or transporting emails from specific email addresses?? How can I specify a list of email addresses that sendmail should not manage??

PLEASE ADVISE OR GIVE A HINT!!!

TIA

 
Old 01-21-2007, 05:08 AM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
What do you mean it wasn't "sent" from your Sendmail server? It certainly appears to have been... are you allowing anyone to relay mail as long as it claims to be sent from your domain? If so, then you are basically an open relay. You need to lock down relaying to only be allowed from specific IP addresses, or after authentication.
 
Old 01-21-2007, 11:02 AM   #3
latino
Member
 
Registered: Aug 2003
Location: Puerto Rico
Distribution: Centos 6.6
Posts: 142

Original Poster
Rep: Reputation: 15
Hi

Well, I have tested the site for open relay and it passes those tests OK. This server has been operating since August 2003 and it is not even listed in blacklists.

What I think is that the email is sent through mailin-01.mx.aol.com... But I am not sure, since email is not my strength. I will check the setup to consider your advice.

Well, it seems the most direct way of prevention is IPTABLES.

UPDATE:

I am trying with hosts.deny since I can specify the SMTP port and IP to block. Still testing...

#
# deny_hosts
#
# Trust based rule file to define addresses that are denied all or specific
# traffic.
#
# Format of this file is line-separated addresses, IP masking is supported.
# Example:
# 24.202.16.11
# 24.202.11.0/24
#
# advanced usage
#
# The trust rules can be made in advanced format with 4 options
# (proto:flow:port:ip);
# 1) protocol: [packet protocol tcp/udp]
# 2) flow in/out: [packet direction, inbound or outbound]
# 3) s/d=port: [packet source or destination port]
# 4) s/d=ip(/xx) [packet source or destination address, masking supported]
#
# Syntax:
# proto:flow:[s/d]=port:[s/d]=ip(/mask)
# s - source , d - destination , flow - packet flow in/out
#
# Examples:
# outbound to destination port 23 to destination 0.0.0.0 (any)
# tcp:out:d=23:d=0.0.0.0
#
# inbound to destination port 80 from source 24.202.11.3
# in:d=80:s=24.202.11.3
#
# inbound to destination port 27015 from 24.202.11.0/24
# d=27015:s=24.202.11.0/24
#
## 2005 Cleanout ###
# 030105 dictionary attack (South Korea)
tcp:in:s=210.100.202.60

--------------------------------------------------------------------------------
http://forums.fedoraforum.org/archiv...p/t-31003.html


Thanks.

Last edited by latino; 01-21-2007 at 12:14 PM.
 
Old 01-21-2007, 01:21 PM   #4
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
I believe you have it backwards. I'm no Sendmail expert, but it appears the log entry is for an e-mail that your server sent to ppcvp@aol.com via the relay mailin-01.mx.aol.com.

You would need to identify the e-mail that is coming in that is causing this outbound mail, then you could stop it. It's also possible that if you run any websites or webservers, they may have been compromised and they're being used to send e-mail through your Sendmail server. Check for suspicious connections coming in to your Sendmail box and then trace it from there.
 
Old 01-21-2007, 01:46 PM   #5
latino
Member
 
Registered: Aug 2003
Location: Puerto Rico
Distribution: Centos 6.6
Posts: 142

Original Poster
Rep: Reputation: 15
Hi:

Thank you very much for the help.

Here is what netstat -a shows. Please note the connections through:
tcp 0 1 mysitedomain:33600 yg.mx.aol.com:smtp SYN_SENT
tcp 0 1 mysitedomain:33596 ya.mx.aol.com:smtp SYN_SENT
udp 0 0 *:824

So, the email is being sent through UDP port 824???

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:11110 *:* LISTEN
tcp 0 0 *:mysql *:* LISTEN
tcp 0 0 localhost:783 *:* LISTEN
tcp 0 0 *:1935 *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:19350 *:* LISTEN
tcp 0 0 *:1111 *:* LISTEN
tcp 0 0 *:ipp *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 *:830 *:* LISTEN
tcp 0 0 localhost:32769 localhost:19350 ESTABLISHED
tcp 0 0 localhost:19350 localhost:32769 ESTABLISHED
tcp 0 0 *:imaps *:* LISTEN
tcp 0 0 *:49127 *:* LISTEN
tcp 0 0 *:imap *:* LISTEN
tcp 0 0 *:990 *:* LISTEN
tcp 0 48 mysitedomain:990 ::ffff:1.1.1.1:60111 ESTABLISHED
tcp 0 1 mysitedomain:33600 yg.mx.aol.com:smtp SYN_SENT
tcp 0 1 mysitedomain:33596 ya.mx.aol.com:smtp SYN_SENT
udp 0 0 *:824 *:*
udp 0 0 *:827 *:*
udp 0 0 *:sunrpc *:*
udp 0 0 *:ipp *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 45278 /var/run/dovecot-login/default
unix 2 [ ACC ] STREAM LISTENING 24410 /tmp/.font-unix/fs7100
unix 2 [ ] DGRAM 24286 /opt/macromedia/fms/tmp/21602.pid
unix 2 [ ACC ] STREAM LISTENING 24352 /dev/gpmctl
unix 2 [ ACC ] STREAM LISTENING 5028 /var/run/acpid.socket
unix 21 [ ] DGRAM 4723 /dev/log
unix 2 [ ] DGRAM 24509 @/var/run/hal/hotplug_socket
unix 2 [ ACC ] STREAM LISTENING 24462 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 24698 /var/lib/mysql/mysql.sock
unix 2 [ ] DGRAM 3171 @udevd
unix 2 [ ] DGRAM 77102
unix 3 [ ] STREAM CONNECTED 48582
unix 3 [ ] STREAM CONNECTED 48581
unix 3 [ ] STREAM CONNECTED 48580
unix 3 [ ] STREAM CONNECTED 48579
unix 2 [ ] DGRAM 48565
unix 2 [ ] STREAM CONNECTED 45688
unix 2 [ ] DGRAM 45300
unix 3 [ ] STREAM CONNECTED 45303 /var/run/dovecot-login/default
unix 3 [ ] STREAM CONNECTED 45299
unix 3 [ ] STREAM CONNECTED 45302 /var/run/dovecot-login/default
unix 3 [ ] STREAM CONNECTED 45296
unix 3 [ ] STREAM CONNECTED 45301 /var/run/dovecot-login/default
unix 3 [ ] STREAM CONNECTED 45295
unix 2 [ ] DGRAM 45290
unix 2 [ ] DGRAM 45289
unix 2 [ ] DGRAM 45288
unix 3 [ ] STREAM CONNECTED 45287
unix 3 [ ] STREAM CONNECTED 45286
unix 3 [ ] STREAM CONNECTED 45285
unix 3 [ ] STREAM CONNECTED 45284
unix 3 [ ] STREAM CONNECTED 45283
unix 3 [ ] STREAM CONNECTED 45282
unix 3 [ ] STREAM CONNECTED 45281
unix 3 [ ] STREAM CONNECTED 45280
unix 2 [ ] DGRAM 45272
unix 3 [ ] STREAM CONNECTED 25939
unix 3 [ ] STREAM CONNECTED 25938
unix 3 [ ] STREAM CONNECTED 24507 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 24506
unix 2 [ ] DGRAM 24480
unix 3 [ ] STREAM CONNECTED 24465
unix 3 [ ] STREAM CONNECTED 24464
unix 2 [ ] DGRAM 24415
unix 2 [ ] DGRAM 24369
unix 2 [ ] DGRAM 24351
unix 2 [ ] DGRAM 24330
unix 2 [ ] DGRAM 24276
unix 2 [ ] DGRAM 24261
unix 2 [ ] DGRAM 24250
unix 2 [ ] DGRAM 24194
unix 2 [ ] DGRAM 24175
unix 2 [ ] DGRAM 24123
unix 3 [ ] STREAM CONNECTED 4922
unix 3 [ ] STREAM CONNECTED 4921
unix 2 [ ] DGRAM 4799
unix 2 [ ] DGRAM 4731

How can I know exactly how these bastards are doing this? Please note that my connection to the server is this one (changed IP to 1.1.1.1):
tcp 0 48 mysitedomain:990 ::ffff:1.1.1.1:60111 ESTABLISHED

TIA


Last edited by latino; 01-21-2007 at 01:48 PM.
 
Old 01-21-2007, 02:13 PM   #6
latino
Member
 
Registered: Aug 2003
Location: Puerto Rico
Distribution: Centos 6.6
Posts: 142

Original Poster
Rep: Reputation: 15
Hi Again:

Although I can filter the suspect IP with the FIREWALL, I want to know how this is happening. Here is a screen from netstat -aptn

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:11110 0.0.0.0:* LISTEN 21828/fmsadmin
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 21987/mysqld
tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN 10083/spamd.pid
tcp 0 0 0.0.0.0:1935 0.0.0.0:* LISTEN 21599/fmsedge
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2325/portmap
tcp 0 0 serverip:80 0.0.0.0:* LISTEN 1788/httpd
tcp 0 0 0.0.0.0:19350 0.0.0.0:* LISTEN 21599/fmsedge
tcp 0 0 0.0.0.0:1111 0.0.0.0:* LISTEN 21828/fmsadmin
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 21426/cupsd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 21551/sendmail: acc
tcp 0 0 0.0.0.0:830 0.0.0.0:* LISTEN 2344/rpc.statd
tcp 0 0 127.0.0.1:32769 127.0.0.1:19350 ESTABLISHED 21602/fmscore
tcp 0 0 127.0.0.1:19350 127.0.0.1:32769 ESTABLISHED 21599/fmsedge
tcp 0 0 serverip:80 1.1.1.1:60565 TIME_WAIT -
tcp 0 0 serverip:80 1.1.1.1:60570 FIN_WAIT2 -
tcp 0 0 serverip:80 1.1.1.1:60569 TIME_WAIT -
tcp 0 0 serverip:80 1.1.1.1:60568 TIME_WAIT -
tcp 0 67 serverip:25 213.1.255.148:18843 ESTABLISHED 2057/sendmail: serv
tcp 0 0 :::993 :::* LISTEN 9345/dovecot
tcp 0 0 :::49127 :::* LISTEN 9442/java
tcp 0 0 :::143 :::* LISTEN 9345/dovecot
tcp 0 0 :::990 :::* LISTEN 21514/sshd
tcp 0 48 ::ffff:serverip:990 ::ffff:1.1.1.1:60111 ESTABLISHED 22614/sshd: AdrianJ
tcp 0 0 ::ffff:serverip:49127 ::ffff:24.186.163.165:3365 ESTABLISHED 9442/java
tcp 0 1 ::ffff:serverip:34080 ::ffff:205.188.155.89:25 SYN_SENT 21557/l0JGTjUP01177
tcp 0 1 ::ffff:serverip:34079 ::ffff:64.12.138.57:25 SYN_SENT 1595/l0JHTWNS014399

The last two connections seem to be the bad boy; also note that the port changes (34080).
 
Old 01-21-2007, 03:41 PM   #7
latino
Member
 
Registered: Aug 2003
Location: Puerto Rico
Distribution: Centos 6.6
Posts: 142

Original Poster
Rep: Reputation: 15
Hi Again:

These spammers have so many tricks. I have discovered mail sent with some BAD FILE DESCRIPTOR seems to be managed by sendmail and put into /var/spool/mqueue, as the status displays as Deferred.

Well, looking into my /var/spool/mqueue, there were 1500 emails there.

Browsing the Internet I found this:
http://www.brandonhutchinson.com/del...ail_queue.html

I created three Perl files from that source. The files are able to show emails at /var/spool/mqueue/, even by domain. Also, one of the scripts is able to DELETE the emails from /var/spool/mqueue.

PLEASE NOTE IT REQUIRES QTOOL.PL (available with sendmail --> contrib)

I turned off cups and added some more rules to the firewall. Now /var/log/maillog shows significantly less activity and the RBLs are more effective. Will continue researching this.

By the way, I also added:

service@paypal.com DISCARD

to /etc/access

Since my host's complaint originated from a phishing email, I am now 99.5% sure it was a forged / spoofed email. With that action, no more emails with the From service@paypal.com are shown in maillog.

Will keep updating this as it could help others.

Later
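The post above lists and deletes queued mail by domain with Perl scripts built on qtool.pl. The following Python script is an added example, not from the original post or from the sendmail distribution, that does the listing part directly from the qf* control files in a queue directory: it extracts the envelope sender, the recipients, the `$_` macro (the host that injected the message) and the headers, so a queue full of "service@paypal.com" mail can be attributed to the connection that fed it in. The queue files, queue IDs, hosts and addresses are constructed for the example; the record layout follows the sendmail 8.12+ qf format.

```python
"""
Summarise a sendmail queue directory from its qf* control files.

Each queued message is a qf<queue-id> control file plus a df<queue-id>
body file. The control file is line oriented; the first byte of each
line is the record type: S sender, R recipient, H header, T creation
time, $ macro value, '.' end of file. The '$_' macro is the host that
injected the message, the field that matters when the queue fills with
forged mail.
"""
import os
import re
import tempfile
from collections import Counter

# Constructed queue files (not from the original post): two forged
# "PayPal" messages injected from 198.51.100.23 and one legitimate one.
SAMPLE_QUEUE = {
    "qfl0K2VZ4s029040": (
        "V8\nT1169260295\nK1169262716\nN2\nP210103\nFbs\n"
        "$_[198.51.100.23]\n$rESMTP\n"
        "Sservice@paypal.com\nRPFD:ppcvp@aol.com\n"
        "H??Received: from pc1 ([198.51.100.23])\n"
        "\tby mysitename (8.13.1/8.13.1) with ESMTP id l0K2VZ4s029040\n"
        "\tfor <ppcvp@aol.com>; Fri, 19 Jan 2007 20:31:35 -0400\n"
        "H??From: \"PayPal\" <service@paypal.com>\n"
        "H??Subject: Please update your account\n.\n"
    ),
    "dfl0K2VZ4s029040": "Dear customer, click here ...\n",   # body, ignored
    "qfl0K2jAxx029401": (
        "V8\nT1169261110\nN1\nP210090\nFbs\n"
        "$_[198.51.100.23]\n$rSMTP\n"
        "Sservice@paypal.com\nRPFD:carol@hotmail.com\n"
        "H??From: \"PayPal\" <service@paypal.com>\n"
        "H??Subject: Please update your account\n.\n"
    ),
    "qfl0K2e2Qx029355": (
        "V8\nT1169260802\nN1\nP30812\nFbs\n"
        "$_mail.example.org [203.0.113.7]\n$rESMTP\n"
        "Sbob@example.org\nRPFD:alice@aol.com\n"
        "H??From: Bob <bob@example.org>\nH??Subject: lunch?\n.\n"
    ),
}


def parse_qf(text):
    """Parse one qf control file into sender, recipients, source, headers."""
    rec = {"sender": None, "recipients": [], "source": None, "headers": []}
    for line in text.splitlines():
        if not line or line == ".":
            continue
        if line[0] in " \t":                     # folded header continuation
            if rec["headers"]:
                rec["headers"][-1] += " " + line.strip()
            continue
        tag, body = line[0], line[1:]
        if tag == "S":
            rec["sender"] = body.strip("<>")
        elif tag == "R":                          # 'RPFD:addr' (flags before ':')
            rec["recipients"].append(body.rsplit(":", 1)[-1])
        elif tag == "$" and body.startswith("_"):  # $_ = validated client host
            rec["source"] = body[1:]
        elif tag == "H":                          # 'H?flags?Name: value'
            m = re.match(r"\?[^?]*\?(.*)$", body)
            rec["headers"].append(m.group(1) if m else body)
    return rec


def scan_queue(queue_dir):
    """Parse every qf* file in queue_dir and return {queue_id: record}."""
    queue = {}
    for name in sorted(os.listdir(queue_dir)):
        if name.startswith("qf"):
            with open(os.path.join(queue_dir, name), encoding="latin-1") as fh:
                queue[name[2:]] = parse_qf(fh.read())
    return queue


def by_source(queue):
    """How many queued messages each injecting host is responsible for."""
    return Counter(rec["source"] for rec in queue.values())


def ids_for_sender_domain(queue, domain):
    """Queue IDs whose envelope sender is in domain (the per-domain listing)."""
    return sorted(qid for qid, rec in queue.items()
                  if rec["sender"] and rec["sender"].lower().endswith("@" + domain))


def write_sample_queue():
    """Write the constructed files to a temp dir and return its path."""
    d = tempfile.mkdtemp(prefix="mqueue-")
    for name, text in SAMPLE_QUEUE.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(text)
    return d


if __name__ == "__main__":
    q = scan_queue(write_sample_queue())     # on a real box: "/var/spool/mqueue"
    for src, n in by_source(q).most_common():
        print(f"{n:4d} queued message(s) injected by {src}")
    print("envelope sender in paypal.com:", ids_for_sender_domain(q, "paypal.com"))
```

Run it against /var/spool/mqueue as root. The script only reads; to remove the selected queue IDs use qtool.pl -d as the post does, which deletes the qf/df pair together and respects sendmail's locks, rather than rm'ing files a queue runner may still hold open.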
 
Old 01-21-2007, 07:20 PM   #8
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Er, well, showing netstat snapshots doesn't really track down where the mail is coming from, although I noticed that you have MySQL bound to all the IP addresses on your box... that's not so great. What is with all the connections to 1.1.1.1? Is that you masking out some other IP address?

Anyway, what you really need to look at is your Sendmail logs to see where inbound messages are coming from. The log you showed at the beginning is an e-mail being delivered to AOL from your server. What you need to find is where the e-mails are coming from that are being delivered to your server going to an AOL address (or maybe from an AOL address and then bouncing).
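The log line in the first post is the delivery half of a message; sendmail writes the other half, a from=<...> line whose relay= field names the host that handed the message in, under the same queue ID (l0K2VZ4s029040). The SYN_SENT sockets in the netstat -aptn output carry a program name that looks like a queue ID for the same reason: it is the message the queue runner is delivering, and grepping maillog for it gives the join. The script below is an added example, not from the original thread, that performs that join over a constructed maillog excerpt and counts, per injecting host, the messages that ended up going to aol.com. The queue ID l0K2VZ4s029040 mirrors the thread; every other host, address and IP in the sample is made up. relay=apache@localhost is how sendmail logs a message submitted locally by the apache user, the compromised-web-script case mentioned above.

```python
"""
Trace a sendmail delivery back to the connection that injected it.

Sendmail logs each message as several syslog lines sharing one queue ID:
a 'from=<...>' line (its relay= is the host that handed the message to
us) and one 'to=<...>' line per delivery attempt. Joining them on the
queue ID answers: who is feeding us the mail we then deliver to aol.com?
"""
import re
from collections import Counter, defaultdict

# Constructed sample maillog (not from the original post).
SAMPLE_LOG = """\
Jan 19 20:31:35 mysitename sendmail[29040]: l0K2VZ4s029040: from=<service@paypal.com>, size=2310, class=0, nrcpts=1, msgid=<000301c73c2a$1a2b3c4d@pc1>, proto=ESMTP, daemon=MTA, relay=[198.51.100.23]
Jan 19 20:31:38 mysitename sendmail[29041]: l0K2VZ4s029040: to=<ppcvp@aol.com>, delay=00:00:03, xdelay=00:00:02, mailer=esmtp, pri=210103, relay=mailin-01.mx.aol.com. [64.12.137.249], dsn=4.0.0, stat=Deferred: Connection timed out with mailin-01.mx.aol.com.
Jan 19 21:11:56 mysitename sendmail[30159]: l0K2VZ4s029040: to=<ppcvp@aol.com>, delay=00:40:04, xdelay=00:00:02, mailer=esmtp, pri=210103, relay=mailin-01.mx.aol.com. [64.12.137.249], dsn=2.0.0, stat=Sent (OK)
Jan 19 20:40:02 mysitename sendmail[29355]: l0K2e2Qx029355: from=<bob@example.org>, size=812, class=0, nrcpts=1, msgid=<20070120004002.GA1234@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [203.0.113.7]
Jan 19 20:40:03 mysitename sendmail[29358]: l0K2e2Qx029355: to=<alice@aol.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30812, relay=mailin-02.mx.aol.com. [64.12.137.250], dsn=2.0.0, stat=Sent (OK)
Jan 19 20:45:10 mysitename sendmail[29401]: l0K2jAxx029401: from=<service@paypal.com>, size=2290, class=0, nrcpts=1, msgid=<000401c73c2c$5e6f7a8b@pc1>, proto=SMTP, daemon=MTA, relay=[198.51.100.23]
Jan 19 20:45:11 mysitename sendmail[29402]: l0K2jAxx029401: to=<carol@aol.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=210090, relay=mailin-01.mx.aol.com. [64.12.137.249], dsn=2.0.0, stat=Sent (OK)
Jan 19 20:50:00 mysitename sendmail[29500]: l0K3o0Cd029500: from=<apache@mysitename>, size=1500, class=0, nrcpts=1, msgid=<200701200050.l0K3o0Cd029500@mysitename>, relay=apache@localhost
Jan 19 20:50:01 mysitename sendmail[29502]: l0K3o0Cd029500: to=<dave@aol.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31500, relay=mailin-02.mx.aol.com. [64.12.137.250], dsn=2.0.0, stat=Sent (OK)
"""

# syslog prefix, then 'sendmail[pid]: <queue-id>: key=value, key=value, ...'
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\ssendmail\[(?P<pid>\d+)\]:\s"
    r"(?P<qid>\w+):\s(?P<rest>.*)$"
)


def parse_fields(rest):
    """Split 'k=v, k=v, ...'; a value (e.g. stat=) may itself contain ', '."""
    fields, key = {}, None
    for piece in rest.split(", "):
        m = re.match(r"^(\w+)=(.*)$", piece)
        if m:
            key = m.group(1)
            fields[key] = m.group(2)
        elif key is not None:
            fields[key] += ", " + piece
    return fields


def injecting_host(relay):
    """Reduce a from= relay field to the thing to block or investigate."""
    m = re.search(r"\[([0-9a-fA-F.:]+)\]", relay)
    return m.group(1) if m else relay        # 'apache@localhost' stays as-is


def parse_log(text):
    """Group maillog lines by queue ID: who injected it, where it went."""
    envelopes = defaultdict(lambda: {"from": None, "source": None, "deliveries": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = parse_fields(m.group("rest"))
        env = envelopes[m.group("qid")]
        if "from" in fields:
            env["from"] = fields["from"].strip("<>")
            env["source"] = injecting_host(fields.get("relay", ""))
        elif "to" in fields:
            env["deliveries"].append({
                "time": m.group("ts"),
                "to": fields["to"].strip("<>"),
                "relay": fields.get("relay", ""),
                "stat": fields.get("stat", ""),
            })
    return dict(envelopes)


def sources_for_domain(envelopes, domain):
    """Per injecting host, the number of envelopes with a recipient in domain."""
    counts = Counter()
    for env in envelopes.values():
        if any(d["to"].lower().endswith("@" + domain) for d in env["deliveries"]):
            counts[env["source"]] += 1
    return counts


def trace(envelopes, qid):
    """The equivalent of 'grep <qid> /var/log/maillog', already joined."""
    env = envelopes[qid]
    lines = [f"{qid}: injected by {env['source']} as from=<{env['from']}>"]
    for d in env["deliveries"]:
        lines.append(f"  {d['time']} to=<{d['to']}> via {d['relay']} -> {d['stat']}")
    return "\n".join(lines)


if __name__ == "__main__":
    envs = parse_log(SAMPLE_LOG)
    print(trace(envs, "l0K2VZ4s029040"))
    for src, n in sources_for_domain(envs, "aol.com").most_common():
        print(f"{n:4d} message(s) to aol.com injected by {src}")
```

Feed it the real /var/log/maillog (replace SAMPLE_LOG with the file contents) and the most_common() list is the set of hosts to firewall or, for a relay=user@localhost entry, the local account whose scripts need auditing.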
 