LinuxQuestions.org, Linux - Security forum thread: Help for SENDMAIL, . . . auto sending mail
(https://www.linuxquestions.org/questions/linux-security-4/help-for-sendmail-auto-sending-mail-340405/)

ERBRMN 07-05-2005 08:41 PM

Help for SENDMAIL, . . . auto sending mail
 
Hi ...

Have you any advice for me!!!!

I have a Web and FTP server which uses sendmail and a MySQL server.
There are some scripts that use the sendmail command on my server.
They only send some e-mail to other users when a user uses the mail-sending web page.
All user information (registered users' e-mail addresses) is registered in a MySQL database table.

My Problem :

- On my server there is some THING that automatically sends BLANK mail to the users registered in MySQL.
- The mail sender is nobody@my-domain
- When I look at "maillog" there are too many log entries showing nobody sending e-mail to all registered users and non-registered users, ..... in maillog
- I am one of the registered users, but I have received that blank mail.

What is it? A VIRUS?


Capt_Caveman 07-05-2005 11:00 PM

Take a look at your mail logs and see if you can find any information on the user sending mail. Also post a few examples from the log if possible.

Take a look at your system logs (including webserver and ftp logs) for anything abnormal such as errors or panics. Also look at the output of ps -aux for any processes that look abnormal. I would also highly recommend downloading and running rkhunter or chkrootkit.

hardcorelinux 07-06-2005 12:31 AM

Check the mail headers; it looks like some of your users are sending through php .. try to enable phpsuexec, then you can find the original users

ERBRMN 07-06-2005 01:09 AM

Quote:

Originally posted by Capt_Caveman
Take a look at your mail logs and see if you can find any information on the user sending mail. Also post a few examples from the log if possible.

Thank you, Capt_Caveman

I have attached some log entries from my server maillog which I think are NOT CORRECT.

*******************

Jul 3 07:43:58 pweb-srv2 sendmail[20654]: /etc/mail/submit.cf: WARNING: dangerous write permissions
Jul 3 07:43:58 pweb-srv2 sendmail[20654]: j62MhwGW020654: from=nobody, size=1869, class=0, nrcpts=1, msgid=<200507022243.j62MhwGW020654@pweb-srv2.other-server-domain>, relay=nobody@localhost
Jul 3 07:43:58 pweb-srv2 sm-mta[20656]: j62MhwhH020656: from=<nobody@my-server-domain>, size=2104, class=0, nrcpts=1, msgid=<200507022243.j62MhwGW020654@my-server-domain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jul 3 07:43:58 pweb-srv2 sendmail[20654]: j62MhwGW020654: to=member@other-server-domain, ctladdr=nobody (99/99), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30128, relay=localhost.localdomain. [127.0.0.1], dsn=2.0.0, stat=Sent (j62MhwhH020656 Message accepted for delivery)
Jul 3 07:43:58 pweb-srv2 sendmail[20659]: /etc/mail/submit.cf: WARNING: dangerous write permissions
Jul 3 07:43:58 pweb-srv2 sendmail[20659]: j62MhwtR020659: from=nobody, size=1894, class=0, nrcpts=1, msgid=<200507022243.j62MhwtR020659@pweb-srv2.other-server-domain>, relay=nobody@localhost
Jul 3 07:43:58 pweb-srv2 sm-mta[20661]: j62MhwhH020661: from=<nobody@my-server-domain>, size=2129, class=0, nrcpts=1, msgid=<200507022243.j62MhwtR020659@my-server-domain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jul 3 07:43:58 pweb-srv2 sendmail[20659]: j62MhwtR020659: to=rin_2125@yahoo.co.jp, ctladdr=nobody (99/99), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30130, relay=localhost.localdomain. [127.0.0.1], dsn=2.0.0, stat=Sent (j62MhwhH020661 Message accepted for delivery)
Jul 3 07:43:59 pweb-srv2 sm-mta[20663]: j62MhwhH020661: to=<rin_2125@yahoo.co.jp>, ctladdr=<nobody@my-server-domain> (99/99), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30365, relay=mta08.mail.yahoo.co.jp. [202.93.87.210], dsn=2.0.0, stat=Sent (ok dirdel)
Jul 3 07:44:15 pweb-srv2 sm-mta[20658]: j62MhwhH020656: to=<member@other-server-domain>, ctladdr=<nobody@my-server-domain> (99/99), delay=00:00:17, xdelay=00:00:17, mailer=esmtp, pri=30363, relay=other-dns-name. [xxx.zzz.www.qqq], dsn=2.0.0, stat=Sent (ok 1120337504 qp 15957)
Jul 3 07:54:12 pweb-srv2 sendmail[20675]: /etc/mail/submit.cf: WARNING: dangerous write permissions
Jul 3 07:54:12 pweb-srv2 sendmail[20675]: j62MsCdf020675: from=nobody, size=2506, class=0, nrcpts=1, msgid=<200507022254.j62MsCdf020675@pwe


*******************
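An added example, not from this thread, for reading maillog excerpts like the one above: it credits each submission to the local controlling user in ctladdr (the account that invoked sendmail) rather than to the envelope sender it chose, counts submissions per user and per minute to surface bursts, and tallies the submit.cf permissions warning. The sample lines are constructed with placeholder hosts and addresses.

```python
import re
from collections import Counter

# Constructed sample modelled on the maillog excerpt in this thread; hosts and
# addresses are placeholders, not real indicators.
SAMPLE_MAILLOG = """\
Jul 3 07:43:58 pweb-srv2 sendmail[20654]: /etc/mail/submit.cf: WARNING: dangerous write permissions
Jul 3 07:43:58 pweb-srv2 sendmail[20654]: j62MhwGW020654: to=member@example.org, ctladdr=nobody (99/99), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30128, relay=localhost.localdomain. [127.0.0.1], dsn=2.0.0, stat=Sent (j62MhwhH020656 Message accepted for delivery)
Jul 3 07:43:58 pweb-srv2 sm-mta[20658]: j62MhwhH020656: to=<member@example.org>, ctladdr=<nobody@my-server.example> (99/99), delay=00:00:17, xdelay=00:00:17, mailer=esmtp, pri=30363, relay=mx.example.org. [192.0.2.10], dsn=2.0.0, stat=Sent (ok)
Jul 3 07:43:58 pweb-srv2 sendmail[20659]: j62MhwtR020659: to=user2@example.net, ctladdr=nobody (99/99), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30130, relay=localhost.localdomain. [127.0.0.1], dsn=2.0.0, stat=Sent (j62MhwhH020661 Message accepted for delivery)
Jul 3 07:43:59 pweb-srv2 sendmail[20662]: j62MhxAB020662: to=user3@example.net, ctladdr=nobody (99/99), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30130, relay=localhost.localdomain. [127.0.0.1], dsn=2.0.0, stat=Sent (j62MhxCD020663 Message accepted for delivery)
Jul 3 07:54:12 pweb-srv2 sendmail[20675]: j62MsCdf020675: to=user4@example.net, ctladdr=alice (500/500), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30130, relay=localhost.localdomain. [127.0.0.1], dsn=2.0.0, stat=Sent (j62MsCdg020676 Message accepted for delivery)
"""

# timestamp minute, program (sendmail = submission program, sm-mta = daemon), rest
LINE_RE = re.compile(r"^\w{3}\s+\d+ (\d\d:\d\d):\d\d \S+ (sendmail|sm-mta)\[\d+\]: (.*)$")
REC_RE = re.compile(r"^(\w+): (.*)$")  # "<queue id>: key=value, key=value, ..."

def parse_fields(rest):
    """Split a sendmail 'key=value, key=value' record into a dict."""
    fields = {}
    for part in rest.split(", "):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields

def summarize(log_text, burst_threshold=3):
    """Count to= records per controlling local user (ctladdr) and per minute.
    Only 'sendmail' (submission) records count, so each message is credited to
    the account that invoked sendmail, not the envelope sender it chose."""
    per_user, per_minute, config_warnings = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        minute, prog, rest = m.groups()
        if "submit.cf: WARNING: dangerous write permissions" in rest:
            config_warnings += 1
            continue
        rec = REC_RE.match(rest)
        if prog != "sendmail" or not rec:
            continue  # sm-mta delivery records describe the same messages again
        fields = parse_fields(rec.group(2))
        if "to" not in fields or "ctladdr" not in fields:
            continue
        user = fields["ctladdr"].split(" ")[0]  # "nobody (99/99)" -> "nobody"
        per_user[user] += 1
        per_minute[(user, minute)] += 1
    bursts = sorted((u, mi, n) for (u, mi), n in per_minute.items() if n >= burst_threshold)
    return {"per_user": dict(per_user), "bursts": bursts, "config_warnings": config_warnings}
```

Run against a real /var/log/maillog the per_user count shows which local account is generating the volume, which is the question the thread is circling; the burst list points at the minutes to match against web-server access logs.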

ERBRMN 07-06-2005 01:15 AM

Also I attached BLANK mail which auto sending from nobody user:

> ------------------------------------------------------------
>
> Return-Path: <nobody@my-server-domain>
> Received: from virmxi04.aics.ne.jp ([157.205.253.20])
> by imlmta10.aics.ne.jp
> (InterMail vM.5.02.12.00 201-264-126-133-106-20040103) with ESMTP
> id
> <20050704083340.GHMA15096.imlmta10.aics.ne.jp@virmxi04.aics.ne.jp>
> for <okw@xxxxxxxxx.xxx>; Mon, 4 Jul 2005 17:33:40 +0900
> Received: from my-server-domain ([yyy.eee.ttt.rrr])
> by virmxi04.aics.ne.jp
> (InterMail vM.5.02.12.00 201-264-126-133-106-20040103) with ESMTP
> id
> <20050704083340.YDIT1273.virmxi04.aics.ne.jp@my-server-domain>
> for <okw@xxxxxxxxx.xxx>; Mon, 4 Jul 2005 17:33:40 +0900
> Received: from my-server-domain (localhost.localdomain [127.0.0.1])
> by my-server-domain (8.12.6/8.12.6) with ESMTP id j648kRhH031216
> for <okw@xxxxxxxxx.xxx>; Mon, 4 Jul 2005 17:46:27 +0900
> Received: (from nobody@localhost)
> by my-server-domain (8.12.6/8.12.6/Submit) id j648kRGU031214;
> Mon, 4 Jul 2005 17:46:27 +0900
> Date: Mon, 4 Jul 2005 17:46:27 +0900
> From: Nobody <nobody@my-server-domain>
> Message-Id: <200507040846.j648kRGU031214@my-server-domain>
> To: okw@xxxxxxxxx.xxx
> Subject: =?iso-2022-jp?B??=
>
>
> ------------------------------------------------------------
>

Sorry, I had to change some IP addresses and my server domain name.
They are:
okw@xxxxxxxxx.xxx - the person who received this blank mail.
yyy.eee.ttt.rrr - my server IP address
my-server-domain - my server domain name with host name.
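An added example, not part of the thread, that unfolds headers like the ones quoted above and lists the Received hops oldest-first, so the hop where a message entered the mail system (the bottom Received line, which the submitting MTA wrote) can be read off instead of being reconstructed by eye. The sample headers are constructed with placeholder hosts and addresses.

```python
import re

# Constructed headers modelled on the blank message quoted in this thread;
# hosts and addresses are placeholders, not the original values.
SAMPLE_HEADERS = """\
Return-Path: <nobody@my-server.example>
Received: from mx-in.example.net ([198.51.100.20])
 by mta10.example.net with ESMTP
 for <okw@example.com>; Mon, 4 Jul 2005 17:33:40 +0900
Received: from my-server.example ([203.0.113.5])
 by mx-in.example.net with ESMTP
 for <okw@example.com>; Mon, 4 Jul 2005 17:33:40 +0900
Received: from my-server.example (localhost.localdomain [127.0.0.1])
 by my-server.example (8.12.6/8.12.6) with ESMTP id j648kRhH031216
 for <okw@example.com>; Mon, 4 Jul 2005 17:46:27 +0900
Received: (from nobody@localhost)
 by my-server.example (8.12.6/8.12.6/Submit) id j648kRGU031214;
 Mon, 4 Jul 2005 17:46:27 +0900
From: Nobody <nobody@my-server.example>
Subject: =?iso-2022-jp?B??=
"""

def unfold(header_text):
    """Join RFC 2822 continuation lines (leading whitespace) onto their header."""
    lines = []
    for raw in header_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    return lines

def received_hops(header_text):
    """Return Received hops oldest-first as (from, by, date) tuples.

    Each MTA prepends its own line, so the last Received header is the
    earliest hop: the point where the message entered the mail system."""
    hops = []
    for line in unfold(header_text):
        if not line.lower().startswith("received:"):
            continue
        body = line[len("received:"):].strip()
        frm = re.search(r"^\(?from (\S+)", body)   # "(from user@host)" for local submission
        by = re.search(r"\bby (\S+)", body)
        date = body.rsplit(";", 1)[1].strip() if ";" in body else ""
        hops.append((frm.group(1).rstrip(")") if frm else "", by.group(1) if by else "", date))
    return list(reversed(hops))
```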

ERBRMN 07-06-2005 08:19 PM

How could I configure "MAIL SENDING - DISABLE" for the "nobody" account?

Capt_Caveman 07-06-2005 09:21 PM

Those messages look like they're originating from outside your network with the nobody@your-domain being forged, so you should probably work on banning that host first rather than preventing the nobody user from sending mail (which may actually cause problems with local message delivery). From the mail header, you can see the IP of the host that is sending these messages (157.205.253.20). So try blocking that host entirely with:

iptables -I INPUT -s 157.205.253.20 -j DROP

