-   -   Virus mail (http://www.linuxquestions.org/questions/linux-security-4/virus-mail-193633/)

sanjibgupta 06-15-2004 01:19 AM

Virus mail
 
I have a Linux Red Hat 9.0 & 8.0 server running with sendmail, but I have been receiving complaints from different persons saying that they receive mails as below.
But I do not allow my machine to relay any mails, nor is the address a valid address of my server, though the IP belongs to me. Can anyone tell me if these mails really originated from my server and, if so, how do I block them?

thanking you
sanjib gupta
Received: from sidroy3.net ([202.141.148.23]) by mx.isti.cnr.it (PMDF V6.2-X27
#30838) with SMTP id <01LBA2SC3Z3EAMI7SJ@mx.isti.cnr.it

peter_robb 06-16-2004 05:10 AM

If the ip address is yours, they are coming from an infected machine inside your network...

All the other details can be easily faked..
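An added example (not from the thread) that makes peter_robb's point concrete: in a Received: header, the name before the bracket is whatever the sending machine announced in HELO and can be faked, while the bracketed address is the IP the receiving MTA actually saw connect. The functions below pull both out and check the IP against your own netblock. The header string is constructed for the example, modelled on the one quoted in the first post; the netblock prefix and message id are made up.

```shell
#!/bin/sh
# Added example, not from the thread: split a Received: header into the
# untrusted HELO name and the connecting IP recorded by the receiving MTA.

# Constructed sample header (modelled on the one quoted in the first post;
# the message id is a placeholder).
SAMPLE_HEADER='Received: from sidroy3.net ([202.141.148.23]) by mx.isti.cnr.it with SMTP id <constructed-id@mx.isti.cnr.it>'

# received_ip HEADER -> prints the bracketed IPv4 address, or nothing.
# This is the value the receiving server logged from the TCP connection.
received_ip() {
    printf '%s\n' "$1" | sed -n 's/.*(\[\([0-9.]*\)]).*/\1/p'
}

# helo_name HEADER -> prints the name the sender announced in HELO.
# Anything can be put here; do not trust it.
helo_name() {
    printf '%s\n' "$1" | sed -n 's/^Received: from \([^ ]*\) .*/\1/p'
}

# in_netblock IP PREFIX -> exit 0 if IP starts with the dotted prefix
# (e.g. "202.141.148."), 1 otherwise. Enough for a /24; use a real CIDR
# tool for anything finer.
in_netblock() {
    case "$1" in
        "$2"*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Usage: if the bracketed IP is in your netblock, the mail really did
# leave your network, whatever the HELO name or From: address says.
#   ip=$(received_ip "$SAMPLE_HEADER")
#   in_netblock "$ip" "202.141.148." && echo "sent from our network by $ip"
```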

massoo 06-16-2004 02:08 PM

Surely originating from you
 
hi,

if the other servers are saying the originating point is you then it is definitely you.....

try installing messagewall or amavisd with spamassassin with the help of this pdf from @ your server

www.spenneberg.com

and try to scan your PCs inside your LAN with the online virus scanners from Symantec or Trend Micro

Prashant

peter_robb 06-16-2004 05:40 PM

As far as blocking them is concerned,
make an iptables rule that redirects all outgoing port 25 traffic, off to your smtp server to control the traffic.

eg.
iptables -t nat -I PREROUTING -i eth~ -p tcp --dport 25 -j REDIRECT
service iptables save

This will send it to 127.0.0.1 port 25 (your smtp server should be listening on 127.0.0.1 (localhost)).

paeng16 06-16-2004 08:58 PM

HI,

I have also experienced the same thing! My IP was in the DSBL.org because they say I was an open relay. I have Trend Micro scanning incoming and outgoing mails plus Norton 2004 on all workstations. But still some people complain that my server is sending SPAM. I made body checks in MailPost dropping emails with attachments ending in .com, .exe, .bat. But still some SPAM with an attachment ending in .com can still pass through.

HELP! HELP! HELP!

sanjibgupta 06-17-2004 01:55 AM

my machine does not relay any mails to outside, not even from the internal network. Is it still possible?

dalek 06-17-2004 04:00 AM

I have read where people have their e-mail addresses spoofed by spammers. I had someone that got one from me and I don't run windoze. Someone that has my e-mail address, and uses windoze, has been infected with a virus. That virus got my e-mail address from their address book and used it to send spam. It can happen and have absolutely nothing to do with you or really with the person that was infected. They don't know they are doing it either.

If your system is not infected, then it is likely coming from someone else using your address.

Hope that helps.

:D :D :D :D

benjithegreat98 06-17-2004 12:20 PM

Quote:

If your system is not infected, then it is likely coming from someone else using your address.
No, if the person that is logging your IP address then it is coming from you. IP addresses are not easily faked. There is something wrong. If a machine in your network has a virus then it will start sending out mails using your external address. You should maybe set your external router/firewall to log outgoing traffic on port 25. This may help catch the unwanted mail going out.


paeng16, maybe you should give us more info. Your mail config probably needs to be changed so your system will no longer act as an open relay. Have you checked into your access control file? The only people that should be able to relay are localhost and possibly your internal network.

paeng16 06-17-2004 08:29 PM

benjithegreat98

Below is my SETUP!


SENDING EMAIL
client Server 1 SERVER 2 SERVER 3
W2K >>> RH7.2 >>>>>>> FEDORA >>>> FEDORA >>>>>> INTERNET
TRENDMICRO MailPost SQUID

RECEIVING EMAIL
INTERNET>>>>>SERVER 3>>>>>>SERVER 1 >>>>> SERVER2 >>>>> CLIENT

Specs..
Server 1
- RH7.2
- TrendMicro Anti-Virus w/ SPAM Guard
- Basic Firewall (IPTABLES)
- IBM X200 Series

SERVER 2
- FEDORA
- MAILPOST, LDAP, Postfix, SpamAssassin
- Firewall (IPTABLES)
- IBM X230 Series, hardware RAID 2 (mirror)

SERVER 3
- FEDORA
- Squid
- Fetchmail
- Firewall (IPTABLES)
- BASTILLE
- 2 NIC (eth0=DSL & eth1=SWITCH)
- CLONE PC (hehe!)


Hope to hear from you soon! and thank you for your kind actions.



:D

peter_robb 06-18-2004 04:22 AM

I don't think your problem is with your servers..

If a workstation sends mail, it will use your mail servers..

However if a virus sends mail, it will go directly to the internet..
This is why your ip address shows up, but with strange email addresses.
It is quite possible to fix a virus but leave a spam programme installed..

One protection is to force ALL port 25 traffic into your server 1
eg using an iptables DNAT rule on server 1
iptables -t nat -I PREROUTING -i eth~ -p tcp --dport 25 -j REDIRECT
This forces all client traffic to be checked..
change the eth~ number to match the internal interface.

As benjithegreat98 suggested, do some logging on Server 1 on port 25 to see what's happening
iptables -t nat -I PREROUTING -i eth~ -p tcp --dport 25 -j LOG --log-prefix "mail_out "
and look in /var/log/messages
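An added example (not from the thread) of what to do with the log lines that the "mail_out " LOG rule above produces: summarise which internal hosts are opening port 25 connections directly, so a workstation that should be handing mail to the mail server but is instead talking to the internet on its own stands out. Two things to keep in mind when reading these lines: rules in the nat table only see the first packet of each connection, so every hit is a new SMTP connection, not a packet count; and in PREROUTING the OUT= field is empty because routing has not happened yet. The sample log lines, hostnames and addresses below are constructed for the example; 192.168.1.2 is assumed to be the mail server.

```shell
#!/bin/sh
# Added example, not from the thread: count "mail_out " LOG hits per source
# address from /var/log/messages and flag sources other than the mail server.

# Constructed sample in the kernel's iptables LOG format (nat PREROUTING,
# so OUT= is empty). Addresses and timestamps are made up.
SAMPLE_LOG="$(cat <<'EOF'
Jun 18 04:20:01 server1 kernel: mail_out IN=eth1 OUT= SRC=192.168.1.2 DST=203.0.113.25 LEN=60 PROTO=TCP SPT=41022 DPT=25 SYN
Jun 18 04:20:03 server1 kernel: mail_out IN=eth1 OUT= SRC=192.168.1.57 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=1034 DPT=25 SYN
Jun 18 04:20:04 server1 kernel: mail_out IN=eth1 OUT= SRC=192.168.1.57 DST=198.51.100.8 LEN=60 PROTO=TCP SPT=1035 DPT=25 SYN
Jun 18 04:20:05 server1 kernel: mail_out IN=eth1 OUT= SRC=192.168.1.57 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=1036 DPT=25 SYN
Jun 18 04:20:06 server1 sshd[1234]: Accepted password for admin from 192.168.1.10 port 51234 ssh2
Jun 18 04:20:07 server1 kernel: mail_out IN=eth1 OUT= SRC=192.168.1.2 DST=203.0.113.26 LEN=60 PROTO=TCP SPT=41023 DPT=25 SYN
EOF
)"

# mail_out_counts: read log text on stdin, print "SRC count" for every
# source that hit the mail_out rule, most active first. Lines without the
# prefix (the sshd line above) are ignored.
mail_out_counts() {
    awk '
        /kernel: mail_out / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ }
        }
        END { for (s in n) print s, n[s] }
    ' | sort -k2,2nr -k1,1
}

# unexpected_senders MAILSERVER_IP: read log text on stdin, print only the
# sources that are not the mail server. A workstation in this list is
# bypassing the mail server and is the first machine to scan.
unexpected_senders() {
    mail_out_counts | awk -v ms="$1" '$1 != ms { print $1 }'
}

# Usage against the real log (mail server address is an assumption):
#   unexpected_senders 192.168.1.2 < /var/log/messages
```

Once the REDIRECT rule is in place the direct connections are forced through the mail server anyway, but the LOG rule is still worth keeping: the list it produces tells you which machines to clean.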

paeng16 06-18-2004 04:42 AM

Quote:

Originally posted by peter_robb
I don't think your problem is with your servers..

However if a virus sends mail, it will go directly to the internet..
This is why your ip address shows up, but with strange email addresses.
It is quite possible to fix a virus but leave a spam programme installed..


this is something new to me!

You guys are the F'CKN MASTER! I will try this tonight and will get back to you guys!

MANY THANKS!

_______________________________________________---
man is our friend my friend! :) :newbie:

