LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions.
Old 06-15-2004, 12:19 AM   #1
sanjibgupta
Member
 
Registered: Apr 2003
Location: Kolkata
Posts: 206

Rep: Reputation: 30
Virus mail


I have Linux Red Hat 9.0 and 8.0 servers running sendmail, but I have been receiving complaints from different people saying that they receive mails as below.
But I do not allow my machine to relay any mails, nor is the address a valid address of my server, though the IP belongs to me. Can anyone tell me if these mails really originated from my server, and if so, how do I block them?

thanking you
sanjib gupta
Received: from sidroy3.net ([202.141.148.23]) by mx.isti.cnr.it (PMDF V6.2-X27
#30838) with SMTP id <01LBA2SC3Z3EAMI7SJ@mx.isti.cnr.it
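The question in this post, whether the mail really left the poster's network, can be answered from the Received header the complainant quoted. Below is an added example (not from the original thread or any poster): it parses the Received chain of a message, keeps only the hop written by a receiving server you trust (here the complainant's MX, mx.isti.cnr.it), and checks whether the peer IP that server recorded falls inside your own address block. The sample message is constructed around the one header quoted above; the second Received header, the other fields and the 202.141.148.0/24 netblock are assumptions for the example.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message. The first Received header is the one quoted in
# the original post; the second Received header and the remaining fields are
# made up to show a hop that the sending side could have written itself.
SAMPLE_MESSAGE = """\
Received: from sidroy3.net ([202.141.148.23]) by mx.isti.cnr.it (PMDF V6.2-X27
 #30838) with SMTP id <01LBA2SC3Z3EAMI7SJ@mx.isti.cnr.it>
Received: from forged.example ([10.9.8.7]) by sidroy3.net with SMTP
From: someone@sidroy3.net
To: postmaster@isti.cnr.it
Subject: constructed sample

(body omitted)
"""

# Assumed address block of the administrator's network (placeholder; the
# original post only says the complained-about IP belongs to the poster).
OUR_NETWORKS = ["202.141.148.0/24"]

# "from <helo name> ([<ip>]) by <receiver>", the form most MTAs write.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def received_hops(raw_message):
    """Parse every Received header into helo/ip/by, top of message first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        # Unfold continuation lines before matching.
        match = HOP_RE.search(" ".join(value.split()))
        if match:
            hops.append(match.groupdict())
    return hops


def trusted_origin_ip(raw_message, trusted_receiver):
    """Return the peer IP recorded by trusted_receiver, or None.

    Only the Received header written by a host you trust (the complainant's
    MX) is evidence: every header below it, and the HELO name, were supplied
    by the sending side and can be fabricated. The TCP peer address cannot.
    """
    for hop in received_hops(raw_message):
        if hop["by"].lower().rstrip(";") == trusted_receiver.lower():
            return hop["ip"]
    return None


def is_ours(ip, networks):
    """True if ip falls inside any of the given CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def classify(raw_message, trusted_receiver, networks):
    """Decide whether the complained-about mail left our address space."""
    ip = trusted_origin_ip(raw_message, trusted_receiver)
    if ip is None:
        return "undetermined"
    return "ours" if is_ours(ip, networks) else "not ours"


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MESSAGE):
        print(hop)
    print(classify(SAMPLE_MESSAGE, "mx.isti.cnr.it", OUR_NETWORKS))
```

For the sample, the hop recorded by mx.isti.cnr.it is 202.141.148.23, which falls inside the assumed netblock, so the verdict is "ours": the connection did come from the poster's address space even though the HELO name and the lower Received header say otherwise.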
 
Old 06-16-2004, 04:10 AM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
If the ip address is yours, they are coming from an infected machine inside your network...

All the other details can be easily faked..
 
Old 06-16-2004, 01:08 PM   #3
massoo
LQ Newbie
 
Registered: Mar 2004
Posts: 12

Rep: Reputation: 0
Surely originating from you

hi,

if the other servers are saying the originating point is you, then it is definitely you.....

try installing MessageWall or amavisd with SpamAssassin with the help of this PDF from @ your server

www.spenneberg.com

and try to scan your PCs inside your LAN with the online virus scanners from Symantec or Trend Micro

Prashant
 
Old 06-16-2004, 04:40 PM   #4
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
As far as blocking them is concerned,
make an iptables rule that redirects all outgoing port 25 traffic off to your SMTP server to control the traffic.

eg.
iptables -t nat -I PREROUTING -i eth~ -p tcp --dport 25 -j REDIRECT
service iptables save

This will send it to 127.0.0.1 port 25 (your SMTP server should be listening on 127.0.0.1 (localhost)).
 
Old 06-16-2004, 07:58 PM   #5
paeng16
Member
 
Registered: May 2004
Posts: 47

Rep: Reputation: 15
HI,

I have also experienced the same thing! My IP was in DSBL.org because they say I was an open relay. I have Trend Micro scanning incoming and outgoing mails plus Norton 2004 on all workstations. But still some people complain that my server is sending SPAM. I made body checks in MailPost dropping emails with attachments ending in .com, .exe, .bat. But still some SPAM with an attachment ending in .com can pass through.

HELP! HELP! HELP!
 
Old 06-17-2004, 12:55 AM   #6
sanjibgupta
Member
 
Registered: Apr 2003
Location: Kolkata
Posts: 206

Original Poster
Rep: Reputation: 30
My machine does not relay any mails to outside, not even from the internal network. Is it still possible?
 
Old 06-17-2004, 03:00 AM   #7
dalek
Senior Member
 
Registered: Jul 2003
Location: Mississippi USA
Distribution: Gentoo
Posts: 2,058
Blog Entries: 2

Rep: Reputation: 65
I have read where people have had their e-mail addresses spoofed by spammers. I had someone that got one from me and I don't run windoze. Someone that has my e-mail address, and uses windoze, has been infected with a virus. That virus got my e-mail address from their address book and used it to send spam. It can happen and has absolutely nothing to do with you or really with the person that was infected. They don't know they are doing it either.

If your system is not infected, then it is likely coming from someone else using your address.

Hope that helps.

 
Old 06-17-2004, 11:20 AM   #8
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45
Quote:
If your system is not infected, then it is likely coming from someone else using your address.
No, if the person that is complaining is logging your IP address, then it is coming from you. IP addresses are not easily faked. There is something wrong. If a machine in your network has a virus then it will start sending out mails using your external address. You should maybe set your external router/firewall to log outgoing traffic on port 25. This may help catch the unwanted mail going out.


paeng16, maybe you should give us more info. Your mail config probably needs to be changed so your system will no longer act as an open relay. Have you checked into your access control file? The only people that should be able to relay are localhost and possibly your internal network.
 
Old 06-17-2004, 07:29 PM   #9
paeng16
Member
 
Registered: May 2004
Posts: 47

Rep: Reputation: 15
benjithegreat98

Below is my SETUP!


SENDING EMAIL
Client (W2K) >>> Server 1 (RH7.2, TrendMicro) >>> Server 2 (Fedora, MailPost) >>> Server 3 (Fedora, Squid) >>> INTERNET

RECEIVING EMAIL
INTERNET >>> Server 3 >>> Server 1 >>> Server 2 >>> Client

Specs..
Server 1
- RH7.2
- TrendMicro Anti-Virus w/ SPAM Guard
- Basic Firewall (IPTABLES)
- IBM X200 Series

SERVER 2
- FEDORA
- MailPost, LDAP, Postfix, SpamAssassin
- Firewall (IPTABLES)
- IBM X230 Series, hardware RAID 2 (mirror)

SERVER 3
- FEDORA
- Squid
- Fetchmail
- Firewall (IPTABLES)
- BASTILLE
- 2 NIC (eth0=DSL & eth1=SWITCH)
- CLONE PC (hehe!)


Hope to hear from you soon, and thank you for your kind actions.



 
Old 06-18-2004, 03:22 AM   #10
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
I don't think your problem is with your servers..

If a workstation sends mail, it will use your mail servers..

However if a virus sends mail, it will go directly to the internet..
This is why your IP address shows up, but with strange email addresses.
It is quite possible to fix a virus but leave a spam programme installed..

One protection is to force ALL port 25 traffic into your server 1
eg using an iptables DNAT rule on server 1
iptables -t nat -I PREROUTING -i eth~ -p tcp --dport 25 -j REDIRECT
This forces all client traffic to be checked..
change the eth~ number to match the internal interface.

As benjithegreat98 suggested, do some logging on Server 1 on port 25 to see what's happening
iptables -t nat -I PREROUTING -i eth~ -p tcp --dport 25 -j LOG --log-prefix "mail_out "
and look in /var/log/messages
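The LOG rule above writes one kernel line per new outbound SMTP connection into /var/log/messages (the nat PREROUTING chain only sees the first packet of a connection, so each line is one connection attempt). The following added example, which is not from the thread or any poster, shows how to read those lines back: it parses the KEY=VALUE fields the iptables LOG target emits, groups port-25 connections by internal source address, and lists the workstations that talked SMTP to anything other than the internal mail server, which is exactly the behaviour of a mass-mailing virus described in this post. The log lines, the "mail_out " prefix value, and the addresses (192.168.1.2 as the mail server) are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/messages lines in the format the iptables
# LOG target writes with --log-prefix "mail_out ". All addresses are made up:
# 192.168.1.2 stands for the internal mail server, anything outside
# 192.168.1.0/24 for hosts on the Internet. The last two lines are noise
# (a different LOG prefix, and a non-iptables message) that must be ignored.
SAMPLE_LOG = """\
Jun 18 09:01:12 server1 kernel: mail_out IN=eth1 OUT= SRC=192.168.1.20 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=1001 DF PROTO=TCP SPT=1025 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 18 09:01:40 server1 kernel: mail_out IN=eth1 OUT= SRC=192.168.1.33 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=2001 DF PROTO=TCP SPT=3301 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 18 09:01:41 server1 kernel: mail_out IN=eth1 OUT= SRC=192.168.1.33 DST=198.51.100.9 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=2002 DF PROTO=TCP SPT=3302 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 18 09:01:43 server1 kernel: mail_out IN=eth1 OUT= SRC=192.168.1.33 DST=192.0.2.77 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=2003 DF PROTO=TCP SPT=3303 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 18 09:02:05 server1 kernel: mail_out IN=eth1 OUT= SRC=192.168.1.20 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=1002 DF PROTO=TCP SPT=1026 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 18 09:02:30 server1 kernel: ssh_in IN=eth0 OUT= SRC=198.51.100.40 DST=203.0.113.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=777 DF PROTO=TCP SPT=45000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 18 09:03:00 server1 sshd[1234]: Accepted password for admin from 192.168.1.5 port 40000 ssh2
"""

# KEY=VALUE pairs as written by the LOG target; bare flags like DF and SYN
# have no "=" and are deliberately skipped.
FIELD_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<value>\S*)")


def parse_log_line(line, prefix):
    """Return the fields of an iptables LOG line carrying `prefix`, else None."""
    marker = "kernel: " + prefix
    pos = line.find(marker)
    if pos < 0:
        return None
    fields = dict(FIELD_RE.findall(line[pos + len(marker):]))
    return fields if "SRC" in fields and "DST" in fields else None


def smtp_destinations(lines, prefix):
    """Map each internal source address to the set of port-25 peers it contacted."""
    dests = defaultdict(set)
    for line in lines:
        fields = parse_log_line(line, prefix)
        if fields and fields.get("PROTO") == "TCP" and fields.get("DPT") == "25":
            dests[fields["SRC"]].add(fields["DST"])
    return dests


def connection_counts(lines, prefix):
    """Number of new SMTP connections per internal source address."""
    counts = defaultdict(int)
    for line in lines:
        fields = parse_log_line(line, prefix)
        if fields and fields.get("DPT") == "25":
            counts[fields["SRC"]] += 1
    return dict(counts)


def direct_senders(lines, prefix, mail_server):
    """Hosts that opened SMTP connections to anything other than our mail server.

    A normal client only ever talks to the internal relay; a host that
    connects to many different remote port 25s is delivering mail itself.
    """
    return sorted(
        src for src, dsts in smtp_destinations(lines, prefix).items()
        if dsts - {mail_server}
    )


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("connections per host:", connection_counts(lines, "mail_out "))
    print("hosts sending directly:", direct_senders(lines, "mail_out ", "192.168.1.2"))
```

Against the sample, 192.168.1.20 only ever reaches the mail server and is left alone, while 192.168.1.33 has opened SMTP connections to three different Internet hosts within a few seconds and is reported as the machine to inspect. Pointed at a real /var/log/messages, the prefix and mail-server arguments are the only things to change.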
 
Old 06-18-2004, 03:42 AM   #11
paeng16
Member
 
Registered: May 2004
Posts: 47

Rep: Reputation: 15
Quote:
Originally posted by peter_robb
I don't think your problem is with your servers..

However if a virus sends mail, it will go directly to the internet..
This is why your IP address shows up, but with strange email addresses.
It is quite possible to fix a virus but leave a spam programme installed..

this is something new to me!

You guys are the F'CKN MASTER! I will try this tonight and will get back to you guys!

MANY THANKS!

_______________________________________________---
man is our friend my friend!
 
  

