Hi everyone, first post here at LQ. Seems like a great community.
I'll get to the point: my sendmail server is getting used by spammers big time. I'm just not very experienced with sendmail, and I'm not sure where I'm lacking in my config. If I tail /var/log/maillog there is a TON of activity. Like, page-scrolling so fast you can't even read it activity. This server, mind you, is for a small ISP that services maybe 200 e-mail accounts.
My Setup: CentOS // MailScanner + dovecot + SpamAssassin + sendmail
What I'm doing:
- I'm using RBL checks with SpamAssassin
- iptables is only allowing internal network IP addresses on the INPUT chain (10.0.0.0/8), and a few public /32 IP addresses for out of state e-mail users.
- Requiring SMTP AUTH (PLAIN and LOGIN trusted mechs)
- Only allowing domains that I host to RELAY using the /etc/mail/access file.
- Using latest version of sendmail.
Even with all of the above, I am getting listed on blacklists left and right. Going through the maillog file, I can't tell WHO is sending. I'm guessing that it has to be an internal network user that has their username and password compromised to even be able to connect to my sendmail server since I'm using iptables with SMTP AUTH. Even with this, when I look at my netstat, I have a TON of outgoing SYN_SENT connections on port 25, like probably 100+ at any given moment.
There is a lot of activity going to .fr servers, .cn servers, .mx servers... you name it. I am in the US.
I've read pages like this one:
http://www.sendmail.com/sm/open_sour...anti_spam.html
about ten times, but still no luck. My only thought now is if I could find out WHO is connecting to my server and auth'ing with SMTP then I could look on their computer for some malicious spam software. Other than that, I suppose it's possible my sendmail server has been compromised and I have malicious spam software running on the server. Any thoughts, or where I should look to figure this out? I appreciate everyone's help big time! Thank you!!
gro0v
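The poster's core question is which authenticated account is behind the outbound flood. Sendmail logs every successful SMTP AUTH as an `AUTH=server, relay=..., authid=..., mech=...` line keyed by queue ID, and the matching `from=<...>` line for that queue ID carries `nrcpts=`. The script below (an added example, not code from the poster or from sendmail) joins those two lines per queue ID and counts authentications and recipients per `authid`, so a single compromised account stands out. The maillog lines are constructed samples in the format sendmail writes; the thresholds in `flag_accounts` are assumptions to tune per site, and on a real server the `relay=` field may read `host.example [10.1.2.34]` rather than just the bracketed IP, which the regex also accepts.

```python
import re
from collections import defaultdict

# Constructed sample maillog lines in sendmail's format (not from the poster's server).
# "alice" authenticates five times in ten seconds and one message has 50 recipients.
SAMPLE_MAILLOG = """\
Mar  3 09:12:01 mx sendmail[4101]: r23E1C01004101: AUTH=server, relay=[10.1.2.34], authid=alice, mech=PLAIN, bits=0
Mar  3 09:12:01 mx sendmail[4101]: r23E1C01004101: from=<alice@example.net>, size=1830, class=0, nrcpts=1, msgid=<1@example.net>, proto=ESMTP, daemon=MTA, relay=[10.1.2.34]
Mar  3 09:12:07 mx sendmail[4102]: r23E1C07004102: AUTH=server, relay=[10.1.2.34], authid=alice, mech=PLAIN, bits=0
Mar  3 09:12:09 mx sendmail[4103]: r23E1C09004103: AUTH=server, relay=[10.7.7.7], authid=bob, mech=LOGIN, bits=0
Mar  3 09:12:09 mx sendmail[4104]: r23E1C09004104: AUTH=server, relay=[10.1.2.34], authid=alice, mech=PLAIN, bits=0
Mar  3 09:12:10 mx sendmail[4105]: r23E1C0A004105: AUTH=server, relay=[10.1.2.34], authid=alice, mech=PLAIN, bits=0
Mar  3 09:12:10 mx sendmail[4105]: r23E1C0A004105: from=<alice@example.net>, size=20410, class=0, nrcpts=50, msgid=<2@example.net>, proto=ESMTP, daemon=MTA, relay=[10.1.2.34]
Mar  3 09:12:11 mx sendmail[4106]: r23E1C0B004106: AUTH=server, relay=[10.1.2.34], authid=alice, mech=PLAIN, bits=0
"""

# Successful SMTP AUTH: queue id, relay (IP or "host [IP]"), authid and mechanism.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r"AUTH=server, relay=(?P<relay>[^,]+), authid=(?P<authid>[^,]+), mech=(?P<mech>\w+)"
)
# Envelope line for the same queue id, from which we take the recipient count.
FROM_RE = re.compile(
    r"^\S+\s+\d+ \d\d:\d\d:\d\d \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r"from=<(?P<sender>[^>]*)>, .*nrcpts=(?P<nrcpts>\d+)"
)


def summarize_auth(lines):
    """Return {authid: {"auths": int, "relays": set, "rcpts": int}} for the given maillog lines."""
    qid_to_authid = {}
    summary = defaultdict(lambda: {"auths": 0, "relays": set(), "rcpts": 0})
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            info = summary[m["authid"]]
            info["auths"] += 1
            info["relays"].add(m["relay"].strip())
            qid_to_authid[m["qid"]] = m["authid"]
            continue
        m = FROM_RE.search(line)
        # Only count recipients for messages whose queue id we saw authenticate.
        if m and m["qid"] in qid_to_authid:
            summary[qid_to_authid[m["qid"]]]["rcpts"] += int(m["nrcpts"])
    return dict(summary)


def flag_accounts(summary, max_auths=3, max_rcpts=40):
    """Return authids whose volume exceeds either threshold (assumed values; tune per site)."""
    return sorted(a for a, i in summary.items() if i["auths"] > max_auths or i["rcpts"] > max_rcpts)


if __name__ == "__main__":
    summary = summarize_auth(SAMPLE_MAILLOG.splitlines())
    for authid, info in sorted(summary.items(), key=lambda kv: -kv[1]["auths"]):
        print(f"{authid:10} auths={info['auths']:4} rcpts={info['rcpts']:5} relays={sorted(info['relays'])}")
    print("suspicious:", flag_accounts(summary))
```

Run it against the real file with `summarize_auth(open("/var/log/maillog"))` and look at the top of the list; the `relays` set for the flagged account tells you which internal host (or which out-of-state /32) the credentials are being used from, which is the machine to inspect, and resetting that account's password stops the relaying without touching the sendmail config.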