LinuxQuestions.org
Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
Old 11-26-2013, 09:36 PM   #1
gro0v
LQ Newbie
 
Registered: Nov 2013
Posts: 2

Exclamation Sendmail admins.. help! My sendmail server is getting pwnd


Hi everyone, first post here at LQ. Seems like a great community.

I'll get to the point: my sendmail server is getting used by spammers big time. I'm just not very experienced with sendmail, and I'm not sure where I'm lacking in my config. If I tail /var/log/maillog there is a TON of activity. Like, page-scrolling so fast you can't even read it activity. This server, mind you, is for a small ISP that services maybe 200 e-mail accounts.

My Setup: CentOS // MailScanner + dovecot + SpamAssassin + sendmail

What I'm doing:
-I'm using RBL checks with SpamAssassin
-iptables is only allowing internal network IP addresses on the INPUT chain (10.0.0.0/8), and a few public /32 IP addresses for out of state e-mail users.
-Requiring SMTP AUTH (PLAIN and LOGIN trusted mechs)
-Only allowing domains that I host to RELAY using the /etc/mail/access file.
-Using latest version of sendmail.


Even with all of the above, I am getting listed on blacklists left and right. Going through the maillog file, I can't tell WHO is sending. I'm guessing that it has to be an internal network user that has their username and password compromised to even be able to connect to my sendmail server since I'm using iptables with SMTP AUTH. Even with this, when I look at my netstat, I have a TON of outgoing SYN_SENT connections on port 25, like probably 100+ at any given moment.

There is a lot of activity going to .fr servers, .cn servers, .mx servers.. you name it. I am in the US.

I've read pages like this one:

http://www.sendmail.com/sm/open_sour...anti_spam.html

about ten times, but still no luck. My only thought now is if I could find out WHO is connecting to my server and auth'ing with SMTP then I could look on their computer for some malicious spam software. Other than that, I suppose it's possible my sendmail server has been compromised and I have malicious spam software running on the server. Any thoughts, or where I should look to figure this out? I appreciate everyone's help big time! Thank you!!


gro0v
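The check the question asks for (who is authenticating and how much each account is submitting) can be read straight out of /var/log/maillog, because sendmail logs a successful SMTP AUTH as an "AUTH=server, ... authid=..." line and then the "from=<...>, ... nrcpts=N" line of the same queue ID. The script below is an added example for this thread, not code from the original post: it correlates those two lines per queue ID and tallies messages, recipients and client IPs per authid. The log lines, host name, queue IDs and user names in it are constructed samples.

```python
"""Who is authenticating to sendmail, and how much is each account submitting?

Added example for this thread (not code from the original post). Assumes the stock
sendmail syslog format: every message is keyed by a queue ID, and an authenticated
session logs "AUTH=server, relay=..., authid=..., mech=..." before the
"from=<...>, ..., nrcpts=N" line for the same queue ID. The sample log lines are
constructed; host name, queue IDs, users and addresses are hypothetical.
"""
import re
from collections import defaultdict

# Constructed sample maillog excerpt (hypothetical host "mx", users "boss" and "alice").
SAMPLE_MAILLOG = """\
Nov 27 09:00:01 mx sendmail[2101]: rAREx01a002101: AUTH=server, relay=[10.0.3.17], authid=boss, mech=LOGIN, bits=0
Nov 27 09:00:01 mx sendmail[2101]: rAREx01a002101: from=<boss@example.net>, size=2310, class=0, nrcpts=48, msgid=<a1@example.net>, proto=ESMTP, daemon=MTA, relay=[10.0.3.17]
Nov 27 09:00:02 mx sendmail[2105]: rAREx01a002101: to=<victim1@example.fr>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=120000, relay=mx.example.fr. [192.0.2.10], dsn=2.0.0, stat=Sent (OK)
Nov 27 09:00:03 mx sendmail[2110]: rAREx03b002110: AUTH=server, relay=[10.0.3.17], authid=boss, mech=LOGIN, bits=0
Nov 27 09:00:03 mx sendmail[2110]: rAREx03b002110: from=<boss@example.net>, size=2290, class=0, nrcpts=50, msgid=<a2@example.net>, proto=ESMTP, daemon=MTA, relay=[10.0.3.17]
Nov 27 09:00:05 mx sendmail[2120]: rAREx05c002120: AUTH=server, relay=[10.0.7.4], authid=alice, mech=PLAIN, bits=0
Nov 27 09:00:05 mx sendmail[2120]: rAREx05c002120: from=<alice@example.net>, size=1200, class=0, nrcpts=1, msgid=<b1@example.net>, proto=ESMTP, daemon=MTA, relay=[10.0.7.4]
Nov 27 09:00:09 mx sendmail[2130]: rAREx09d002130: from=<>, size=0, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[198.51.100.9]
"""

# Queue ID plus everything after "sendmail[pid]: QID: "
LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$")
# Successful SMTP AUTH for the session that submits this queue ID
AUTH_RE = re.compile(r"^AUTH=server, relay=(?P<relay>[^,]+), authid=(?P<authid>[^,]+), mech=(?P<mech>[^,]+)")
# Envelope sender and recipient count of the submitted message
FROM_RE = re.compile(r"^from=<(?P<sender>[^>]*)>,.*\bnrcpts=(?P<nrcpts>\d+)")


def summarize(log_text):
    """Return (per-authid stats, number of submissions with no SMTP AUTH)."""
    auth_by_qid = {}  # queue ID -> (authid, relay) seen on the AUTH=server line
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0,
                                 "relays": set(), "senders": set()})
    unauthenticated = 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        a = AUTH_RE.match(rest)
        if a:
            auth_by_qid[qid] = (a.group("authid"), a.group("relay"))
            continue
        f = FROM_RE.match(rest)
        if not f:
            continue  # to=/stat= delivery lines are not needed for this tally
        if qid not in auth_by_qid:
            unauthenticated += 1  # inbound mail, or a local submission without AUTH
            continue
        authid, relay = auth_by_qid.pop(qid)
        entry = stats[authid]
        entry["messages"] += 1
        entry["recipients"] += int(f.group("nrcpts"))
        entry["relays"].add(relay)
        entry["senders"].add(f.group("sender"))
    return stats, unauthenticated


def top_senders(stats, limit=10):
    """(authid, recipients, messages) tuples, busiest account first."""
    rows = ((a, s["recipients"], s["messages"]) for a, s in stats.items())
    return sorted(rows, key=lambda t: t[1], reverse=True)[:limit]


def suspicious(stats, max_recipients=100):
    """authids whose recipient total over the log window exceeds the threshold."""
    return sorted(a for a, s in stats.items() if s["recipients"] > max_recipients)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAILLOG
    st, unauth = summarize(text)
    for authid, rcpts, msgs in top_senders(st):
        relays = ",".join(sorted(st[authid]["relays"]))
        print(f"{authid:<16} msgs={msgs:<6} rcpts={rcpts:<7} relays={relays}")
    print(f"unauthenticated submissions: {unauth}")
```

Run it against the real file (python3 script.py /var/log/maillog) and the compromised account stands out by recipient count; the relay column tells you which internal IP the credentials are being used from, which is the machine to look at next. On the sample it reports boss with 98 recipients across 2 messages from 10.0.3.17, alice with 1, and one unauthenticated submission.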
 
Old 11-27-2013, 01:47 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Stop your mail server and configure your web server to use another docroot only containing a static HTML page for maintenance. Then check what software you use for your website and if it and any of its themes, plugins or any other 3rd party add-ons are all up to date. Also check your original docroot, /tmp and /home for any anomalous or changed files (LMD, short for Linux Malware Detect, would be a good choice) and check your web server's log files and login records for clues. If unsure, post as much info as possible.
 
Old 11-27-2013, 09:19 AM   #3
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Welcome to LQ too, btw, it is a Great Community, as you shall see.

It's possible too that one of your "out of state e-mail users'" credentials have been stolen.
Accessing email over "free" WiFi is my first guess.

Which RBLs are you using?
Some are notoriously unforgiving.

in docroot as maintenance.html
Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
	<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=iso-8859-1">
	<TITLE></TITLE>
	<META NAME="CREATED" CONTENT="20131031;14445300">
	<META NAME="CHANGED" CONTENT="20131031;14461100">
	<STYLE TYPE="text/css">
	<!--
		@page { margin: 0.79in }
		P { margin-bottom: 0.08in }
		A:link { so-language: zxx }
	-->
	</STYLE>
</HEAD>
<BODY LANG="en-US" DIR="LTR">
<P STYLE="margin-bottom: 0in">Our site is down for routine security and maintenance.</P>
<P STYLE="margin-bottom: 0in">Please come back later, or contact us at info@yourdomain.com</P>
<P STYLE="margin-bottom: 0in"><BR>
</P>
<P STYLE="margin-bottom: 0in">Thank you,</P>
</BODY>
</HTML>
in docroot as .htaccess:
Code:
# Maintenance Mode #

<IfModule mod_rewrite.c>
RewriteEngine On
# Match the client IP on REMOTE_ADDR; REMOTE_HOST only holds the IP when
# HostnameLookups is off. Dots are escaped so they match literally.
RewriteCond %{REMOTE_ADDR} !^ipa\.dre\.ss\.abc$
RewriteCond %{REMOTE_ADDR} !^ipa\.dre\.ss\.xyz$
RewriteCond %{HTTP_HOST} ^domain\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.domain\.com$
# Don't redirect the maintenance page to itself
RewriteCond %{REQUEST_URI} !=/maintenance.html
RewriteRule ^ /maintenance.html [L,R=302]
</IfModule>
ipa\.dre\.ss\.abc and
ipa\.dre\.ss\.xyz would be allowed IPs to visit the site and NOT receive the maintenance.html page.

Hope that helps.

Subscribed with interest...
 
Old 11-27-2013, 10:48 AM   #4
YankeePride13
Member
 
Registered: Aug 2012
Distribution: Ubuntu 10.04, CentOS 6.3, Windows 7
Posts: 262

I would also check to see if you're susceptible to backscatter. This will land you on all of the blacklists.
 
Old 11-27-2013, 04:59 PM   #5
gro0v
LQ Newbie
 
Registered: Nov 2013
Posts: 2

Original Poster
unSpawn: thanks for your help, that's some great advice as far as the security battle goes. That would have been/will be my next thing to do.

However, I think I may have solved most of my issues with some sendmail software (sendmail analyzer) that was telling me who was sending to what. My boss's email (surprise) was obviously compromised, with about 50k e-mails attempting to go out every day, along with a few other users. I just shut their e-mail off with a REJECT line for the usernames in the /etc/mail/access file. That, along with clearing my current mail queue (didn't think of that) dropped my mail server down to about 50 e-mails per hour. MAJOR progress considering I was at about 500+ per hour. If I continue to suspect my local system is compromised, I will follow your recommendations. It makes me laugh you just assumed, correctly, that my sendmail server is also a web server. In fact, it's MAINLY a web server, as we serve quite a few pages.

Habitual: I will definitely be doing this if I have continued issues, thanks for your help.

YankeePride13: I will also look into this, thanks for your help.

You've proven to be quite an excellent community here. I will help as many people as I can, as I'm sure I will be using the forums again to ask a question here and there.

Thanks again!!
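The two clean-up steps in the post above (stop the compromised account's mail, then clear what it has already queued) are what the script below does for the queue half; it is an added example for this thread, not code from the original post or from the sendmail project. It assumes the standard sendmail spool layout: each queued message has a control file qfID whose "S<address>" line holds the envelope sender, a data file dfID, and sometimes a transcript xfID. The spool it operates on by default is a constructed one in a temporary directory; queue IDs and addresses are hypothetical.

```python
"""Drop a compromised sender's queued mail from the sendmail spool.

Added example for this thread (not code from the original post). Assumes the
standard sendmail queue layout: qfID control file with an "S<sender>" line, dfID
data file, optional xfID transcript. build_sample_spool() writes a constructed
spool into a temporary directory; queue IDs and addresses are hypothetical.
"""
import os
import tempfile


def sender_of_qf(path):
    """Envelope sender recorded in a qf control file, lower-cased, or None."""
    with open(path, encoding="latin-1") as fh:
        for line in fh:
            if line.startswith("S"):  # only the sender record starts with "S"
                return line[1:].strip().strip("<>").lower()
    return None


def purge_sender(spool_dir, blocked_senders, dry_run=False):
    """Remove every queued message whose envelope sender is in blocked_senders.

    Returns the queue IDs matched. With dry_run=True nothing is deleted.
    Stop the sendmail daemon (or at least its queue runner) before running this
    for real, so a delivery attempt cannot race against the unlink.
    """
    blocked = {s.lower() for s in blocked_senders}
    matched = []
    for name in sorted(os.listdir(spool_dir)):
        if not name.startswith("qf"):
            continue
        qid = name[2:]
        if sender_of_qf(os.path.join(spool_dir, name)) not in blocked:
            continue
        matched.append(qid)
        if dry_run:
            continue
        for prefix in ("qf", "df", "xf"):  # control, data, transcript
            path = os.path.join(spool_dir, prefix + qid)
            if os.path.exists(path):
                os.remove(path)
    return matched


def spool_files(spool_dir):
    """Sorted file names in the spool (for checking what is left)."""
    return sorted(os.listdir(spool_dir))


def queued_ids(spool_dir):
    """Queue IDs that still have a control file."""
    return sorted(n[2:] for n in os.listdir(spool_dir) if n.startswith("qf"))


def build_sample_spool():
    """Constructed spool: two messages from the compromised account, one legitimate.

    The qf contents are a minimal stand-in for the real record layout; only the
    "S<sender>" line matters to purge_sender().
    """
    spool = tempfile.mkdtemp(prefix="mqueue-sample-")
    messages = {
        "rARF0001a001": "boss@example.net",
        "rARF0002b002": "boss@example.net",
        "rARF0003c003": "alice@example.net",
    }
    for qid, sender in messages.items():
        with open(os.path.join(spool, "qf" + qid), "w") as fh:
            fh.write(f"V8\nT1385542800\nK0\nN0\nP30000\nS<{sender}>\n"
                     f"R<victim@example.fr>\nH??Subject: hello\n.\n")
        with open(os.path.join(spool, "df" + qid), "w") as fh:
            fh.write("constructed message body\n")
    return spool


if __name__ == "__main__":
    spool = build_sample_spool()  # use "/var/spool/mqueue" on a real, stopped server
    print("would remove:", purge_sender(spool, {"boss@example.net"}, dry_run=True))
    print("removed:     ", purge_sender(spool, {"boss@example.net"}))
    print("still queued:", queued_ids(spool))
```

Run it with dry_run first and compare the list against mailq before deleting anything. This only empties the backlog; the account itself is stopped by the access-file REJECT the post describes (after editing /etc/mail/access, rebuild the map with makemap hash /etc/mail/access < /etc/mail/access) and, more importantly, by changing the stolen password, since the REJECT blocks the sender address but not the credentials.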
 
Old 11-27-2013, 05:54 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
You're welcome and thanks for posting your detailed feedback.