LinuxQuestions.org
Old 11-15-2010, 09:54 AM   #1
rexjenny
LQ Newbie
 
Registered: Apr 2006
Posts: 18

Rep: Reputation: 0
Sendmail Compromised?


Thanks in advance for the help. We have a "sendmail" mailserver in our organization which is accepting mails from senders who are blacklisted in the "access" file. For testing I blacklisted my gmail address and it works as it should. Added "spamhaus", "spamcop", "sorbs" RBLs but with no effect. This is a huge problem as our server is relaying spam mails from the above said blacklisted senders. Can somebody please point out why this is happening? Is sendmail compromised? Will a complete removal and reinstallation of sendmail solve the problem? Please help us out.
 
Old 11-15-2010, 12:26 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by rexjenny View Post
Will a complete removal and reinstallation of sendmail solve the problem?
That's Wintendo behaviour. Reinstalling isn't efficient and doesn't teach you anything.


Quote:
Originally Posted by rexjenny View Post
For testing I blacklisted my gmail address and it works as it should be.
Show us the relevant configs ('cat config|grep -v ^#|grep .;') and the relevant part of the log(s)?
 
Old 11-15-2010, 08:56 PM   #3
rexjenny
LQ Newbie
 
Registered: Apr 2006
Posts: 18

Original Poster
Rep: Reputation: 0
Thanks for your help.

# cat /etc/mail/access

From:no-reply@rolex.com REJECT
FromSN@localhost REJECT
From:myemail@gmail.com REJECT

In the above entries the first two addresses are able to send mail through our server despite being blacklisted. I added myemail@gmail.com for testing and it is getting blocked.

# tail /var/log/maillog

/var/log/maillog-20101114:Nov 12 13:03:59 mail sendmail[30967]: oAC7Xrim030967: ruleset=check_mail, arg1=<myemail@gmail.com>, relay=mail-yw0-f54.google.com [209.85.213.54], reject=550 5.7.1 <myemail@gmail.com>... Access denied

I am not that familiar with sendmail and have just been roped into solving this problem because the guy in charge is away for the holidays.

# mailq | wc -l

346

Out of these 346 messages none does not originate from our domain. And 5 days ago we had around 45000 messages!! in the mail queue.

Mails similar to one below are plaguing our mail server.

oAEFJaM7030453 2660 Sun Nov 14 20:49 <mrs.daisy00@ymail.com>
(reply: read error from gmailyahoo.com.)
<chrsitan@gmailyahoo.com>
<rossalmanzar@gmeil.com>
<frqtpie@gmial.com>
<ekrebs1@gmial.com>
<derosilamcost@gmial.com>
<cferrantello@gmial.com>
<boykin.regina7@gmial.com>
<gmanuel@gmconsulting.net>
<reshannn@gmaul.com>
<racollins1950@gmaul.com>
<mostisangie@gmaul.com>
<mmjacobs1975@gmaul.com>
<kfc100@gmaul.com>
<johnzulu@gmaul.com>
<anormanrsc@gmaul.com>
<sandralvarez67@phx1-ss-2-lb.cnet.com>
<lordsurvey@phx1-ss-2-lb.cnet.com>

Last edited by rexjenny; 11-15-2010 at 08:59 PM.
 
Old 11-16-2010, 05:22 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by rexjenny View Post
Out of this 346 messages none does not originate from our domain.
Maybe you mean "not one originates from our domain"? If you want to investigate an email in the queue you can open up one /var/spool/mqueue/qf* message control file and its companion /var/spool/mqueue/df* message body in your text editor (or use 'less'). If you want to postpone looking at it you could copy the queue, clean it out and restart Sendmail with: 'cp --preserve=all -r /var/spool/mqueue /var/spool/mqueue.old && rm -f /var/spool/mqueue/{d,q}f*; /etc/init.d/sendmail restart'. Else, if you have found these are deferred emails based on non-existent sender and recipient addresses ("gmailyahoo", "gmeil", "gmial" and "gmaul" are all malformed domain names looking like "gmail"), here are some Perl scripts for deleting deferred email.


Quote:
Originally Posted by rexjenny View Post
/var/log/maillog-20101114:Nov 12 13:03:59 mail sendmail[30967]: oAC7Xrim030967: ruleset=check_mail, arg1=<myemail@gmail.com>, relay=mail-yw0-f54.google.com [209.85.213.54], reject=550 5.7.1 <myemail@gmail.com>... Access denied
...which is good. A result of "reject=550 5.7.1" means "relaying denied". Sendmail denies relaying by default.


Quote:
Originally Posted by rexjenny View Post
In the above entries the first two addresses are able to send mail through our server despite being blacklisted. I added myemail@gmail.com for testing and it is getting blocked.
- Please see Anti-Spam Configuration Control because your /etc/mail/access seems not well-formatted. It also explains which other /etc/mail/sendmail.mc features you should check.
- Did you rebuild the /etc/mail/*.db databases after modifying them?
- Does your mail server require users to authenticate themselves before being able to send email?
- Can you attach as plain text or post in BB code tags the outcome from running 'grep -v ^'dnl.*#' /etc/mail/sendmail.mc'?
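The qf* control-file inspection unSpawn describes, as an added example that is not part of this thread: a small Python script that pulls the envelope sender, the SMTP AUTH user (the `${auth_authen}` macro line, which is assumed to be recorded in the qf file when the client authenticated), the connecting relay and the recipients out of each control file and tallies them, so a single hijacked account or a flood of look-alike recipient domains stands out. The sample qf content and every address in it are constructed; the field layout follows sendmail's qf format (one-letter record prefixes, `$` macro lines, `.` terminator).

```python
import glob
from collections import Counter

# Constructed sample qf control file (sendmail queue format; addresses made up).
SAMPLE_QF = """V8
T1289778540
N3
Mreply: read error from gmailyahoo.com.
${auth_authen}jdoe
$_[192.0.2.10]
S<mrs.daisy00@ymail.com>
RPFD:<chrsitan@gmailyahoo.com>
RPFD:<rossalmanzar@gmeil.com>
RPFD:<frqtpie@gmial.com>
.
"""

def parse_qf(text):
    """Extract the triage fields from one qf control file."""
    entry = {"sender": None, "auth_user": None, "relay": None,
             "tries": 0, "status": None, "recipients": []}
    for line in text.splitlines():
        if line.startswith("S"):                 # envelope sender
            entry["sender"] = line[1:].strip("<>")
        elif line.startswith("R"):               # recipient, e.g. RPFD:<addr>
            addr = line.split(":", 1)[1] if ":" in line else line[1:]
            entry["recipients"].append(addr.strip("<>"))
        elif line.startswith("${auth_authen}"):  # SMTP AUTH user, if any
            entry["auth_user"] = line[len("${auth_authen}"):]
        elif line.startswith("$_"):              # validated client host/IP
            entry["relay"] = line[2:]
        elif line.startswith("N"):               # delivery attempts so far
            entry["tries"] = int(line[1:])
        elif line.startswith("M"):               # last deferral/error message
            entry["status"] = line[1:]
    return entry

def summarize(entries):
    # Tally per envelope sender, per authenticated user and per recipient domain.
    by_sender = Counter(e["sender"] for e in entries)
    by_auth = Counter(e["auth_user"] or "(unauthenticated)" for e in entries)
    by_domain = Counter(r.rsplit("@", 1)[-1].lower()
                        for e in entries for r in e["recipients"])
    return by_sender, by_auth, by_domain

def scan_queue(directory="/var/spool/mqueue"):
    # Parse every qf* file in a live queue directory (needs read access to it).
    return [parse_qf(open(p, errors="replace").read())
            for p in glob.glob(directory + "/qf*")]
```

Run `summarize(scan_queue())` as root on the mail server and look at `by_auth`: one account behind hundreds of queued messages is the compromised login, while a large `(unauthenticated)` count points at an open-relay or access-db problem instead.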
 
Old 11-16-2010, 09:57 AM   #5
rexjenny
LQ Newbie
 
Registered: Apr 2006
Posts: 18

Original Poster
Rep: Reputation: 0
unSpawn, thank you very much. Like you said, I analyzed one of the message control qf* files and found the spam messages are originating from one of the email ids in our email domain. It seems his mail account password has been compromised.

Last edited by rexjenny; 11-16-2010 at 09:04 PM.
 
Old 11-16-2010, 01:41 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Good you investigated things and found out.

Last edited by unSpawn; 11-18-2010 at 05:41 AM.