LinuxQuestions.org

teejaytimms 10-28-2006 10:15 AM

Stupid, stupid spoofing
 
*New to Linux*

My company is a victim of spoofing. When I checked the sendmail.mc file, there were no actual options in it... just a bunch of lines saying "You are blacklisted because you are a damn spammer" `dnsl' ...was this caused by the spoofer?

Also, I ran netstat -pantu to see all the ports open and I can see ports that the spammers are connected to. For example, on my sendmail port (25) it says 31397/sendmail: k9s

I tried closing all the ports that the spammers were connected to, but every time I close the ports... they just connect to others. I have no idea how to stop this. Is there any way I could block outgoing mail from a user that starts with k9?

Sorry for not being clear. That's the best I can explain.

osor 10-28-2006 12:07 PM

You should not let your server be an open relay.

Also, you might want to use SPF to reduce spoofing.

teejaytimms 10-29-2006 01:17 PM

OK, but how do I make it to where it won't be an open relay?

osor 10-29-2006 09:04 PM

Here are some links you might find helpful:

http://en.wikipedia.org/wiki/Open_ma...st_open_relays
http://en.wikipedia.org/wiki/SMTP-AUTH
http://en.wikipedia.org/wiki/Extended_SMTP
http://en.wikipedia.org/wiki/Sender_Policy_Framework
http://en.wikipedia.org/wiki/DNSBL
http://www.mail-abuse.com/an_sec3rdparty.html
http://www.sendmail.org/~ca/email/auth.html
http://www.jonfullmer.com/smtpauth

osor 10-29-2006 09:15 PM

Quote:

Originally Posted by teejaytimms
Also, I ran netstat -pantu to see all the ports open and I can see ports that the spammers are connected to. For example, on my sendmail port (25) it says 31397/sendmail: k9s

I tried closing all the ports that the spammers were connected to, but every time I close the ports... they just connect to others. I have no idea how to stop this. Is there any way I could block outgoing mail from a user that starts with k9?

One point of contention here: they are connecting to the same port (25). The ports that change are those from which they are connecting. It is useless to try to block connections from user-level ports (i.e., > 1024) since any user might happen to connect from it. Blocking the port they are connecting to doesn't make sense, since your actual users will require it.


Aside: One of the problems with plain old SMTP auth is that it basically authorizes anyone in the system to spoof from your domain. This is not a problem if you have only a few trustworthy users, but becomes a problem if you serve a lot (e.g., after learning only one user's username/password combination, I could spoof emails that seem to originate from any of your users). Of course there are ways around this, but the protocol alone is insecure (and inconsistent).
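To make osor's point about ports concrete, here is an added Python script (not from the thread or from any poster) that parses constructed `netstat -pantu` output modelled on the "31397/sendmail: k9s" line above. Every spammer connection has local port 25; only the foreign (client) port differs, and it is always an unprivileged port any client may pick. The addresses, PIDs and program names in the sample are constructed for the illustration.

```python
"""Parse `netstat -pantu` style output and show why blocking the spammers'
source ports cannot work: the local port is always 25, the foreign port is an
ephemeral port that changes per connection."""
import re
from collections import defaultdict

# Constructed sample in `netstat -pantu` layout (documentation IP ranges;
# PIDs and "sendmail: k9s" style process names mirror the thread's example).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1234/sendmail: acce
tcp        0      0 192.0.2.10:25           203.0.113.7:49152       ESTABLISHED 31397/sendmail: k9s
tcp        0      0 192.0.2.10:25           203.0.113.7:49161       ESTABLISHED 31402/sendmail: k9s
tcp        0      0 192.0.2.10:25           203.0.113.7:51870       ESTABLISHED 31410/sendmail: k9s
tcp        0      0 192.0.2.10:25           198.51.100.22:33004     ESTABLISHED 31415/sendmail: j7q
tcp        0      0 192.0.2.10:22           198.51.100.5:60110      ESTABLISHED 900/sshd: admin
"""

# One TCP line: proto, queues, local addr:port, foreign addr:port, state, program.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+|\*)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)\s+"
    r"(?P<state>\S+)\s*(?P<prog>.*)$"
)


def parse_netstat(text):
    """Return one dict per established connection; header and LISTEN sockets are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or something we do not understand
        rec = m.groupdict()
        if rec["rport"] == "*":
            continue  # a listening socket, not a connection
        rec["lport"] = int(rec["lport"])
        rec["rport"] = int(rec["rport"])
        conns.append(rec)
    return conns


def smtp_clients(conns, smtp_port=25):
    """Group inbound SMTP connections by foreign address -> sorted foreign ports."""
    by_client = defaultdict(list)
    for c in conns:
        if c["lport"] == smtp_port:
            by_client[c["raddr"]].append(c["rport"])
    return {addr: sorted(ports) for addr, ports in by_client.items()}


def all_unprivileged(ports):
    """True when every port is above 1024: the range any client process can
    connect from, so a rule keyed on these numbers blocks nothing useful."""
    return all(p > 1024 for p in ports)


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for addr, ports in smtp_clients(conns).items():
        print(f"{addr}: {len(ports)} connection(s) to local port 25, "
              f"foreign ports {ports}, all unprivileged: {all_unprivileged(ports)}")
```

Grouping by foreign address is the only thing a firewall rule could sensibly key on here, and even that is a stopgap: the connections keep coming because the server relays for them, which is what the open-relay fix addresses.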

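Putting osor's two points together (no open relay, and SMTP AUTH alone lets one stolen login spoof any user), here is an added Python model of an MTA's relay decision. It is illustration code, not sendmail's implementation and not any configuration from the thread: the domains, trusted network, logins and SPF record are all constructed. It accepts mail for relay only from trusted networks or authenticated logins, ties each login to the envelope senders it may use, and applies a minimal SPF check (ip4, ip6 and all mechanisms only) to inbound mail that claims one of the local domains.

```python
"""Toy MTA policy: closed relay, login-to-sender binding, and a minimal SPF
check for mail claiming to be from our own domain. All data is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

LOCAL_DOMAINS = {"example.com"}                          # we are final destination for these
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]    # constructed: the office LAN
# Constructed: which envelope senders each SMTP AUTH login may use.
AUTH_SENDERS = {
    "alice": {"alice@example.com", "sales@example.com"},
    "bob": {"bob@example.com"},
}
# Constructed DNS TXT record, as a domain owner would publish it for SPF.
SPF_RECORDS = {"example.com": "v=spf1 ip4:192.0.2.0/24 -all"}


@dataclass
class Envelope:
    client_ip: str
    mail_from: str
    rcpt_to: str
    auth_user: Optional[str] = None   # set only after a successful SMTP AUTH


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def spf_result(domain: str, client_ip: str) -> str:
    """Evaluate ip4/ip6/all mechanisms of a v=spf1 record (no include, a, mx or
    redirect). Returns pass, fail, softfail, neutral, or none if no record."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        if term == "all":
            return qualifiers[qual]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            if ip in net:
                return qualifiers[qual]
    return "neutral"   # no mechanism matched and no 'all' term


def relay_decision(env: Envelope) -> Tuple[bool, str]:
    """Return (accepted, reason) for one MAIL FROM / RCPT TO pair."""
    ip = ipaddress.ip_address(env.client_ip)
    sender = env.mail_from.lower()

    # 1. Authenticated clients may relay, but only as senders bound to that login.
    if env.auth_user is not None:
        if sender in AUTH_SENDERS.get(env.auth_user, set()):
            return True, f"authenticated as {env.auth_user}"
        return False, f"sender {sender} not permitted for login {env.auth_user}"

    # 2. Machines on our own network may relay without AUTH.
    if any(ip in net for net in TRUSTED_NETS):
        return True, "trusted network"

    # 3. Inbound mail for our domains is accepted, unless it claims to be from
    #    one of our domains and the sending host fails that domain's SPF.
    if domain_of(env.rcpt_to) in LOCAL_DOMAINS:
        if domain_of(sender) in LOCAL_DOMAINS:
            result = spf_result(domain_of(sender), env.client_ip)
            if result == "fail":
                return False, f"SPF fail for {domain_of(sender)} from {env.client_ip}"
        return True, "local delivery"

    # 4. Anything else is a relay attempt from an untrusted, unauthenticated host.
    return False, "relaying denied"


if __name__ == "__main__":
    for env in (
        Envelope("203.0.113.7", "alice@example.com", "victim@example.net"),
        Envelope("203.0.113.7", "alice@example.com", "victim@example.net", auth_user="bob"),
        Envelope("203.0.113.7", "alice@example.com", "bob@example.com"),
    ):
        print(env.client_ip, env.mail_from, "->", env.rcpt_to, relay_decision(env))
```

The first sample envelope is the open-relay case from the thread and is refused; the second shows the aside's fix in action, a valid login for bob that still may not send as alice; the third is outside mail claiming the local domain, which the published SPF record marks as a fail.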
osor 10-29-2006 09:22 PM

Another point: after you get this set up, you're only halfway done... You need to go to the various popular blacklists, and get your name off their list (usually by some process that ends up in your clicking a button that says "Check if domain is still an open relay" or something).

teejaytimms 10-30-2006 10:25 AM

So, changing the passwords for all my users (I don't have THAT many). Would that help something? I know that when I came to this company, the passwords were rather simple. Thanks for your patience with me. I am a makeshift network admin and you guys are helping me take up a lot of slack.
