LinuxQuestions.org
Old 09-06-2002, 08:25 PM   #1
nabil
Member
 
Registered: Feb 2001
Location: MI, USA
Distribution: Debian Linux 100% GNU
Posts: 210

Rep: Reputation: 31
how to stop spam:sendmail


Spammers are killing me ...How in the world do I stop spammers from using my mail server to send out their mailers ???

I am using whatever sendmail version that came with RedHat 7.3

I gave up .. Please help ...


Thanks for any at all ...
 
Old 09-06-2002, 09:47 PM   #2
pangfai
LQ Newbie
 
Registered: Jun 2002
Posts: 16

Rep: Reputation: 0
There are too many ways to stop spam. But if you are new to Sendmail, the steps below may be the simplest method :

1. cd /etc/mail
2. create or edit a file called 'access'
3. in the 'access' file, add one or all of the following lines depending on your situation and change the word spammer / spam to your target:
spammer@spam.com REJECT
spam.com REJECT
spammer@ REJECT
4. in /etc/mail directory, run the following command:
makemap hash access.db < access
5. restart sendmail (or simply reboot the server)

Frankly, this is not a long-term solution as you have to add spammer records as you discover them. Usually, we set Sendmail to relay only mail from a particular domain name, but the setting is too complicated though it is a one-off task.

Buy a Sendmail book and study it. Good luck.
 
Old 09-06-2002, 11:26 PM   #3
pbharris
Member
 
Registered: Apr 2001
Location: chicago, IL
Distribution: debian, redhat
Posts: 280

Rep: Reputation: 30

http://www.linuxquestion.org/questio...threadid=29786
also on the server issue - see the howto with SpamAssassin
http://www.peregrinehw.com/downloads/
 
Old 09-07-2002, 01:54 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
also make sure you are only accepting resolvable domains in sendmail, and ensure you only accept mail for you personally.
 
Old 09-10-2002, 04:53 PM   #5
nabil
Member
 
Registered: Feb 2001
Location: MI, USA
Distribution: Debian Linux 100% GNU
Posts: 210

Original Poster
Rep: Reputation: 31
Thank you all for replying,
I have had the access file already set up from before... The current problem I am having is that my IP keeps getting hit over and over... Although all mail messages are being rejected with Access denied messages, I am losing all my bandwidth dealing with it...

Here is some of the logs from sendmail:
Quote:
Sep 9 17:43:52 viper sendmail[18566]: g89LegC18566: ruleset=check_rcpt, arg1=<hirken@hotmail.com>, relay=[66.207.208.23], reject=550 5.7.1 <hirken@hotmail.com>... Relaying denied. IP name lookup failed [66.207.208.23]
Sep 9 17:43:52 viper sendmail[18566]: g89LegC18566: ruleset=check_rcpt, arg1=<hirkiz@hotmail.com>, relay=[66.207.208.23], reject=550 5.7.1 <hirkiz@hotmail.com>... Relaying denied. IP name lookup failed [66.207.208.23]
Sep 9 17:43:53 viper sendmail[18566]: g89LegC18566: ruleset=check_rcpt, arg1=<hirko1@hotmail.com>, relay=[66.207.208.23], reject=550 5.7.1 <hirko1@hotmail.com>... Relaying denied. IP name lookup failed [66.207.208.23]
Sep 9 17:43:53 viper sendmail[18566]: g89LegC18566: from=<calvin@notrix.ch>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[66.207.208.23]
Sep 9 17:43:55 viper sendmail[18585]: g89LhsC18585: ruleset=check_rcpt, arg1=<hoovacsc@cs.com>, relay=[66.207.208.23], reject=550 5.7.1 <hoovacsc@cs.com>... Relaying denied. IP name lookup failed [66.207.208.23]
Sep 9 17:43:55 viper sendmail[18585]: g89LhsC18585: ruleset=check_rcpt, arg1=<hoovahump@aol.com>, relay=[66.207.208.23], reject=550 5.7.1 <hoovahump@aol.com>... Relaying denied. IP name lookup failed [66.207.208.23]
Sep 9 17:43:55 viper sendmail[18585]: g89LhsC18585: ruleset=check_rcpt, arg1=<hoovaln@aol.com>, relay=[66.207.208.23], reject=550 5.7.1 <hoovaln@aol.com>... Relaying denied. IP name lookup failed [66.207.208.23]
Sep 9 17:43:55 viper sendmail[18585]: g89LhsC18585: ruleset=check_rcpt, arg1=<hoovas1234@msn.com>, relay=[66.207.208.23], reject=550 5.7.1 <hoovas1234@msn.com>... Relaying denied. IP name lookup failed [66.207.208.23]
Sep 9 17:43:55 viper sendmail[18585]: g89LhsC18585: ruleset=check_rcpt, arg1=<hoovbs5@aol.com>, relay=[66.207.208.23], reject=550 5.7.1 <hoovbs5@aol.com>... Relaying denied. IP name lookup failed [66.207.208.23]
Sep 9 17:43:56 viper sendmail[18585]: g89LhsC18585: from=<calvin@notrix.ch>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[66.207.208.23]
Sep 9 17:43:57 viper sendmail[18569]: g89LekC18569: ruleset=check_rcpt, arg1=<hisdabomb@hotmail.com>, relay=[66.207.208.23], reject=550 5.7.1 <hisdabomb@hotmail.com>... Relaying denied. IP name lookup failed [66.207.208.23]
Sep 9 17:43:58 viper sendmail[18563]: g89LeeC18563: ruleset=check_rcpt, arg1=<hirammx@hotmail.com>, relay=[66.207.208.23], reject=550 5.7.1 <hirammx@hotmail.com>... Relaying denied. IP name lookup failed [66.207.208.23]
Sep 9 17:43:58 viper sendmail[18563]: g89LeeC18563: ruleset=check_rcpt, arg1=<hiramp71@hotmail.com>, relay=[66.207.208.23], reject=550 5.7.1 <hiramp71@hotmail.com>... Relaying denied. IP name lookup failed [66.207.208.23]
Sep 9 17:43:58 viper sendmail[18563]: g89LeeC18563: from=<calvin@notrix.ch>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[66.207.208.23]
Sep 9 17:44:00 viper sendmail[18894]: g89LhxC18894: ruleset=check_rcpt, arg1=<hopkins@coralwaves.com>, relay=[66.207.208.23], reject=550 5.7.1 <hopkins@coralwaves.com>... Relaying denied. IP name lookup failed [66.207.208.23]
Sep 9 17:44:01 viper sendmail[18894]: g89LhxC18894: ruleset=check_rcpt, arg1=<hopkins@cyber-sante.org>, relay=[66.207.208.23], reject=550 5.7.1 <hopkins@cyber-sante.org>... Relaying denied. IP name lookup failed [66.207.208.23]
I don't even know what is the source IP that keep sending these emails ..????


I was forced to turn off port 25 in my firewall for a while although hits kept coming ...see some of the logs:

Quote:

Tues, 09/10/2002 06:55:05 - TCP connection dropped - Source:216.77.61.70, 48112, WAN - Destination:24.208.235.226, 25, LAN - 'SMTP'
Tues, 09/10/2002 06:58:46 - TCP connection dropped - Source:202.129.67.106, 16401, WAN - Destination:24.208.235.226, 25, LAN - 'SMTP'
Tues, 09/10/2002 06:59:50 - TCP connection dropped - Source:200.207.151.177, 3816, WAN - Destination:24.208.235.226, 25, LAN - 'SMTP'
Tues, 09/10/2002 07:04:06 - TCP connection dropped - Source:200.61.6.50, 42587, WAN - Destination:24.208.235.226, 25, LAN - 'SMTP'
Tues, 09/10/2002 07:07:42 - TCP connection dropped - Source:200.61.6.50, 43239, WAN - Destination:24.208.235.226, 25, LAN - 'SMTP'
Tues, 09/10/2002 07:10:38 - TCP connection dropped - Source:200.168.106.201, 4421, WAN - Destination:24.208.235.226, 25, LAN - 'SMTP'
Tues, 09/10/2002 07:12:06 - TCP connection dropped - Source:217.57.110.137, 21590, WAN - Destination:24.208.235.226, 25, LAN - 'SMTP'
Tues, 09/10/2002 07:19:38 - TCP connection dropped - Source:200.168.106.201, 1425, WAN - Destination:24.208.235.226, 25, LAN - 'SMTP'
Tues, 09/10/2002 07:21:15 - TCP connection dropped - Source:217.167.180.65, 1503, WAN - Destination:24.208.235.226, 25, LAN - 'SMTP'
Tues, 09/10/2002 07:25:35 - TCP connection dropped - Source:209.11.23.226, 1836, WAN - Destination:24.208.235.226, 25, LAN - 'SMTP'
Tues, 09/10/2002 07:29:45 - TCP connection dropped - Source:209.11.23.226, 2658, WAN - Destination:24.208.235.226, 25, LAN - 'SMTP'
Tues, 09/10/2002 07:46:31 - TCP connection dropped - Source:63.207.202.131, 2743, WAN - Destination:24.208.235.226, 25, LAN - 'SMTP'
Tues, 09/10/2002 07:47:23 - TCP connection dropped - Source:148.233.143.2, 4307, WAN - Destination:24.208.235.226, 25, LAN - 'SMTP'
Tues, 09/10/2002 07:48:34 - TCP connection dropped - Source:200.40.206.134, 2973, WAN - Destination:24.208.235.226, 25, LAN - 'SMTP'
Tues, 09/10/2002 07:49:48 - TCP connection dropped - Source:209.11.23.226, 1718, WAN - Destination:24.208.235.226, 25, LAN - 'SMTP'
Tues, 09/10/2002 07:50:55 - TCP connection dropped - Source:217.97.123.85, 2860, WAN - Destination:24.208.235.226, 25, LAN - 'SMTP'
Tues, 09/10/2002 07:54:03 - TCP connection dropped - Source:200.168.106.201, 1163, WAN - Destination:24.208.235.226, 25, LAN - 'SMTP'
Tues, 09/10/2002 07:58:54 - TCP connection dropped - Source:63.207.202.131, 4617, WAN - Destination:24.208.235.226, 25, LAN - 'SMTP'
Tues, 09/10/2002 07:59:48 - TCP connection dropped - Source:202.129.67.106, 20121, WAN - Destination:24.208.235.226, 25, LAN - 'SMTP'


How can that be ??? it seems that source IP is different all over the logs ....
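
Added example (not part of the original posts): in the sendmail log format quoted above, the connecting address is the bracketed value in the relay= field of each check_rcpt rejection. This shell script tallies rejections per relay address and prints the busiest ones in the access-file format from post #2; the sample lines, addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the sendmail syslog format quoted above; the
# addresses are documentation ranges, not values from the thread.
sample_maillog() {
cat <<'EOF'
Sep 9 17:43:52 viper sendmail[18566]: g89LegC18566: ruleset=check_rcpt, arg1=<a@example.com>, relay=[192.0.2.23], reject=550 5.7.1 <a@example.com>... Relaying denied. IP name lookup failed [192.0.2.23]
Sep 9 17:43:52 viper sendmail[18566]: g89LegC18566: ruleset=check_rcpt, arg1=<b@example.com>, relay=[192.0.2.23], reject=550 5.7.1 <b@example.com>... Relaying denied. IP name lookup failed [192.0.2.23]
Sep 9 17:43:53 viper sendmail[18566]: g89LegC18566: from=<x@example.org>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[192.0.2.23]
Sep 9 17:43:55 viper sendmail[18585]: g89LhsC18585: ruleset=check_rcpt, arg1=<c@example.com>, relay=[192.0.2.23], reject=550 5.7.1 <c@example.com>... Relaying denied. IP name lookup failed [192.0.2.23]
Sep 9 17:44:01 viper sendmail[18601]: g89Li1C18601: ruleset=check_rcpt, arg1=<d@example.com>, relay=mx.example.net [198.51.100.7], reject=550 5.7.1 <d@example.com>... Relaying denied
Sep 9 17:44:02 viper sendmail[18601]: g89Li1C18601: ruleset=check_rcpt, arg1=<e@example.com>, relay=mx.example.net [198.51.100.7], reject=550 5.7.1 <e@example.com>... Relaying denied
Sep 9 17:44:09 viper sendmail[18622]: g89Li9C18622: ruleset=check_rcpt, arg1=<f@example.com>, relay=[203.0.113.9], reject=550 5.7.1 <f@example.com>... Relaying denied. IP name lookup failed [203.0.113.9]
EOF
}

# Read a mail log on stdin and print "count ip" for every relay whose
# recipients were refused by check_rcpt, busiest first.
count_relay_rejects() {
    awk '/ruleset=check_rcpt/ && /reject=550/ {
        # Isolate the relay= field, which ends at the next comma.
        if (match($0, /relay=[^,]*/)) {
            field = substr($0, RSTART, RLENGTH)
            # The address is bracketed, with or without a host name before it.
            if (match(field, /\[[0-9.]+\]/))
                hits[substr(field, RSTART + 1, RLENGTH - 2)]++
        }
    }
    END { for (ip in hits) print hits[ip], ip }' | sort -k1,1nr -k2,2
}

# Print access-file lines ("ip<TAB>REJECT") for relays with at least
# $1 rejected recipients in the log read on stdin.
access_entries() {
    threshold=$1
    count_relay_rejects |
        awk -v min="$threshold" '$1 >= min { printf "%s\tREJECT\n", $2 }'
}

# Demonstration on the constructed sample.
sample_maillog | count_relay_rejects
sample_maillog | access_entries 2
```

On a real host the functions read the mail log on standard input instead of the sample; review the generated lines before appending them to the access file and rebuilding the map as in post #2.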
 
Old 09-10-2002, 08:12 PM   #6
pangfai
LQ Newbie
 
Registered: Jun 2002
Posts: 16

Rep: Reputation: 0
If your e-mail server has become known as one that could be used for spam mail, it is not unusual to have more than 1 spammer!

Just take it easy and let your firewall / sendmail reject those mails, the spammer(s) will know it and a few days later, they will forget your server and look for others.
 
Old 10-21-2002, 09:44 AM   #7
kaidoggy
LQ Newbie
 
Registered: Jan 2002
Distribution: Red Hat Linux 7.1
Posts: 18

Rep: Reputation: 0
What if you don't have a couple of days? I have the same problem but I need to be able to have web forms send mail so I can't really turn off connections to mail ports for an extended period of time. Any suggestions? The logs show nothing useful but I know the box is being used to send spam elsewhere.

Thanks.
 
  

