Someone forged an email address from my domain (e.g. admin@mydomain.com) and sent a mail to one of my users (e.g. user@mydomain.com). The email attachment contains a virus!!!
I reviewed the email logs and found the following:
Nov 19 15:28:44 mail sendmail[28805]: xxxxx: from=<admin@mydomain.com>, size=xxxx, class=0, nrcpts=1, msgid=<xxxx.xxxx@mydomain.com>, protocol=SMTP, daemon=MTA, relay=<a host name> [an IP address]
Not sure if I should disclose the relay info here...
A few questions which I hope you can help me out with:
- how to prevent this in the future?
- how can this be done? apparently, it's simple?!!?
- Should I do something to follow up on this incident?
Thank you for all your help!!! Much Much Much appreciated!!!
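The sendmail log line quoted above is the one piece of evidence the receiving server can vouch for: the from= field is whatever the sender typed, but relay= is the IP the connection actually came from. The following Python triage script is an added example, not the poster's setup or sendmail's own code. It parses lines in that format, flags messages whose envelope sender claims the local domain while the relay IP sits outside the local network, and formats the facts an ISP abuse desk would ask for. The domain, the trusted networks and every sample log line are constructed assumptions.

```python
"""Triage of sendmail 'from=' log lines: pick out messages whose envelope
sender claims our own domain but which arrived from a relay outside our
network, and format the facts an abuse desk needs.  Added example; the
log lines, domain and trusted networks are constructed/assumed."""
import ipaddress
import re

LOCAL_DOMAIN = "mydomain.com"  # assumed from the thread
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]

# sendmail's per-message 'from=' line.  relay= carries the peer the MTA
# actually talked to; sendmail appends "(may be forged)" when the PTR name
# does not resolve back to that IP.  msgid= is optional because not every
# from= line carries one.
SENDMAIL_FROM = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r"from=<(?P<sender>[^>]*)>(?:.*?msgid=<(?P<msgid>[^>]*)>)?.*?"
    r"relay=(?:(?P<host>\S+) )?\[(?P<ip>[^\]]+)\](?P<forged> \(may be forged\))?"
)

# Constructed sample log; public addresses are from the documentation ranges.
SAMPLE_LOG = """\
Nov 19 15:28:44 mail sendmail[28805]: hAJFSiXX028805: from=<admin@mydomain.com>, size=48213, class=0, nrcpts=1, msgid=<200311191528.hAJFSiXX028805@mydomain.com>, protocol=SMTP, daemon=MTA, relay=dsl-23.isp.example [198.51.100.23]
Nov 19 15:30:02 mail sendmail[28811]: hAJFU2XX028811: from=<alice@mydomain.com>, size=1201, class=0, nrcpts=1, msgid=<20031119153002.A1@ws12.mydomain.com>, protocol=SMTP, daemon=MTA, relay=ws12.mydomain.com [10.0.0.12]
Nov 19 15:31:17 mail sendmail[28820]: hAJFVHXX028820: from=<news@other.example>, size=9000, class=0, nrcpts=1, msgid=<1069255877.42@mx.other.example>, protocol=ESMTP, daemon=MTA, relay=[203.0.113.9]
Nov 19 15:32:40 mail sendmail[28831]: hAJFWeXX028831: from=<bob@mydomain.com>, size=700, class=0, nrcpts=1, msgid=<200311191532.hAJFWeXX028831@mydomain.com>, protocol=SMTP, daemon=MTA, relay=localhost [127.0.0.1]
Nov 19 15:35:01 mail sendmail[28840]: hAJFZ1XX028840: from=<admin@mydomain.com>, size=48213, class=0, nrcpts=1, msgid=<200311191535.hAJFZ1XX028840@mydomain.com>, protocol=SMTP, daemon=MTA, relay=spoof-77.example [192.0.2.77] (may be forged)
"""


def parse_from_lines(log_text):
    """Yield one dict per 'from=' line (the line that names the relay)."""
    for line in log_text.splitlines():
        m = SENDMAIL_FROM.search(line)
        if m:
            yield m.groupdict()


def is_trusted(ip):
    """True if the relay address belongs to one of our own networks."""
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)


def suspicious_local_senders(log_text):
    """Envelope sender claims LOCAL_DOMAIN, but the relay is outside our
    networks: the only kind of line a receiver can call a forgery on its own."""
    hits = []
    for rec in parse_from_lines(log_text):
        sender_domain = rec["sender"].rpartition("@")[2].lower()
        if sender_domain == LOCAL_DOMAIN and not is_trusted(rec["ip"]):
            hits.append(rec)
    return hits


def abuse_report(rec, tz="UTC"):
    """The facts an abuse desk needs.  Syslog timestamps carry no year or
    zone, so state the server's zone explicitly (assumed UTC here)."""
    return (
        f"Forged envelope sender {rec['sender']} received {rec['ts']} {tz}\n"
        f"from relay {rec['host'] or '(no reverse DNS)'} [{rec['ip']}]"
        f"{rec['forged'] or ''}\n"
        f"sendmail queue id {rec['qid']}, message-id <{rec['msgid']}>\n"
    )


if __name__ == "__main__":
    for hit in suspicious_local_senders(SAMPLE_LOG):
        print(abuse_report(hit))
```

Run against the real maillog, the hits are the lines to send to the relay's owner together with the full headers of the delivered message; the trusted-network list has to match whatever the server's own relay policy treats as internal, or legitimate roaming users show up as hits.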
I don't know anything about mail server admin, so I can't really help with your questions, but I have a suggestion.
Our administrators here at work have the same problem and have recently informed us that all mails from them (i.e. the genuine ones) will be electronically signed. This kind of implies they don't know how to stop it either, but at least we can tell the forgeries apart from real mails.
yeah dude
firstly, on your SMTP server, only allow reversible DNS names..
secondly, you've given everyone access to send mail on your server, as in.. it's probably an 'open relay'
open relays are also used for spam
you should perhaps be thankful that this dude alerted you to the problem!
- also... when a user sends an email, they can specify any email address they like as the 'From' email address; this is because the user may wish to receive the reply at another email, and also when email was created.. there was no decent way to check the from email address...
1) how do I only allow reversible DNS names on Sendmail? In my case, the hostname actually matches the IP. Therefore, only allowing reversible DNS names will not stop the problem.
2) I do not believe I have an open relay. How can I double check?
3) yes, I have read a lot on the net and there is really no way to stop him from forging the "From" field. I have written to the owner of the host (presumably the ISP) but have not had a reply for a week! Anywhere else I can report this issue?
1) FEATURE(`accept_unresolvable_domains')dnl
That line is in your sendmail.mc
you need to m4 that file.. basically the .mc is a simple version of the .cf file... the actual config of sendmail is over 700 lines!
2) Well... search for "stopping spam on your sendmail"... I actually have no idea, all I know is that to receive mail you need to open up your server to the entire world.. that same server sends mail too.. perhaps you could run 2 sendmail servers, one for getting, and one for sending? or perhaps there's a setting somewhere... I'm a newb
3) did you check the email header? I'm guessing you did... if you have the person's ISP & IP & time of send... then legally they have an obligation to follow it up. Talk to the police; they should be able to tell you more.. because the laws are different in certain countries..
2) I don't think I have 'open relay' on my sendmail. The relay feature means someone can use your SMTP server to send mail to others (i.e. relay = a mail comes in that is not destined for my domain and my mail server relays it on to the destination server). On my sendmail, I only allow people from my internal network to do so; therefore, it shouldn't be "OPEN" to everyone.
I use SquirrelMail... that works even when I'm on a public network, and my sendmail does not allow relay from public networks. Does anyone know why?
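The two points argued across this thread, that anyone can put any address in MAIL FROM and in the From: header, and that "not an open relay" is a separate check that only looks at the recipient and the client address, are easiest to see in one SMTP exchange with both sides' messages. The script below is an added example, not the poster's sendmail and not SquirrelMail: a toy receiver on 127.0.0.1 that implements a sendmail-style relay policy, plus an smtplib client that connects from outside the trusted network. It shows the forged local sender being accepted for a local mailbox (the incident above) and the same client being refused when it tries to relay to an outside domain. The domain, the trusted network, the hostnames and the message are assumptions.

```python
"""Toy SMTP receiver plus client: the envelope sender and the header From
are whatever the client sends, while a relay policy is a separate check
that never looks at the sender.  Added example; not the poster's sendmail.
Domain and trusted network are assumptions taken from the thread."""
import email
import email.policy
import ipaddress
import smtplib
import socketserver
import threading
from email.message import EmailMessage

LOCAL_DOMAIN = "mydomain.com"                        # assumed from the thread
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed "internal network"


def may_relay(client_ip, rcpt):
    """Policy of a non-open relay: local recipients are always accepted,
    anything else only from TRUSTED_NETS.  Nothing here can stop a forged
    sender aimed at a local mailbox."""
    if rcpt.lower().endswith("@" + LOCAL_DOMAIN):
        return True
    return any(ipaddress.ip_address(client_ip) in net for net in TRUSTED_NETS)


class ToyReceiver(socketserver.StreamRequestHandler):
    """Minimal receiver recording what it can verify (the client IP, which
    sendmail logs as relay=) next to what the client merely claimed."""

    def reply(self, text):
        self.wfile.write(text.encode("ascii") + b"\r\n")

    def handle(self):
        client_ip = self.client_address[0]
        mail_from, rcpts = None, []
        self.reply("220 mail.mydomain.com ESMTP toy receiver")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb, _, arg = raw.decode("ascii", "replace").rstrip("\r\n").partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 mail.mydomain.com")
            elif verb == "MAIL":
                mail_from = arg.partition(":")[2].strip("<> ")  # any string accepted
                self.reply("250 2.1.0 Sender ok")
            elif verb == "RCPT":
                rcpt = arg.partition(":")[2].strip("<> ")
                if may_relay(client_ip, rcpt):
                    rcpts.append(rcpt)
                    self.reply("250 2.1.5 Recipient ok")
                else:
                    self.reply("550 5.7.1 Relaying denied")
            elif verb == "DATA":
                self.reply('354 Enter mail, end with "." on a line by itself')
                body = b""
                while (chunk := self.rfile.readline()) not in (b".\r\n", b""):
                    body += chunk
                self.server.received.append((client_ip, mail_from, list(rcpts), body))
                self.reply("250 2.0.0 Message accepted for delivery")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("250 OK")


def run_exchange(envelope_from, header_from, rcpt):
    """Start a receiver on 127.0.0.1 (outside TRUSTED_NETS, so the client
    plays the outside relay), send one message, return (outcome, records)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), ToyReceiver)
    srv.received = []
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        msg = EmailMessage()
        msg["From"], msg["To"], msg["Subject"] = header_from, rcpt, "constructed sample"
        msg.set_content("Please open the attachment.")  # no real attachment here
        with smtplib.SMTP("127.0.0.1", srv.server_address[1],
                          local_hostname="dsl-23.isp.example", timeout=5) as client:
            try:
                client.sendmail(envelope_from, [rcpt], msg.as_bytes(policy=email.policy.SMTP))
                outcome = "accepted"
            except smtplib.SMTPRecipientsRefused as err:
                outcome = "refused: " + err.recipients[rcpt][1].decode("ascii", "replace")
    finally:
        srv.shutdown()
        srv.server_close()
    return outcome, srv.received


def demo():
    """Same untrusted client, two attempts: forged local sender to a local
    user (the incident above), then a relay attempt to an outside domain."""
    local, got = run_exchange("admin@mydomain.com", "admin@mydomain.com", "user@mydomain.com")
    relay, _ = run_exchange("admin@mydomain.com", "admin@mydomain.com", "victim@other.example")
    client_ip, env_from, _rcpts, body = got[0]
    return {
        "forged_to_local_user": local,   # accepted: policy never checks the sender
        "relay_to_outside": relay,       # refused: this server is not an open relay
        "relay_ip": client_ip,           # the one fact worth reporting upstream
        "envelope_from": env_from,
        "header_from": email.message_from_bytes(body)["From"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```

The same test can be run by hand against a real server with telnet on port 25: if RCPT TO for an outside domain from an outside address gets a 250 rather than a 550, the server is an open relay; if it gets the 550 while RCPT TO for a local user still gets 250, the server is closed to relaying but, exactly as in the incident, will still accept a forged local sender.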