LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-23-2004, 10:56 PM   #1
slack66
Member
 
Registered: Jul 2003
Location: manila
Distribution: slackware 8 to 9
Posts: 199

Rep: Reputation: 30
hate spam mail


Hi everyone!

I just set up a new mail server using sendmail running on Slackware 9.1
and built sendmail.cf from /usr/share/sendmail/cf/cf/sendmail.mc. There is a line that says:

dnl # These settings help protect against people verifying email addresses at your site in order to send you email that you probably don't want:

define(`confPRIVACY_FLAGS' , `authwarning,novrfy,noexpn,restrictqrun')dnl

My problem is, when I view my maillog there is someone randomly guessing my email accounts continuously. How do I stop this spammer??? He/she gives me a bogus IP address randomly.... Please help me, thanks!
 
Old 05-24-2004, 03:17 PM   #2
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,696

Rep: Reputation: 232
It's nearly impossible if that person changes the IP address. All you can do is make sure your server doesn't accept the mail.
There's also another solution, if you get a huge number of connections per second: you can configure your firewall to accept at most a certain number of SYNs per second/minute. The thing is that in such a case legitimate users may also be blocked. If it's possible, you can also allow mail server access only from a certain set of IPs.
 
Old 05-25-2004, 01:37 AM   #3
J_Szucs
Senior Member
 
Registered: Nov 2001
Location: Budapest, Hungary
Distribution: SuSE 6.4-11.3, Dsl linux, FreeBSD 4.3-6.2, Mandrake 8.2, Redhat, UHU, Debian Etch
Posts: 1,126

Rep: Reputation: 58
Checking the received headers of the spammer's and your legitimate mails and using a mail filter like procmail might help.

However, I did not understand your problem quite well. Could you post some more details? (E.g. sample "Received" header fields of both spams and legitimate mails)
 
Old 05-25-2004, 02:14 PM   #4
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45
You say they gave you a bogus IP? Do you know that because they are using reserved IPs? Like 192.168.*.* and 10.*.*.*. If this is the case then why don't you create some sort of firewall rule to deny the spoofed IPs.

Here is more info about spoofed IPs or bogons:
http://www.linuxquestions.org/questi...hreadid=152230
 
Old 05-28-2004, 06:05 AM   #5
slack66
Member
 
Registered: Jul 2003
Location: manila
Distribution: slackware 8 to 9
Posts: 199

Original Poster
Rep: Reputation: 30

Sorry guys for the late response....

This is my maillog....

May 28 01:39:42 mail sm-mta[1689]: i4RHdYnT001689: <ray@mydomain.com>... User unknown
May 28 01:39:43 mail sm-mta[1689]: i4RHdYnT001689: <robertson@mydomain.com>... User unknown
May 28 01:39:43 mail sm-mta[1689]: i4RHdYnT001689: <rios@mydomain.com>... User unknown
May 28 01:39:44 mail sm-mta[1689]: i4RHdYnT001689: <reyes@mydomain.com>... User unknown
May 28 01:39:45 mail sm-mta[1689]: i4RHdYnT001689: <reynolds@mydomain.com>... User unknown
May 28 01:39:46 mail sm-mta[1689]: i4RHdYnT001689: <porter@mydomain.com>... User unknown
May 28 01:39:46 mail sm-mta[1689]: i4RHdYnT001689: <pierce@mydomain.com>... User unknown
May 28 01:39:47 mail sm-mta[1689]: i4RHdYnT001689: from=<lytur@mixmail.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[61.109.48.41]
May 28 01:39:49 mail sm-mta[1689]: i4RHdYnU001689: <payne@mydomain.com>... User unknown
May 28 01:39:50 mail sm-mta[1689]: i4RHdYnU001689: <pena@mydomain.com>... User unknown
May 28 01:39:50 mail sm-mta[1689]: i4RHdYnU001689: <pearson@mydomain.com>... User unknown
May 28 01:39:51 mail sm-mta[1689]: i4RHdYnU001689: <perkins@mydomain.com>... User unknown
May 28 01:39:52 mail sm-mta[1689]: i4RHdYnU001689: <potter@mydomain.com>... User unknown
May 28 01:39:53 mail sm-mta[1689]: i4RHdYnU001689: <parks@mydomain.com>... User unknown
May 28 01:39:53 mail sm-mta[1689]: i4RHdYnU001689: <patton@mydomain.com>... User unknown
May 28 01:39:54 mail sm-mta[1689]: i4RHdYnU001689: <ramsey@mydomain.com>... User unknown
May 28 01:39:55 mail sm-mta[1689]: i4RHdYnU001689: <ramos@mydomain.com>... User unknown
May 28 01:39:56 mail sm-mta[1689]: i4RHdYnU001689: from=<zjygb@angelfire.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[61.109.48.41]

I hope this can help.
It continues guessing my accounts.
The IP address is 61.109.48.41.... Tomorrow it will try again to guess my account user names with a different IP address.

Last edited by slack66; 05-28-2004 at 06:12 AM.
 
Old 05-28-2004, 08:29 AM   #6
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45
Here is what I suspect the deal is. This is a virus, and somebody has a high speed connection, and every time they get online with a new DHCP-provided address they start flooding you out. It's happened to me before. (Keep in mind I could be incorrect in my assumption.) Based on the IP that you gave me, I think it is originating from somewhere in Asia. Does the IP always have 61 as the 1st octet? Here is the IP block information from Sam Spade:
Quote:
05/28/04 08:12:03 IP block 61.109.48.41
Trying 61.109.48.41 at ARIN
Trying 61.109.48 at ARIN

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 61.0.0.0 - 61.255.255.255
CIDR: 61.0.0.0/8
NetName: APNIC3
NetHandle: NET-61-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS.RIPE.NET
NameServer: TINNIE.ARIN.NET
If it were me and I had no business with anybody in the Asia Pacific region I would just create either a firewall rule to block all incoming traffic to port 25 from 61.*.*.* or I would add 61.*.*.* to the access control list in Sendmail.

edit: You should also look into something like DNSBL (DNS Black List). They give blacklists of known spammers and open relays. It helps in some instances. It is not foolproof, however. I have had a little bit of legitimate mail blocked by them. But in my opinion the mail it blocks outweighs the 2-3 occasions where it backfired.

Last edited by benjithegreat98; 05-28-2004 at 08:33 AM.
 
Old 05-30-2004, 08:51 AM   #7
slack66
Member
 
Registered: Jul 2003
Location: manila
Distribution: slackware 8 to 9
Posts: 199

Original Poster
Rep: Reputation: 30
I am late again in replying.... Anyway, from the bottom of my heart,
thanks a lot guys!!! Now I have a hint what to do.
Thank you again.
 
Old 05-30-2004, 09:55 AM   #8
J_Szucs
Senior Member
 
Registered: Nov 2001
Location: Budapest, Hungary
Distribution: SuSE 6.4-11.3, Dsl linux, FreeBSD 4.3-6.2, Mandrake 8.2, Redhat, UHU, Debian Etch
Posts: 1,126

Rep: Reputation: 58
I think that the DNSBL tip is the right one, because blocking the whole 61.0.0.0/8 network range might do more harm if you lose just one legitimate mail coming from that range.

As an alternative, if you have a little bash script knowledge (or you are willing to learn it), you could write your own script to periodically check your maillog, grep out (or resolve) the sender IP of those mails and add a corresponding deny rule to your firewall on the fly. This could help if those mails are sent from a limited number of sender hosts (i.e. not each mail from a different host).

There is, however, one important thing to double-check: whether your mail server acts as a viral mail relay or not.

Please check what happens when your mail server receives a mail to a non-existing user (like those in your maillog).
The default of many MTAs (like Sendmail, Postfix, etc.) is that they RETURN THE WHOLE MAIL to the sender.

That is a totally WRONG behaviour!!!

The sender address is always spoofed in those mails, so your mail server will return the whole viral mails to the wrong addresses. This means that your mail server will act as a viral mail relay and inadvertently helps the virus in spreading, while the real sender of the virus may hide behind your mail server.
Many who have a mail server are not yet aware of this fact, and that may be the reason why they persistently get so many viral mails to non-existing users. (The virus sender always reaches its goal: it may accidentally send one of its viral mails to an existing user, but, when not, then your server will send the viral mail to the spoofed sender, where it has another, greater chance, as there you will seem to be the sender.)

If you have not done so, then please configure your mail server so that it will never return the whole mail but only the mail header to the sender when it receives an illegal mail.

Last edited by J_Szucs; 05-30-2004 at 10:00 AM.
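The log-scanning script suggested above, written out as an added example (not code from the thread or from sendmail). It ties each "User unknown" rejection to the sending IP through the sendmail queue ID, since sendmail logs the rejected recipients first and the from= envelope line with the relay address last, and it only emits the firewall commands as strings for an operator to review. The sample log is constructed in the format of the lines posted in this thread; the legitimate-sender line and the 192.0.2.10 address are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the sendmail maillog lines quoted above.
# The last two lines (a legitimate sender, IP from the 192.0.2.0/24 documentation range) are added.
SAMPLE_LOG = """\
May 28 01:39:42 mail sm-mta[1689]: i4RHdYnT001689: <ray@mydomain.com>... User unknown
May 28 01:39:43 mail sm-mta[1689]: i4RHdYnT001689: <rios@mydomain.com>... User unknown
May 28 01:39:47 mail sm-mta[1689]: i4RHdYnT001689: from=<lytur@mixmail.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[61.109.48.41]
May 28 01:39:49 mail sm-mta[1689]: i4RHdYnU001689: <payne@mydomain.com>... User unknown
May 28 01:39:56 mail sm-mta[1689]: i4RHdYnU001689: from=<zjygb@angelfire.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[61.109.48.41]
May 28 02:10:01 mail sm-mta[1702]: i4RIA1aa001702: <bob@mydomain.com>... User unknown
May 28 02:10:02 mail sm-mta[1702]: i4RIA1aa001702: from=<alice@example.org>, size=1024, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx.example.org [192.0.2.10]
"""

# Queue ID follows the "sm-mta[pid]: " prefix and links the recipient lines to the from= line.
QID = r"sm-mta\[\d+\]: (\w+): "
UNKNOWN_RE = re.compile(QID + r"<[^>]+>\.\.\. User unknown$")
# relay= is either "[ip]" or "hostname [ip]"; nrcpts= is the number of recipients
# sendmail accepted, so nrcpts=0 with size=0 means the whole session was refused in the
# SMTP dialogue and nothing was queued that could be bounced back to the forged sender.
FROM_RE = re.compile(QID + r"from=<[^>]*>, size=\d+, class=-?\d+, nrcpts=(\d+), "
                     r".*relay=(?:\S+ )?\[([\d.]+)\]")


def rejected_per_ip(log_text):
    """Return {sender_ip: number of 'User unknown' rejections} for the given maillog text."""
    pending = defaultdict(int)   # rejections seen so far, keyed by queue ID
    per_ip = defaultdict(int)
    for line in log_text.splitlines():
        m = UNKNOWN_RE.search(line)
        if m:
            pending[m.group(1)] += 1
            continue
        m = FROM_RE.search(line)
        if m:
            qid, ip = m.group(1), m.group(3)
            per_ip[ip] += pending.pop(qid, 0)   # attribute buffered rejections to this IP
    return dict(per_ip)


def block_rules(per_ip, threshold):
    """Return iptables commands (strings only, not executed) for IPs at or above the threshold."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP"
            for ip, n in sorted(per_ip.items()) if n >= threshold]


if __name__ == "__main__":
    for cmd in block_rules(rejected_per_ip(SAMPLE_LOG), threshold=3):
        print(cmd)
```

Run it from cron against the real maillog and pipe the output through review (or a whitelist of your own relays) before applying it, since a single legitimate sender that mistypes a few addresses would otherwise be cut off too.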