LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 02-24-2007, 01:30 AM   #1
gregorian
Member
 
Registered: Apr 2006
Posts: 509

Rep: Reputation: 34
Mail Bomb!!!! Urgent


Ok, I found this script online:

Quote:
#!/usr/bin/perl
use strict;
use warnings;

my $to      = 'xyz@gmail.com';
my $from    = 'xyz@gmail.com';
my $subject = 'Using Sendmail';

# Pipe the message to the local sendmail binary; -t makes it take the
# recipients from the To: header. If the MTA daemon is not running, the
# submission program only queues the message (in clientmqueue) for later.
open(my $mail, '|-', '/usr/sbin/sendmail', '-t')
    or die "Cannot run sendmail: $!";
print $mail "To: $to\n";
print $mail "From: $from\n";
print $mail "Subject: $subject\n\n";
print $mail "Hello Friend\n";
print $mail "It has been brought to our attention that you are interested in using the sendmail program.\n";
print $mail "If you use the template script given here you should be sending email from your website today.\n";
print $mail "Thank you.\n";
print $mail "Create a Site\n";
close($mail) or die "sendmail exited with status $?";
I ran it but it didn't work. I logged on as root and typed:

service start sendmail

and ran it again.

Ok, I log onto my account and check my box to find 1000+ emails in my spam folder. I deleted all of them to find 50 more. I'm being bombed as I type this! I type:

service stop sendmail


I'm still being bombed!

I restart my computer. I'm still being bombed!

How do I stop this!!!!?

Last edited by gregorian; 02-25-2007 at 08:33 AM.
 
Old 02-24-2007, 05:13 AM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
What prompted you to run a spam script, giving bad guys the IP address of your server?

If all of these posts are coming from tw-in-f99.Google.com, maybe you can contact google to get them to drop the gmail user.

You could block that IP address at the firewall, but they might just change locations or use a large number of bots in a denial of service attack.

Last edited by jschiwal; 02-24-2007 at 05:15 AM.
 
Old 02-24-2007, 07:04 AM   #3
gregorian
Member
 
Registered: Apr 2006
Posts: 509

Original Poster
Rep: Reputation: 34
Noooo! I didn't expect that to be a spam script. I still don't think that it is. Just look at the program. I ran it. I sent the mails to my inbox. The program looks simple enough. I don't see any reason why it will send too many mails to my inbox.

Now I'm scared to run sendmail. Maybe it'll start bombing me again? I've stopped sendmail and the bombing has stopped NOW. It did not stop earlier when I had stopped sendmail then, and it continued to bomb me even after I restarted my system. Is something wrong with that perl script?

The outputs in my previous posts are the snapshots of what happened WHILE the bombing was going on. I still don't know how it could continue bombing me even after stopping sendmail AND restarting my system.

P.S. Thank you for your response, but I'd appreciate it if you read the later part of the previous post too.

Last edited by gregorian; 02-24-2007 at 07:06 AM.
 
Old 02-24-2007, 01:14 PM   #4
v00d00101
Member
 
Registered: Jun 2003
Location: UK
Distribution: Devuan Beowulf
Posts: 514
Blog Entries: 1

Rep: Reputation: 37
Close off your email server.
Block the email port(s) at your router, or in your firewall.
Leave for a couple of days.

Then reactivate.

Hopefully when mail starts hitting the wall for a while, they'll give up.

You might want to send an email to your friends telling them your server is going to be offline for a couple of days, and not to send anything.

Also I'd look into spamassassin for filtering.

The email you keep receiving, is it a generic theme, like the usual drugs or porn stuff everyone gets, or something else?

If all else fails, then maybe change your email account name to something else then send an email to all your friends telling them of the change.

Get a yahoo/hotmail/gmail mailbox, and use that for signing up to forums, and giving out to general people. Only give your personal email to those you trust. I follow this method and receive 0 spam emails to my personal account every month. All the spam goes to my webmail accounts, where it can be dealt with by their system, and not mine.
 
Old 02-24-2007, 09:00 PM   #5
gregorian
Member
 
Registered: Apr 2006
Posts: 509

Original Poster
Rep: Reputation: 34
Man!!!!! Read my post completely lol.

I RAN THE PROGRAM. I SENT THE MAILS. I ACCIDENTALLY BOMBED MYSELF.

I want to know why a script that was supposed to send me a single mail ended up bombing me.

Last edited by gregorian; 02-25-2007 at 08:26 AM.
 
Old 02-24-2007, 10:40 PM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
found the script on the web: http://www.createafreewebsite.net/cg.../sendmail.html

i don't read perl, but it does indeed seem like it's intended to be a simple sendmail test to be run on your webhost - but of course appearances can be deceiving - and you should never run any script you don't fully understand from an untrusted source...

that said, it would be great if someone who knows perl could read the script and give it a clean bill of health... i mean, perhaps there's a typo which causes it to go into an infinite loop or something... if the script checks out then that would mean the cause for the mailbombing lies somewhere else...

Last edited by win32sux; 02-24-2007 at 10:52 PM.
 
Old 02-24-2007, 11:45 PM   #7
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
I didn't know that you were the recipient in the script. I thought that you ran the script and it sent an email to a spammer, who then launched a denial of service attack on your server.
 
Old 02-25-2007, 07:12 AM   #8
gregorian
Member
 
Registered: Apr 2006
Posts: 509

Original Poster
Rep: Reputation: 34
Well, at least there isn't any confusion now.

I really don't think that there is an infinite loop. The program takes one second to complete execution. I ran the program several times before I realised that sendmail had not been started. Is it possible that as soon as I started sendmail, the emails were listed somewhere as pending tasks and all of them began to be executed at once? I know I don't make sense, but does Linux have some sort of facility where all your pending jobs are stored somewhere automatically?

Thanks for your replies.


EDIT:


I'm 100% certain that the tasks are pending somewhere. I ran sendmail as root, and the bombing started again WITHOUT RUNNING THE PERL SCRIPT. I need to know where these pending tasks are stored and how to remove them.

Last edited by gregorian; 02-25-2007 at 08:27 AM.
 
Old 02-25-2007, 07:35 AM   #9
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Is the "xyz@gmail.com" your own account? Where did you find that script? There still is something fishy going on.
It looks like a dummy email address, that was just used as an example.

Or did you substitute your own local email address in the TO: field?
Maybe your setup is faulty and you are sending a negative receipt to yourself, which fails and causes another negative receipt, and on and on. I'm just guessing what might cause a "feedback" loop. Someone more familiar with email servers might have a better idea. Have you examined any of these messages in your spam box?
 
Old 02-25-2007, 08:25 AM   #10
gregorian
Member
 
Registered: Apr 2006
Posts: 509

Original Poster
Rep: Reputation: 34
win32sux already pointed out the source of the code a couple of posts above.

I replaced my username with xyz in "xyz@gmail.com" and tried to send myself an email to see if it really worked.

Regarding examining messages-- Yes, I did. I opened my spam folder to find a huge list of conversations containing 61 messages each from the same ID. If you're familiar with Gmail, you'll know what a conversation is. I'm guessing that 61 messages is the maximum size limit for a conversation.

Anyway, I get bombed whether the program is running or not. All I have to do is run sendmail from root and that's it. My spam folder will be continuously filled.

The setup is not faulty as I can send mails manually. (You know telnetting to port 25, typing the helo command etc.)

I'm certain that the emails are tasked somewhere. I just don't know where.

Last edited by gregorian; 02-25-2007 at 08:29 AM.
 
Old 02-25-2007, 10:02 AM   #11
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Is the email from someone else's ID? If so, I don't think that it has anything to do with the script that you ran. The server wasn't started before you started the script. So it may be that someone is spamming you. You found out when you started the mail server.

Since the problem is being caused by a single user using gmail, you should be able to issue a complaint with google to stop it at its source.
 
Old 02-25-2007, 10:24 AM   #12
gregorian
Member
 
Registered: Apr 2006
Posts: 509

Original Poster
Rep: Reputation: 34
I ran the script. I sent the mail from me to myself.

$to=my_id@gmail.com
$from=my_id@gmail.com

I received tons of emails from my ID. But since the mail was not routed through Gmail (i.e. Google did not attach its IP address to the mail as the email was from my computer), their server registered it as spam.

The thing is, the bombing starts from my computer. I've read the headers just to make sure it's from my IP. I'm a linux newbie, so I don't know where the pending tasks, if any, are stored. Do you have any idea of how and where tasks are stored in Linux?

It's like this:

If I send an email when sendmail is off, nothing happens. However, if I switch on sendmail, the email which was to be sent originally gets sent. I think that there is some list of pending mails stored somewhere. I just don't know where it is. Please correct me if I'm mistaken.


EDIT:

I saw one more thing. I logged on as root and saw the contents of /var/spool/mqueue. There were hundreds of emails waiting to be sent! I deleted all of them. As soon as I deleted, a fresh stack of new mails came out. I have no idea from where they came. Somebody tell me what exactly is going on.


No matter how many times I delete the mails, they keep coming back!!! I'm in serious trouble here. Every time I start sendmail, I start bombing. This is urgent!!!!


I saved a copy of one of the mails in /usr/var/mqueue so that you could see it:
Code:
V6
T1171248052
K0
N0
P30316
Fbs
$_localhost.localdomain [127.0.0.1]
$rESMTP
$slocalhost.localdomain
${daemon_flags}
${if_addr}127.0.0.1
S<foobar2@localhost.localdomain>
A<>
rRFC822; foobar1@gmail.com
RPFD:<foobar1@gmail.com>
H?P?Return-Path: <g>
H??Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by localhost.localdomain (8.12.8/8.12.8) with ESMTP id l1C2dZ2O018366
	for <foobar1@gmail.com>; Mon, 12 Feb 2007 08:10:52 +0530
H?x?Full-Name: foobar2
H??Received: (from foobar2@localhost)
	by localhost.localdomain (8.12.8/8.12.8/Submit) id l1C2Y9H6008710;
	Mon, 12 Feb 2007 08:04:09 +0530
H??Date: Mon, 12 Feb 2007 08:04:09 +0530
H??Message-Id: <200702120234.l1C2Y9H6008710@localhost.localdomain>
H??To: foobar1@gmail.com
H??From: example@com.com
H??Subject: Using Sendmail
.


Look at that date-- 12th February. Yes, I might have run the program at that time. I've been trying to run it ever since. That explains why I got so many mails. Now my question is--- if deleting the mails in mqueue does not do the job, what will?

Last edited by gregorian; 02-25-2007 at 11:04 AM.
 
Old 02-25-2007, 11:35 AM   #13
gregorian
Member
 
Registered: Apr 2006
Posts: 509

Original Poster
Rep: Reputation: 34
PROBLEM SOLVED:


Delete all the mails in /var/spool/clientmqueue and /var/spool/mqueue


I had, hold your breath, 4781 pending emails in there!

My explanation:

Anytime you try and send a mail using sendmail, and it is not running, two files are generated in the clientmqueue folder-- one containing the message instruction and the other containing the body. As soon as you start sendmail, the message is sent and the files are removed from the clientmqueue folder. If you want to remove them without sending the mail, delete the files. I've tested what I just explained.

I request you guys to add tags to this thread. I do not want anyone to go through the trouble I've taken. Thank you for all your help.

I finally feel like a non-noob.
 
Old 02-25-2007, 03:33 PM   #14
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
glad you were able to stop the mailbombing... i'm still curious as to why so many emails got generated in the first place... anyone have an explanation??
 
Old 02-25-2007, 07:55 PM   #15
gregorian
Member
 
Registered: Apr 2006
Posts: 509

Original Poster
Rep: Reputation: 34
I have no idea, but you'll find it interesting to note that the rm -f * command did not work. It said that the argument list was too large (4781 files). I had to log in as root, go to the folder and delete all the files. It took about a minute to delete the files!

If you want to delete such a large number of files, how do you proceed? Should you write a shell program?

One more question-- You've already seen how powerful the script is. A simple addition of a loop will convert it into a mail bomber. Now if someone places this loop in my system startup folder, will it execute on startup without giving any prompt? What are the system startup folders? I know one:
~/.kde/autostart

Are there any others?

Last edited by gregorian; 02-25-2007 at 08:05 PM.
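Added example, not code from the thread or from sendmail itself: a set of POSIX sh helpers that count, summarise and purge a sendmail queue directory such as the /var/spool/mqueue and /var/spool/clientmqueue from post #13, using find -delete so the "Argument list too long" failure of rm -f * in post #15 cannot happen. The field codes parsed are the ones visible in the queue dump posted above; the sample queue is constructed in a temp directory with hypothetical ids and addresses.

```sh
# Added example (not from the thread). Every helper takes a sendmail queue
# directory (e.g. /var/spool/mqueue or /var/spool/clientmqueue) as $1.

# Count queued messages: each message has exactly one qf* control file.
queue_count() {
    find "$1" -maxdepth 1 -type f -name 'qf*' | wc -l | tr -d ' '
}

# Summarise each control file using the codes seen in the thread's dump:
# T = creation time (epoch seconds), S = envelope sender, R = recipient.
queue_summary() {
    for qf in "$1"/qf*; do
        [ -f "$qf" ] || continue
        awk -v id="${qf##*/qf}" '
            /^T[0-9]+$/ { t = substr($0, 2) }
            /^S</       { s = substr($0, 2) }
            /^R/        { sub(/^R[^:]*:/, ""); r = (r == "") ? $0 : r "," $0 }
            END { printf "%s created=%s from=%s to=%s\n", id, t, s, r }
        ' "$qf"
    done
}

# Remove control (qf), data (df) and transcript (xf) files. find hands each
# path to -delete itself, so the ARG_MAX limit that makes "rm -f *" fail on
# thousands of files never comes into play.
queue_purge() {
    find "$1" -maxdepth 1 -type f \
        \( -name 'qf*' -o -name 'df*' -o -name 'xf*' \) -delete
}

# Build a constructed queue of $1 messages in a temp dir for an offline run;
# the content mirrors the dump posted above (hypothetical ids and addresses).
make_sample_queue() {
    dir=$(mktemp -d)
    i=1
    while [ "$i" -le "$1" ]; do
        printf 'V6\nT1171248052\nS<foobar2@localhost.localdomain>\nRPFD:<foobar1@gmail.com>\nH??Subject: Using Sendmail\n.\n' \
            > "$dir/qfl1C2Y9H600$i"
        printf 'Hello Friend\n' > "$dir/dfl1C2Y9H600$i"
        i=$((i + 1))
    done
    printf '%s\n' "$dir"
}
```

On a live system, mailq (the same as sendmail -bp) lists the daemon queue and sendmail -Ac -bp the client submission queue; purge only after confirming nothing there should still be delivered.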
 
Tags
local, sendmail, spam, spamming