LinuxQuestions.org

Linux - Security forum thread: sendmail being used as agent?? (https://www.linuxquestions.org/questions/linux-security-4/sendmail-being-used-as-agent-360002/)

latino 09-04-2005 12:49 AM

sendmail being used as agent??
 
Hi

I have detected some strange sendmail activity from Korea, Taiwan IPs. I have verified my sendmail setup and it is not an open relay. The activity detected through tail maillog shows that the majority of attempts were denied (Relaying Denied).

I have previously hardened sendmail with various filters. However, how do I prevent a message from being processed by sendmail if the message specifies another IP as relay??? Some messages appear to be processed by my sendmail agent (those specifying another relay).

I have run rkhunter and the system seems fine. Also I have verified with:
http://dshield.org/warning_explanation.php

and system is clear.

Previously I installed APF and BFD some months back. Today I turned on APF DS usage.

Later


Capt_Caveman 09-04-2005 11:32 AM

Redhat should be configured by default to not allow relaying, so you would need to specifically enable it. Could you post a few example messages from your maillog?

latino 09-04-2005 12:21 PM

Hi here are some examples from maillog:

Sep 4 08:00:04 mysite sendmail[27951]: j84D00Yq027951: from=<qnbngnbunjeak@libra.seed.net.tw>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=61-31-167-22.dynamic.tfn.net.tw [61.31.167.22]

Sep 4 08:23:09 mysite sendmail[29361]: j84DM6n8029359: to=<liverpool_dugger@hotmail.com>, delay=00:00:54, xdelay=00:00:01, mailer=esmtp, pri=184956, relay=mx2.hotmail.com. [65.54.166.230], dsn=5.1.1, stat=User unknown

Sep 4 08:52:46 mysite sendmail[30924]: j84DqiE4030924: from=<tymfimxtzk@altec.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=61-31-28-127.static.tfn.net.tw [61.31.28.127]

Sep 4 08:55:13 mysite sendmail[30931]: j84DtCfv030931: from=<doietompboycgs@rtpco.com.tw>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=219-87-192-31.static.tfn.net.tw [219.87.192.31]

Sep 4 08:55:14 mysite sendmail[30931]: j84DtCfw030931: ruleset=check_rcpt, arg1=<sib01845@ms28.hinet.net>, relay=219-87-192-31.static.tfn.net.tw [219.87.192.31], reject=550 5.7.1 <sib01845@ms28.hinet.net>... Relaying denied

Sep 4 08:55:14 mysite sendmail[30931]: j84DtCfw030931: from=<rypekuwhqqzxet@ms24.url.com.tw>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=219-87-192-31.static.tfn.net.tw [219.87.192.31]

Sep 4 08:55:15 mysite sendmail[30931]: j84DtCfx030931: ruleset=check_rcpt, arg1=<teyq@yahoo.com.tw>, relay=219-87-192-31.static.tfn.net.tw [219.87.192.31], reject=550 5.7.1 <teyq@yahoo.com.tw>... Relaying denied

Sep 4 08:55:15 mysite sendmail[30931]: j84DtCfx030931: from=<dvlrmge@card.chinatrust.com.tw>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=219-87-192-31.static.tfn.net.tw [219.87.192.31]

Sep 4 08:55:16 mysite sendmail[30931]: j84DtCg0030931: ruleset=check_mail, arg1=<lophcvhenagtk@qts.ucs.com.tw>, relay=219-87-192-31.static.tfn.net.tw [219.87.192.31], reject=553 5.1.8 <lophcvhenagtk@qts.ucs.com.tw>... Domain of sender address lophcvhenagtk@qts.ucs.com.tw does not exist

Sep 4 08:55:16 mysite sendmail[30931]: j84DtCg0030931: from=<lophcvhenagtk@qts.ucs.com.tw>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=219-87-192-31.static.tfn.net.tw [219.87.192.31]

Sep 4 08:55:16 mysite sendmail[30931]: j84DtCg1030931: ruleset=check_rcpt, arg1=<sib03767@ms18.hinet.net>, relay=219-87-192-31.static.tfn.net.tw [219.87.192.31], reject=550 5.7.1 <sib03767@ms18.hinet.net>... Relaying denied

Sep 4 08:55:17 mysite sendmail[30931]: j84DtCg1030931: from=<binow@netvigator.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=219-87-192-31.static.tfn.net.tw [219.87.192.31]

Any specific setting in the sendmail configuration to check? Any possibility of server penetration?? Or could this be an attack on sendmail??

Later

latino 09-04-2005 01:16 PM

Hmmm, check these:

Sep 4 13:07:14 mysite sendmail[10130]: j84I2NVv010130: to=<sss.fff@msa.hinet.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30000, relay=msa-mx6.hinet.net. [168.95.5.148], dsn=2.0.0, stat=Sent (CAA24499 Message accepted for delivery)

Sep 4 13:07:16 mysite sendmail[10130]: j84I2NVw010130: to=<sss.fff@msa.hinet.net>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=30000, relay=msa-mx6.hinet.net. [168.95.5.148], dsn=2.0.0, stat=Sent (CAA24503 Message accepted for delivery)

Sep 4 13:07:17 mysite sendmail[10130]: j84I2NVx010130: to=<sss.fff@msa.hinet.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30000, relay=msa-mx6.hinet.net. [168.95.5.148], dsn=2.0.0, stat=Sent (CAA24514 Message accepted for delivery)

Sep 4 13:07:19 mysite sendmail[10130]: j84I2NW0010130: to=<sss.fff@msa.hinet.net>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=30000, relay=msa-mx6.hinet.net. [168.95.5.148], dsn=2.0.0, stat=Sent (CAA24527 Message accepted for delivery)

:( I dunno what is happening...

Later

Capt_Caveman 09-04-2005 01:56 PM

In your first set of log messages, you can see the incoming relay attempt getting denied. If you follow the message ID (j84DtCfv030931), you'll see the message "Relaying denied". So it looks like your smtp config doesn't allow relaying.

The second set of log messages shows an outgoing message actually being delivered, but I can't really tell what that is without seeing the rest of the log. If I had to guess, I'd say it's a bounce message getting sent back to the originating server. Look through your maillog for other entries with the message ID (j84I2NW0010130) or with that sender (sss.fff@msa.hinet.net).
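To follow queue IDs across maillog lines the way the reply above suggests, here is an added Python script (my example, not code from the thread or from sendmail). It assumes the standard sendmail "key=value, key=value" maillog layout and uses a shortened set of lines reproduced from the posts above as sample input; the per-host count of denied attempts is what you would feed into APF/BFD decisions.

```python
import re
from collections import Counter, defaultdict
# Sample maillog lines reproduced (shortened set) from the posts above. The queue
# ID after "sendmail[pid]:" ties a from= line to its check_rcpt reject or to= line.
SAMPLE_LOG = """\
Sep 4 08:55:14 mysite sendmail[30931]: j84DtCfw030931: ruleset=check_rcpt, arg1=<sib01845@ms28.hinet.net>, relay=219-87-192-31.static.tfn.net.tw [219.87.192.31], reject=550 5.7.1 <sib01845@ms28.hinet.net>... Relaying denied
Sep 4 08:55:14 mysite sendmail[30931]: j84DtCfw030931: from=<rypekuwhqqzxet@ms24.url.com.tw>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=219-87-192-31.static.tfn.net.tw [219.87.192.31]
Sep 4 08:23:09 mysite sendmail[29361]: j84DM6n8029359: to=<liverpool_dugger@hotmail.com>, delay=00:00:54, xdelay=00:00:01, mailer=esmtp, pri=184956, relay=mx2.hotmail.com. [65.54.166.230], dsn=5.1.1, stat=User unknown
Sep 4 13:07:14 mysite sendmail[10130]: j84I2NVv010130: to=<sss.fff@msa.hinet.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30000, relay=msa-mx6.hinet.net. [168.95.5.148], dsn=2.0.0, stat=Sent (CAA24499 Message accepted for delivery)
"""
HEAD_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$")

def parse_line(line):
    """Return (queue_id, {key: value}) for a sendmail line, else None."""
    m = HEAD_RE.search(line)
    if not m:
        return None
    fields = {}
    for item in m.group("rest").split(", "):
        key, _, val = item.partition("=")
        fields[key] = val.strip("<>")   # from=<a@b> -> a@b
    return m.group("qid"), fields

def classify(log_text):
    """Merge each queue ID's lines and label the message's outcome."""
    by_qid = defaultdict(dict)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            by_qid[parsed[0]].update(parsed[1])
    outcome = {qid: "incomplete" for qid in by_qid}   # grep maillog for more lines
    for qid, f in by_qid.items():
        if f.get("ruleset") == "check_rcpt" and "Relaying denied" in f.get("reject", ""):
            outcome[qid] = "relay attempt denied"       # inbound, blocked
        elif f.get("stat", "").startswith("Sent"):
            outcome[qid] = "outbound delivered"         # really left the box
        elif "stat" in f:
            outcome[qid] = "outbound failed: " + f["stat"]
    return outcome

def denied_by_relay_host(log_text):
    """Count denied relay attempts per connecting IP (candidates for APF/BFD)."""
    hosts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and "Relaying denied" in parsed[1].get("reject", ""):
            ip = re.search(r"\[([^\]]+)\]", parsed[1].get("relay", ""))
            hosts[ip.group(1) if ip else "unknown"] += 1
    return hosts
```

Run it over the whole maillog (read the file into `classify`) and any queue ID labelled "outbound delivered" whose sender is not one of your own users is the one worth chasing down.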
