LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-04-2005, 01:49 AM   #1
latino
Member
 
Registered: Aug 2003
Location: Puerto Rico
Distribution: Centos 6.6
Posts: 142

Rep: Reputation: 15
sendmail being used as agent??


Hi

I have detected some strange sendmail activity from Korea and Taiwan IPs. I have verified my sendmail setup and it is not an open relay. The activity detected through tail maillog shows that the majority of attempts were denied (Relaying Denied).

I have previously hardened sendmail with various filters. However, how do I prevent a message from being processed by sendmail if the message specifies another IP as relay??? Some messages appear to be processed by my sendmail agent (those specifying another relay).

I have run rkhunter and the system seems fine. Also I have verified with:
http://dshield.org/warning_explanation.php

and the system is clear.

Previously I installed APF and BFD some months back. Today I turned on APF DS usage.

Later

 
Old 09-04-2005, 12:32 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Redhat should be configured by default to not allow relaying, so you would need to specifically enable it. Could you post a few example messages from your maillog?
 
Old 09-04-2005, 01:21 PM   #3
latino
Member
 
Registered: Aug 2003
Location: Puerto Rico
Distribution: Centos 6.6
Posts: 142

Original Poster
Rep: Reputation: 15
Hi, here are some examples from maillog:

Sep 4 08:00:04 mysite sendmail[27951]: j84D00Yq027951: from=<qnbngnbunjeak@libra.seed.net.tw>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=61-31-167-22.dynamic.tfn.net.tw [61.31.167.22]

Sep 4 08:23:09 mysite sendmail[29361]: j84DM6n8029359: to=<liverpool_dugger@hotmail.com>, delay=00:00:54, xdelay=00:00:01, mailer=esmtp, pri=184956, relay=mx2.hotmail.com. [65.54.166.230], dsn=5.1.1, stat=User unknown

Sep 4 08:52:46 mysite sendmail[30924]: j84DqiE4030924: from=<tymfimxtzk@altec.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=61-31-28-127.static.tfn.net.tw [61.31.28.127]

Sep 4 08:55:13 mysite sendmail[30931]: j84DtCfv030931: from=<doietompboycgs@rtpco.com.tw>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=219-87-192-31.static.tfn.net.tw [219.87.192.31]

Sep 4 08:55:14 mysite sendmail[30931]: j84DtCfw030931: ruleset=check_rcpt, arg1=<sib01845@ms28.hinet.net>, relay=219-87-192-31.static.tfn.net.tw [219.87.192.31], reject=550 5.7.1 <sib01845@ms28.hinet.net>... Relaying denied

Sep 4 08:55:14 mysite sendmail[30931]: j84DtCfw030931: from=<rypekuwhqqzxet@ms24.url.com.tw>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=219-87-192-31.static.tfn.net.tw [219.87.192.31]

Sep 4 08:55:15 mysite sendmail[30931]: j84DtCfx030931: ruleset=check_rcpt, arg1=<teyq@yahoo.com.tw>, relay=219-87-192-31.static.tfn.net.tw [219.87.192.31], reject=550 5.7.1 <teyq@yahoo.com.tw>... Relaying denied

Sep 4 08:55:15 mysite sendmail[30931]: j84DtCfx030931: from=<dvlrmge@card.chinatrust.com.tw>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=219-87-192-31.static.tfn.net.tw [219.87.192.31]

Sep 4 08:55:16 mysite sendmail[30931]: j84DtCg0030931: ruleset=check_mail, arg1=<lophcvhenagtk@qts.ucs.com.tw>, relay=219-87-192-31.static.tfn.net.tw [219.87.192.31], reject=553 5.1.8 <lophcvhenagtk@qts.ucs.com.tw>... Domain of sender address lophcvhenagtk@qts.ucs.com.tw does not exist

Sep 4 08:55:16 mysite sendmail[30931]: j84DtCg0030931: from=<lophcvhenagtk@qts.ucs.com.tw>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=219-87-192-31.static.tfn.net.tw [219.87.192.31]

Sep 4 08:55:16 mysite sendmail[30931]: j84DtCg1030931: ruleset=check_rcpt, arg1=<sib03767@ms18.hinet.net>, relay=219-87-192-31.static.tfn.net.tw [219.87.192.31], reject=550 5.7.1 <sib03767@ms18.hinet.net>... Relaying denied

Sep 4 08:55:17 mysite sendmail[30931]: j84DtCg1030931: from=<binow@netvigator.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=219-87-192-31.static.tfn.net.tw [219.87.192.31]

Any specific setting in the sendmail configuration to check? Any possibility of server penetration?? Or could this be an attack on sendmail??

Later

Last edited by latino; 09-04-2005 at 01:23 PM.
 
Old 09-04-2005, 02:16 PM   #4
latino
Member
 
Registered: Aug 2003
Location: Puerto Rico
Distribution: Centos 6.6
Posts: 142

Original Poster
Rep: Reputation: 15
Hmmm, check these:

Sep 4 13:07:14 mysite sendmail[10130]: j84I2NVv010130: to=<sss.fff@msa.hinet.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30000, relay=msa-mx6.hinet.net. [168.95.5.148], dsn=2.0.0, stat=Sent (CAA24499 Message accepted for delivery)

Sep 4 13:07:16 mysite sendmail[10130]: j84I2NVw010130: to=<sss.fff@msa.hinet.net>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=30000, relay=msa-mx6.hinet.net. [168.95.5.148], dsn=2.0.0, stat=Sent (CAA24503 Message accepted for delivery)

Sep 4 13:07:17 mysite sendmail[10130]: j84I2NVx010130: to=<sss.fff@msa.hinet.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30000, relay=msa-mx6.hinet.net. [168.95.5.148], dsn=2.0.0, stat=Sent (CAA24514 Message accepted for delivery)

Sep 4 13:07:19 mysite sendmail[10130]: j84I2NW0010130: to=<sss.fff@msa.hinet.net>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=30000, relay=msa-mx6.hinet.net. [168.95.5.148], dsn=2.0.0, stat=Sent (CAA24527 Message accepted for delivery)

I dunno what is happening...

Later
 
Old 09-04-2005, 02:56 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
In your first set of log messages, you can see the incoming relay attempt getting denied. If you follow the message ID (j84DtCfv030931), you'll see the message "Relaying denied". So it looks like your smtp config doesn't allow relaying.

The second set of log messages shows an outgoing message actually being delivered, but I can't really tell what that is without seeing the rest of the log. If I had to guess, I'd say it's a bounce message getting sent back to the originating server. Look through your maillog for other entries with the message ID (j84I2NW0010130) or with that sender (sss.fff@msa.hinet.net).
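As an added example (not code from the thread, and not part of sendmail), here is a small Python script that does the follow-the-queue-ID check described above: it groups maillog lines by queue ID, flags the envelopes that ended in "Relaying denied", separates them from other rejects, and marks outbound deliveries whose sender is the null address from=<> (that is how sendmail logs a bounce, which is what Capt_Caveman guesses the hinet deliveries are). It also counts relay-denied attempts per client IP so the hosts hammering the server stand out. The sample log lines are constructed, modelled on the ones posted above; the hostnames, the 203.0.113.x / 198.51.100.x addresses and the bounce lines are made up for the example.

```python
"""Group sendmail maillog entries by queue ID and classify each envelope.

Added example for this thread, not code from the original posts. The log
lines in SAMPLE_LOG are constructed to look like the ones posted above.
"""
import re
from collections import defaultdict

# Line layout: "<Mon dd HH:MM:SS> <host> sendmail[<pid>]: <queueid>: <field>, <field>, ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sendmail\[(?P<pid>\d+)\]: (?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$"
)

# Constructed sample: two inbound envelopes from one client (one relay attempt,
# one sender-domain reject), a bounce with the null sender, and a delivery whose
# from= record falls outside the captured window.
SAMPLE_LOG = """\
Sep  4 08:55:14 mysite sendmail[30931]: j84DtCfw030931: ruleset=check_rcpt, arg1=<user1@example.net>, relay=client.example.tw [203.0.113.31], reject=550 5.7.1 <user1@example.net>... Relaying denied
Sep  4 08:55:14 mysite sendmail[30931]: j84DtCfw030931: from=<spam1@example.tw>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=client.example.tw [203.0.113.31]
Sep  4 08:55:16 mysite sendmail[30931]: j84DtCg0030931: ruleset=check_mail, arg1=<nobody@bad.example>, relay=client.example.tw [203.0.113.31], reject=553 5.1.8 <nobody@bad.example>... Domain of sender address nobody@bad.example does not exist
Sep  4 08:55:16 mysite sendmail[30931]: j84DtCg0030931: from=<nobody@bad.example>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=client.example.tw [203.0.113.31]
Sep  4 13:07:14 mysite sendmail[10130]: j84I2NVv010130: from=<>, size=2048, class=0, nrcpts=1, msgid=<200509041307.j84I2NVv010130@mysite>, relay=localhost
Sep  4 13:07:14 mysite sendmail[10130]: j84I2NVv010130: to=<sss.fff@msa.hinet.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30000, relay=mx.example.net. [198.51.100.5], dsn=2.0.0, stat=Sent (CAA24499 Message accepted for delivery)
Sep  4 13:07:16 mysite sendmail[10130]: j84I2NVw010130: to=<sss.fff@msa.hinet.net>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=30000, relay=mx.example.net. [198.51.100.5], dsn=2.0.0, stat=Sent (CAA24503 Message accepted for delivery)
"""


def parse_line(line):
    """Return (queue_id, {field: value}) or None for lines that are not sendmail records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for chunk in m.group("rest").split(", "):
        if "=" not in chunk:          # e.g. free-text warnings; nothing to key on
            continue
        key, value = chunk.split("=", 1)
        fields[key] = value
    fields["_ts"] = m.group("ts")
    return m.group("qid"), fields


def group_by_queue_id(lines):
    """Collect every record that shares a queue ID, in log order."""
    envelopes = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            qid, fields = parsed
            envelopes[qid].append(fields)
    return envelopes


def classify(records):
    """Classify one envelope from all the records logged under its queue ID."""
    rejects = [r["reject"] for r in records if "reject" in r]
    froms = [r["from"] for r in records if "from" in r]
    sent = any(r.get("stat", "").startswith("Sent") for r in records)
    if any("Relaying denied" in rej for rej in rejects):
        return "relay-denied"             # server refused to relay for this client
    if rejects:
        return "rejected"                 # other ruleset reject (check_mail etc.)
    if sent:
        if not froms:
            return "delivered-unknown-origin"   # from= record not in this window
        if "<>" in froms:
            return "bounce"               # null envelope sender: a DSN/bounce
        return "delivered"
    if any(r.get("nrcpts") == "0" for r in records):
        return "no-recipients"
    return "other"


def relay_ip(record):
    """Extract the client IP from a 'relay=host [ip]' field, if present."""
    m = re.search(r"\[([0-9a-fA-F.:]+)\]", record.get("relay", ""))
    return m.group(1) if m else None


def summarize(lines):
    """Return (verdict per queue ID, relay-denied attempt count per client IP)."""
    envelopes = group_by_queue_id(lines)
    verdicts = {qid: classify(recs) for qid, recs in envelopes.items()}
    denied_by_ip = defaultdict(int)
    for qid, recs in envelopes.items():
        if verdicts[qid] != "relay-denied":
            continue
        for r in recs:
            ip = relay_ip(r)
            if "reject" in r and ip:
                denied_by_ip[ip] += 1
    return verdicts, dict(denied_by_ip)


if __name__ == "__main__":
    verdicts, denied = summarize(SAMPLE_LOG.splitlines())
    for qid, verdict in verdicts.items():
        print(f"{qid}: {verdict}")
    print("relay-denied attempts per client IP:", denied)
```

Run it against a real file with `summarize(open("/var/log/maillog").readlines())`. A verdict of "delivered-unknown-origin" only means the envelope's from= record is not inside the lines you fed in, which is exactly the case for the second log excerpt in the thread; searching the full maillog for that queue ID, as suggested above, turns it into either "bounce" (from=<>) or "delivered" (a real sender, which would be the thing to worry about).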