sendmail problem

slack66 · 06-22-2004, 07:03 AM

I have noticied something unusual in my sendmail logs lately. I see hosts connecting to my machine, trying to guess legitimate email accounts by issuing an obscene amount of rcpt to: commands with random names. Example:

Nov 2 10:27:19 mail sendmail[4138]: hA2FRCL1004138: < -- RCPT To:elias@coccia.com
Nov 2 10:27:19 mail sendmail[4138]: hA2FRCL1004138: --- 550 5.1.1 elias@coccia.com... User unknown
Nov 2 10:27:23 mail sendmail[4138]: hA2FRCL1004138: < -- RCPT To:andreas@coccia.com
Nov 2 10:27:23 mail sendmail[4138]: hA2FRCL1004138: --- 550 5.1.1 andreas@coccia.com... User unknown
Nov 2 10:27:23 mail sendmail[4138]: hA2FRCL1004138: < -- RCPT To:dewey@coccia.com
Nov 2 10:27:23 mail sendmail[4138]: hA2FRCL1004138: --- 550 5.1.1 dewey @coccia.com... User unknown
Nov 2 10:27:23 mail sendmail[4138]: hA2FRCL1004138: < -- RCPT To:dalton@coccia.com
Nov 2 10:27:23 mail sendmail[4138]: hA2FRCL1004138: --- 550 5.1.1 dalton @coccia.com... User unknown
Nov 2 10:27:23 mail sendmail[4138]: hA2FRCL1004138: < -- RCPT To:access@coccia.com
Nov 2 10:27:23 mail sendmail[4138]: hA2FRCL1004138: --- 550 5.1.1 access @coccia.com... User unknown
Nov 2 10:27:23 mail sendmail[4138]: hA2FRCL1004138: < -- RCPT To:devin@coccia.com
Nov 2 10:27:23 mail sendmail[4138]: hA2FRCL1004138: --- 550 5.1.1 devin @coccia.com... User unknown
Nov 2 10:27:23 mail sendmail[4138]: hA2FRCL1004138: < -- RCPT To:francois@coccia.com
Nov 2 10:27:23 mail sendmail[4138]: hA2FRCL1004138: --- 550 5.1.1 francois @coccia.com... User unknown

And so on. They try an average of 30 usernames per session and even if they find legitimate accounts, the email transmission never takes place.
These connections are coming from everywhere. it has already been a week since I started noticing it. Any info will be appreciated

ncorreia · 06-23-2004, 05:42 AM

Hi,

I would advise you doind something I always do when setting up sendmail, which is turning off vrfy command.
In your sendmail.mc file look for something like this:

define(`confPRIVACY_FLAGS', `needmailhelo,authwarnings,novrfy,noetrn,noverb,nobodyreturn,noexpn,restrictqrun')dnl

and add whichever flags you think apropriate.
I have these ones configured currently and have no complaints about this configuration.
Unless you really need vrfy on for something....

Hope this helps

ppuru · 06-23-2004, 05:56 AM

In /etc/mail/sendmail.cf set

O PrivacyOptions=goaway

slack66 · 06-23-2004, 09:05 AM

ok i will try that

thks guy!

slack66 · 06-24-2004, 02:11 AM

guys i tried....but i think it doesnt work

after a minute my log read this:

Jun 24 15:01:39 mail sm-mta[1070]: i5O71cK0001070: <douglas@mydomain.com>... User unknown
Jun 24 15:01:39 mail sm-mta[1070]: i5O71cK0001070: <elliott@mydomain.com>... User unknown
Jun 24 15:01:40 mail sm-mta[1070]: i5O71cK0001070: <fleming@mydomain.com>... User unknown
Jun 24 15:01:40 mail sm-mta[1070]: i5O71cK0001070: <fletcher@mydomain.com>... User unknown
Jun 24 15:01:41 mail sm-mta[1070]: i5O71cK0001070: from=<claribelstrobel@hotmail.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=HOST20917525277.hosts.lincon.net [209.175.252.77] (may be forged)
Jun 24 15:01:41 mail sm-mta[1070]: i5O71cK1001070: <graves@mydomain.com>... User unknown
Jun 24 15:01:42 mail sm-mta[1070]: i5O71cK1001070: <hammond@mydomain.com>... User unknown
Jun 24 15:01:42 mail sm-mta[1070]: i5O71cK1001070: from=<raguelyamat@logo2mob.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=HOST20917525277.hosts.lincon.net [209.175.252.77] (may be forged)