LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-22-2004, 08:03 AM   #1
slack66
Member
 
Registered: Jul 2003
Location: manila
Distribution: slackware 8 to 9
Posts: 199

Rep: Reputation: 30
sendmail problem


I have noticed something unusual in my sendmail logs lately. I see hosts connecting to my machine, trying to guess legitimate email accounts by issuing an obscene amount of RCPT TO: commands with random names. Example:


Nov 2 10:27:19 mail sendmail[4138]: hA2FRCL1004138: < -- RCPT To:elias@coccia.com
Nov 2 10:27:19 mail sendmail[4138]: hA2FRCL1004138: --- 550 5.1.1 elias@coccia.com... User unknown
Nov 2 10:27:23 mail sendmail[4138]: hA2FRCL1004138: < -- RCPT To:andreas@coccia.com
Nov 2 10:27:23 mail sendmail[4138]: hA2FRCL1004138: --- 550 5.1.1 andreas@coccia.com... User unknown
Nov 2 10:27:23 mail sendmail[4138]: hA2FRCL1004138: < -- RCPT To:dewey@coccia.com
Nov 2 10:27:23 mail sendmail[4138]: hA2FRCL1004138: --- 550 5.1.1 dewey @coccia.com... User unknown
Nov 2 10:27:23 mail sendmail[4138]: hA2FRCL1004138: < -- RCPT To:dalton@coccia.com
Nov 2 10:27:23 mail sendmail[4138]: hA2FRCL1004138: --- 550 5.1.1 dalton @coccia.com... User unknown
Nov 2 10:27:23 mail sendmail[4138]: hA2FRCL1004138: < -- RCPT To:access@coccia.com
Nov 2 10:27:23 mail sendmail[4138]: hA2FRCL1004138: --- 550 5.1.1 access @coccia.com... User unknown
Nov 2 10:27:23 mail sendmail[4138]: hA2FRCL1004138: < -- RCPT To:devin@coccia.com
Nov 2 10:27:23 mail sendmail[4138]: hA2FRCL1004138: --- 550 5.1.1 devin @coccia.com... User unknown
Nov 2 10:27:23 mail sendmail[4138]: hA2FRCL1004138: < -- RCPT To:francois@coccia.com
Nov 2 10:27:23 mail sendmail[4138]: hA2FRCL1004138: --- 550 5.1.1 francois @coccia.com... User unknown


And so on. They try an average of 30 usernames per session, and even if they find legitimate accounts, the email transmission never takes place.
These connections are coming from everywhere. It has already been a week since I started noticing it. Any info will be appreciated.
 
Old 06-23-2004, 06:42 AM   #2
ncorreia
Member
 
Registered: Apr 2003
Distribution: Red Hat
Posts: 37

Rep: Reputation: 15
Hi,

I would advise you to do something I always do when setting up sendmail, which is turning off the VRFY command.
In your sendmail.mc file look for something like this:

define(`confPRIVACY_FLAGS', `needmailhelo,authwarnings,novrfy,noetrn,noverb,nobodyreturn,noexpn,restrictqrun')dnl

and add whichever flags you think appropriate.
I have these ones configured currently and have no complaints about this configuration.
Unless you really need vrfy on for something....

Hope this helps
 
Old 06-23-2004, 06:56 AM   #3
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
In /etc/mail/sendmail.cf set

O PrivacyOptions=goaway
 
Old 06-23-2004, 10:05 AM   #4
slack66
Member
 
Registered: Jul 2003
Location: manila
Distribution: slackware 8 to 9
Posts: 199

Original Poster
Rep: Reputation: 30
OK, I will try that, thanks guys!
 
Old 06-24-2004, 03:11 AM   #5
slack66
Member
 
Registered: Jul 2003
Location: manila
Distribution: slackware 8 to 9
Posts: 199

Original Poster
Rep: Reputation: 30
Guys, I tried... but I think it doesn't work. After a minute my log read this:

Jun 24 15:01:39 mail sm-mta[1070]: i5O71cK0001070: <douglas@mydomain.com>... User unknown
Jun 24 15:01:39 mail sm-mta[1070]: i5O71cK0001070: <elliott@mydomain.com>... User unknown
Jun 24 15:01:40 mail sm-mta[1070]: i5O71cK0001070: <fleming@mydomain.com>... User unknown
Jun 24 15:01:40 mail sm-mta[1070]: i5O71cK0001070: <fletcher@mydomain.com>... User unknown
Jun 24 15:01:41 mail sm-mta[1070]: i5O71cK0001070: from=<claribelstrobel@hotmail.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=HOST20917525277.hosts.lincon.net [209.175.252.77] (may be forged)
Jun 24 15:01:41 mail sm-mta[1070]: i5O71cK1001070: <graves@mydomain.com>... User unknown
Jun 24 15:01:42 mail sm-mta[1070]: i5O71cK1001070: <hammond@mydomain.com>... User unknown
Jun 24 15:01:42 mail sm-mta[1070]: i5O71cK1001070: from=<raguelyamat@logo2mob.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=HOST20917525277.hosts.lincon.net [209.175.252.77] (may be forged)
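The rejections above are RCPT TO refusals rather than VRFY replies, which is why the novrfy flag alone does not change anything; what a defender can do is make the probing session visible. Added example, not code from any poster: a small Python scan over constructed log lines in the two formats quoted in this thread, grouping "User unknown" rejections by the sendmail child pid (one SMTP session) so a host that walks through many addresses stands out. The hostnames, addresses and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the two formats quoted in the thread
# (post #1: "--- 550 5.1.1 user@dom... User unknown"; post #5:
# "<user@dom>... User unknown"). Hosts and addresses are placeholders.
SAMPLE_LOG = """\
Jun 24 15:01:39 mail sm-mta[1070]: i5O71cK0001070: <douglas@example.com>... User unknown
Jun 24 15:01:39 mail sm-mta[1070]: i5O71cK0001070: <elliott@example.com>... User unknown
Jun 24 15:01:40 mail sm-mta[1070]: i5O71cK0001070: <fleming@example.com>... User unknown
Jun 24 15:01:41 mail sm-mta[1070]: i5O71cK0001070: from=<x@example.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=harvester.example.org [192.0.2.10] (may be forged)
Jun 24 15:01:41 mail sm-mta[1070]: i5O71cK1001070: --- 550 5.1.1 graves @example.com... User unknown
Jun 24 15:01:42 mail sm-mta[1070]: i5O71cK1001070: from=<y@example.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=harvester.example.org [192.0.2.10] (may be forged)
Jun 24 15:02:00 mail sm-mta[1071]: i5O71cK0001071: <bob@example.com>... User unknown
Jun 24 15:02:01 mail sm-mta[1071]: i5O71cK0001071: from=<alice@example.net>, size=1234, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=mx.example.net [198.51.100.5]
"""

# pid of the sm-mta/sendmail child, the queue id, and the rest of the message.
LINE_RE = re.compile(r"\[(?P<pid>\d+)\]: (?P<qid>\w+): (?P<rest>.*)$")
# Both rejection formats; the recipient may be bracketed or carry stray spaces.
UNKNOWN_RE = re.compile(r"^(?:--- 550 5\.1\.1 )?<?(?P<rcpt>[^<>]+?)>?\.\.\. User unknown$")
# The envelope line tells us which relay the session came from.
FROM_RE = re.compile(r"^from=<[^>]*>.*relay=(?P<relay>\S+) \[(?P<ip>[^\]]+)\]")


def harvest_sessions(log_text, threshold=3):
    """Group 'User unknown' rejections per child pid (one SMTP session; the
    queue id changes for every message inside it, the pid does not) and
    return only sessions with at least `threshold` rejected recipients.
    Caveat: pids are reused over time, so scan a bounded window of the log."""
    sessions = defaultdict(lambda: {"unknown": 0, "rcpts": [], "relay": None, "ip": None})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sess = sessions[m.group("pid")]
        u = UNKNOWN_RE.match(m.group("rest"))
        if u:
            sess["unknown"] += 1
            sess["rcpts"].append(u.group("rcpt").replace(" ", ""))
            continue
        f = FROM_RE.match(m.group("rest"))
        if f:
            sess["relay"], sess["ip"] = f.group("relay"), f.group("ip")
    return {pid: s for pid, s in sessions.items() if s["unknown"] >= threshold}


if __name__ == "__main__":
    for pid, s in harvest_sessions(SAMPLE_LOG).items():
        print(f"pid {pid}: {s['unknown']} unknown recipients from {s['relay']} [{s['ip']}]")
```

Sendmail 8.12 and later also provide `confBAD_RCPT_THROTTLE` (the `BadRcptThrottle` option), which slows a session down after a set number of rejected recipients; a scan like this confirms whether the probing is RCPT-based before you reach for it.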