LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   sendmail sending fake e-mails (https://www.linuxquestions.org/questions/linux-security-4/sendmail-sending-fake-e-mails-4064/)

klaus geld 07-08-2001 02:12 PM

sendmail sending fake e-mails
 
Our mail server is being telneted by someone who then sends fake e-mail messages to people in our company. How do I stop this?

jharris 07-08-2001 02:14 PM

Disable external telnet. Either turn off the daemon (use ssh instead!) or firewall the telnet port.

If someone who isn't with the company is getting into your server then I'd be looking for more than just email problems.

HTH

Jamie...

raz 07-09-2001 08:30 AM

I agree with Jamie,

How do you know they are getting a shell.
It's more likely they are using the command "telnet your_emails_servers_ip 25" and then spoofing the HELO and from address info to your internal users email addresses.

Sounds like your email server is set-up incorrectly and allows relaying.

Supply more info on email server type, version and what makes you think they have telnet access.

/Raz

klaus geld 07-18-2001 08:13 AM

sendmail sending fake emails
 
Sorry for the wait time, we have found the following(after looking at logs for days).

It was not an external telnet, it came from a machine inside our intranet. This was found out after some time. The original person(s) logged into one machine, telneted another, and then sent the e-mails. This way, the machine name in the sendmail log showed the second machine's name. Then after looking for a telnet session in the logs, did we find that that machine was telneted to(OOOoohhh, tricky).

The user name of the person from who the e-mail was not a valid user name at our company.

The account that was used to login with is a student account that has been used for months now.(I know, I know, that was one of the other sys admins idea, he's taking the heat for that now). That is a dead end since we have no cameras or records.

We cannot block the internal telnet for the student machine since it is used in the class.

Sendmail is blocked on the classroom machines, so it could not have been used, hense the "telnet" lead.

There must be some sendmail config that will not except connections like this???

We are using sendmail ver. 8.8.3, later, after gettting some more machines up, this will change, but not for a few months, you know with this kick ass economy and all, were just spending away, not.

So how do I get rid of relaying?

raz 07-18-2001 09:45 AM

I would start by reading http://www.sendmail.org/m4/anti-spam.html and deciding with option meets your criteria.

I would look at the FEATURE(`relay_mail_from') option where you specify real user names that are allowed to relay

or
FEATURE(`access_db')
FEATURE(`access_db', `hash /etc/mail/access')

The access_bd feature where you build up a list of users who are allowed access to the mail services, a fake user would be rejected.
Also a check from the Header id to confirm user id so faking a known user is rejected with an incorrect message id.

Someone who knows more about sendmail then I do, could give you more info on these options then in the anti spam FAQ.

/Raz


All times are GMT -5. The time now is 03:00 PM.