LinuxQuestions.org > Forums > Linux Forums > Linux - Security

Old 09-20-2006, 09:19 PM   #1
cereal83
Member
 
Registered: Feb 2004
Location: Canada
Distribution: Slackware
Posts: 479

Spammers using my sendmail to send their junk, need help please!


Hey all

Well I am in control of a smtp server and people are using it to send spam. I have no idea on how to lock it down to only allow who I want to, to be able to send the emails out using my server. I am running slackware and using sendmail.

Authentication would be fine but I really don't have a clue on how to do it so any help would be great.

Thanks all
 
Old 09-21-2006, 08:39 AM   #2
cereal83
Member
 
Registered: Feb 2004
Location: Canada
Distribution: Slackware
Posts: 479

Original Poster
Hey all, just checking in. Maybe I put this in the wrong section, as I know tons of people know this answer, so if I did could a mod move it? Thanks
 
Old 09-21-2006, 10:39 AM   #3
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

What is in your /etc/mail/access file?

If you want to implement authentication in sendmail you can start here:
http://www.linuxquestions.org/questi...=sendmail+auth
 
Old 09-21-2006, 12:13 PM   #4
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

I think people's reluctance to answer would be due, in part, to this having a fairly obvious answer - like the results that I got googling for "securing sendmail", "sendmail relay", the Sendmail HOWTO available in numerous locations etc.

The question arises, however, on exactly why you are running an SMTP server:

Quote:
Originally Posted by cereal83
Well I am in control of a smtp server... I have no idea on how to lock it down... I really don't have a clue on how to do it
It doesn't sound like you're in control!

Before you do anything, you absolutely must take it off the Internet while testing - or at least restrict access to the SMTP ports to your own IP - this way you instantly stop the spam that you are firing at other people. Chances are that your ISP will do this for you if you don't (i.e. by cutting your connection).

How did you discover that this was the case, anyway, and how long has it been running in that configuration?
 
Old 09-21-2006, 03:04 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

If you are simply relaying spam due to misconfiguration, then locking the system down would be the appropriate response. If you've been compromised and the spam is just a symptom of the compromise, then you need to take more significant measures.

First take the system offline and isolate where the email is being sent from. Do you see anything in the mail logs? If not then widen the search to include all other system and daemon logs, especially http/apache logs. Essentially go through every log file in /var/log and its subdirs looking for anything abnormal. Get a list of all processes running on the system with: ps aux and a list of all network sockets with: netstat -pantu. Check the /etc/passwd file for new users or any non-root users with UID/GID of 0. Check last login times with: last -i. Look for any strange files in /tmp. Look at the files in /etc/cron* for any suspicious looking cron jobs (/var/log/cron is a good place to look too). Look for any SUID/SGID root files on the system. Lastly, download and run rkhunter or chkrootkit on the system. Post any relevant results and make sure to ask if you have any questions about the above (the only stupid question is the one not asked).
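The checklist above, as an added shell example that is not Capt_Caveman's own script: read-only helpers for the "where is the mail coming from", "UID 0 accounts" and "SUID/SGID files" steps, plus a live snapshot of the rest. The sendmail log lines it is tested against are constructed samples; the maillog path, the report file name and the rkhunter/chkrootkit invocation are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread: read-only helpers for the triage steps
# listed above. Each helper takes a path argument so it can be run against a
# copied log or a mounted image as well as the live system.

# Busiest submitting hosts in a sendmail log: prints "count relay", highest
# count first, from the relay= field of the from=<...> records. (The to=<...>
# records carry the delivery relay, which is not what we are after here.)
top_relays() {
    grep 'from=<' "$1" \
        | sed -n 's/.*relay=\([^,]*\).*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ n = $1; sub(/^ *[0-9]+ /, ""); print n, $0 }'
}

# Accounts other than root that carry UID 0 or GID 0 in a passwd file.
uid0_accounts() {
    awk -F: '$1 != "root" && ($3 == 0 || $4 == 0) { print $1 }' "$1"
}

# SUID/SGID files below a directory, staying on one filesystem.
suid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Snapshot of the remaining checks on the live system, written to a dated
# report so the results can be posted. Assumes Slackware's /var/log/maillog.
# Run as root:  sh triage.sh --report
live_report() {
    out="triage-$(date +%Y%m%d-%H%M%S).txt"
    {
        echo "## processes";            ps aux
        echo "## network sockets";      netstat -pantu
        echo "## recent logins";        last -i | head -n 50
        echo "## uid/gid 0 accounts";   uid0_accounts /etc/passwd
        echo "## /tmp";                 ls -la /tmp
        echo "## cron";                 ls -la /etc/cron* /var/spool/cron 2>/dev/null
        echo "## suid/sgid files";      suid_files /
        echo "## submitting hosts";     top_relays /var/log/maillog
        # Rootkit scanners, if installed (flags assumed from their manuals).
        command -v rkhunter   >/dev/null 2>&1 && { echo "## rkhunter";   rkhunter --check --sk; }
        command -v chkrootkit >/dev/null 2>&1 && { echo "## chkrootkit"; chkrootkit; }
    } > "$out" 2>&1
    echo "report written to $out"
}

if [ "${1:-}" = "--report" ]; then
    live_report
fi
```

Point top_relays at the mail log first: a handful of outside addresses accounting for most of the from= records is the relaying-abuse signature, while a spread of internal workstation addresses points at infected clients instead.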
 
Old 09-22-2006, 03:48 AM   #6
operator10001
Member
 
Registered: Mar 2006
Distribution: debian sarge
Posts: 222

use gmail. gmail is hard to compromise.
 
Old 09-24-2006, 12:25 PM   #7
cereal83
Member
 
Registered: Feb 2004
Location: Canada
Distribution: Slackware
Posts: 479

Original Poster
Sorry I never provided more info.

We own a www. website. I am not 100% in charge of it but they are trying to put me in charge of it so I have been reading a lot of info on it. That is one problem that I see with our server. We have the smtp server because we send out all our email with this server so isn't that just the proper way of doing things? I am pretty new to the email scene so I am trying to learn as much as I can. I can't take the system offline as we use this on a daily basis. We don't really have an ISP that controls our email as we control it all. Allowing only our IP address might be a good way but I would like to implement a more secure way maybe with a username and password as this just seems better. The server has not been hacked, I do know slackware pretty well, I just don't know about email stuff yet but I am learning. I will have a better look at the system on Monday and see what I can come up with.

People who tell me to use gmail, well that's just ignorant as everybody starts somewhere except for you.
 
Old 09-24-2006, 12:28 PM   #8
cereal83
Member
 
Registered: Feb 2004
Location: Canada
Distribution: Slackware
Posts: 479

Original Poster
Quote:
Originally Posted by ledow
I think people's reluctance to answer would be due, in part, to this having a fairly obvious answer - like the results that I got googling for "securing sendmail", "sendmail relay", the Sendmail HOWTO available in numerous locations etc.

The question arises, however, on exactly why you are running an SMTP server:

It doesn't sound like you're in control!

Before you do anything, you absolutely must take it off the Internet while testing - or at least restrict access to the SMTP ports to your own IP - this way you instantly stop the spam that you are firing at other people. Chances are that your ISP will do this for you if you don't (i.e. by cutting your connection).

How did you discover that this was the case, anyway, and how long has it been running in that configuration?
Sorry for just asking here as I thought somebody might have a better hint as to where I should start. I did find some info but not exactly what I was looking for. I am looking into more HOWTO pages now and it seems they should be able to help me; if I have other questions, I can ask here.

Thanks
 
Old 09-24-2006, 11:21 PM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Quote:
Originally Posted by cereal83
Sorry for just asking here as I thought somebody might have a better hint as to where I should start.
Thanks
I'm still waiting for you to post any info regarding the results of the questions I posted above. If you are confused about what you are looking for, then ask.
 
Old 09-25-2006, 06:35 AM   #10
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241


Quote:
Originally Posted by cereal83
I can't take the system offline as we use this on a daily basis.
And all the while you are spamming everyone in the world until you get on a global blocklist and find that you can no longer send email to ~50-80% of the world because you've been blocked. This is not an exaggeration - go look your IPs up on something like SpamHaus, which a lot of ISPs use to determine whether or not to accept your emails (i.e. your customers, contacts, third-parties etc. won't even see anything from you if you get on this).

There are hundreds of these and they share information - one of the spams gets forwarded to them (by, e.g., people like me who report spam to them) and you get listed on them all - and the majority of ISP's, email providers etc. will then AUTOMATICALLY block any email from yourself ever arriving.

Quote:
Originally Posted by cereal83
We don't really have an ISP that controls our email as we control it all.
You control your email, yes, but unfortunately they will be controlling your transit - they will know if you are spamming and if you are then you are violating their terms and, if it causes them trouble such as getting their IP addresses on a blocklist, they WILL just terminate your connection (this is the usual "bargain" they have to get themselves off the blacklists). How will that affect your business?

Quote:
Originally Posted by cereal83
Allowing only our IP address might be a good way but I would like to implement a more secure way maybe with a username and password as this just seems better.
Of course you do. But until that time you are spamming the world and annoying more and more people who will report your IP to blocklists etc. in the hope of getting you cut-off by your transit providers. The suggestion for IP-control is quick, simple, makes sure that stuff can only come from your own network and lets you tweak your email config (to add stuff like authentication) on your own time.

Also, if the computers on your internal network are the ones that are spamming via your servers (because of spyware, viruses, trojans etc.), then authentication will not help as they will most probably be able to pick up the username/password. This was a stopgap measure to give you time to sort out the real problem.

Seriously, people who treat problems like this so lightly are the ones that cause 90% of the spam problem. Just leave it running another week or so while you look up how to fix it? That could be another million-odd spam emails.

It's costing you bandwidth, it could be a sign of virus infection, it could cost you days of downtime, your entire connection, your customers and/or your reputation (if your company is supposed to be "up" on IT).

Give whoever IS in charge of it a big slap from me. :-)

 
Old 09-25-2006, 12:38 PM   #11
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,902

I agree with the above posts. If you're in control of that particular piece of your environment, I'd set some relay-access rules that will only relay/send mail for certain addresses/hosts.

If you have a badly documented environment, or don't know where a lot of your mail is coming from (internally), get your manager's blessing, then turn on the ACLs, and listen for the screams. It's easy to add someone who is 'broken' all of a sudden to the relay allow lists, and that will shut out the spammers.
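The relay-access rules TB0ne describes live in sendmail's access map. As an added example (not TB0ne's or the sendmail project's code), the script below holds a constructed /etc/mail/access sample and a small emulation of how sendmail matches a connecting IP against Connect: entries, so a rule set can be checked before the map is rebuilt and the "screams" start. It models only Connect:/untagged IP keys; From:, To: and hostname entries are out of scope, and the makemap and sendmail.mc lines are the usual ones rather than anything taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: check sendmail relay rules before they go
# live. Assumes the access file uses Connect: tags (untagged IP keys are also
# accepted); From:/To: tags and hostname keys are not modelled.

# Sendmail looks a connecting address up in access.db as the full address,
# then with the last octet dropped, and so on: "Connect:192.168.1 RELAY"
# covers the whole 192.168.1.0/24. relay_decision IP ACCESSFILE prints the
# first matching action, or NONE when no entry applies, in which case
# sendmail refuses to relay for that client.
relay_decision() {
    ip=$1; access=$2
    cand=$ip
    while [ -n "$cand" ]; do
        action=$(awk -v k="$cand" '
            /^#/ || NF < 2 { next }
            { key = $1; sub(/^Connect:/, "", key) }
            key == k { print $2; exit }' "$access")
        if [ -n "$action" ]; then
            echo "$action"
            return 0
        fi
        case $cand in
            *.*) cand=${cand%.*} ;;   # drop the least significant octet
            *)   cand='' ;;
        esac
    done
    echo NONE
}

# Constructed sample access file: localhost and the office LAN may relay, one
# abusive host is refused outright, everything else gets sendmail's default.
write_sample_access() {
    cat > "$1" <<'EOF'
# /etc/mail/access (constructed sample)
Connect:127.0.0.1       RELAY
Connect:192.168.1       RELAY
Connect:203.0.113.5     REJECT
EOF
}

# After editing the real file, rebuild the hashed map. sendmail.mc must contain
# FEATURE(`access_db') and must NOT contain FEATURE(`promiscuous_relay'),
# which is the setting that turns the host into an open relay.
rebuild_access_db() {
    makemap hash /etc/mail/access < /etc/mail/access
}

# Stand-alone demo: decide for a few constructed client addresses.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); write_sample_access "$f"
    for ip in 127.0.0.1 192.168.1.44 203.0.113.5 198.51.100.7; do
        printf '%-15s %s\n' "$ip" "$(relay_decision "$ip" "$f")"
    done
    rm -f "$f"
fi
```

Run it with --demo to see the four decisions; the last address, which matches nothing, is the case that matters: an outside client gets NONE and cannot relay, which is exactly what closes the hole the thread is about. Username/password submission (SMTP AUTH via SASL) is a separate feature layered on top of this and is not covered here.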
 
Old 09-26-2006, 10:51 PM   #12
cereal83
Member
 
Registered: Feb 2004
Location: Canada
Distribution: Slackware
Posts: 479

Original Poster
Just a little update.

We are looking into postfix now as the manager who passed me the rights to the server wants me to use this as it seems more secure. I am still trying to figure out how to stop it with sendmail but I haven't had a lot of time due to traveling for work.

1st I will be working on it tomorrow pretty much all day.
2nd, our ISP which is Bell Canada is not going to cut us off as our bill for just Bell Canada is several hundred thousand dollars a month so if they cut us off, then they would suffer more than us.
3rd I know lots of people are getting spammed because of the server I took control of but I am working on it as fast as I can.
4th I don't have the time to find out who people email in my company so I am working on username/password but I haven't been understanding what I have been reading without actually being logged into the server and looking at those config files.

So thanks for all your suggestions and I will try to answer more questions as I have more time.

Thanks
 
Old 09-26-2006, 10:52 PM   #13
cereal83
Member
 
Registered: Feb 2004
Location: Canada
Distribution: Slackware
Posts: 479

Original Poster
One more thing, all the spamming is coming from outside sources, we run slackware on every internal computer and I am pretty sure they don't have any viruses.
 
Old 09-29-2006, 10:57 PM   #14
cereal83
Member
 
Registered: Feb 2004
Location: Canada
Distribution: Slackware
Posts: 479

Original Poster
Well I found out the guy who told me what the problem is doesn't know how to explain crap. Basically nobody is using our smtp server to send spam. We get a lot of spam and they want me to be able to stop it so sorry for wasting your time but thanks for the help
 
Old 02-22-2007, 04:10 PM   #15
petcherd
Member
 
Registered: Dec 2006
Location: Portland, OR - USA
Distribution: Formerly Slackware; now RH, SuSE, Debian/Ubuntu, & Asianux
Posts: 55

Quote:
Originally Posted by cereal83
Well I found out the guy who told me what the problem is doesn't know how to explain crap. Basically nobody is using our smtp server to send spam. We get a lot of spam and they want me to be able to stop it so sorry for wasting your time but thanks for the help
We used to use SpamAssassin and AmavisD, but spam still got through.

I have a lot fewer headaches and a lot less bandwidth wasted since I outsourced our company's spam filtering to another company. (Postini) I edited my DNS to give their incoming address pool as my MX record, then I edited my firewall's iptables rules to reject any SMTP traffic not coming from them.

I still get the occasional bit of crap breaking through, but I just send that back to the service to help them sharpen their filter further.
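petcherd's second step (reject any SMTP that does not come from the filtering provider's pool) is easy to get wrong by hand: one mistyped network and legitimate inbound mail is silently dropped. The added shell example below, which is not petcherd's setup and uses a constructed pool file rather than Postini's real addresses, validates every pool entry before emitting the iptables rules, and refuses to emit anything if an entry is malformed.

```shell
#!/bin/sh
# Added example, not from the thread: generate iptables rules that admit SMTP
# only from a filtering provider's address pool. The pool file is an assumed
# format (one IPv4 CIDR per line, # comments allowed); the networks used in the
# demo are constructed, not any provider's real ranges.

# True when the argument is a dotted-quad IPv4 network with an explicit /prefix.
valid_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            if ($5 !~ /^[0-9]+$/ || $5 > 32) exit 1
            exit 0
        }'
}

# Print the rule set for a pool file: one ACCEPT per listed network, then a
# REJECT for everything else on port 25. Validates the whole file first and
# returns 1 without printing anything if any entry is bad, so a half-built
# rule set never reaches the firewall.
smtp_rules() {
    pool=$1
    while IFS= read -r net || [ -n "$net" ]; do
        case $net in ''|'#'*) continue ;; esac
        if ! valid_cidr "$net"; then
            echo "bad pool entry '$net' in $pool; no rules generated" >&2
            return 1
        fi
    done < "$pool"
    while IFS= read -r net || [ -n "$net" ]; do
        case $net in ''|'#'*) continue ;; esac
        printf 'iptables -A INPUT -p tcp --dport 25 -s %s -j ACCEPT\n' "$net"
    done < "$pool"
    printf 'iptables -A INPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset\n'
}

# Stand-alone demo with a constructed pool; pipe the output to sh only after
# the MX record already points at the provider, or inbound mail stops.
if [ "${1:-}" = "--demo" ]; then
    p=$(mktemp)
    printf '# constructed pool, not a real provider range\n203.0.113.0/24\n198.51.100.0/25\n' > "$p"
    smtp_rules "$p"
    rm -f "$p"
fi
```

The ordering matters: the DNS MX change goes first, the ACCEPT rules second, and the catch-all REJECT last, since the rules are appended with -A and iptables stops at the first match.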
 