Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
Hello. I work for a small ISP, and am having trouble with our e-mail server continually getting blacklisted. It has happened 2 nights in a row now (and I'm not very Linux savvy). We're running Redhat 5.6.
I think I can see why it is happening, I just don't know how to prevent it. Someone is sending e-mail using an e-mail address not associated with our server. They are doing it every 15 seconds or so, and their IP address changes every time. Here are two examples... [pvbb.net is one of our domains, but the usernames are totally unknown]
Quote:
Originally Posted by maillog
May 18 01:01:40 mail sendmail[11126]: p4I81cYU011126: <steven_judy_d@pvbb.net>... User unknown
May 18 01:01:40 mail sendmail[11126]: p4I81cYU011126: lost input channel from [182.177.146.164] to MTA after rcpt
May 18 01:01:40 mail sendmail[11126]: p4I81cYU011126: from=<steven_judy_d@pvbb.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[182.177.146.164]
May 18 01:02:02 mail sendmail[11204]: p4I81w85011204: <stevenson@pvbb.net>... User unknown
May 18 01:02:02 mail sendmail[11204]: p4I81w85011204: lost input channel from s129-247.star.net.pl [89.17.247.129] to MTA after rcpt
May 18 01:02:02 mail sendmail[11204]: p4I81w85011204: from=<stevenson@pvbb.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=s129-247.star.net.pl [89.17.247.129]
Any help or advice will be very helpful... I'm not the one that set this server up, but do have a grasp of Linux.
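The pattern in the quoted maillog (a different sending IP every few seconds, each one rejected with "User unknown" at the same domain) is easy to spot by eye in two entries but not across a night of logs. The following is an added example, not code from the thread: it groups sendmail entries by queue id, pulls the rejected address and the client IP out of each, and flags a domain when many distinct IPs hit "User unknown" within a short window. The sample input is the two entries from the post plus constructed extra lines (the 192.0.2.x, 198.51.100.x addresses and the example.net entry are made up); the window size and threshold are assumptions to tune against your own volume. Syslog timestamps carry no year, so the parser uses them for deltas only.

```python
"""Flag address-probing runs in sendmail maillog lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the two entries quoted in the post plus extra lines
# (made up) so the detector can be seen crossing its threshold.
SAMPLE_LOG = """\
May 18 01:01:40 mail sendmail[11126]: p4I81cYU011126: <steven_judy_d@pvbb.net>... User unknown
May 18 01:01:40 mail sendmail[11126]: p4I81cYU011126: lost input channel from [182.177.146.164] to MTA after rcpt
May 18 01:01:40 mail sendmail[11126]: p4I81cYU011126: from=<steven_judy_d@pvbb.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[182.177.146.164]
May 18 01:02:02 mail sendmail[11204]: p4I81w85011204: <stevenson@pvbb.net>... User unknown
May 18 01:02:02 mail sendmail[11204]: p4I81w85011204: lost input channel from s129-247.star.net.pl [89.17.247.129] to MTA after rcpt
May 18 01:02:02 mail sendmail[11204]: p4I81w85011204: from=<stevenson@pvbb.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=s129-247.star.net.pl [89.17.247.129]
May 18 01:02:19 mail sendmail[11230]: p4I82JAB011230: <stewart.k@pvbb.net>... User unknown
May 18 01:02:19 mail sendmail[11230]: p4I82JAB011230: from=<stewart.k@pvbb.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[192.0.2.77]
May 18 01:30:00 mail sendmail[11500]: p4I8U0xx011500: <nobody@example.net>... User unknown
May 18 01:30:00 mail sendmail[11500]: p4I8U0xx011500: from=<alice@example.org>, size=512, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[198.51.100.9]
"""

# "Mon DD HH:MM:SS host sendmail[pid]: QUEUEID: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<msg>.*)$"
)
# Recipient rejection as sendmail logs it.
UNKNOWN_RE = re.compile(r"^<(?P<addr>[^>]+)>\.\.\. User unknown$")
# Client address appears in square brackets on the relay= and "lost input channel" lines.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_events(text):
    """Return one event per queue id that had a 'User unknown' rejection:
    {"ts": datetime, "ip": client address, "unknown": rejected recipient}."""
    events = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = events.setdefault(m["qid"], {"ts": None, "ip": None, "unknown": None})
        # Year is absent from syslog timestamps; we only use these for deltas.
        ev["ts"] = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        u = UNKNOWN_RE.match(m["msg"])
        if u:
            ev["unknown"] = u["addr"]
        ip = IP_RE.search(m["msg"])
        if ip and ev["ip"] is None:
            ev["ip"] = ip.group(1)
    return [e for e in events.values() if e["unknown"] and e["ip"]]


def find_probing(text, window_seconds=600, min_distinct_ips=3):
    """Per recipient domain, find the largest number of distinct client IPs
    that triggered 'User unknown' inside any window; report domains at or
    above the threshold (thresholds are assumed values, tune to taste)."""
    by_domain = defaultdict(list)
    for e in parse_events(text):
        by_domain[e["unknown"].rsplit("@", 1)[-1].lower()].append(e)

    findings = {}
    for domain, evs in by_domain.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(evs)):                       # sliding window
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({e["ip"] for e in evs[start:end + 1]}))
        if best >= min_distinct_ips:
            findings[domain] = {
                "distinct_ips_in_window": best,
                "rejected_addresses": sorted({e["unknown"] for e in evs}),
            }
    return findings


if __name__ == "__main__":
    for domain, info in find_probing(SAMPLE_LOG).items():
        print(domain, info)
```

Run it against `/var/log/maillog` by replacing `SAMPLE_LOG` with the file contents; a domain reported with many distinct IPs and many never-existing local parts is the signature from the post, and the list of rejected addresses is what you would compare against real accounts.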
Let us know how you have configured your mail server. I mean, are you using postfix or sendmail?
Also it appears that someone is using your server as a relay agent. Which means they are connecting directly to the server from a workstation by typing: telnet server_name 25 and then typing in a bogus From name and sending email.
If you have configured postfix I would be interested in seeing:
In addition to the telnet approach, I would also ask what form of authentication you are requiring of your users. The two most common ones that I can think of from an ISP perspective would be the IP address being "my network" and a username/password approach like SASL. My first thought was that you are a semi-open relay, in that anyone using blah-blah@pvbb.net (the @pvbb.net being the crucial part) is being accepted. BTW, you can't rely on header, envelope or HELO information as this is easily spoofed.
Got in touch with the guy that set it up. He found the user 'spam' (a customers account, with a weak password) was somehow able to get shell access, using a .php installed into their home directory. We removed the account, and the trouble has stopped.
Thanks for your quick responses, though!!
Weak passwords will cause lots of problems, believe me. I have managed 5,500 accounts and it is like trying to 'get blood from a turnip' trying to make people understand the reason for strong passwords.
With Postfix there is policyd you can install to limit the number of emails sent in 24 hours; this will get you blacklisted in a hurry.
I went with another Linux mail server due to this very problem: I can limit the number of emails sent in 24 hours, so if it does get exploited (it will happen), this nonsense stops instantly. Plus I could view the IP and the amount of emails sent, so I knew it was compromised; I just lock the account and notify the helpdesk that it is locked and cannot be used again until the password is changed.
You may check and see if there is a package like policyd for sendmail. I also put rate-limiting rules in iptables in the input chain to stop malicious attackers from running scripts/mail-bombing, hitting the server with denial of service attacks.
It is better to stop the attack with iptables and let the email server do what it does best: relaying email. The rogue attackers just go to a black hole now.
90% of all of the spam is sent via exploited email accounts with weak passwords; people don't care, they do not have to deal with the administrative headaches and/or clean-up.
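The two controls described in this reply are both sliding-window limits: a per-account cap on messages accepted in 24 hours (what policyd provides for Postfix), and a per-source-IP connection limit in front of the MTA (what the iptables rules do). The following is an added example, not code from the thread, from policyd or from iptables: one limiter class serves both roles, driven by constructed connection events, so you can see a burst from one IP being refused before it reaches the MTA and a compromised account being locked once it passes its daily cap. The thresholds, the account name "spam" (borrowed from the original poster's story) and the 203.0.113.x / 198.51.100.x / 192.0.2.x addresses are all made up.

```python
"""Sliding-window rate limits for SMTP: per-IP connections and per-account
daily volume (added example, constructed events)."""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)   # key -> timestamps (seconds) still in window

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:   # expire old entries
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def count(self, key):
        return len(self.hits[key])


def process(events, conn_per_ip=5, conn_window=60, per_account_per_day=500):
    """events: iterable of (t_seconds, client_ip, authid_or_None).
    Returns (connections dropped per IP, accounts to lock).
    conn_per_ip/conn_window model the iptables rule; per_account_per_day the policyd cap."""
    conn_limiter = SlidingWindowLimiter(conn_per_ip, conn_window)
    send_limiter = SlidingWindowLimiter(per_account_per_day, 24 * 3600)
    dropped = defaultdict(int)
    locked = set()
    for t, ip, authid in sorted(events, key=lambda e: e[0]):
        if not conn_limiter.allow(ip, t):
            dropped[ip] += 1             # refused at the firewall, MTA never sees it
            continue
        if authid is not None:
            # Once over the daily cap the account stays locked until a password change.
            if authid in locked or not send_limiter.allow(authid, t):
                locked.add(authid)
    return dict(dropped), locked


def build_sample_events():
    """Constructed traffic: one IP bursting 20 connections in 20 s, a normal
    user sending 3 messages, and a compromised account sending one message a
    minute for 12 hours from 10 rotating addresses (under the per-IP limit,
    over the daily cap)."""
    events = [(t, "203.0.113.5", None) for t in range(20)]
    events += [(t, "192.0.2.10", "alice") for t in (5, 10, 15)]
    events += [(1000 + 60 * i, f"198.51.100.{i % 10}", "spam") for i in range(720)]
    return events


if __name__ == "__main__":
    dropped, locked = process(build_sample_events())
    print("dropped per IP:", dropped)
    print("accounts to lock:", sorted(locked))
```

The same numbers map onto the real tools: the connection limit is the iptables `recent`/`hashlimit` style rule in the INPUT chain for port 25, and the daily cap is the policyd sender quota; the "lock and notify helpdesk" step is what you would hook onto a `True` result from the account check.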