
Re: sendmail hijacked?



Thanks again for your response.

I can't kill the MX - I have it there for a friend...

I looked at some of the .cf files that use, as I recall from over a month 
ago when I first started looking into it, mail-abuse.org to filter spam. 
But I got the impression somewhere along the way that it was a 'pay-for' 
service.  Was my impression wrong?  Or is there a free equivalent?

I already use the 'relay-domains' file to dictate who can send mail through 
me - which I thought would stop them from being able to spawn a sendmail 
server... but I guess I was wrong.

Would the hosts.allow/hosts.deny thing be different from that?  I guess I 
have a lot of reading to do - it isn't always easy when you are doing it 
all yourself, ya know?  Thanks again for your comments.

I also want to get the functionality so I can have users log on in order 
to send mail through me - because they don't have static IP addresses - and 
right now they can't send mail through me.  I see that I have to install 
some extra libraries and re-compile for that - so I suppose I should get 
all my ducks in a row before I embark on this re-compilation exercise.  I 
plan on getting web access to the mail as well - but I may do that on a 
separate server - I'm not too keen on running web services on my mail 
server.  I have a decent book on open source mail security - now I just 
need time to get through another few chapters :) .

Thanks again,

          Ken
Aka Captain Weenie


-----Original Message-----
From:	'Chuck Yerkes' [SMTP:chuck@snew.com]
Sent:	Thursday, March 07, 2002 11:31 PM
To:	Ken Walling
Subject:	Re: sendmail hijacked?

Quoting Ken Walling (ken@cybercede.net):
> Thanks -
>
> It was there (in my ps output) for quite a while - which was why I
> thought something was wrong -
> and the domain was a spam host
>
> after looking at the logs - I see that it was attempting to send a very
> large list of mail through me
>
> they were all denied (thanks to the new default config of sendmail) due
> to unknown user
Well, new as of 1997, yeah.

> very cool - except it seems I have a large number of spam sites
> attempting to use me as a relay - because one of my customers used to be
> used as a relay -- and his mx record is now pointing at my server.

Kill the MX?

> could I use pf to drop stuff from those domains before the connection to
> port 25 is made and the child process forked?

Better is to block with the RBL (mail-abuse.org) or compile sendmail
with tcp_wrappers and use hosts.allow/hosts.deny.  Blocking it in the
kernel seems silly (slows everything down, hard to maintain, etc.)
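The two controls discussed in this thread act at different points: relay-domains (like the access db) only decides whether sendmail will relay for a recipient after the SMTP connection has already been accepted and a child forked, whereas tcp_wrappers (hosts.allow/hosts.deny, daemon name "sendmail") refuses the connection itself. The script below bridges the two: it reads sendmail "reject=" log lines, counts "Relaying denied" rejections per connecting host, and emits hosts.deny candidates for the repeat offenders. It is an added example, not code from either message; the maillog lines are constructed, the field layout assumed (relay=host [ip], reject=code dsn addr... reason, as sendmail 8.9+ writes it), and the threshold of two attempts is arbitrary.

```python
#!/usr/bin/env python3
"""Summarise sendmail RCPT rejections per connecting host and print
tcp_wrappers hosts.deny candidates.  Example code for this thread; log
layout and threshold are assumptions, see comments."""
import re
from collections import Counter

# Constructed sample maillog excerpt (not from the original post).  Field
# layout follows sendmail 8.9+: "relay=HOST [IP]" or "relay=[IP]", and
# "reject=CODE DSN <ADDR>... REASON" on rejected RCPTs.  The last line is an
# accepted message from a legitimate client and must be ignored.
SAMPLE_MAILLOG = """\
Mar  7 23:31:02 mail sendmail[1201]: g283V2A01201: ruleset=check_rcpt, arg1=<victim@example.net>, relay=relay1.spam.example [192.0.2.10], reject=550 5.7.1 <victim@example.net>... Relaying denied
Mar  7 23:31:03 mail sendmail[1201]: g283V2A01201: ruleset=check_rcpt, arg1=<victim2@example.net>, relay=relay1.spam.example [192.0.2.10], reject=550 5.7.1 <victim2@example.net>... Relaying denied
Mar  7 23:31:09 mail sendmail[1207]: g283V9B01207: ruleset=check_rcpt, arg1=<nobody@cybercede.net>, relay=[198.51.100.77], reject=550 5.1.1 <nobody@cybercede.net>... User unknown
Mar  7 23:32:15 mail sendmail[1213]: g283WFC01213: ruleset=check_rcpt, arg1=<a@example.net>, relay=relay2.spam.example [203.0.113.5], reject=550 5.7.1 <a@example.net>... Relaying denied
Mar  7 23:32:16 mail sendmail[1213]: g283WFC01213: ruleset=check_rcpt, arg1=<b@example.net>, relay=relay2.spam.example [203.0.113.5], reject=550 5.7.1 <b@example.net>... Relaying denied
Mar  7 23:32:17 mail sendmail[1213]: g283WFC01213: ruleset=check_rcpt, arg1=<c@example.net>, relay=relay2.spam.example [203.0.113.5], reject=550 5.7.1 <c@example.net>... Relaying denied
Mar  7 23:33:01 mail sendmail[1220]: g283X1D01220: from=<ken@cybercede.net>, size=812, class=0, nrcpts=1, msgid=<x@cybercede.net>, proto=ESMTP, daemon=MTA, relay=ws1.cybercede.net [10.0.0.5]
"""

# Hostname is optional: unresolvable clients are logged as "relay=[IP]".
RELAY_RE = re.compile(r"relay=(?:(?P<host>\S+) )?\[(?P<ip>[0-9.]+)\]")
# Reason is the free text after "<addr>... " at the end of the line.
REJECT_RE = re.compile(r"reject=(?P<code>\d{3}) \S+ \S+\.\.\. (?P<reason>.+)$")


def parse_rejections(lines):
    """Yield (ip, host, reason) for every rejected RCPT in the log lines."""
    for line in lines:
        rej = REJECT_RE.search(line)
        rel = RELAY_RE.search(line)
        if not (rej and rel):
            continue  # accepted message or unrelated syslog line
        yield rel.group("ip"), rel.group("host") or rel.group("ip"), rej.group("reason")


def summarise(lines):
    """Return {ip: {"host": name, "reasons": Counter}} per connecting host."""
    stats = {}
    for ip, host, reason in parse_rejections(lines):
        entry = stats.setdefault(ip, {"host": host, "reasons": Counter()})
        entry["reasons"][reason] += 1
    return stats


def hosts_deny_candidates(stats, threshold=2):
    """hosts.deny lines (daemon name 'sendmail', as tcp_wrappers sees it)
    for hosts with at least `threshold` 'Relaying denied' rejections.
    Hosts that only triggered 'User unknown' are left alone: that is a
    bad address, not necessarily a relay abuser."""
    out = []
    for ip in sorted(stats):
        denied = stats[ip]["reasons"]["Relaying denied"]
        if denied >= threshold:
            out.append(f"sendmail : {ip}\t# {stats[ip]['host']}, {denied} relay attempts")
    return out


if __name__ == "__main__":
    summary = summarise(SAMPLE_MAILLOG.splitlines())
    for ip, entry in summary.items():
        print(ip, entry["host"], dict(entry["reasons"]))
    print("\n".join(hosts_deny_candidates(summary)))
```

Run it against a real maillog with `summarise(open("/var/log/maillog"))` and review the output before appending anything to hosts.deny; a blanket `sendmail : ALL` in hosts.deny with explicit `sendmail : <net>` entries in hosts.allow is the usual default-deny layout, but only makes sense once the relaying customer's own hosts are enumerated.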