[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: sendmail hijacked?
Thanks again for your response.
I can't kill the MX - I have it there for a friend...
I looked at some of the .cf files that use, as I recall from over a month
ago when I first started looking into it, mail-abuse.org to filter spam.
But, I got the impression somewhere along the way, that it was a 'pay for'
service. Was my impression wrong? Or is there a free equiv?
I already use the 'relay-domains' file to dictate who can send mail through
me - which I thought would stop them from being able to spawn a sendmail
server... but I guess I was wrong.
Would the hosts allow/hosts deny thing be different from that? I guess I
have a lot of reading to do - it isn't always easy when you are doing it
all yourself, ya know? Thanks again for your comments.
I also want to get the functionality so I can have users log on in order
send mail through me - because they don't have static IP addresses - and
right now they can't send mail through me. I see that I have to install
some extra libraries and re-compile for that - so I suppose I should get
all my ducks in a row, before I embark on this re-compilation exercise. I
plan on getting web access to the mail as well - but I may do that on a
separate server - I'm not to keen on running web services on my mail
server. I have a decent book on open source mail security - now I just
need time to get through another few chapters :) .
Aka Captain Weenie
From: 'Chuck Yerkes' [SMTP:email@example.com]
Sent: Thursday, March 07, 2002 11:31 PM
To: Ken Walling
Subject: Re: sendmail hijacked?
Quoting Ken Walling (firstname.lastname@example.org):
> Thanks -
> It was there (in my ps output) for quite a while - which was why I
> something was wrong -
> and the domain was a spam host
> after looking at the logs - I see that it was attempting to send a very
> large list of mail through me
> they were all denied (thanks to the new default config of sendmail) due
> unkown user
Well, new as of 1997, yeah.
> very cool - except it seems I have a large number of spam sites
> to use me as a relay - because one of my customers used to be used as a
> relay -- and his mx record is now pointing at my server.
Kill the MX?
> could I use pf to drop stuff from those domains before the connection to
> port 25 is made and the child process forked?
Better is to block with the RBL (mail-abuse.org) or compile sendmail
with tcp_wrappers and use hosts.allow/hosts.deny. Blocking it in the
kernel seems silly (slows everything down, hard to maintain,etc)