pmcgrew7
asked on
Block inbound E-mail in AIX 4.3 Sendmail 8.x
I have never really worked with Sendmail much and never on an AIX platform. We seem to be besieged with a series of SPAM mailings that hit serveral of our mailists. The offending mail headers look like this:
Received: from 021401a.net (localhost [127.0.0.1]) by postmaster.myserver.org (AIX4.3/8.9.3/8.7) with SMTP id IAA26758 for <userseverywhere@postmaste
Date: Mon, 06 Sep 2004 08:08:30 -0500
To: "Userseverywhere" <userseverywhere@postmaste
From: "Everywhereuserseverywhere
Subject: Changes..
Message-ID: <agckuvehcezenfgrmep@postm
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------ttbugvel
Status:
Often there will be another SPAM but the Received: field will say 021401a.com. These appear to be bogus domains and I can not reslove them and I am not sure why it shows the localhost IP (127.0.0.1) -- but I have read posts where this is a spammer's ploy to avoid detection. I have no idea if there is a solution or how difficult it is to do this. I am not an AIX Sysadmin and the company is a not-for-profit so buying a third party solution will not be an easy sell. The AIX server probably runs an business app besides being the Mail server so I must avoid "Murphy's Law" at all cost! This company has several Open Source servers which are constant source of problems. The new IT management has come to realize that Open Source does not mean "free"...they still need support. Anyway, there is a moratorium on implementing any further Open Source solutions. So basically, I am stuck with trying to find a way to edit the sendmail.cf file to block/reject and log these types of e-mails.
TIA,
Perry
Received: from 021401a.net (localhost [127.0.0.1]) by postmaster.myserver.org (AIX4.3/8.9.3/8.7) with SMTP id IAA26758 for <userseverywhere@postmaste
Date: Mon, 06 Sep 2004 08:08:30 -0500
To: "Userseverywhere" <userseverywhere@postmaste
From: "Everywhereuserseverywhere
Subject: Changes..
Message-ID: <agckuvehcezenfgrmep@postm
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------ttbugvel
Status:
Often there will be another SPAM but the Received: field will say 021401a.com. These appear to be bogus domains and I can not reslove them and I am not sure why it shows the localhost IP (127.0.0.1) -- but I have read posts where this is a spammer's ploy to avoid detection. I have no idea if there is a solution or how difficult it is to do this. I am not an AIX Sysadmin and the company is a not-for-profit so buying a third party solution will not be an easy sell. The AIX server probably runs an business app besides being the Mail server so I must avoid "Murphy's Law" at all cost! This company has several Open Source servers which are constant source of problems. The new IT management has come to realize that Open Source does not mean "free"...they still need support. Anyway, there is a moratorium on implementing any further Open Source solutions. So basically, I am stuck with trying to find a way to edit the sendmail.cf file to block/reject and log these types of e-mails.
TIA,
Perry
Well, first, I recommend that you do NOT hand-edit sendmail.cf. Use the sendmail.mc m4 macro file to build your sendmail.cf. Take it from someone whom spent 9 years rolling his own sendmail.cf files - you'll be glad to use sendmail.mc; I'll certainly never go back.
Looking at the sendmail banner you gave above, I see your sendmail version is HORRIBLY outdated. I mean very badly backleveled. You seem to have the IBM-supplied version of sendmail, and so this is typical (IBM is not alone in this - most commercial *NIX vendors are very bad about letting their included versions of sendmail lag far behind current code). Your ancient sendmail version has numerous security holes and flaws and almost certainly is an open relay for spammers.
Since you have an old version of sendmail, then before you do ANYTHING else, I would upgrade it to v8.12.11, which is available from http://www.sendmail.org This is the last of the v8.12.xx line and is stable and secure. v8.13 has some enhancements, but no real improvements security-wise, and word on the street is that its still not quite as stable as 8.12.11. This is *critical* - I cannot stress enough that the problems you're seeing are almost certainly due to and ridiculously backdated version of sendmail you're running. Don't blame sendmail - blame IBM. And don't be surprised if you're not already on one or more E-Mail blacklists as an open relay.
You may be able to find an AIX-binary install of sendmail v8.12.11 - I dunno, I'm a Solaris/SUSE Linux jock. If you can't, you'll need to get the source from that link above and compile and install it. I've never done that on AIX, so I can't offer you many pointers. IBM might have a resources page for AIX that could include a link to something like that.
Anyway, barring that happy circumstance, you'll need to download the latest sendmail from http://www.sendmail.org. Get the sources - you'll need a C compiler; gcc will do fine. Then, go to your fave bookstore and grab a copy of _Sendmail_3rd_Edition_ by Bryan Costales (ISBN 1-56592-839-3). Its a huge book, but its not a "How to" or "For Dummies" sort of thing. Its a reference you should consult while following the build and install instructions that come with the sendmail source. Note that the 3rd Edition only covers thru sendmail v8.12 (so if you really want to move to v8.13, you'll either have to wait - which I don't recommend - for the new edition, or upgrade later).
You need to take a few days to absorb and understand how to build sendmail. I confess it took awhile for me. Brandon Hutchinson's sendmail-related pages may be helpful, altho they are written for a Solaris environment and I'm not sure how well some of it will translate. http://www.brandonhutchinson.com (scroll down to the "Sendmail" entries). It will give you an idea of the tasks you must perform. Together with the sendmail docs and the "Bat Book" (the Costales tome - you'll understand when you see it), you should be able to work out a reliable build-and-install procedure for your environment.
Once you get it installed, use the m4 macro system to compile your sendmail.mc into a sendmail.cf. Again, the Costales book is invaluable - the included sendmail docs don't really help with this, and even Brandon's page is a bit sparse. I posted the bulk of my sendmail.mc file in another Question --> https://www.experts-exchange.com/questions/21110879/How-can-I-use-sendmail-instead-of-smtp.html
I really think your problems stem from the fact you have a literally ancient sendmail installation. You need to update it to something recent, and that will address a lot of your issues. If you do this, and you're still having the problems, then there's something else wrong and sendmail is an innocent victim instead of the culprit (you still shouldn't run such an old version on an Internet-connected machine).
Looking at the sendmail banner you gave above, I see your sendmail version is HORRIBLY outdated. I mean very badly backleveled. You seem to have the IBM-supplied version of sendmail, and so this is typical (IBM is not alone in this - most commercial *NIX vendors are very bad about letting their included versions of sendmail lag far behind current code). Your ancient sendmail version has numerous security holes and flaws and almost certainly is an open relay for spammers.
Since you have an old version of sendmail, then before you do ANYTHING else, I would upgrade it to v8.12.11, which is available from http://www.sendmail.org This is the last of the v8.12.xx line and is stable and secure. v8.13 has some enhancements, but no real improvements security-wise, and word on the street is that its still not quite as stable as 8.12.11. This is *critical* - I cannot stress enough that the problems you're seeing are almost certainly due to and ridiculously backdated version of sendmail you're running. Don't blame sendmail - blame IBM. And don't be surprised if you're not already on one or more E-Mail blacklists as an open relay.
You may be able to find an AIX-binary install of sendmail v8.12.11 - I dunno, I'm a Solaris/SUSE Linux jock. If you can't, you'll need to get the source from that link above and compile and install it. I've never done that on AIX, so I can't offer you many pointers. IBM might have a resources page for AIX that could include a link to something like that.
Anyway, barring that happy circumstance, you'll need to download the latest sendmail from http://www.sendmail.org. Get the sources - you'll need a C compiler; gcc will do fine. Then, go to your fave bookstore and grab a copy of _Sendmail_3rd_Edition_ by Bryan Costales (ISBN 1-56592-839-3). Its a huge book, but its not a "How to" or "For Dummies" sort of thing. Its a reference you should consult while following the build and install instructions that come with the sendmail source. Note that the 3rd Edition only covers thru sendmail v8.12 (so if you really want to move to v8.13, you'll either have to wait - which I don't recommend - for the new edition, or upgrade later).
You need to take a few days to absorb and understand how to build sendmail. I confess it took awhile for me. Brandon Hutchinson's sendmail-related pages may be helpful, altho they are written for a Solaris environment and I'm not sure how well some of it will translate. http://www.brandonhutchinson.com (scroll down to the "Sendmail" entries). It will give you an idea of the tasks you must perform. Together with the sendmail docs and the "Bat Book" (the Costales tome - you'll understand when you see it), you should be able to work out a reliable build-and-install procedure for your environment.
Once you get it installed, use the m4 macro system to compile your sendmail.mc into a sendmail.cf. Again, the Costales book is invaluable - the included sendmail docs don't really help with this, and even Brandon's page is a bit sparse. I posted the bulk of my sendmail.mc file in another Question --> https://www.experts-exchange.com/questions/21110879/How-can-I-use-sendmail-instead-of-smtp.html
I really think your problems stem from the fact you have a literally ancient sendmail installation. You need to update it to something recent, and that will address a lot of your issues. If you do this, and you're still having the problems, then there's something else wrong and sendmail is an innocent victim instead of the culprit (you still shouldn't run such an old version on an Internet-connected machine).
Whoops! That link I gave you above is to my site.Config.m4 file. Just as well - it should prove helpful in building sendmail.
This is the correct link to my annotated sendmail.mc file --> https://www.experts-exchange.com/questions/21116293/Relay-mail-to-specific-addresses-ONLY-from-a-specific-domain.html
This is the correct link to my annotated sendmail.mc file --> https://www.experts-exchange.com/questions/21116293/Relay-mail-to-specific-addresses-ONLY-from-a-specific-domain.html
ASKER
Thanks for the replies. I am quite aware of the ancient release of Sendmail the organization is running and I did not mean to imply that the Sendmail server is not the "victim" here. I am not an AIX admin....spent the last few years as a Solaris jockey -- basically supporting the firewall and DNS/DHCP/DDNS apps that ran on those platforms. I have an old copy of the O'Reilly Sendmail book, but I have not had the opportunity to look into it. I just started at this location and believe me, I cannot believe how neglected the IT infrastructure is. I have a multitude of issues and it is a large effort just to keep the network stable. I joined this forum to help me solve large issues in areas I feel I do not have suffiecient expertise to solve the problem in a quick manner.
1) How do I check for "renegade" apps on an AIX server that could caiuse this behavior? I'll check ORBs lists to see if we are listed...
2) I will search for the log files and look for the transactions for this msg...they every day from the same apparent source - 021401a.net and post it in the forum.
3) I am very reluctant to attempt upgrade of Sendmail on this AIX server. I am sure it runs an application and since I do not have any test machine to try it on so I think I would be asking for a lot of trouble. I have no IBM support contract to rely on if I have any problems. I have some basic AIX skills and have experience on other *NIX platforms -- just not with Sendmail...
4) Is there a way to monitor Sendmail performance? Can I tell if this Server is getting hammered. Most clients are config'd as IMAP and use Outlook Express. There is not a huge amount of mail stored on the server's RAID array, but e-mail performance is alwys a complaint from the company's users.
So, in the meantime, I appreciate if someone can point out ways I can config the Sendmail not to process mail from certain addresses like from the one I originally posted.
1) How do I check for "renegade" apps on an AIX server that could caiuse this behavior? I'll check ORBs lists to see if we are listed...
2) I will search for the log files and look for the transactions for this msg...they every day from the same apparent source - 021401a.net and post it in the forum.
3) I am very reluctant to attempt upgrade of Sendmail on this AIX server. I am sure it runs an application and since I do not have any test machine to try it on so I think I would be asking for a lot of trouble. I have no IBM support contract to rely on if I have any problems. I have some basic AIX skills and have experience on other *NIX platforms -- just not with Sendmail...
4) Is there a way to monitor Sendmail performance? Can I tell if this Server is getting hammered. Most clients are config'd as IMAP and use Outlook Express. There is not a huge amount of mail stored on the server's RAID array, but e-mail performance is alwys a complaint from the company's users.
So, in the meantime, I appreciate if someone can point out ways I can config the Sendmail not to process mail from certain addresses like from the one I originally posted.
As to:
(1) Basically you are looking for applications that shouldn't be there or running. A part of that, obviously, is going to be figuring out what that server does and what the valid compnents are. Another possibility is that the renegade S/W isn't on the server at all but exists on one of the windows boxes that uses this server. Do all of the windows boxes have an up to date Anti Virus scanner that's run at least once a day?
(2) Keep in mind that the professed name of the sender is 021401a.net and what we are interested in is what IP Sendmail sees the SMTP connection from. A spammer can forge a bunch of stuff to hide their identity (including the offered hostname), but the IP of the source can't be faked.
(3) While an upgrade would be desireable, I don't know that it is mandatory. And, there's a certain amount of risk in doing so.
(4) Yes, watch the log file, and as a last resort tell sendmail to log everything (sendmail -bd -q15m -X /path-to-logfile). Be warned that running sendmail in that mode logs everything and the log files can get really big, really fast, on a busy server. Another useful technique is to use a network sniffer to capture all of the SMTP traffic to/from the server.
Since the configuration of this server is an open question at this point I'd suggest that you run a check to see if it is operating as a promiscous relay. If it is that could explain why it seems slow and these messages. There are sites on the Internet that you can use to do this check, or post the hostname/IP and I'll run a check for you.
(1) Basically you are looking for applications that shouldn't be there or running. A part of that, obviously, is going to be figuring out what that server does and what the valid compnents are. Another possibility is that the renegade S/W isn't on the server at all but exists on one of the windows boxes that uses this server. Do all of the windows boxes have an up to date Anti Virus scanner that's run at least once a day?
(2) Keep in mind that the professed name of the sender is 021401a.net and what we are interested in is what IP Sendmail sees the SMTP connection from. A spammer can forge a bunch of stuff to hide their identity (including the offered hostname), but the IP of the source can't be faked.
(3) While an upgrade would be desireable, I don't know that it is mandatory. And, there's a certain amount of risk in doing so.
(4) Yes, watch the log file, and as a last resort tell sendmail to log everything (sendmail -bd -q15m -X /path-to-logfile). Be warned that running sendmail in that mode logs everything and the log files can get really big, really fast, on a busy server. Another useful technique is to use a network sniffer to capture all of the SMTP traffic to/from the server.
Since the configuration of this server is an open question at this point I'd suggest that you run a check to see if it is operating as a promiscous relay. If it is that could explain why it seems slow and these messages. There are sites on the Internet that you can use to do this check, or post the hostname/IP and I'll run a check for you.
ASKER
1) Frankly, I have not heard or seen a "renegade" virus infecting a *NIX box. I would suspect that there is a renegade MS client. We have a mix of clients -- 95, 98, 98SE, 2000 and XP. We have made an effort to get each machine patched with the MS updates and install a Symantec Corp Edition software A/V on the clients -- configed to do LiveUpdate and scan every day.
2) Apparently, the sendmail is not set up to log. The process display shows: sendmail -q30m. They run Trend Micro's AntiVirus Wall since it is one of the few products that runs on AIX 4.3. Looking at the isscn.log, I see many, many connections from a Road Runner address. Most of the files contain the WORM_BAGEL.Z virus -- which are deleted. The timestamps listied in the InterScan logs coincide with the another email I received this morning with the same "sender" address. It is a Road Runner Business class IP and I e-mailed the "abuse" address I found in ARIN. Also appears that the Trend product controls the start / stop of sendmail daemon.
3) I agree on doing the upgrade... It looks like a wholesale replaecment will be a better solution. The people who set this up are no longer here...not much in documentation exists. Unfortunately, it does not look like this will be a project that can be started soon. So I am looking to get a tactical solution in place -- blocking certain offenders -- until the strategic solution - email upgrade / replacement -- can be scehduled and funded.
4) I will look into possibly hooking up my laptop which has Ethereal on it. I will talk to our ISP andlook at possibly asking them to see if they can put in an ACL and log inbound SMTP to a Syslog server.
I checked MAPS site and our mailserver IP is not listed...which is good! It seems strange that these e-mails I listed appear to be "sent" at the same time each day. It seems that I always receive one of these msgs around 6am.
Hopefully I will have more to post soon....meanwhile, let me know if there is anything I can do to shut off these e-mails.
2) Apparently, the sendmail is not set up to log. The process display shows: sendmail -q30m. They run Trend Micro's AntiVirus Wall since it is one of the few products that runs on AIX 4.3. Looking at the isscn.log, I see many, many connections from a Road Runner address. Most of the files contain the WORM_BAGEL.Z virus -- which are deleted. The timestamps listied in the InterScan logs coincide with the another email I received this morning with the same "sender" address. It is a Road Runner Business class IP and I e-mailed the "abuse" address I found in ARIN. Also appears that the Trend product controls the start / stop of sendmail daemon.
3) I agree on doing the upgrade... It looks like a wholesale replaecment will be a better solution. The people who set this up are no longer here...not much in documentation exists. Unfortunately, it does not look like this will be a project that can be started soon. So I am looking to get a tactical solution in place -- blocking certain offenders -- until the strategic solution - email upgrade / replacement -- can be scehduled and funded.
4) I will look into possibly hooking up my laptop which has Ethereal on it. I will talk to our ISP andlook at possibly asking them to see if they can put in an ACL and log inbound SMTP to a Syslog server.
I checked MAPS site and our mailserver IP is not listed...which is good! It seems strange that these e-mails I listed appear to be "sent" at the same time each day. It seems that I always receive one of these msgs around 6am.
Hopefully I will have more to post soon....meanwhile, let me know if there is anything I can do to shut off these e-mails.
> Frankly, I have not heard or seen a "renegade" virus infecting a *NIX box
I have. They weren't viruses in the windows since but were the result of the system bing cracked and a spamming engine installed. But, new information suggests that may not be the problem here. See below.
> They run Trend Micro's AntiVirus Wall since it is one of the few products that runs on AIX 4.3.
That explains the localhost IP in the message headers. The Trend S/W effectively re-mails scanned messages to sendmail so the source, from Sendmail's viewpoint, becomes the local machine. I don't know if Trend logs transactions like Sendmail would do where you can see the original source IP. In the sample above did you show all of the Received: headers?
> meanwhile, let me know if there is anything I can do to shut off these e-mails.
First we have to find out what the source is. You might be able to get that from Trend's logs and you'd certainly be able to do so from an ethereal run. Blocking them will have to be done in Trend, since it hides the real source, or via an upstream control control (router, firewall, or a sendmail relay).
I have. They weren't viruses in the windows since but were the result of the system bing cracked and a spamming engine installed. But, new information suggests that may not be the problem here. See below.
> They run Trend Micro's AntiVirus Wall since it is one of the few products that runs on AIX 4.3.
That explains the localhost IP in the message headers. The Trend S/W effectively re-mails scanned messages to sendmail so the source, from Sendmail's viewpoint, becomes the local machine. I don't know if Trend logs transactions like Sendmail would do where you can see the original source IP. In the sample above did you show all of the Received: headers?
> meanwhile, let me know if there is anything I can do to shut off these e-mails.
First we have to find out what the source is. You might be able to get that from Trend's logs and you'd certainly be able to do so from an ethereal run. Blocking them will have to be done in Trend, since it hides the real source, or via an upstream control control (router, firewall, or a sendmail relay).
Don'tcha just love it when you inherit an incompetently-administered
I really don't think there is much risk in upgrading the sendmail installation - you can always preserve the old files, and switch back if that critcal app breaks. You should take advantage of the modular nature of *NIXes (if this were Windoze, I'd understand your reluctance much more).
Upgrading the sendmail and introducing competent logging to the environment may allow you to track down the source of your problem. I agree that a renegade/botted Windoze box is the most likely culprit; altho I think the spammer angle should not be overlooked. I'm glad to hear you're not in the MAPS RBL (altho they're only one of the 6 major RBLs). Given that your current sendmail install blithely reports its version, and that version is so old & vulnerable, I think it'll just be a matter of time before some spammer scanning the 'Net looking for vulnerable relays finds you.
At the very least, quickly hack sendmail.cf to not report its version to everyone who connects.
I have an older edition of the Costales _Sendmail_ book, as well as the newer 3rd Edition. There are a LOT of changes between the two editions, and IMHO, the 3rd Edition is much better organized, and much more useful. I recommend you get it - it continues to support the older Sendmail versions (that is, it contains all the info that the older edition has).
Once you identify the source of the problem, an access DB is probably the way to go in blocking it. Depends on what you discover.
I really don't think there is much risk in upgrading the sendmail installation - you can always preserve the old files, and switch back if that critcal app breaks. You should take advantage of the modular nature of *NIXes (if this were Windoze, I'd understand your reluctance much more).
Upgrading the sendmail and introducing competent logging to the environment may allow you to track down the source of your problem. I agree that a renegade/botted Windoze box is the most likely culprit; altho I think the spammer angle should not be overlooked. I'm glad to hear you're not in the MAPS RBL (altho they're only one of the 6 major RBLs). Given that your current sendmail install blithely reports its version, and that version is so old & vulnerable, I think it'll just be a matter of time before some spammer scanning the 'Net looking for vulnerable relays finds you.
At the very least, quickly hack sendmail.cf to not report its version to everyone who connects.
I have an older edition of the Costales _Sendmail_ book, as well as the newer 3rd Edition. There are a LOT of changes between the two editions, and IMHO, the 3rd Edition is much better organized, and much more useful. I recommend you get it - it continues to support the older Sendmail versions (that is, it contains all the info that the older edition has).
Once you identify the source of the problem, an access DB is probably the way to go in blocking it. Depends on what you discover.
> Given that your current sendmail install blithely reports its version, and that version is so old &
> vulnerable, I think it'll just be a matter of time before some spammer scanning the 'Net looking for
> vulnerable relays finds you.
Since he's running the Trend A/V gateway if front of Sendmail the Internet can never see his Sendmail. So security flaws in Sendmail aren't that big of an issue. In a like manner the information that Sendmail will log is limited since Sendmail will never see the source of the message directly. Everything goes through Trend.
> vulnerable, I think it'll just be a matter of time before some spammer scanning the 'Net looking for
> vulnerable relays finds you.
Since he's running the Trend A/V gateway if front of Sendmail the Internet can never see his Sendmail. So security flaws in Sendmail aren't that big of an issue. In a like manner the information that Sendmail will log is limited since Sendmail will never see the source of the message directly. Everything goes through Trend.
Ah. Didn't realize that Trend was an MTA interposed between sendmail and the 'Net. I figgered it was scanning after receipt.
ASKER
I have been looking into Trend logs. I cannot tell much from them at all...very minimal amount of info. I did not install the product so I do not know if there is a setting to enable more detail in the logs. We sent a tech over to a PC that appeared to be sending out quite a bit of mail. Checked for the BAGEL worm since that is what the logs were showing. The PC was clean... So I am stumped....looking for a better way to debug these messages.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
There is a "sandwich mode" config document on Trend site to help see the originating sender IP. At the moment, given the age of our AIX and Sendmail releases, I rather not screw around with it. The bottom line issue is that the Trend product on the UNIX platforms will forward the body of the email even if the attachment had the virus which Trend will strip off. In the Windows version of AntiVirus Wall, you can quarantine the message body...so the users are not innundated with these bogus emails gerneated by the current crop of viruses. Trend Micro will not update the UNIX platform so it will match what the Windows version will do. Looks like we will have to purchase another product...
If you are looking for another product you might want to consider using a Linux box + Sendmail/MailScanner/SpamA
What does the maillog show as transactions for queue ID IAA26758?