Solved

Help!  Spammers took over Sendmail!!!

Posted on 2004-10-04
Last Modified: 2013-11-30
Hello,

It looks like some spammers are having a good time on my Sun Cobalt Qube3 appliance (Linux). As a result, it's causing trouble on our email (users often cannot authenticate) and slowing down our ftp. Sometimes it brings down the entire Internet to the company!

I'm sure it's sendmail. If I look at the maillog file, we're sending out several thousand fake emails a day. If I look at PS, I see 4 to 8 sendmail processes working at a time. This is not right, since we only send out about 30 emails a day tops.

I'm new to this whole sendmail business, so I'm a little lost. I think the problem is relaying, but how can I check that it's on? (isn't it off by default?). We ONLY send emails from within the company, so I don't think we need relaying at all. Is this right?

Any ideas would be greatly appreciated!!!

Thanks
Question by:MasterWoodsman
26 Comments
 
LVL 34

Expert Comment

by:PsiCop
ID: 12219372
"I think the problem is relaying, but how can I check that it's on? (isn't it off by default?)"

Yes, in newer versions, it is. However, Sun is BAD about shipping old, outdated versions of sendmail. Even in the latest Recommended Patches for Solaris 8, for example, the sendmail install is at least a YEAR out of date. I'm not familiar with the Cobalt appliance environment, so I can't speak directly to that, but my experience with Sun over the past 10 years has been they are *very* slow to update 3rd party products like sendmail. Also, the installs they do provide (in Sol v8, at least, the package names are SUNWsndmu and SUNWsndmr) are typically crippled (for example, they usually don't contain the necessary support files that you would need to rebuild sendmail).

So, I strongly suspect the problem is you're running an old, outdated and vulnerable version of sendmail. You need to replace it.
 
LVL 3

Expert Comment

by:cagri
ID: 12219397
Dear MasterWoodsman,

As you said, you need no relaying at all. Please check whether it is on or not:

telnet server.ip.address 25
HELO test
MAIL FROM: test@hotmail.com
RCPT TO: test@yahoo.com
DATA
abc
abc
.

You use a period as you see to finish. Here you should get a "relaying denied" message. If not you had to check your configuration.

Is it possible for you to give us a hint about your Sendmail version? As you said, all of the newer sendmails deny relaying.

Do you offer AUTH SMTP (which overrides the relay restriction after authentication; this might be one of the possible spam sources)?

Do you mind dropping a few lines of the fake mails in the log file.

Kind Regards,
 
LVL 11

Expert Comment

by:PennGwyn
ID: 12219424
I don't think relaying would account for the multiple processes.  (I could be wrong about that.)  While there are good odds that you have relaying on, and you're right that you want it turned off, that may not be the only problem.

 
LVL 34

Expert Comment

by:PsiCop
ID: 12219428
First, see how bad the situation is. Telnet to port 25 on the server and copy the banner that is displayed. Post it here. Anything less than sendmail v8.12.10 is considered outdated/vulnerable. I'd be willing to lay money that your version is v8.11 or even worse. We could start a pool on the exact version, but that doesn't help you.

Again, I don't know the Cobalt environment specifically, so I can't give you precise instructions for it. I'm writing from the more-generic Solaris v7-10 perspective.

IF you have a compiler, then you want to go to http://www.sendmail.org and download the latest code, or at least v8.12.11. This fellow named Brandon Hutchinson has a good page about installing sendmail on Solaris --> http://www.brandonhutchinson.com/sendmail_solaris.html.  That will get you started.

If you don't have a compiler for the Cobalt, then either go get one and use the previous paragraph, or go to somewhere like http://www.sunfreeware.com and get a precompiled modern version of sendmail (v8.12.10 or later) appropriate to the OS on the Cobalt (you didn't say what it's running) and use that.

When you get an updated sendmail installed, here is an annotated sendmail.mc configuration file that contains a lot of anti-spam measures. http://www.experts-exchange.com/Networking/Email_Groupware/Sendmail/Q_21116293.html
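An added example, not code from the thread or from the sendmail project: a Python probe that does what cagri's telnet session above does by hand, and applies PsiCop's banner check at the same time. Assumptions are mine: the target speaks plain SMTP on port 25; the probe is run from a host that should NOT be allowed to relay (an outside address, not the LAN the poster tested from, where a 250 can be legitimate); 8.12.10 is used as the "too old" cutoff only because the thread names it, a 2004 number rather than a current advisory; the scripted peer at the bottom is a constructed stand-in so the example runs offline, and the hostnames in it are made up.

```python
"""Open-relay probe: banner check plus the HELO / MAIL FROM / RCPT TO dialogue.
Added example, not from the thread. The 8.12.10 threshold is the one PsiCop
quotes in 2004, not a current advisory."""
import re
import socket

OLDEST_ACCEPTABLE = (8, 12, 10)   # threshold from the thread, not a current advisory
VERSION_RE = re.compile(r"Sendmail (\d+)\.(\d+)\.(\d+)")


def read_reply(recv_line):
    """Collect one SMTP reply, including "250-..." continuation lines.
    recv_line() returns the next line without its CRLF. Returns (code, [texts])."""
    texts = []
    while True:
        line = recv_line()
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed SMTP reply: %r" % line)
        texts.append(line[4:])
        if len(line) == 3 or line[3] != "-":   # space (or nothing) after the code ends it
            return int(line[:3]), texts


def parse_sendmail_version(banner):
    """'qube3 ESMTP Sendmail 8.10.2/8.10.2; ...' -> (8, 10, 2); None if not sendmail."""
    m = VERSION_RE.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None


def probe(send_line, recv_line, helo="probe.example",
          mail_from="test@hotmail.com", rcpt_to="test@yahoo.com"):
    """Run the relay test over an already-connected peer.
    relay_open: True if RCPT TO for a foreign recipient from a foreign sender
    gets 250; False if refused (typically 550 ... Relaying denied); None if
    HELO or MAIL FROM was refused, which is a different problem from relaying."""
    result = {"relay_open": None}
    code, texts = read_reply(recv_line)
    if code != 220:
        raise RuntimeError("no 220 greeting: %d %s" % (code, texts))
    result["banner"] = texts[0]
    result["version"] = parse_sendmail_version(texts[0])
    result["outdated"] = (result["version"] is not None
                          and result["version"] < OLDEST_ACCEPTABLE)

    def cmd(line):
        send_line(line)
        return read_reply(recv_line)

    for line in ("HELO " + helo, "MAIL FROM:<%s>" % mail_from):
        code, texts = cmd(line)
        if code != 250:
            result["inconclusive"] = "%s -> %d %s" % (line, code, texts[0])
            cmd("QUIT")
            return result
    code, texts = cmd("RCPT TO:<%s>" % rcpt_to)
    result["rcpt_reply"] = "%d %s" % (code, texts[0])
    result["relay_open"] = code == 250
    # Stop here: 250 at RCPT already proves the relay is open. Going on to DATA
    # would push a real message through it, as the poster's test did
    # ("Message accepted for delivery"), which is better avoided.
    cmd("RSET")
    cmd("QUIT")
    return result


def probe_host(host, port=25, timeout=15):
    """The only part that touches the network: connect and run probe()."""
    with socket.create_connection((host, port), timeout) as s:
        rfile = s.makefile("rb")
        recv = lambda: rfile.readline().decode("latin-1").rstrip("\r\n")
        send = lambda line: s.sendall((line + "\r\n").encode("ascii"))
        return probe(send, recv)


def scripted_peer(banner, rcpt_reply):
    """Constructed stand-in for a server with canned replies, for offline runs."""
    pending = ["220 " + banner]

    def send_line(line):
        verb = line.split(" ", 1)[0].split(":")[0].upper()
        pending.append({
            "HELO": "250 qube3.example Hello probe.example, pleased to meet you",
            "MAIL": "250 2.1.0 Sender ok",
            "RCPT": rcpt_reply,
            "RSET": "250 2.0.0 Reset state",
            "QUIT": "221 2.0.0 closing connection",
        }.get(verb, "500 5.5.1 Command unrecognized"))

    return send_line, (lambda: pending.pop(0))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_host(sys.argv[1]))
    else:   # offline demo with the version string the poster reported
        send, recv = scripted_peer(
            "qube3.example ESMTP Sendmail 8.10.2/8.10.2; Mon, 4 Oct 2004 14:42:00 -0400",
            "250 2.1.5 test@yahoo.com... Recipient ok")
        print(probe(send, recv))
```

Run it as `python relay_probe.py mail.example` from a host outside the company. The dialogue stops at RCPT TO on purpose: the 250 there is the whole finding, and it is read from the same "Recipient ok" line the poster saw, without delivering anything.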
 
LVL 1

Author Comment

by:MasterWoodsman
ID: 12219937
Wow, lots of responses!

Sorry for taking so long.... Had to reset the server.

Okay, I did cagri's test.  It looks like relaying is on. (note that I telnetted from within the company)

MAIL FROM: test@hotmail.com
250 2.1.0 test@hotmail.com... Sender ok
RCPT TO: test@yahoo.com
250 2.1.5 test@yahoo.com... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
abc
abc
.
250 2.0.0 i94IVmc02501 Message accepted for delivery

Okay, when I connect via telnet, the version is Sendmail 8.10.2/8.10.2

I'll post some lines of the maillog soon.  I had my account capturing all the bounce-backs as a test, so I want to turn that off and show the results as they should be.

As for installing the latest version, I'm scared to death of doing this.  The Sun Cobalt has a complete integrated GUI which manages every part of the server, and I'm worried that changing the sendmail version will cause other problems!



 
LVL 1

Author Comment

by:MasterWoodsman
ID: 12219982
Here's the tail of maillog... (the name of our company is kayjon, and Qube3 is the email server)


Oct  4 14:42:00 qube3 sendmail[2217]: i947FaY27158: to=<hecbv@ngjbgee.info>, delay=11:25:17, xdelay=00:13:09, mailer=esmtp, pri=3091891, relay=ngjbgee.info. [222.222.48.35], dsn=4.0.0, stat=Deferred: Connection timed out with ngjbgee.info.
Oct  4 14:42:00 qube3 sendmail[2218]: i94E0bY13620: to=<isdtanpy@bdjhnid.info>, delay=04:26:46, xdelay=00:13:09, mailer=esmtp, pri=751880, relay=bdjhnid.info. [222.222.48.35], dsn=4.0.0, stat=Deferred: Connection timed out with bdjhnid.info.
Oct  4 14:42:00 qube3 sendmail[2219]: i94DFbY11505: to=<ewnfidcbblvcqg@lmdhnjb.info>, delay=04:57:20, xdelay=00:13:09, mailer=esmtp, pri=841890, relay=lmdhnjb.info. [222.222.48.35], dsn=4.0.0, stat=Deferred: Connection timed out with lmdhnjb.info.
Oct  4 14:42:01 qube3 in.qpopper[3281]: (v?) POP login by user "lif" at (192.168.2.104) 192.168.2.104
Oct  4 14:42:01 qube3 sendmail[2220]: i94E0bY13619: to=<guwebliokeb@ehnehkk.info>, delay=04:13:49, xdelay=00:13:10, mailer=esmtp, pri=661893, relay=ehnehkk.info. [61.240.131.228], dsn=4.0.0, stat=Deferred: Connection timed out with ehnehkk.info.
Oct  4 14:43:51 qube3 in.qpopper[3356]: (v?) POP login by user "dej" at (192.168.2.5) 192.168.2.5
Oct  4 14:44:13 qube3 in.qpopper[3380]: (v?) POP login by user "noa" at (192.168.2.50) 192.168.2.50
Oct  4 14:44:35 qube3 in.qpopper[3404]: (v?) POP login by user "jos" at (192.168.2.89) 192.168.2.89
Oct  4 14:44:41 qube3 in.qpopper[3405]: (v?) POP login by user "jos" at (192.168.2.89) 192.168.2.89
Oct  4 14:44:41 qube3 in.qpopper[3405]: jos at 192.168.2.89 (192.168.2.89): -ERR Unknown command: "xsender".
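An added example, not code from the thread: a parser for sendmail maillog entries that turns an excerpt like the one posted above into the figures worth looking at, how many delivery attempts are queued, how many are stuck, which top-level domains they go to, and which hosts submitted the messages in the first place. Assumptions are mine: sendmail 8.x syslog format; the "from=" record of a message carries relay=host [ip] for the submitting client; the poster's own clients live in 192.168.2.0/24 (as stated in the thread), so any other submitter counts as an outside relayer. In the embedded sample the to= lines are the thread's own, rejoined from the wrapped paste; the from= line with its IP 203.0.113.77 and msgid is constructed, since the excerpt shows no from= records.

```python
"""Summarise a sendmail maillog: delivery attempts, their status, destination
TLDs and the hosts that submitted the mail. Added example, not from the thread."""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"(?P<qid>\w+): (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")   # key=value pairs; stat= keeps its colons
IP_RE = re.compile(r"\[(\d+\.\d+\.\d+\.\d+)\]")

# to= lines: from the thread. from= line (submitter 203.0.113.77, msgid): constructed.
SAMPLE_LOG = """\
Oct  4 03:16:43 qube3 sendmail[27158]: i947FaY27158: from=<x@ngjbgee.info>, size=3091, class=0, nrcpts=1, msgid=<200410040716.i947FaY27158@qube3.example>, proto=SMTP, daemon=MTA, relay=[203.0.113.77]
Oct  4 14:42:00 qube3 sendmail[2217]: i947FaY27158: to=<hecbv@ngjbgee.info>, delay=11:25:17, xdelay=00:13:09, mailer=esmtp, pri=3091891, relay=ngjbgee.info. [222.222.48.35], dsn=4.0.0, stat=Deferred: Connection timed out with ngjbgee.info.
Oct  4 14:42:00 qube3 sendmail[2218]: i94E0bY13620: to=<isdtanpy@bdjhnid.info>, delay=04:26:46, xdelay=00:13:09, mailer=esmtp, pri=751880, relay=bdjhnid.info. [222.222.48.35], dsn=4.0.0, stat=Deferred: Connection timed out with bdjhnid.info.
Oct  4 14:42:00 qube3 sendmail[2219]: i94DFbY11505: to=<ewnfidcbblvcqg@lmdhnjb.info>, delay=04:57:20, xdelay=00:13:09, mailer=esmtp, pri=841890, relay=lmdhnjb.info. [222.222.48.35], dsn=4.0.0, stat=Deferred: Connection timed out with lmdhnjb.info.
Oct  4 14:42:01 qube3 in.qpopper[3281]: (v?) POP login by user "lif" at (192.168.2.104) 192.168.2.104
Oct  4 14:42:01 qube3 sendmail[2220]: i94E0bY13619: to=<guwebliokeb@ehnehkk.info>, delay=04:13:49, xdelay=00:13:10, mailer=esmtp, pri=661893, relay=ehnehkk.info. [61.240.131.228], dsn=4.0.0, stat=Deferred: Connection timed out with ehnehkk.info.
"""


def parse_line(line):
    """Return a dict for a sendmail record, or None for anything else (qpopper etc.)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(KV_RE.findall(rec.pop("rest")))
    return rec


def summarize(log_text, local_prefixes=("192.168.2.",), expected_per_day=30):
    """Aggregate one log (ideally a full day) into the figures that matter."""
    msgs = defaultdict(lambda: {"from": None, "submitter": None, "rcpts": []})
    by_stat, by_tld, submitters = Counter(), Counter(), Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        f, q = rec["fields"], msgs[rec["qid"]]
        if "from" in f:                      # envelope record: who handed us the message
            q["from"] = f["from"]
            ip = IP_RE.search(f.get("relay", ""))
            q["submitter"] = ip.group(1) if ip else f.get("relay")
            if q["submitter"] and not q["submitter"].startswith(local_prefixes):
                submitters[q["submitter"]] += 1
        if "to" in f:                        # delivery attempt record
            q["rcpts"].append(f["to"])
            by_stat[f.get("stat", "?").split(":")[0]] += 1
            by_tld[f["to"].rstrip(">").rsplit(".", 1)[-1]] += 1
    attempts = sum(by_stat.values())
    return {
        "messages": len(msgs),
        "delivery_attempts": attempts,
        "by_stat": dict(by_stat),
        "by_rcpt_tld": dict(by_tld),
        "external_submitters": dict(submitters),
        "deferred_share": by_stat["Deferred"] / attempts if attempts else 0.0,
        "over_baseline": attempts > expected_per_day,   # poster: ~30 legitimate mails a day
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, value in summarize(text).items():
        print("%-20s %s" % (key, value))
```

Run it over the whole /var/log/maillog rather than a tail: "messages" against the ~30 a day the poster expects, a "by_stat" dominated by Deferred, and "external_submitters" (the from= records, which the posted excerpt does not include) are what show both the volume and where it is coming from, and the submitter addresses are what a firewall rule or access map would be built from.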
 
LVL 1

Author Comment

by:MasterWoodsman
ID: 12219996
Great!  Another problem!

I turned off the SMTP this morning.  Then I turned it off and restarted it to do the test shown above.  The test went through, but now none of the users can send an email.  Keeps giving an authentication error.  I swear I didn't change ANY of the settings!
 
LVL 1

Author Comment

by:MasterWoodsman
ID: 12219998
Whoops.  I mean "Then I turned it ON to do the test......"
 
LVL 1

Author Comment

by:MasterWoodsman
ID: 12220037
Hmmm.  Just tried the telnet test again... didn't work...

telnet:  Unable to connect to remote host: Connection refused

I just did this 10 minutes ago and it worked.  I'll go restart the server again!
 
LVL 1

Author Comment

by:MasterWoodsman
ID: 12220294
Okay, the server is back up...

I noticed that one of the settings I can do in the GUI is to turn on POP Authenticated Relaying.  We have NO dial-up accounts.  Everyone sends emails from within the company.  Would this do the trick?

 
LVL 1

Author Comment

by:MasterWoodsman
ID: 12220307
Also, is there a way to enable Real-Time Blacklisting?
 
LVL 34

Expert Comment

by:PsiCop
ID: 12220719
" Also, is there a way to enable Real-Time Blacklisting?"

Yes. It's in the annotated sendmail.mc that I referred you to earlier today. I list entries for 5 RBLs.
 
LVL 1

Author Comment

by:MasterWoodsman
ID: 12220730
I noticed that I don't have a sendmail.mc file in my /etc/mail directory.  Is this normal?
 
LVL 34

Expert Comment

by:PsiCop
ID: 12220749
"Okay, when I connect via telnet, the version is Sendmail 8.10.2/8.10.2"

gahhh!!!!!!

That is an ANCIENT version. And it's the source of your problems. That is old, outdated and VULNERABLE. No wonder spammers are all over you. And I dunno if half the anti-spam entries in that sendmail.mc file will even work with that old a version of sendmail.

You need to UPGRADE YOUR SENDMAIL. You might as well go to v8.13.1 now that you're on every spammer's list of relay-friendly sites. They're probably crashing your server.
 
LVL 34

Accepted Solution

by:
PsiCop earned 500 total points
ID: 12220767
" I noticed that I don't have a sendmail.mc file in my /etc/mail directory.  Is this normal?"

Yes, because the Sun-supplied version of sendmail is CRIPPLED. It does not have all the management tools you need to properly manage the sendmail environment. I *think* it has the necessary m4 macros to let you build a new sendmail.cf, if you write a sendmail.mc file. I don't recall where those are, though.

Get yourself the new sendmail. I cannot stress this advice enough.
 
LVL 1

Author Comment

by:MasterWoodsman
ID: 12227919
PsiCop,

Okay, you've convinced me.  But I just spent the last hour reading what I have to do to install it and I'm terrified of bringing down the whole server.  As I said, I'm rather weak on Unix, and this is a working server doing our firewall, ftp, etc....

I'm considering getting a new email appliance with the latest sendmail to replace this.  In the meantime, is there an easy way to turn off relaying or am I completely screwed?
 
LVL 34

Expert Comment

by:PsiCop
ID: 12228456
"In the meantime, is there an easy way to turn off relaying or am I completely screwed"

If you can determine the IP addresses, or ranges, from which the SPAM is originating, then I'd use your firewall to block the port 25 connections from those nets until you can upgrade sendmail.
 
LVL 34

Expert Comment

by:PsiCop
ID: 12228481
And yes, it looks intimidating. But when you get thru it, you'll look back and realize it wasn't that bad.

As a Sun customer, I'd be on the phone, raising cain about them shipping such an old, vulnerable version of sendmail, making it crippled (i.e. lacking the macro support to rebuild or properly manage it), and not updating it in the Recommended Patches.
 
 
LVL 1

Author Comment

by:MasterWoodsman
ID: 12230327
I tried something else....

I turned off SMTP on the qube server, and configured another server for SMTP.  Thus the spammed server is only running POP and another server is running SMTP.  Sending is working great, but I can't seem to send emails to myself or other employees from within the company or from hotmail.

Am I missing something?  Does the receiving POP server need SMTP?????
 
LVL 34

Expert Comment

by:PsiCop
ID: 12230675
SMTP is a method of transferring E-Mail from server to server.

POP is a method for a client to access an E-Mail mailbox on a server.

Without knowing a LOT more about how your network is architected, your mail client software, and what you're trying to do, I can't really diagnose your problem. You need to provide a LOT more information.
 
LVL 1

Author Comment

by:MasterWoodsman
ID: 12230841
Basically, we want one server to run POP and the other SMTP.


How can I set this up....

Cobalt Linux running POP incoming only.  This computer has all the client accounts.  It is also our gateway to the network.  Thus when people send an email to mycompany.com, it resolves itself to this server.  This server will hold all the email until the clients check their inboxes with Outlook Express.

The second server is an Apple Xserve.  It is running SMTP only.  The outlook clients are set to connect to this server for outgoing.  There are no accounts on this server.  It is not directly connected to the internet, it uses the server above as a gateway

I can send emails no problem right now.  When I send one to myself I see a message in the SMTP log that says "Connection Refused".

Finally, everything is on the same domain, 192.168.2.x.  We're a small company, we don't have a complex system.

I hope this can help.  I want to thank you for all YOUR help!!!!!!!!!!!!

 
LVL 34

Expert Comment

by:PsiCop
ID: 12230961
"POP incomming only"

POP is not an "incoming" protocol. POP lets client machines get E-Mail from a mailbox on the server. It is not a mail transfer protocol in the same sense that SMTP is.

If you have a server to which your Domain's MX record resolves, then that server needs to be running an SMTP daemon, such as sendmail.

Your AppleX server was acting as a mail relay for your Outlook clients. Frankly, the Qube could have done the same thing, properly configured with a modern version of sendmail, so your environment was already more complex than it had to be.
 
LVL 34

Expert Comment

by:PsiCop
ID: 12230979
The reason you're getting "Connection Refused" is that the AppleX server is trying to relay out thru the Qube, and the Qube is not running sendmail, and so is not accepting the connection from the AppleX server.

And oh, by the way, no one from outside your company can get E-Mail in to you as long as you don't have an SMTP daemon (like sendmail) running on the Qube.
 
LVL 1

Author Comment

by:MasterWoodsman
ID: 12239401
Ok, thanks for all your help, PsiCop, you've been invaluable.

I'm now setting up a new linux box to run the email.  Then I'll tackle upgrading the sendmail

 
LVL 34

Expert Comment

by:PsiCop
ID: 12239875
What distro and version of Linux?

I hate to say this, but many Linux vendors are not all that swift about keeping up with sendmail versions. An unfortunate habit they seem to have adopted from the *NIX vendors. Remember to specifically look for v8.12.10 or later.

If it were me, in your situation, I'd probably set up the Linux box configured as a mail relay. It would receive E-mail for your Domain, apply some sniff-tests (RBLs, MIMEdefang, SpamAssassin, ClamAV, whatever) and then pass it along to an internal host that would handle final delivery. It would also accept out-bound mail from that internal host (acting as that host's "smart relay"). This would allow you to limit Port 25 at your firewall to just the Linux box that is acting as a relay host.

Your internal host would support both sendmail (SMTP) and some sort of client mailbox service, such as a POP or IMAP daemon. This would allow users with POP or IMAP clients to access their E-mail on that host. This host would also be set as an "open relay" for anyone on your network, so that users of those mail clients could also send. There is some danger here, especially since you are using Outlook - if a machine on your net gets compromised and is turned into a spambot, it will be able to freely relay thru your mailsystem (however, most spambots install their own SMTP engine and attempt to send directly, ignoring any configured relays, so this behavior can be stopped dead with an outgoing firewall rule).

Anyway, such a design, with a relay host between your internal mailserver and the Internet, will afford you better security and more control over your mail environment. Good luck, and don't forget to keep your sendmail installation updated. This is a lesson I learned many years ago, when *MY* mailserver got black-listed because I let the sendmail version get behind.
