Solved

Mail users receiving email from their domain with accounts that are false

Posted on 2004-10-12
19
358 Views
Last Modified: 2013-12-17
I've been trying to track down an issue where our mail server users are complaining of receiving emails from fake accounts that have their domain name associated with them. After looking into this further, it appears to be spam and viruses coming through with headers that are from other sources but ours.

We're currently running Fedora Core 1 (Yarrow) with sendmail 8.12.10.

After some research I'm guessing I need to change sendmail.mc to do header checks, but I was wondering if I could configure the server to check against either the virtusertable or the local accounts to see if the user sending mail is an actual account on this server.

Thanks in advance for any help.

I currently only have 40 points to offer but I will consider buying more if need be.

Also, if any Linux techs are in the Cleveland area, my bosses may be interested in talking about further Linux support help.

Thanks.
0
Question by:rpone605
19 Comments
 
LVL 34

Expert Comment

by:PsiCop
ID: 12287076
Well, yes, this is more than a 40-point Question, but let's see what we can do.

I doubt the virtusertable will solve your issue. The headers are a smoke-screen. What you need to do is reject the spammers earlier in the SMTP conversation.

Congrats on running a reasonably modern version of sendmail (latest is v8.13.1, but v8.12.10 is quite acceptable). You'd be amazed how many people come into this TA running v8.8 or even older and expecting the same mail management tools to be available to them as they have in a newer version.

Here is an annotated sendmail.mc file that I use in my sendmail v8.12.11 environment, and it contains a number of anti-spam measures, including 5 RBLs --> http://www.experts-exchange.com/Q_21116293.html
0
 
LVL 1

Author Comment

by:rpone605
ID: 12287858
I will purchase additional points and increase the point value later today then.

I will take a look a bit later as well at your sendmail config and see what I can use. One of the issues we had in the past with using the RBLs in sendmail.mc was that they would block valid domains. I'm sure there's a way to whitelist certain domains through the config but am unsure how.

I appreciate the kind words on the version discussion. I know, being an on-site tech, that most people still don't understand what a Windows update is and what antivirus updates are.

Thanks for your help so far.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 12287942
You can whitelist senders using the FEATURE(`delay_checks', `friend') option. Once that is set, the access db [see FEATURE(`access_db',`dbm -T<TMPF> /some/path/here/access') for info] can be used to allow override of the RBLs (among other things).
0
 
LVL 1

Author Comment

by:rpone605
ID: 12290154
Alright, here's what I'm going to add to the sendmail.mc file:

FEATURE('delay_checks', 'whitelist')

FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}', `t')dnl
FEATURE(`enhdnsbl', `list.dsbl.org', `"550 Mail from " $`'&{client_addr} " refused - see http://dsbl.org/"')dnl
FEATURE(`enhdnsbl', `blackholes.mail-abuse.org', `"550 Mail from " $`'&{client_addr} " refused - see http://mail-abuse.org/"')dnl
FEATURE(`enhdnsbl', `sbl.spamhaus.org', `"550 Mail from " $`'&{client_addr} " refused - see http://www.spamhaus.org/SBL/"')dnl
FEATURE(`enhdnsbl', `relays.visi.com', `"550 Mail from " $`'&{client_addr} " refused - see http://relays.visi.com/"')dnl

The access db feature is already enabled due to mail relay.

Then all I have to do is add the selected domains to the access db with the tag whitelist and we should be ready to rock, correct?

*note* I did also up the point value and will be turning these on tomorrow.

Thanks again
0
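The concern above about RBLs blocking valid senders can be checked before whitelisting: the following Python script (an added example, not code from the thread) does the same lookup `enhdnsbl` does for each of the five zones in the plan, reversing the IPv4 octets under the zone name and treating an A record in 127.0.0.0/8 as a listing. Some of these zones may no longer be operating, so a dead zone is simply reported as "not listed"; the resolver is injectable so the logic runs without DNS.

```python
import socket

# The five DNSBL zones from the enhdnsbl lines in the plan above.
RBL_ZONES = [
    "bl.spamcop.net",
    "list.dsbl.org",
    "blackholes.mail-abuse.org",
    "sbl.spamhaus.org",
    "relays.visi.com",
]


def dnsbl_query_name(ip, zone):
    """Build the name enhdnsbl looks up: the IPv4 octets reversed, under the zone.
    192.0.2.10 on bl.spamcop.net becomes 10.2.0.192.bl.spamcop.net."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def is_listing_answer(answer):
    """DNSBLs answer a listed address with an A record in 127.0.0.0/8;
    anything else (or NXDOMAIN) means the address is not listed."""
    return answer.startswith("127.")


def check_ip(ip, zones=RBL_ZONES, resolve=socket.gethostbyname):
    """Query every zone for ip. Returns {zone: answer}, with None for 'not listed'.
    `resolve` is injectable (hypothetical parameter) so the logic can run without DNS."""
    results = {}
    for zone in zones:
        try:
            answer = resolve(dnsbl_query_name(ip, zone))
        except OSError:  # NXDOMAIN, dead zone or no network: treat as not listed
            results[zone] = None
            continue
        results[zone] = answer if is_listing_answer(answer) else None
    return results


def listed_zones(ip, zones=RBL_ZONES, resolve=socket.gethostbyname):
    """Zones whose listing would make sendmail reject mail from ip unless whitelisted."""
    return [z for z, a in check_ip(ip, zones, resolve).items() if a is not None]


if __name__ == "__main__":
    import sys
    for ip in sys.argv[1:]:
        hits = listed_zones(ip)
        print(ip, "listed on:", ", ".join(hits) if hits else "(none)")
```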
 
LVL 34

Expert Comment

by:PsiCop
ID: 12290349
I don't recall "whitelist" being a valid argument to FEATURE(`delay_checks') - but I also don't have my sendmail reference in front of me, so it might be fine.

Your plan sounds right.

Thanks for increasing the points.
0
 
LVL 1

Author Comment

by:rpone605
ID: 12290499
I think this is what you're referring to.

As explained the new rulesets for SMTP connections are called in the order: check_relay (host name and host address when a client connects), check_mail for the MAIL command, and check_rcpt for the RCPT command. Hence it is per default not possible to override rejections in check_relay by the sender address, or rejections in check_mail for individual recipients. The new FEATURE(`delay_checks') changes the order by modifying the names of some rulesets. This allows you to:
accept mail from specific (envelope) senders, even though the server rejects connections from some clients,
accept mail for specific recipients, e.g., postmaster, even though the mail would be rejected by other means.
By using FEATURE(`delay_checks') the rulesets check_mail and check_relay will not be called when a client connects or issues a MAIL command, respectively. Instead, check_rcpt is the first check_* ruleset to be called. After it completes, check_mail and check_relay will be called in order. Moreover, one argument can be specified for the delay_checks feature:

FEATURE(`delay_checks', `friend')
enable spamfriend test
FEATURE(`delay_checks', `hater')
enable spamhater test
If such an argument (at most one) is given, the recipient will be looked up in the access map (using the tag To:). If the argument is friend, then the other rulesets will be skipped if the recipient address is found and has RHS SPAMFRIEND, i.e., the default is to apply the usual rulesets unless an entry in the access map is specified. If the argument is hater, then the other rulesets will be applied if the recipient address is found and has RHS SPAMHATER, i.e., the default is to skip the usual rulesets unless an entry in the access map is specified.
This allows for simple exceptions from the tests, e.g. by activating the spamfriend option and having

      To:abuse@      SPAMFRIEND

in the access map, mail to abuse@localdomain will get through. It is also possible to specify a full address or an address with +detail:
To:abuse@abuse.my.domain      SPAMFRIEND
To:me+abuse@            SPAMFRIEND

So I need to change that to friends and then add "enable whitelist test" to the delay_checks line, if I'm reading that correctly.

And then in the access db I'll need to add

mydomain.com        WHITELIST

0
 
LVL 34

Expert Comment

by:PsiCop
ID: 12290594
Yep, that was what I was looking for.
0
 
LVL 1

Author Comment

by:rpone605
ID: 12290615
OK, I'll let you know if the server goes down in a fiery crash tomorrow then. :)
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 12290779
*chuckle* Just don't forget to save copies of your original sendmail.mc and sendmail.cf

You can quickly test your changes by telnetting to port 25 on the sendmail server and manually initiating an SMTP conversation.
0
 
LVL 1

Author Comment

by:rpone605
ID: 12311078
Alright, so I enabled the filters as we discussed.

I'm getting one error and it's on the delay_checks option.

Here it is:

sendmail.mc:63: m4: Warning: Excess arguments to built-in `define' ignored
sendmail.mc:63: m4: Cannot open /usr/share/sendmail-cf/feature/'delay_checks'.m4: No such file or directory

I'm guessing by the error that it is unable to run that feature, but I searched for that file and it found it no problem. Could it be rights?
0
 
LVL 1

Author Comment

by:rpone605
ID: 12311299
Never mind, I'm a dolt. I figured it out.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 12311647
Don't feel bad, I banged my head against the wall for 2 weeks with a sendmail/Majordomo interaction problem before I figgered out the answer was staring me in the face. Happens to every sysadmin.
0
 
LVL 1

Author Comment

by:rpone605
ID: 12311913
So does this mean it's working?

Domain name and IP removed for security.

Oct 14 16:02:13 mail sendmail[15394]: ruleset=check_relay, arg1=rly07.xxx.com, arg2=xx.xx.xx.xx, relay=rly07.xxx.com [xx.xx.x.xx], reject=553 5.3.0 WHITELIST
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 12312024
Ummm...no. 553 indicates the message was rejected.

Can you post your sendmail.mc, or at least the relevant portions?
0
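As an added example (not code from the thread), here is a Python script that parses sendmail's `ruleset=... reject=...` maillog lines like the one quoted above, tallies rejections by ruleset and by reply class (5xx permanently rejected, 4xx deferred), and flags a reject text that is a bare upper-case word such as WHITELIST, which matches sendmail treating an unrecognised access-db right-hand side as the text of a 553 rejection. The sample log lines are constructed, with documentation hostnames and addresses.

```python
import re
from collections import Counter

# Constructed sample maillog lines in the style of the one quoted above
# (hostnames and addresses are documentation values, not real ones).
SAMPLE_LOG = """\
Oct 14 16:02:13 mail sendmail[15394]: ruleset=check_relay, arg1=rly07.example.net, arg2=192.0.2.7, relay=rly07.example.net [192.0.2.7], reject=553 5.3.0 WHITELIST
Oct 14 16:03:41 mail sendmail[15398]: ruleset=check_relay, arg1=[198.51.100.9], arg2=198.51.100.9, relay=[198.51.100.9], reject=550 Mail from 198.51.100.9 refused - see http://www.spamhaus.org/SBL/
Oct 14 16:04:02 mail sendmail[15401]: ruleset=check_mail, arg1=<bogus@example.org>, relay=[203.0.113.4], reject=553 5.1.8 <bogus@example.org>... Domain of sender address bogus@example.org does not exist
Oct 14 16:05:20 mail sendmail[15407]: i9EK5Kaa015407: from=<alice@example.com>, size=1234, class=0, nrcpts=1, relay=[203.0.113.5]
"""

REJECT_RE = re.compile(
    r"ruleset=(?P<ruleset>\w+), (?P<args>.*?)reject=(?P<code>\d{3})"
    r"(?: (?P<esc>\d\.\d+\.\d+))? (?P<text>.*)$"
)


def parse_reject(line):
    """Return the fields of a ruleset=... reject=... line, or None for other lines."""
    m = REJECT_RE.search(line)
    if m is None:
        return None
    relay = re.search(r"relay=([^,]+)", m.group("args"))
    code = m.group("code")
    return {
        "ruleset": m.group("ruleset"),
        "relay": relay.group(1) if relay else None,
        "code": int(code),
        "enhanced": m.group("esc"),  # enhanced status code, absent on some lines
        "text": m.group("text"),
        # 5xx = permanently rejected, 4xx = deferred (the sender will retry)
        "outcome": {"5": "rejected", "4": "deferred"}.get(code[0], "other"),
    }


def looks_like_access_rhs(text):
    """A bare upper-case word as the reject text (e.g. WHITELIST) is sendmail
    using an access-db right-hand side it did not recognise as a keyword."""
    return re.fullmatch(r"[A-Z_]+", text) is not None


def summarize(log_text):
    """Count rejections per ruleset and outcome; list suspicious reject texts."""
    by_ruleset, by_outcome, suspicious = Counter(), Counter(), []
    for line in log_text.splitlines():
        r = parse_reject(line)
        if r is None:
            continue
        by_ruleset[r["ruleset"]] += 1
        by_outcome[r["outcome"]] += 1
        if looks_like_access_rhs(r["text"]):
            suspicious.append((r["relay"], r["text"]))
    return {"by_ruleset": dict(by_ruleset), "by_outcome": dict(by_outcome),
            "suspicious": suspicious}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, value in summarize(text).items():
        print(key, value)
```

Run it with the path to /var/log/maillog (or with no argument to use the constructed sample); a non-empty "suspicious" list points at an access-db entry whose right-hand side sendmail is echoing back instead of acting on.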
 
LVL 1

Author Comment

by:rpone605
ID: 12312065
Here ya go:

divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl #     make -C /etc/mail
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
dnl define(`SMART_HOST',`smtp.your.provider')
dnl #
define(`confDEF_USER_ID',``8:12'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl #
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl #     make -C /usr/share/ssl/certs usage
dnl #
define(`confCACERT_PATH',`/usr/share/ssl/certs')
define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl # NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl #       a kernel patch
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
dnl # FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`localhost.localdomain')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS(`mydomain.com')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
MASQUERADE_DOMAIN(localhost)dnl
MASQUERADE_DOMAIN(localhost.localdomain)dnl
MASQUERADE_DOMAIN(mydomainalias.com)dnl
MASQUERADE_DOMAIN(mydomain.lan)dnl
FEATURE(`delay_checks', friend)
enable spamfriend whitelist
FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}', `t')dnl
FEATURE(`enhdnsbl', `list.dsbl.org', `"550 Mail from " $`'&{client_addr} " refused - see http://dsbl.org/"')dnl
FEATURE(`enhdnsbl', `blackholes.mail-abuse.org', `"550 Mail from " $`'&{client_addr} " refused - see http://mail-abuse.org/"')dnl
FEATURE(`enhdnsbl', `sbl.spamhaus.org', `"550 Mail from " $`'&{client_addr} " refused - see http://www.spamhaus.org/SBL/"')dnl
FEATURE(`enhdnsbl', `relays.visi.com', `"550 Mail from " $`'&{client_addr} " refused - see http://relays.visi.com/"')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
INPUT_MAIL_FILTER(`clamav-milter', `S=local:/var/run/clamav/clamav-milter.sock, F=,T=S:4m;R:4m;E:10m')dnl
0
 
LVL 1

Author Comment

by:rpone605
ID: 12312142
I think it might be the way it's reading the access db.

I originally had

*@xxx.com     WHITELIST

I figured that to be wrong, so I changed it per sendmail.org to:

spam:*@xxx.com     FRIEND
0
 
LVL 34

Accepted Solution

by:
PsiCop earned 300 total points
ID: 12312494
I confess you're getting into uncharted territory for me - I haven't played with the access DB to this degree. Is that change working?
0
 
LVL 1

Author Comment

by:rpone605
ID: 12312546
I think it is; I've seen a couple of things come by since I changed that to the above.

I'll know in the morning if I get a phone call.
0
 
LVL 1

Author Comment

by:rpone605
ID: 12318818
So far so good. It seems to be filtering and blocking; now we just have to see if the one customer is receiving emails or not.

I will attempt to close the question today if all is well.

Thanks for all your help so far. I wouldn't have been able to get this working otherwise.
0
