Solved

sendmail problem.

Posted on 2006-07-05
Last Modified: 2010-04-07
Folks,
     Thank you for your terrific response on securing apache. I have another headache. We have a problem with our sendmail SMTP server. If you look at the following list, it looks like someone is trying to send an email to someone which, as we can see, are fake addresses and end up sitting in the queue. How do I get rid of this problem?


QAA06976     3109 Wed Jul  5 16:07 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                <baimaggieh@0451.com>
QAA12223      872 Wed Jul  5 16:28 <michelle@acck.edu>
                 (Deferred: 450 <michelle@acck.edu>: Sender address rejected: )
                                   <Amy-Little@fami.com>
NAA22287     3108 Wed Jul  5 13:24 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <allk@0451.com>
LAA07237     3086 Wed Jul  5 11:05 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <awawa@0451.com>
AAA05638     3238 Wed Jul  5 00:45 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <allbecauselove@0451.com>
SAA26137     3142 Tue Jul  4 18:59 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <baimaggieo@0451.com>
IAA09039     3096 Tue Jul  4 08:48 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <bairobertq@0451.com>
BAA21516     3062 Tue Jul  4 01:01 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <abc12300@0451.com>
Question by:zkaiserm
LVL 12

Expert Comment

by:GinEric
ID: 17051153
It looks like you have either a rootkit infection or the webserver has been compromised [temp folders infected and sending out emails].

Check both, get rkhunter and run it and manually inspect your temporary folders.

KDE and Apache are infamous for getting hit this way.

Look for .pl files or similar in temp and cache folders.

It's especially true if user "nobody" is sending out emails, but it could be any user account.  Web Server "nobody" account should have mail account disallowed and temp folders shouldn't have execute permissions by default.

Sendmail has done a good job of stopping the spam, which seems to be coming from your server.

Also, mail.0451 in any variation is a spam relayer.  You might want to block all of their domains in the sendmail or hosts.deny file.

Author Comment

by:zkaiserm
ID: 17051875
It's an HP-UX box. Are the commands going to be any different?
LVL 9

Expert Comment

by:jabiii
ID: 17058006
Do you have relay turned off?
LVL 12

Accepted Solution

by:
GinEric earned 500 total points
ID: 17064156
The commands are for any Linux box, there should be no difference.

sendmail: 0451.com

or

ALL: 0451.com

Will block them.  I have been working on a Windows network installation while the Linux server is down for replacement.  If I can find the hosts.deny, I'll give a sample listing of how to block these email attempts.  Also, user nobody is generally "disabled" under most Linux systems using Apache by default.  If you see emails to or from user "nobody" you have a problem somewhere.
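An added triage example, not posted by anyone in this thread: a small POSIX shell/awk script that summarizes a mailq listing like the one in the question by recipient domain and separates MAILER-DAEMON bounces from entries with a real sender, so the administrator can see which deferred items are backscatter from mail generated on this host rather than legitimate outbound mail. The sample queue text is constructed from the listing above (abbreviated), and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample, trimmed from the mailq output quoted in the question.
MAILQ_SAMPLE='QAA06976     3109 Wed Jul  5 16:07 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                <baimaggieh@0451.com>
QAA12223      872 Wed Jul  5 16:28 <michelle@acck.edu>
                 (Deferred: 450 <michelle@acck.edu>: Sender address rejected: )
                                   <Amy-Little@fami.com>
NAA22287     3108 Wed Jul  5 13:24 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <allk@0451.com>'

# Read a mailq listing on stdin and print "<domain> <total> <bounces>" per
# recipient domain, most queued entries first.  A domain whose entries are
# all bounces (sender MAILER-DAEMON) points at mail that this server tried
# to send and the remote side refused, i.e. the pattern in the question.
summarize_queue() {
  awk '
    # Header line: queue id, size, date/time, envelope sender (last field)
    /^[A-Za-z0-9]+ +[0-9]+ / { sender = $NF; next }
    # Status line in parentheses: nothing to count here
    /^ +\(/ { next }
    # Recipient line: <user@domain>, indentation varies between entries
    /^ +<[^>]+>/ {
      addr = $1; gsub(/[<>]/, "", addr)
      split(addr, parts, "@"); dom = parts[2]
      total[dom]++
      if (sender == "MAILER-DAEMON") bounces[dom]++
    }
    END {
      for (d in total) printf "%s %d %d\n", d, total[d], bounces[d] + 0
    }
  ' | sort -k2,2nr -k1,1
}

# Print only the domains where every queued entry is a bounce.
flag_bounce_targets() {
  summarize_queue | awk '$3 > 0 && $3 == $2 { print $1 }'
}

printf '%s\n' "$MAILQ_SAMPLE" | summarize_queue
printf '%s\n' "$MAILQ_SAMPLE" | flag_bounce_targets
```

On a live system pipe the real queue in instead: `mailq | summarize_queue`. A domain that shows up only as bounces is the one to investigate in the maillog for the local user or process that originated the messages.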