Solved

sendmail problem.

Posted on 2006-07-05
Last Modified: 2010-04-07
Folks,
     Thank you for your terrific response on securing Apache. I have another headache. We have a problem with our sendmail SMTP server. If you look at the following list, it looks like someone is trying to send mail to what, as far as we can tell, are fake addresses, and the messages end up sitting in the queue. How do I get rid of this problem?


QAA06976     3109 Wed Jul  5 16:07 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                <baimaggieh@0451.com>
QAA12223      872 Wed Jul  5 16:28 <michelle@acck.edu>
                 (Deferred: 450 <michelle@acck.edu>: Sender address rejected: )
                                   <Amy-Little@fami.com>
NAA22287     3108 Wed Jul  5 13:24 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <allk@0451.com>
LAA07237     3086 Wed Jul  5 11:05 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <awawa@0451.com>
AAA05638     3238 Wed Jul  5 00:45 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <allbecauselove@0451.com>
SAA26137     3142 Tue Jul  4 18:59 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <baimaggieo@0451.com>
IAA09039     3096 Tue Jul  4 08:48 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <bairobertq@0451.com>
BAA21516     3062 Tue Jul  4 01:01 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <abc12300@0451.com>
Question by:zkaiserm
6 Comments
 
LVL 12

Expert Comment

by:GinEric
ID: 17051153
It looks like you have either a rootkit infection or the webserver has been compromised [temp folders infected and sending out emails].

Check both, get rkhunter and run it and manually inspect your temporary folders.

KDE and Apache are infamous for getting hit this way.

Look for .pl files or similar in temp and cache folders.

It's especially true if user "nobody" is sending out emails, but it could be any user account. Web Server "nobody" account should have mail account disallowed and temp folders shouldn't have execute permissions by default.

Sendmail has done a good job of stopping the spam, which seems to be coming from your server.

Also, mail.0451 in any variation is a spam relayer.  You might want to block all of their domains in the sendmail or hosts.deny file.
0
 

Author Comment

by:zkaiserm
ID: 17051875
It's an HP-UX box. Are the commands going to be any different?
0
 
LVL 9

Expert Comment

by:jabiii
ID: 17058006
Do you have relay turned off?
0
 
LVL 12

Accepted Solution

by:
GinEric earned 500 total points
ID: 17064156
The commands are for any Linux box, there should be no difference.

sendmail: 0451.com

or

ALL: 0451.com

Will block them.  I have been working on a Windows network installation while the Linux server is down for replacement.  If I can find the hosts.deny, I'll give a sample listing of how to block these email attempts.  Also, user nobody is generally "disabled" under most Linux systems using Apache by default.  If you see emails to or from user "nobody" you have a problem somewhere.
0
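
For triaging a queue like the one in the question, the following added example (not part of the thread) parses `mailq` output in the layout shown in the question and counts bounce entries, recipient domains and deferral reasons. The sample input is constructed from three of the question's entries, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample: three entries in the layout of the listing in the question.
SAMPLE = """\
QAA06976     3109 Wed Jul  5 16:07 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                <baimaggieh@0451.com>
QAA12223      872 Wed Jul  5 16:28 <michelle@acck.edu>
                 (Deferred: 450 <michelle@acck.edu>: Sender address rejected: )
                                   <Amy-Little@fami.com>
NAA22287     3108 Wed Jul  5 13:24 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <allk@0451.com>
"""

# Entry header: queue ID, size in bytes, queue time, envelope sender (starts at column 0).
HEADER = re.compile(r"^(?P<qid>[A-Za-z0-9]+)\s+(?P<size>\d+)\s+"
                    r"(?P<when>\w{3}\s+\w{3}\s+\d+\s+\d+:\d+)\s+(?P<sender>\S+)\s*$")


def parse_mailq(text):
    """Return one dict per queue entry; lines before the first header are ignored."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(raw)
        if m:
            cur = {"qid": m["qid"], "size": int(m["size"]), "when": m["when"],
                   "sender": m["sender"].strip("<>"), "status": "", "rcpts": []}
            entries.append(cur)
        elif cur and line.startswith("("):      # parenthesised deferral reason
            cur["status"] = line.strip("()").strip()
        elif cur and line:                      # indented recipient address
            cur["rcpts"].append(line.strip("<>"))
    return entries


def summarize(entries):
    """Count bounces, recipient domains and deferral reasons across the queue."""
    # A MAILER-DAEMON sender marks a bounce generated by this host, not user mail.
    bounces = [e["qid"] for e in entries if e["sender"] == "MAILER-DAEMON"]
    domains = Counter(r.rsplit("@", 1)[-1].lower() for e in entries for r in e["rcpts"])
    reasons = Counter(e["status"] for e in entries)
    return {"total": len(entries), "bounce_ids": bounces,
            "rcpt_domains": domains.most_common(), "reasons": reasons.most_common()}


if __name__ == "__main__":
    for key, value in summarize(parse_mailq(SAMPLE)).items():
        print(key, value)
```
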

Question has a verified solution.
