Solved

sendmail problem.

Posted on 2006-07-05
486 Views
Last Modified: 2010-04-07
Folks,
     Thank you for your terrific response on securing Apache. I have another headache. We have a problem with our sendmail SMTP server. If you look at the following list, it looks like someone is trying to send a mail to addresses which, as we can see, are fake, and they end up sitting in the queue. How do I get rid of this problem?


QAA06976     3109 Wed Jul  5 16:07 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                <baimaggieh@0451.com>
QAA12223      872 Wed Jul  5 16:28 <michelle@acck.edu>
                 (Deferred: 450 <michelle@acck.edu>: Sender address rejected: )
                                   <Amy-Little@fami.com>
NAA22287     3108 Wed Jul  5 13:24 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <allk@0451.com>
LAA07237     3086 Wed Jul  5 11:05 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <awawa@0451.com>
AAA05638     3238 Wed Jul  5 00:45 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <allbecauselove@0451.com>
SAA26137     3142 Tue Jul  4 18:59 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <baimaggieo@0451.com>
IAA09039     3096 Tue Jul  4 08:48 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <bairobertq@0451.com>
BAA21516     3062 Tue Jul  4 01:01 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <abc12300@0451.com>
Question by:zkaiserm
6 Comments
 

Expert Comment

by:GinEric
ID: 17051153
It looks like you have either a rootkit infection or the webserver has been compromised [temp folders infected and sending out emails].

Check both, get rkhunter and run it and manually inspect your temporary folders.

KDE and Apache are infamous for getting hit this way.

Look for .pl files or similar in temp and cache folders.

It's especially true if user "nobody" is sending out emails, but it could be any user account.  The web server "nobody" account should have its mail account disallowed, and temp folders shouldn't have execute permissions by default.

Sendmail has done a good job of stopping the spam, which seems to be coming from your server.

Also, mail.0451 in any variation is a spam relayer.  You might want to block all of their domains in the sendmail or hosts.deny file.

Author Comment

by:zkaiserm
ID: 17051875
It's an HP-UX box. Are the commands going to be any different?

Expert Comment

by:jabiii
ID: 17058006
Do you have relay turned off?

Accepted Solution

by: GinEric (earned 500 total points)
ID: 17064156
The commands are for any Linux box, there should be no difference.

sendmail: 0451.com

or

ALL: 0451.com

Will block them.  I have been working on a Windows network installation while the Linux server is down for replacement.  If I can find the hosts.deny, I'll give a sample listing of how to block these email attempts.  Also, user nobody is generally "disabled" under most Linux systems using Apache by default.  If you see emails to or from user "nobody" you have a problem somewhere.
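A way to triage a queue listing like the one in the question, added here as an example and not part of the original thread: it parses the sendmail mailq layout quoted above, and for each stuck message records the sender, the deferral reason and the recipients, then counts per recipient domain how many entries are bounces (sender MAILER-DAEMON) and which deferral reasons dominate. The sample queue is constructed from three of the entries shown in the question.

```python
import re
from collections import Counter

# Constructed sample in the same layout as the mailq output quoted in the question.
SAMPLE_QUEUE = """\
QAA06976     3109 Wed Jul  5 16:07 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                <baimaggieh@0451.com>
QAA12223      872 Wed Jul  5 16:28 <michelle@acck.edu>
                 (Deferred: 450 <michelle@acck.edu>: Sender address rejected: )
                                   <Amy-Little@fami.com>
NAA22287     3108 Wed Jul  5 13:24 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <allk@0451.com>
"""

# Queue-id line: id, size, date/time, envelope sender (bare MAILER-DAEMON or <addr>).
ENTRY_RE = re.compile(r"^(\w{8})\s+(\d+)\s+(\w{3} \w{3}\s+\d+ \d\d:\d\d)\s+(.+)$")
REASON_RE = re.compile(r"^\s+\((.*)\)\s*$")   # indented "(Deferred: ...)" status line
RCPT_RE = re.compile(r"^\s+<([^>]+)>\s*$")    # indented "<recipient>" line


def parse_queue(text):
    """Return one dict per queued message: id, size, sender, reason, recipients."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"id": m.group(1), "size": int(m.group(2)),
                            "sender": m.group(4).strip().strip("<>"),
                            "reason": "", "recipients": []})
            continue
        if not entries:
            continue  # continuation line before any queue-id line; skip
        m = REASON_RE.match(line)
        if m:
            entries[-1]["reason"] = m.group(1)
            continue
        m = RCPT_RE.match(line)
        if m:
            entries[-1]["recipients"].append(m.group(1))
    return entries


def summarize(entries):
    """Count bounce messages per recipient domain and occurrences of each deferral reason."""
    bounces, reasons = Counter(), Counter()
    for e in entries:
        reasons[e["reason"]] += 1
        for rcpt in e["recipients"]:
            if e["sender"] == "MAILER-DAEMON":
                bounces[rcpt.rsplit("@", 1)[-1].lower()] += 1
    return bounces, reasons
```

On a live system the same functions can be fed the output of `mailq` (or `sendmail -bp`) instead of the embedded sample; a domain that appears only as the target of undeliverable bounces is the one to look at first.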
