Solved

sendmail problem.

Posted on 2006-07-05
Last Modified: 2010-04-07
Folks,
     Thank you for your terrific response on securing apache. I have another headache. We have a problem with our sendmail SMTP server. If you look at the following list, it looks like someone is trying to send an email to someone which as we can say are fake addresses and end up sitting in the queue. How do I get rid of this problem?


QAA06976     3109 Wed Jul  5 16:07 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                <baimaggieh@0451.com>
QAA12223      872 Wed Jul  5 16:28 <michelle@acck.edu>
                 (Deferred: 450 <michelle@acck.edu>: Sender address rejected: )
                                   <Amy-Little@fami.com>
NAA22287     3108 Wed Jul  5 13:24 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <allk@0451.com>
LAA07237     3086 Wed Jul  5 11:05 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <awawa@0451.com>
AAA05638     3238 Wed Jul  5 00:45 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <allbecauselove@0451.com>
SAA26137     3142 Tue Jul  4 18:59 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <baimaggieo@0451.com>
IAA09039     3096 Tue Jul  4 08:48 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <bairobertq@0451.com>
BAA21516     3062 Tue Jul  4 01:01 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <abc12300@0451.com>
Question by:zkaiserm
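To triage a queue like the one above, here is an added Python example (not from the original post) that parses the classic sendmail mailq layout shown in the question (queue id at column 0, indented deferral reason, indented recipient) and summarises it by envelope sender, recipient domain and deferral reason. The sample text is the first four entries quoted above; the parser, its regexes and the summary keys are mine. A queue dominated by entries whose sender is MAILER-DAEMON consists of bounces this host generated itself, which is the first fact to establish before deciding whether the original messages arrived from outside or were injected by a local process.

```python
"""Summarise a sendmail mailq listing: who is sending, where it is going, why it is stuck."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: the first four entries of the queue listing quoted in the question.
SAMPLE_MAILQ = """\
QAA06976     3109 Wed Jul  5 16:07 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                <baimaggieh@0451.com>
QAA12223      872 Wed Jul  5 16:28 <michelle@acck.edu>
                 (Deferred: 450 <michelle@acck.edu>: Sender address rejected: )
                                   <Amy-Little@fami.com>
NAA22287     3108 Wed Jul  5 13:24 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <allk@0451.com>
LAA07237     3086 Wed Jul  5 11:05 MAILER-DAEMON
                 (Deferred: Connection refused by mail.0451.com.)
                                   <awawa@0451.com>
"""

# Header line: queue id at column 0, size, "Ddd Mmm dd hh:mm", then the envelope sender.
HEADER = re.compile(r"^(\S+)\s+(\d+)\s+(\w{3} \w{3}\s+\d+ \d\d:\d\d)\s+(\S.*)$")
REASON = re.compile(r"^\s+\((.*)\)\s*$")      # indented "(Deferred: ...)" status line
RCPT = re.compile(r"^\s+<([^>]+)>\s*$")        # indented "<user@domain>" recipient line


@dataclass
class QueueEntry:
    qid: str
    size: int
    when: str
    sender: str                      # "MAILER-DAEMON" marks a bounce generated by this host
    reason: str = ""
    recipients: list = field(default_factory=list)


def parse_mailq(text: str) -> list:
    """Turn mailq text into QueueEntry objects; banner lines without a queue id are skipped."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = QueueEntry(m.group(1), int(m.group(2)), m.group(3),
                                 m.group(4).strip().strip("<>"))
            entries.append(current)
            continue
        if current is None:          # e.g. "Mail Queue (N requests)" banner
            continue
        m = REASON.match(line)
        if m:
            current.reason = m.group(1).strip()
            continue
        m = RCPT.match(line)
        if m:
            current.recipients.append(m.group(1))
    return entries


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def summarise(entries: list) -> dict:
    """Counts that show whether the queue is this host's own bounces or someone else's mail."""
    bounces = [e for e in entries if e.sender.upper() == "MAILER-DAEMON"]
    return {
        "total": len(entries),
        "bounces": len(bounces),
        "bounce_bytes": sum(e.size for e in bounces),
        "bounce_domains": Counter(domain_of(r) for e in bounces for r in e.recipients),
        "senders": Counter(e.sender for e in entries),
        "reasons": Counter(e.reason for e in entries),
    }


if __name__ == "__main__":
    for key, value in summarise(parse_mailq(SAMPLE_MAILQ)).items():
        print(f"{key}: {value}")
```

On a live box, feed it the output of `mailq` (or `sendmail -bp`) instead of SAMPLE_MAILQ; when bounce_domains is concentrated on one domain that refuses connections, you are looking at backscatter from mail with forged sender addresses, and the sendmail log entries for those queue ids (the relay= field) tell you where the originals came in.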
6 Comments
 
LVL 12

Expert Comment

by:GinEric
It looks like you have either a rootkit infection or the webserver has been compromised [temp folders infected and sending out emails].

Check both, get rkhunter and run it and manually inspect your temporary folders.

KDE and Apache are infamous for getting hit this way.

Look for .pl files or similar in temp and cache folders.

It's especially true if user "nobody" is sending out emails, but it could be any user account.  Web Server "nobody" account should have mail account disallowed and temp folders shouldn't have execute permissions by default.

Sendmail has done a good job of stopping the spam, which seems to be coming from your server.

Also, mail.0451 in any variation is a spam relayer.  You might want to block all of their domains in the sendmail or hosts.deny file.
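The temp and cache folder check suggested above can be scripted. This is an added Python example, not code from the thread: it walks the directories it is given and reports regular files that carry an execute bit or look like a script (by extension or a `#!` shebang), with owner uid and mode so that files owned by the web-server account stand out. The tree it scans in the demo is a constructed sample built in a temporary location, not a real /tmp, and the script extensions and the `Finding` type are my own choices.

```python
"""Triage scan of temp/cache directories for stray executables and scripts."""
import os
import stat
import tempfile
from dataclasses import dataclass

# Extensions worth a second look in a temp or cache folder (my list, extend as needed).
SCRIPT_SUFFIXES = (".pl", ".sh", ".php", ".py", ".cgi")


@dataclass
class Finding:
    path: str
    uid: int      # compare against the web server's account (often "nobody") with pwd.getpwnam
    mode: str     # ls-style mode string, e.g. -rwxr-xr-x
    why: str      # "executable", "script" or "executable+script"


def looks_like_script(path: str) -> bool:
    """True for a script-like extension or a '#!' shebang in the first two bytes."""
    if path.lower().endswith(SCRIPT_SUFFIXES):
        return True
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"#!"
    except OSError:
        return False


def scan_dirs(roots: list) -> list:
    """Walk each root and return a Finding for every regular file that is executable or a script."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)          # lstat: do not follow planted symlinks
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode):
                    continue                     # skip symlinks, sockets, fifos
                reasons = []
                if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                    reasons.append("executable")
                if looks_like_script(path):
                    reasons.append("script")
                if reasons:
                    findings.append(Finding(path, st.st_uid,
                                            stat.filemode(st.st_mode), "+".join(reasons)))
    return findings


def by_name(findings: list) -> dict:
    """Map basename -> why, handy for a quick report or for tests."""
    return {os.path.basename(f.path): f.why for f in findings}


def build_sample_tree() -> str:
    """Constructed sample standing in for /tmp plus a web cache directory; not real data."""
    root = tempfile.mkdtemp(prefix="tmpscan_")
    cache = os.path.join(root, "cache")
    os.mkdir(cache)
    with open(os.path.join(root, "sess_abc123"), "w") as fh:   # harmless session file
        fh.write("a|s:1:x;")
    with open(os.path.join(cache, "mailer.pl"), "w") as fh:    # script by extension, mode 0644
        fh.write("#!/usr/bin/perl\nprint 1;\n")
    disguised = os.path.join(cache, "data.dat")                 # script by shebang, chmod 755
    with open(disguised, "w") as fh:
        fh.write("#!/bin/sh\necho hi\n")
    os.chmod(disguised, 0o755)
    return root


if __name__ == "__main__":
    for f in scan_dirs([build_sample_tree()]):
        print(f"{f.mode} uid={f.uid} {f.why:18} {f.path}")
```

Run it as root against the real directories (`scan_dirs(["/tmp", "/var/tmp", "/var/spool/mqueue", "<your web cache>"])`) and read the uid column: anything executable under the web server's account in a world-writable directory is the kind of file the comment above is asking you to look for.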

Author Comment

by:zkaiserm
It's an HP-UX box. Are the commands going to be any different?
LVL 9

Expert Comment

by:jabiii
Do you have relay turned off?
LVL 12

Accepted Solution

by:GinEric earned 500 total points
The commands are for any Linux box, there should be no difference.

sendmail: .0451.com

or

ALL: .0451.com

Will block them.  I have been working on a Windows network installation while the Linux server is down for replacement.  If I can find the hosts.deny, I'll give a sample listing of how to block these email attempts.  Also, user nobody is generally "disabled" under most Linux systems using Apache by default.  If you see emails to or from user "nobody" you have a problem somewhere.
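Because a hosts.deny rule is easy to get subtly wrong, here is an added Python example (mine, not from the thread) that evaluates a rule the way tcpd's hosts_access(5) does for the common pattern forms: `ALL`, `LOCAL`, a leading-dot domain suffix such as `.0451.com`, a trailing-dot network prefix such as `192.168.99.`, and an exact hostname or address. The rule strings and the client hosts are constructed for the demo; `EXCEPT`, the `net/mask` form and the optional shell-command field are deliberately left out. It shows why the leading dot matters: `0451.com` on its own matches only a host literally named 0451.com, while `.0451.com` matches mail.0451.com and every other host under that domain. Two caveats a practitioner will want: sendmail consults hosts.allow and hosts.deny only when it was built with TCP wrappers support (its native mechanism is the access database), and these rules govern new inbound connections only, so they do not remove messages already sitting in the queue.

```python
"""Evaluate which clients a hosts.deny rule matches (simplified hosts_access(5) semantics)."""
import re

# Constructed rules: the literal form, the domain-suffix form, and a multi-client form.
RULE_LITERAL = "sendmail: 0451.com"
RULE_DOMAIN = "sendmail: .0451.com"
RULE_ALL_DAEMONS = "ALL: .0451.com, 192.168.99."


def client_matches(pattern: str, host: str, addr: str) -> bool:
    """Client patterns: ALL, LOCAL, '.domain' suffix, 'net.' prefix, or a literal host/address."""
    p = pattern.lower()
    host = host.lower()
    if p == "all":
        return True
    if p == "local":                      # any hostname without a dot in it
        return "." not in host
    if p.startswith("."):                 # trailing components of the hostname must match
        return host.endswith(p)
    if p.endswith("."):                   # leading numeric fields of the address must match
        return addr.startswith(p)
    return host == p or addr == p         # otherwise an exact hostname or address


def daemon_matches(pattern: str, daemon: str) -> bool:
    return pattern.upper() == "ALL" or pattern == daemon


def _split_list(text: str) -> list:
    """Daemon and client lists are separated by blanks and/or commas."""
    return [item for item in re.split(r"[,\s]+", text) if item]


def parse_rule(line: str):
    """'daemon_list : client_list [: shell_command]' -> (daemons, clients), or None for blank/comment."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = [f.strip() for f in line.split(":")]
    if len(fields) < 2:
        raise ValueError(f"malformed access rule: {line!r}")
    return _split_list(fields[0]), _split_list(fields[1])   # optional command field ignored


def is_denied(rules: str, daemon: str, host: str, addr: str) -> bool:
    """True if any rule in the hosts.deny text covers this daemon and client."""
    for line in rules.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        daemons, clients = rule
        if (any(daemon_matches(d, daemon) for d in daemons)
                and any(client_matches(c, host, addr) for c in clients)):
            return True
    return False


if __name__ == "__main__":
    for rule in (RULE_LITERAL, RULE_DOMAIN):
        print(f"{rule!r:28} mail.0451.com denied: {is_denied(rule, 'sendmail', 'mail.0451.com', '203.0.113.10')}")
```

The suffix match relies on tcpd knowing the client's hostname, which it gets from a reverse lookup; a connecting host with no PTR record is seen only by address, so a domain-only rule does not catch it and an address or network pattern is needed as well.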