Network_Padawan
asked on
Help! Sendmail queue is getting hammered with spammers
We have over 16000 mail items in our queue. Someone is spamming us and I have no idea how to determine who or what IP is doing this.
Can someone help me with some commands in sendmail to see who is doing this?
ASKER
Thanks jay3817, we use our sendmail as an SMTP relay for other sites... it's a business decision. Here are the sendmail.mc and access files. Thank
divert(-1)
dnl This is the sendmail macro config file. If you make changes to this file,
dnl you need the sendmail-cf rpm installed and then have to generate a
dnl new /etc/sendmail.cf by running the following command:
dnl
dnl m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')
VERSIONID(`linux setup for Red Hat Linux')dnl
OSTYPE(`linux')
DOMAIN(generic)dnl
define(`confMAX_DAEMON_CHILDREN', `300')dnl
define(`confQUEUE_LA', `50')dnl
define(`confCONNECTION_RATE_THROTTLE', `100')dnl
define(`confMAX_RUNNERS_PER_QUEUE', `35')dnl
define(`confMAX_QUEUE_CHILDREN', `150')dnl
define(`confTO_QUEUERETURN', `8h')dnl
define(`confTO_QUEUEWARN', `2h')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confTO_IDENT', `0s')dnl
define(`confDONT_PROBE_INTERFACE', `True')dnl
define(`confLOG_LEVEL', `9')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`PROCMAIL_MAILER_ARGS', `procmail -m $h $g $u')dnl
define(`PROCMAIL_MAILER_FLAGS', `mSDFMhun')dnl
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Family=inet, Addr=203.38.180.201, Port=25, Name=corp-mail-1, M=bhE')dnl
DAEMON_OPTIONS(`Family=inet, Addr=127.0.0.1, Port=25, Name=corp-mail-1, M=bhE')dnl
DAEMON_OPTIONS(`Family=inet, Addr=203.38.180.202, Port=25, Name=cust-mail-1, M=bhE')dnl
dnl m4 quoting is backtick ... single quote; plain single quotes on both sides are not quotes to m4
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(use_cw_file)dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`greet_pause',1000)dnl
dnl FEATURE(`ratecontrol', ,`terminate')dnl
dnl FEATURE(`dnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
dnl FEATURE(`dnsbl', `relays.ordb.org', `"550 Email rejected see http://www.ordb.org/faq/\#why_rejected"')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl LOCAL_CONFIG
dnl CPprocmail
dnl LOCAL_RULESETS
ASKER
access file: it's much longer than this but you get the general idea
localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
10 RELAY
203.38.180 RELAY
172.16 RELAY
172.25 RELAY
## Temp Fiji WANIPs
210.7.17.186 RELAY
## Rsync dump of UK sites
203.39.52.154 RELAY
213.98.162.70 RELAY
78.105.11.112 RELAY
78.105.4.101 RELAY
78.105.8.127 RELAY
80.101.6.81 RELAY
81.44.254.97 RELAY
82.163.51.219 RELAY
87.244.115.201 RELAY
88.81.147.78 RELAY
89.145.218.250 RELAY
94.193.102.116 RELAY
94.193.97.194 RELAY
## Rsync dump of Fiji sites
202.62.122.2 RELAY
210.7.12.65 RELAY
210.7.12.88 RELAY
210.7.14.36 RELAY
210.7.14.38 RELAY
210.7.16.173 RELAY
210.7.16.174 RELAY
210.7.16.175 RELAY
210.7.16.177 RELAY
210.7.16.185 RELAY
210.7.16.186 RELAY
210.7.16.187 RELAY
210.7.16.192 RELAY
210.7.16.197 RELAY
210.7.16.20 RELAY
210.7.16.200 RELAY
210.7.16.207 RELAY
210.7.16.208 RELAY
210.7.16.209 RELAY
210.7.16.47 RELAY
210.7.16.49 RELAY
No huge problems that I can see. Did you look at the logs (/etc/mail/maillog) to see what IP address these messages are actually coming from? According to http://mxtoolbox.com your server is not an open relay, so that leaves two possibilities:
1. The spam is coming from one of the IPs listed in your /etc/mail/access file. If this is the case some workstation at that site probably has a virus or spyware that is going nuts.
2. A local account on this sendmail server is compromised and someone is using a valid username/password to get around the relay restriction.
Check the logs to see where exactly it's coming from to know how to proceed. Do you have any local accounts on this sendmail server other than the service accounts (which shouldn't have passwords) and root? When was the last time you changed the passwords?
...yeah the log is actually located at:
/var/log/maillog
sorry about the confusion...
ASKER
hi jar 3817
Thanks for your help. What I did was verify the valid email, push them through one by one and then flushed the mail queue.
Can I ask, you stated "Check the logs to see where exactly it's coming from to know how to proceed". I did a tail on the /var/log/messages but I didn't really know what to look for. If it was one of the networks that we allow to relay their SMTP through us, what is the best way of finding out the source? What should I look for?
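One way to answer "what should I look for" in /var/log/maillog, as an added example that is not part of this thread: every message sendmail queues produces a from= line carrying the sending client's address in relay=, so counting those lines per client IP and checking each IP against the RELAY entries from the posted access file separates the two cases jar3817 describes (a host at an allowed relay site gone mad vs. a client outside the list that got through some other way, such as a valid SMTP AUTH login). The log lines and the IPs 10.1.2.12 and 198.51.100.7 are constructed for the example; the RELAY prefixes are a subset of the posted access file.

```python
import re
from collections import Counter

# Constructed sample maillog lines (not from the thread), in the format sendmail
# uses for the from= line written when a message enters the queue.
SAMPLE_LOG = """\
Jun  3 09:12:01 corp-mail-1 sendmail[4021]: n539C1AB004021: from=<fred@example.com>, size=2201, class=0, nrcpts=1, msgid=<a1@example.com>, proto=ESMTP, daemon=corp-mail-1, relay=pc12.example.com [10.1.2.12]
Jun  3 09:12:02 corp-mail-1 sendmail[4022]: n539C2AB004022: from=<promo@bogus.test>, size=9020, class=0, nrcpts=40, msgid=<b2@bogus.test>, proto=ESMTP, daemon=cust-mail-1, relay=[210.7.16.20]
Jun  3 09:12:03 corp-mail-1 sendmail[4023]: n539C3AB004023: from=<promo@bogus.test>, size=9020, class=0, nrcpts=40, msgid=<b3@bogus.test>, proto=ESMTP, daemon=cust-mail-1, relay=[210.7.16.20]
Jun  3 09:12:04 corp-mail-1 sendmail[4024]: n539C4AB004024: from=<sales@other.test>, size=1500, class=0, nrcpts=1, msgid=<c4@other.test>, proto=ESMTP, daemon=corp-mail-1, relay=mail.other.test [198.51.100.7]
"""

# Subset of the RELAY entries from the access file posted above.
RELAY_PREFIXES = ["127.0.0.1", "10", "203.38.180", "172.16", "172.25", "210.7.17.186", "210.7.16.20"]

# relay= is either "host.name [ip]" or just "[ip]"; local submissions (relay=user@localhost) carry no IP.
FROM_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>.*?nrcpts=(?P<nrcpts>\d+)"
    r".*?relay=(?:\S+ )?\[(?P<ip>[\d.]+)\]")


def allowed_relay(ip, prefixes=RELAY_PREFIXES):
    """Mimic the access_db lookup for addresses: full IP first, then drop trailing octets."""
    octets = ip.split(".")
    return any(".".join(octets[:n]) in prefixes for n in range(len(octets), 0, -1))


def summarize(log_text, prefixes=RELAY_PREFIXES):
    """Per client IP: queued messages, total recipients, envelope senders, relay status."""
    per_ip = {}
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if not m:
            continue
        e = per_ip.setdefault(m["ip"], {"messages": 0, "recipients": 0, "senders": Counter(),
                                        "allowed_relay": allowed_relay(m["ip"], prefixes)})
        e["messages"] += 1
        e["recipients"] += int(m["nrcpts"])  # spam runs show up in nrcpts, not just message count
        e["senders"][m["sender"]] += 1
    return per_ip


def top_sources(log_text, prefixes=RELAY_PREFIXES, limit=5):
    """(ip, stats) pairs, busiest by recipient count first."""
    return sorted(summarize(log_text, prefixes).items(),
                  key=lambda kv: kv[1]["recipients"], reverse=True)[:limit]


if __name__ == "__main__":
    for ip, e in top_sources(SAMPLE_LOG):
        flag = "allowed relay site" if e["allowed_relay"] else "NOT in access RELAY list"
        sender = e["senders"].most_common(1)[0][0]
        print(f"{ip:16} msgs={e['messages']:4} rcpts={e['recipients']:5} {flag}  top sender={sender}")
```

Run it against the real file with `summarize(open("/var/log/maillog").read())`; an allowed-relay IP at the top of the list is the first possibility above, while a queued sender outside the list points at the second.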
1.2.3.4 ERROR:550 Go Away
Then remake the access map and restart sendmail.
That's one problem. The next problem is why is your server accepting mail for external recipients in the first place? It should only accept mail for the domains it handles, rejecting all others. Paste a copy of your /etc/mail/sendmail.mc file and /etc/mail/access file so we can see why you're relaying when you shouldn't be.