We help IT Professionals succeed at work.

Help! Sendmail queue is getting hammered with spammers

Network_Padawan
on
390 Views
Last Modified: 2013-12-18
We have over 16000 mail items in our queue. Someone is spamming us and I have no idea how to determine who or what IP is doing this.

Can someone help me with some commands in sendmail to see who is doing this?
Comment
Watch Question

Commented:
Look in /var/log/maillog to find the IP address. Then add that address to your /etc/mail/access file:

1.2.3.4    ERROR:550 Go Away

Then remake the access map and restart sendmail.

That's one problem. The next problem is why is your server accepting mail for external recipients in the first place? It should only accept mail for the domains it handles, rejecting all others. Paste a copy of your /etc/mail/sendmail.mc file and /etc/mail/access file so we can see why you're relaying when you shouldn't be.

Author

Commented:
Thanks jay3817, we use our sendmail as a smtp relay for other sites...its a business decision. Here are the sendmail.mc and  access files. Thank

divert(-1)
dnl This is the sendmail macro config file. If you make changes to this file,
dnl you need the sendmail-cf rpm installed and then have to generate a
dnl new /etc/sendmail.cf by running the following command:
dnl
dnl        m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')
VERSIONID(`linux setup for Red Hat Linux')dnl
OSTYPE(`linux')
DOMAIN(generic)dnl
define(`confMAX_DAEMON_CHILDREN', `300')dnl
define(`confQUEUE_LA', `50')dnl
define(`confCONNECTION_RATE_THROTTLE', `100')dnl
define(`confMAX_RUNNERS_PER_QUEUE', `35')dnl
define(`confMAX_QUEUE_CHILDREN', `150')dnl
define(`confTO_QUEUERETURN', `8h')dnl
define(`confTO_QUEUEWARN', `2h')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confTO_IDENT', `0s')dnl
define(`confDONT_PROBE_INTERFACE', `True')dnl
define(`confLOG_LEVEL', `9')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`PROCMAIL_MAILER_ARGS', `procmail -m $h $g $u')dnl
define(`PROCMAIL_MAILER_FLAGS', `mSDFMhun')dnl
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Family=inet, Addr=203.38.180.201, Port=25, Name=corp-mail-1, M=bhE')dnl
DAEMON_OPTIONS(`Family=inet, Addr=127.0.0.1, Port=25, Name=corp-mail-1, M=bhE')dnl
DAEMON_OPTIONS(`Family=inet, Addr=203.38.180.202, Port=25, Name=cust-mail-1, M=bhE')dnl
TRUST_AUTH_MECH('LOGIN PLAIN')dnl
define('confAUTH_MECHANISMS', 'LOGIN PLAIN')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(use_cw_file)dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`greet_pause',1000)
dnl FEATURE(`ratecontrol', ,`terminate')dnl
dnl FEATURE(`dnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
dnl FEATURE(`dnsbl', `relays.ordb.org', `"550 Email rejected see http://www.ordb.org/faq/\#why_rejected"')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl LOCAL_CONFIG
dnl CPprocmail
dnl LOCAL_RULESETS

Author

Commented:
access file: its much longer than this but you get the general idea

localhost.localdomain           RELAY
localhost                       RELAY
127.0.0.1                       RELAY
10                              RELAY
203.38.180                      RELAY
172.16                          RELAY
172.25                          RELAY

## Temp Fiji WANIPs
210.7.17.186                    RELAY

## Rsync dump of UK sites
203.39.52.154   RELAY
213.98.162.70   RELAY
78.105.11.112   RELAY
78.105.4.101    RELAY
78.105.8.127    RELAY
80.101.6.81     RELAY
81.44.254.97    RELAY
82.163.51.219   RELAY
87.244.115.201  RELAY
88.81.147.78    RELAY
89.145.218.250  RELAY
94.193.102.116  RELAY
94.193.97.194   RELAY

## Rsync dump of Fiji sites
202.62.122.2  RELAY
210.7.12.65  RELAY
210.7.12.88  RELAY
210.7.14.36  RELAY
210.7.14.38  RELAY
210.7.16.173  RELAY
210.7.16.174  RELAY
210.7.16.175  RELAY
210.7.16.177  RELAY
210.7.16.185  RELAY
210.7.16.186  RELAY
210.7.16.187  RELAY
210.7.16.192  RELAY
210.7.16.197  RELAY
210.7.16.20  RELAY
210.7.16.200  RELAY
210.7.16.207  RELAY
210.7.16.208  RELAY
210.7.16.209  RELAY
210.7.16.47  RELAY
210.7.16.49  RELAY

Commented:
No huge problems that I can see. Did you look at the logs (/etc/mail/maillog) to see what IP address these messages are actually coming from? According to http://mxtoolbox.com your server is not an open relay, so that leaves two possibilities:

1. The spam is coming from one of the IPs listed in your /etc/mail/access file. If this is the case some workstation at that site probably has a virus or spyware that is going nuts.

2. A local account on this sendmail server is compromised and someone is using a valid username/password to get around the relay restriction.

Check the logs to see where exactly it's coming from to know how to proceed. Do you have any local accounts on this sendmail server other than the service accounts (which shouldn't have passwords) and root? When was the last time you changed the passwords?

Commented:
...yeah the log is actually located at:

/var/log/maillog

sorry, about the confusion...

Author

Commented:
hi jar 3817

Thanks for your help. What i did was verify the valid email, push them through one by one and then flushed the mail queue.

Can I ask, you stated "Check the logs to see where exactly it's coming from to know how to proceed", I did a tail on the /var/log/messages but I didn't really know what to look for. If it was one of the networks that we allow to relay their smtp through us, what is the best way of finding out the source? What should I look for?
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.