Solved

Help! Sendmail queue is getting hammered with spammers

Posted on 2009-07-07
344 Views
Last Modified: 2013-12-18
We have over 16000 mail items in our queue. Someone is spamming us and I have no idea how to determine who or what IP is doing this.

Can someone help me with some commands in sendmail to see who is doing this?
Question by:Network_Padawan
7 Comments
 
LVL 26

Expert Comment

by:jar3817
ID: 24792956
Look in /var/log/maillog to find the IP address. Then add that address to your /etc/mail/access file:

1.2.3.4    ERROR:550 Go Away

Then remake the access map and restart sendmail.

That's one problem. The next problem is why is your server accepting mail for external recipients in the first place? It should only accept mail for the domains it handles, rejecting all others. Paste a copy of your /etc/mail/sendmail.mc file and /etc/mail/access file so we can see why you're relaying when you shouldn't be.
 

Author Comment

by:Network_Padawan
ID: 24799681
Thanks jar3817, we use our sendmail as an SMTP relay for other sites... it's a business decision. Here are the sendmail.mc and access files. Thanks.

divert(-1)
dnl This is the sendmail macro config file. If you make changes to this file,
dnl you need the sendmail-cf rpm installed and then have to generate a
dnl new /etc/sendmail.cf by running the following command:
dnl
dnl        m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')
VERSIONID(`linux setup for Red Hat Linux')dnl
OSTYPE(`linux')
DOMAIN(generic)dnl
define(`confMAX_DAEMON_CHILDREN', `300')dnl
define(`confQUEUE_LA', `50')dnl
define(`confCONNECTION_RATE_THROTTLE', `100')dnl
define(`confMAX_RUNNERS_PER_QUEUE', `35')dnl
define(`confMAX_QUEUE_CHILDREN', `150')dnl
define(`confTO_QUEUERETURN', `8h')dnl
define(`confTO_QUEUEWARN', `2h')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confTO_IDENT', `0s')dnl
define(`confDONT_PROBE_INTERFACE', `True')dnl
define(`confLOG_LEVEL', `9')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`PROCMAIL_MAILER_ARGS', `procmail -m $h $g $u')dnl
define(`PROCMAIL_MAILER_FLAGS', `mSDFMhun')dnl
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Family=inet, Addr=203.38.180.201, Port=25, Name=corp-mail-1, M=bhE')dnl
DAEMON_OPTIONS(`Family=inet, Addr=127.0.0.1, Port=25, Name=corp-mail-1, M=bhE')dnl
DAEMON_OPTIONS(`Family=inet, Addr=203.38.180.202, Port=25, Name=cust-mail-1, M=bhE')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(use_cw_file)dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`greet_pause',1000)
dnl FEATURE(`ratecontrol', ,`terminate')dnl
dnl FEATURE(`dnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
dnl FEATURE(`dnsbl', `relays.ordb.org', `"550 Email rejected see http://www.ordb.org/faq/\#why_rejected"')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl LOCAL_CONFIG
dnl CPprocmail
dnl LOCAL_RULESETS
 

Author Comment

by:Network_Padawan
ID: 24799683
Access file: it's much longer than this, but you get the general idea.

localhost.localdomain           RELAY
localhost                       RELAY
127.0.0.1                       RELAY
10                              RELAY
203.38.180                      RELAY
172.16                          RELAY
172.25                          RELAY

## Temp Fiji WANIPs
210.7.17.186                    RELAY

## Rsync dump of UK sites
203.39.52.154   RELAY
213.98.162.70   RELAY
78.105.11.112   RELAY
78.105.4.101    RELAY
78.105.8.127    RELAY
80.101.6.81     RELAY
81.44.254.97    RELAY
82.163.51.219   RELAY
87.244.115.201  RELAY
88.81.147.78    RELAY
89.145.218.250  RELAY
94.193.102.116  RELAY
94.193.97.194   RELAY

## Rsync dump of Fiji sites
202.62.122.2  RELAY
210.7.12.65  RELAY
210.7.12.88  RELAY
210.7.14.36  RELAY
210.7.14.38  RELAY
210.7.16.173  RELAY
210.7.16.174  RELAY
210.7.16.175  RELAY
210.7.16.177  RELAY
210.7.16.185  RELAY
210.7.16.186  RELAY
210.7.16.187  RELAY
210.7.16.192  RELAY
210.7.16.197  RELAY
210.7.16.20  RELAY
210.7.16.200  RELAY
210.7.16.207  RELAY
210.7.16.208  RELAY
210.7.16.209  RELAY
210.7.16.47  RELAY
210.7.16.49  RELAY
 
LVL 26

Expert Comment

by:jar3817
ID: 24799770
No huge problems that I can see. Did you look at the logs (/etc/mail/maillog) to see what IP address these messages are actually coming from? According to http://mxtoolbox.com your server is not an open relay, so that leaves two possibilities:

1. The spam is coming from one of the IPs listed in your /etc/mail/access file. If this is the case some workstation at that site probably has a virus or spyware that is going nuts.

2. A local account on this sendmail server is compromised and someone is using a valid username/password to get around the relay restriction.

Check the logs to see where exactly it's coming from to know how to proceed. Do you have any local accounts on this sendmail server other than the service accounts (which shouldn't have passwords) and root? When was the last time you changed the passwords?
 
LVL 26

Expert Comment

by:jar3817
ID: 24799778
...yeah the log is actually located at:

/var/log/maillog

Sorry about the confusion...
 

Author Comment

by:Network_Padawan
ID: 24802397
Hi jar3817,

Thanks for your help. What I did was verify the valid emails, push them through one by one, and then flush the mail queue.

Can I ask, you stated "Check the logs to see where exactly it's coming from to know how to proceed", I did a tail on the /var/log/messages but I didn't really know what to look for. If it was one of the networks that we allow to relay their smtp through us, what is the best way of finding out the source? What should I look for?
 
LVL 26

Accepted Solution

by:jar3817 (earned 500 total points)
ID: 24802424
The file you need to look in is:

/var/log/maillog

Get the message ID from one of the spam messages in the queue (by typing "mailq" to display the queue) and then search for that ID in the maillog file. You'll see the IP address in the log entry.

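As an added example, not code from this thread or from sendmail itself, here is a POSIX shell script that does what the accepted answer describes: take the queue IDs from mailq, find each one's from= line in /var/log/maillog and read off the relay IP. It also covers the two possibilities jar3817 lists earlier (a relay-permitted network or a compromised local account) by tallying accepted messages per client IP and SASL logins per account. It assumes sendmail's standard log formats: a from= line ending in "relay=host [ip]" and an "AUTH=server, relay=..., authid=..., mech=..." line for SASL logins. The function names are mine, and the queue listing, log lines, queue IDs, hostnames and addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original thread: correlate the queue IDs
# that "mailq" prints with the "from=" lines in /var/log/maillog so the
# client IP (or authenticated user) that injected the backlog stands out.
# Everything below the function definitions is constructed sample data.

MAILLOG="${MAILLOG:-/var/log/maillog}"

# Print the queue IDs found in mailq output read on stdin
# (sendmail 8.12+ queue IDs are 14 alphanumeric characters).
queue_ids() {
  awk 'length($1) == 14 && $1 ~ /^[A-Za-z0-9]+$/ { print $1 }'
}

# Print the client IP from the from= line that belongs to one queue ID.
relay_ip_for_qid() {
  awk -v qid="$1" '
    index($0, ": " qid ": from=") && match($0, /relay=[^,]*\[[0-9.]+\]/) {
      s = substr($0, RSTART, RLENGTH)
      sub(/.*\[/, "", s); sub(/\]$/, "", s)
      print s
      exit
    }' "$MAILLOG"
}

# Read mailq output on stdin and count queued messages per injecting client IP.
queued_by_ip() {
  queue_ids | while read -r qid; do relay_ip_for_qid "$qid"; done |
    sort | uniq -c | awk '{ printf "%d %s\n", $1, $2 }' | sort -k1,1nr -k2
}

# Count every accepted message (from= line) in the log per client IP.
top_relays() {
  awk 'index($0, ": from=<") && match($0, /relay=[^,]*\[[0-9.]+\]/) {
      s = substr($0, RSTART, RLENGTH)
      sub(/.*\[/, "", s); sub(/\]$/, "", s)
      n[s]++
    }
    END { for (ip in n) printf "%d %s\n", n[ip], ip }' "$MAILLOG" | sort -k1,1nr -k2
}

# Count SASL logins per authid. sendmail writes these "AUTH=server" lines
# only at LogLevel 10 or higher (the sendmail.mc posted above uses 9).
auth_users() {
  awk 'index($0, "AUTH=server") && match($0, /authid=[^,]+/) {
      n[substr($0, RSTART + 7, RLENGTH - 7)]++
    }
    END { for (u in n) printf "%d %s\n", n[u], u }' "$MAILLOG" | sort -k1,1nr -k2
}

# ---- constructed sample data (queue IDs, hosts and addresses are made up) ----
SAMPLE_MAILQ='                /var/spool/mqueue (3 requests)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
n6791gab004102     9021 Tue Jul  7 09:16 <promo@bogus.example>
                                         <victim1@example.net>
n6791gab004103     9021 Tue Jul  7 09:16 <promo@bogus.example>
                                         <victim2@example.net>
n6792Bab004150     9021 Tue Jul  7 09:17 <promo@bogus.example>
                                         <victim3@example.net>
                Total requests: 3'

SAMPLE_MAILLOG='Jul  7 09:15:02 corp-mail-1 sendmail[4011]: n67915ab004011: from=<alice@example.org>, size=1834, class=0, nrcpts=1, msgid=<a1@example.org>, proto=ESMTP, daemon=corp-mail-1, relay=ws12.example.org [10.1.2.12]
Jul  7 09:15:03 corp-mail-1 sendmail[4013]: n67915ab004011: to=<bob@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31834, relay=mx.example.net. [192.0.2.25], dsn=2.0.0, stat=Sent
Jul  7 09:16:44 corp-mail-1 sendmail[4102]: n6791gab004102: from=<promo@bogus.example>, size=9021, class=0, nrcpts=50, msgid=<x1@bogus.example>, proto=ESMTP, daemon=cust-mail-1, relay=[198.51.100.77]
Jul  7 09:16:45 corp-mail-1 sendmail[4103]: n6791gab004103: from=<promo@bogus.example>, size=9021, class=0, nrcpts=50, msgid=<x2@bogus.example>, proto=ESMTP, daemon=cust-mail-1, relay=[198.51.100.77]
Jul  7 09:17:10 corp-mail-1 sendmail[4150]: AUTH=server, relay=[203.0.113.9], authid=jsmith, mech=LOGIN, bits=0
Jul  7 09:17:11 corp-mail-1 sendmail[4150]: n6792Bab004150: from=<promo@bogus.example>, size=9021, class=0, nrcpts=48, msgid=<x3@bogus.example>, proto=ESMTP, daemon=corp-mail-1, relay=[203.0.113.9]'

SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
printf '%s\n' "$SAMPLE_MAILLOG" > "$SAMPLE_FILE"
MAILLOG="$SAMPLE_FILE"   # point the helpers at the sample instead of the live log

echo "== queued messages per injecting IP (mailq vs maillog) =="
printf '%s\n' "$SAMPLE_MAILQ" | queued_by_ip
echo "== all accepted messages per client IP =="
top_relays
echo "== SASL logins per account =="
auth_users
```

On the live server, keep MAILLOG at its default and run `mailq | queued_by_ip`; the top line is the address filling the queue. If that address is one of the RELAY networks in /etc/mail/access, the first reply's fix applies: add the ERROR:550 entry, rebuild the map with `makemap hash /etc/mail/access.db < /etc/mail/access`, and restart sendmail, then chase the infected workstation at that site. If the messages instead come in over a SASL login, the second possibility (a compromised local account) is the one to pursue; with confLOG_LEVEL raised to 10 the AUTH=server lines appear and `auth_users` shows which account is being abused.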
