Help! Sendmail queue is getting hammered with spammers

We have over 16000 mail items in our queue. Someone is spamming us and I have no idea how to determine who or what IP is doing this.

Can someone help me with some commands in sendmail to see who is doing this?
Network_Padawan asked:

jar3817 commented:
Look in /var/log/maillog to find the IP address. Then add that address to your /etc/mail/access file:

1.2.3.4    ERROR:550 Go Away

Then remake the access map and restart sendmail.

That's one problem. The next problem is why is your server accepting mail for external recipients in the first place? It should only accept mail for the domains it handles, rejecting all others. Paste a copy of your /etc/mail/sendmail.mc file and /etc/mail/access file so we can see why you're relaying when you shouldn't be.
Network_Padawan (author) commented:
Thanks jar3817, we use our sendmail as an SMTP relay for other sites... it's a business decision. Here are the sendmail.mc and access files. Thanks

divert(-1)
dnl This is the sendmail macro config file. If you make changes to this file,
dnl you need the sendmail-cf rpm installed and then have to generate a
dnl new /etc/sendmail.cf by running the following command:
dnl
dnl        m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')
VERSIONID(`linux setup for Red Hat Linux')dnl
OSTYPE(`linux')
DOMAIN(generic)dnl
define(`confMAX_DAEMON_CHILDREN', `300')dnl
define(`confQUEUE_LA', `50')dnl
define(`confCONNECTION_RATE_THROTTLE', `100')dnl
define(`confMAX_RUNNERS_PER_QUEUE', `35')dnl
define(`confMAX_QUEUE_CHILDREN', `150')dnl
define(`confTO_QUEUERETURN', `8h')dnl
define(`confTO_QUEUEWARN', `2h')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confTO_IDENT', `0s')dnl
define(`confDONT_PROBE_INTERFACE', `True')dnl
define(`confLOG_LEVEL', `9')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`PROCMAIL_MAILER_ARGS', `procmail -m $h $g $u')dnl
define(`PROCMAIL_MAILER_FLAGS', `mSDFMhun')dnl
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Family=inet, Addr=203.38.180.201, Port=25, Name=corp-mail-1, M=bhE')dnl
DAEMON_OPTIONS(`Family=inet, Addr=127.0.0.1, Port=25, Name=corp-mail-1, M=bhE')dnl
DAEMON_OPTIONS(`Family=inet, Addr=203.38.180.202, Port=25, Name=cust-mail-1, M=bhE')dnl
dnl m4 quotes are a backtick and an apostrophe; straight apostrophes on both
dnl sides are passed through literally and the two lines below would not take effect.
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(use_cw_file)dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`greet_pause',1000)
dnl FEATURE(`ratecontrol', ,`terminate')dnl
dnl FEATURE(`dnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
dnl FEATURE(`dnsbl', `relays.ordb.org', `"550 Email rejected see http://www.ordb.org/faq/\#why_rejected"')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl LOCAL_CONFIG
dnl CPprocmail
dnl LOCAL_RULESETS
Network_Padawan (author) commented:
Access file (it's much longer than this, but you get the general idea):

localhost.localdomain           RELAY
localhost                       RELAY
127.0.0.1                       RELAY
10                              RELAY
203.38.180                      RELAY
172.16                          RELAY
172.25                          RELAY

## Temp Fiji WANIPs
210.7.17.186                    RELAY

## Rsync dump of UK sites
203.39.52.154   RELAY
213.98.162.70   RELAY
78.105.11.112   RELAY
78.105.4.101    RELAY
78.105.8.127    RELAY
80.101.6.81     RELAY
81.44.254.97    RELAY
82.163.51.219   RELAY
87.244.115.201  RELAY
88.81.147.78    RELAY
89.145.218.250  RELAY
94.193.102.116  RELAY
94.193.97.194   RELAY

## Rsync dump of Fiji sites
202.62.122.2  RELAY
210.7.12.65  RELAY
210.7.12.88  RELAY
210.7.14.36  RELAY
210.7.14.38  RELAY
210.7.16.173  RELAY
210.7.16.174  RELAY
210.7.16.175  RELAY
210.7.16.177  RELAY
210.7.16.185  RELAY
210.7.16.186  RELAY
210.7.16.187  RELAY
210.7.16.192  RELAY
210.7.16.197  RELAY
210.7.16.20  RELAY
210.7.16.200  RELAY
210.7.16.207  RELAY
210.7.16.208  RELAY
210.7.16.209  RELAY
210.7.16.47  RELAY
210.7.16.49  RELAY

jar3817 commented:
No huge problems that I can see. Did you look at the logs (/etc/mail/maillog) to see what IP address these messages are actually coming from? According to http://mxtoolbox.com your server is not an open relay, so that leaves two possibilities:

1. The spam is coming from one of the IPs listed in your /etc/mail/access file. If this is the case some workstation at that site probably has a virus or spyware that is going nuts.

2. A local account on this sendmail server is compromised and someone is using a valid username/password to get around the relay restriction.

Check the logs to see where exactly it's coming from to know how to proceed. Do you have any local accounts on this sendmail server other than the service accounts (which shouldn't have passwords) and root? When was the last time you changed the passwords?
jar3817 commented:
...yeah the log is actually located at:

/var/log/maillog

sorry, about the confusion...
Network_Padawan (author) commented:
Hi jar3817,

Thanks for your help. What I did was verify the valid email, push them through one by one and then flush the mail queue.

Can I ask, you stated "Check the logs to see where exactly it's coming from to know how to proceed". I did a tail on /var/log/messages but I didn't really know what to look for. If it was one of the networks that we allow to relay their SMTP through us, what is the best way of finding out the source? What should I look for?
jar3817 commented:
The file you need to look in is:

/var/log/maillog

Get the message ID from one of the spam messages in the queue (by typing "mailq" to display the queue) and then search for that ID in the maillog file. You'll see the IP address in the log entry.

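As an added example (not part of the thread and not jar3817's code), here is a Python script that does what the answers above describe in one pass: it reads `mailq` output for the queued message IDs, finds each ID's `from=` line in maillog to get the relay IP (and, through the `sendmail[pid]` field, the SMTP AUTH user if one logged in on that session), tallies the sources, labels each one as relay-listed, authenticated or other, and prints access-file lines in the `ERROR:550` form from the first answer. The mailq output, log lines, hostnames, IPs, queue IDs and the username jsmith are all constructed; the RELAY prefixes mirror the access file posted above.

```python
import re
from collections import defaultdict

# RELAY keys mirrored from the posted access file (constructed subset). Sendmail
# matches IP keys on dotted-quad boundaries, so "10" covers 10.x.x.x, not 100.x.x.x.
RELAY_PREFIXES = ["10", "172.16", "172.25", "203.38.180", "210.7.16.173"]

# Constructed `mailq` output in sendmail's format (14-character queue IDs).
SAMPLE_MAILQ = """\
                /var/spool/mqueue (6 requests)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
r1BC0r8I012345     2310 Sat Feb 11 12:00 <bulk@example.net>
                 (Deferred: Connection timed out with mx.example.org.)
                                         <victim1@example.org>
r1BC0sAB012346     2310 Sat Feb 11 12:00 <bulk@example.net>
                                         <victim2@example.org>
r1BC0tCD012347     2310 Sat Feb 11 12:00 <bulk@example.net>
                                         <victim3@example.org>
r1BC1uEF012348     2310 Sat Feb 11 12:01 <bulk@example.net>
                                         <victim4@example.org>
r1BC1vGH012349     2310 Sat Feb 11 12:01 <bulk@example.net>
                                         <victim5@example.org>
r1BC2wIJ012350      980 Sat Feb 11 12:02 <payroll@corp.example>
                                         <alice@corp.example>
"""

# Constructed maillog lines. "from=" is sendmail's per-message receipt entry.
# "AUTH=server" is logged once per authenticated SMTP session and carries no
# queue ID, so it is tied to its messages through the sendmail[pid] field.
SAMPLE_MAILLOG = """\
Feb 11 12:00:01 corp-mail-1 sendmail[4011]: AUTH=server, relay=[198.51.100.77], authid=jsmith, mech=LOGIN, bits=0
Feb 11 12:00:01 corp-mail-1 sendmail[4011]: r1BC0r8I012345: from=<bulk@example.net>, size=2310, class=0, nrcpts=1, msgid=<a1@example.net>, proto=ESMTP, daemon=corp-mail-1, relay=[198.51.100.77]
Feb 11 12:00:02 corp-mail-1 sendmail[4011]: r1BC0sAB012346: from=<bulk@example.net>, size=2310, class=0, nrcpts=1, msgid=<a2@example.net>, proto=ESMTP, daemon=corp-mail-1, relay=[198.51.100.77]
Feb 11 12:00:03 corp-mail-1 sendmail[4011]: r1BC0tCD012347: from=<bulk@example.net>, size=2310, class=0, nrcpts=1, msgid=<a3@example.net>, proto=ESMTP, daemon=corp-mail-1, relay=[198.51.100.77]
Feb 11 12:01:05 corp-mail-1 sendmail[4020]: r1BC1uEF012348: from=<bulk@example.net>, size=2310, class=0, nrcpts=1, msgid=<a4@example.net>, proto=ESMTP, daemon=cust-mail-1, relay=pc17.fiji.example [210.7.16.173]
Feb 11 12:01:06 corp-mail-1 sendmail[4020]: r1BC1vGH012349: from=<bulk@example.net>, size=2310, class=0, nrcpts=1, msgid=<a5@example.net>, proto=ESMTP, daemon=cust-mail-1, relay=pc17.fiji.example [210.7.16.173]
Feb 11 12:02:10 corp-mail-1 sendmail[4031]: r1BC2wIJ012350: from=<payroll@corp.example>, size=980, class=0, nrcpts=1, msgid=<p1@corp.example>, proto=ESMTP, daemon=corp-mail-1, relay=hr.corp.example [10.0.5.12]
"""

QUEUE_LINE = re.compile(r"^([A-Za-z0-9]{8,14})\s+\d+\s+.*<([^>]*)>\s*$")
AUTH_LINE = re.compile(r"sendmail\[(\d+)\]: AUTH=server, .*authid=([^,]+)")
FROM_LINE = re.compile(r"sendmail\[(\d+)\]: ([A-Za-z0-9]{8,14}): from=<([^>]*)>,(?:.*relay=(?:(\S+) )?\[([^\]]+)\])?")


def parse_mailq(text):
    """Queue ID -> envelope sender. Recipient and status lines are indented and skipped."""
    return {m.group(1): m.group(2) for m in map(QUEUE_LINE.match, text.splitlines()) if m}


def parse_maillog(text):
    """Queue ID -> {sender, host, ip, authid}. authid comes from the last AUTH=server
    line for the same PID (PIDs get reused, so keep the log slice narrow)."""
    auth_by_pid, origins = {}, {}
    for line in text.splitlines():
        m = AUTH_LINE.search(line)
        if m:
            auth_by_pid[m.group(1)] = m.group(2)
            continue
        m = FROM_LINE.search(line)
        if m:
            pid, qid, sender, host, ip = m.groups()
            origins[qid] = {"sender": sender, "host": host, "ip": ip or "local",
                            "authid": auth_by_pid.get(pid)}  # no bracketed IP = local submission
    return origins


def in_relay_list(ip, prefixes):
    """True if the access map would RELAY for this client (prefix match on whole octets)."""
    octets = ip.split(".")
    return any(octets[:len(p.split("."))] == p.split(".") for p in prefixes)


def summarize(mailq_text, maillog_text, relay_prefixes):
    """Group queued messages by (client IP, authid) and label how each source passed the relay check."""
    origins = parse_maillog(maillog_text)
    groups = defaultdict(list)
    for qid in parse_mailq(mailq_text):
        o = origins.get(qid)
        groups[(o["ip"], o["authid"]) if o else ("unknown", None)].append(qid)
    rows = []
    for (ip, authid), qids in groups.items():
        if authid:
            kind = "authenticated"   # valid login being abused: reset that password
        elif ip in ("local", "unknown"):
            kind = ip                # local process, or queue ID not in this log slice
        elif in_relay_list(ip, relay_prefixes):
            kind = "relay-listed"    # trusted site: look for an infected machine there
        else:
            kind = "other"           # only possible if the server is actually an open relay
        rows.append({"ip": ip, "authid": authid, "kind": kind,
                     "count": len(qids), "queue_ids": sorted(qids)})
    return sorted(rows, key=lambda r: -r["count"])   # worst source first


def access_entries(rows, min_count=1, text="ERROR:550 Go Away"):
    """/etc/mail/access lines for each remote source with at least min_count queued messages.
    A full-IP key is looked up before shorter prefixes, so it overrides a network RELAY line."""
    return [f"{r['ip']}\t{text}" for r in rows
            if r["count"] >= min_count and r["ip"] not in ("local", "unknown")]


if __name__ == "__main__":
    rows = summarize(SAMPLE_MAILQ, SAMPLE_MAILLOG, RELAY_PREFIXES)
    for r in rows:
        print(f"{r['count']:4d}  {r['kind']:<13} {r['ip']:<15} authid={r['authid']}  e.g. {r['queue_ids'][0]}")
    print("\n".join(access_entries(rows, min_count=2)))
```

On the real server, feed `summarize()` the output of `mailq` and the slice of /var/log/maillog covering the period the queue grew. After adding the printed lines to /etc/mail/access, rebuild the map with `makemap hash /etc/mail/access < /etc/mail/access` and restart sendmail. If the top source shows an authid, blocking its IP is only a stopgap: the spammer is using a valid login to pass the relay check, so change that account's password first. If it is a relay-listed address, the problem machine is at the trusted site, and the block buys time while it is cleaned up.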