Solved

Help! Sendmail queue is getting hammered with spammers

Posted on 2009-07-07
351 Views
Last Modified: 2013-12-18
We have over 16000 mail items in our queue. Someone is spamming us and I have no idea how to determine who or what IP is doing this.

Can someone help me with some commands in sendmail to see who is doing this?
Question by: Network_Padawan
7 Comments
 
LVL 26

Expert Comment

by: jar3817
ID: 24792956
Look in /var/log/maillog to find the IP address. Then add that address to your /etc/mail/access file:

1.2.3.4    ERROR:550 Go Away

Then remake the access map and restart sendmail.

That's one problem. The next problem is why is your server accepting mail for external recipients in the first place? It should only accept mail for the domains it handles, rejecting all others. Paste a copy of your /etc/mail/sendmail.mc file and /etc/mail/access file so we can see why you're relaying when you shouldn't be.
 

Author Comment

by: Network_Padawan
ID: 24799681
Thanks jar3817, we use our sendmail as an SMTP relay for other sites... it's a business decision. Here are the sendmail.mc and access files. Thanks.

divert(-1)
dnl This is the sendmail macro config file. If you make changes to this file,
dnl you need the sendmail-cf rpm installed and then have to generate a
dnl new /etc/sendmail.cf by running the following command:
dnl
dnl        m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')
VERSIONID(`linux setup for Red Hat Linux')dnl
OSTYPE(`linux')
DOMAIN(generic)dnl
define(`confMAX_DAEMON_CHILDREN', `300')dnl
define(`confQUEUE_LA', `50')dnl
define(`confCONNECTION_RATE_THROTTLE', `100')dnl
define(`confMAX_RUNNERS_PER_QUEUE', `35')dnl
define(`confMAX_QUEUE_CHILDREN', `150')dnl
define(`confTO_QUEUERETURN', `8h')dnl
define(`confTO_QUEUEWARN', `2h')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confTO_IDENT', `0s')dnl
define(`confDONT_PROBE_INTERFACE', `True')dnl
define(`confLOG_LEVEL', `9')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`PROCMAIL_MAILER_ARGS', `procmail -m $h $g $u')dnl
define(`PROCMAIL_MAILER_FLAGS', `mSDFMhun')dnl
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Family=inet, Addr=203.38.180.201, Port=25, Name=corp-mail-1, M=bhE')dnl
DAEMON_OPTIONS(`Family=inet, Addr=127.0.0.1, Port=25, Name=corp-mail-1, M=bhE')dnl
DAEMON_OPTIONS(`Family=inet, Addr=203.38.180.202, Port=25, Name=cust-mail-1, M=bhE')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(use_cw_file)dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`greet_pause',1000)
dnl FEATURE(`ratecontrol', ,`terminate')dnl
dnl FEATURE(`dnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
dnl FEATURE(`dnsbl', `relays.ordb.org', `"550 Email rejected see http://www.ordb.org/faq/\#why_rejected"')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl LOCAL_CONFIG
dnl CPprocmail
dnl LOCAL_RULESETS
 

Author Comment

by: Network_Padawan
ID: 24799683
access file: it's much longer than this but you get the general idea

localhost.localdomain           RELAY
localhost                       RELAY
127.0.0.1                       RELAY
10                              RELAY
203.38.180                      RELAY
172.16                          RELAY
172.25                          RELAY

## Temp Fiji WANIPs
210.7.17.186                    RELAY

## Rsync dump of UK sites
203.39.52.154   RELAY
213.98.162.70   RELAY
78.105.11.112   RELAY
78.105.4.101    RELAY
78.105.8.127    RELAY
80.101.6.81     RELAY
81.44.254.97    RELAY
82.163.51.219   RELAY
87.244.115.201  RELAY
88.81.147.78    RELAY
89.145.218.250  RELAY
94.193.102.116  RELAY
94.193.97.194   RELAY

## Rsync dump of Fiji sites
202.62.122.2  RELAY
210.7.12.65  RELAY
210.7.12.88  RELAY
210.7.14.36  RELAY
210.7.14.38  RELAY
210.7.16.173  RELAY
210.7.16.174  RELAY
210.7.16.175  RELAY
210.7.16.177  RELAY
210.7.16.185  RELAY
210.7.16.186  RELAY
210.7.16.187  RELAY
210.7.16.192  RELAY
210.7.16.197  RELAY
210.7.16.20  RELAY
210.7.16.200  RELAY
210.7.16.207  RELAY
210.7.16.208  RELAY
210.7.16.209  RELAY
210.7.16.47  RELAY
210.7.16.49  RELAY
 
LVL 26

Expert Comment

by: jar3817
ID: 24799770
No huge problems that I can see. Did you look at the logs (/etc/mail/maillog) to see what IP address these messages are actually coming from? According to http://mxtoolbox.com your server is not an open relay, so that leaves two possibilities:

1. The spam is coming from one of the IPs listed in your /etc/mail/access file. If this is the case some workstation at that site probably has a virus or spyware that is going nuts.

2. A local account on this sendmail server is compromised and someone is using a valid username/password to get around the relay restriction.

Check the logs to see where exactly it's coming from to know how to proceed. Do you have any local accounts on this sendmail server other than the service accounts (which shouldn't have passwords) and root? When was the last time you changed the passwords?
 
LVL 26

Expert Comment

by: jar3817
ID: 24799778
...yeah, the log is actually located at:

/var/log/maillog

Sorry about the confusion...
 

Author Comment

by: Network_Padawan
ID: 24802397
Hi jar3817,

Thanks for your help. What I did was verify the valid emails, push them through one by one and then flush the mail queue.

Can I ask, you stated "Check the logs to see where exactly it's coming from to know how to proceed". I did a tail on /var/log/messages but I didn't really know what to look for. If it was one of the networks that we allow to relay their SMTP through us, what is the best way of finding out the source? What should I look for?
 
LVL 26

Accepted Solution

by: jar3817 (earned 2000 total points)
ID: 24802424
The file you need to look in is:

/var/log/maillog

Get the message ID from one of the spam messages in the queue (by typing "mailq" to display the queue) and then search for that ID in the maillog file. You'll see the IP address in the log entry.
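As an added example (not part of the thread and not the posters' own commands), a small POSIX shell script that applies the accepted answer's method and jar3817's two possibilities (a trusted RELAY network going nuts, or an authenticated account being abused) over a maillog: it looks up the submitting IP for a queue id taken from mailq, and ranks submitting IPs and SASL authids by volume. The relay= and authid= fields are standard sendmail maillog fields; the log lines, IPs, queue ids and user names below are constructed.

```shell
#!/bin/sh
# Triage helpers for a flooded sendmail queue: which client IPs submitted the
# queued mail, and which SASL accounts authenticated. relay= and authid= are
# standard sendmail maillog fields; the log lines below are constructed samples.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jul  7 09:01:12 corp-mail-1 sendmail[4011]: n67911Ca004011: from=<alice@example.net>, size=2210, class=0, nrcpts=1, msgid=<a1@example.net>, proto=ESMTP, daemon=corp-mail-1, relay=ws15.example.net [10.0.0.15]
Jul  7 09:01:13 corp-mail-1 sendmail[4011]: n67911Ca004011: to=<bob@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=122210, relay=mx.example.org. [192.0.2.25], dsn=2.0.0, stat=Sent
Jul  7 09:02:40 corp-mail-1 sendmail[4102]: n67922eU004102: from=<promo@example.biz>, size=800, class=0, nrcpts=40, msgid=<x1@example.biz>, proto=SMTP, daemon=cust-mail-1, relay=[203.0.113.77]
Jul  7 09:02:41 corp-mail-1 sendmail[4103]: n67922fV004103: from=<promo@example.biz>, size=801, class=0, nrcpts=38, msgid=<x2@example.biz>, proto=SMTP, daemon=cust-mail-1, relay=[203.0.113.77]
Jul  7 09:02:42 corp-mail-1 sendmail[4104]: n67922gW004104: from=<promo@example.biz>, size=799, class=0, nrcpts=41, msgid=<x3@example.biz>, proto=SMTP, daemon=cust-mail-1, relay=[203.0.113.77]
Jul  7 09:03:05 corp-mail-1 sendmail[4110]: n67935Xq004110: AUTH=server, relay=[198.51.100.9], authid=jsmith, mech=LOGIN, bits=0
Jul  7 09:03:05 corp-mail-1 sendmail[4110]: n67935Xq004110: from=<jsmith@example.com>, size=1500, class=0, nrcpts=30, msgid=<y1@example.com>, proto=ESMTP, daemon=corp-mail-1, relay=[198.51.100.9]
Jul  7 09:03:06 corp-mail-1 sendmail[4111]: n67936Yr004111: AUTH=server, relay=[198.51.100.9], authid=jsmith, mech=LOGIN, bits=0
Jul  7 09:03:06 corp-mail-1 sendmail[4111]: n67936Yr004111: from=<jsmith@example.com>, size=1510, class=0, nrcpts=29, msgid=<y2@example.com>, proto=ESMTP, daemon=corp-mail-1, relay=[198.51.100.9]
EOF

# Pull the submitting client IP out of every "from=" envelope line. Only the
# from= line of a queue id carries the inbound relay; to= lines name the
# outbound relay and are skipped. Handles "relay=host [ip]" and "relay=[ip]".
relay_ip_of_from_lines() {
  grep ': from=<' "$1" | sed -n 's/.*relay=[^[]*\[\([0-9.]*\)\].*/\1/p'
}

# The accepted answer's step: take a queue id shown by "mailq" and find the
# IP that handed us that message.
relay_for_qid() {
  grep ": $2: from=<" "$1" | sed -n 's/.*relay=[^[]*\[\([0-9.]*\)\].*/\1/p'
}

# Possibility 1 from the thread: a network trusted with RELAY in the access
# file is the source. Prints "<count> <ip>" lines, busiest first.
relay_ip_counts() {
  relay_ip_of_from_lines "$1" | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Possibility 2: a local account is authenticating past the relay restriction.
# Prints "<count> <authid>" lines, busiest first.
authid_counts() {
  grep 'AUTH=server' "$1" | sed -n 's/.*authid=\([^,]*\),.*/\1/p' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Stand-alone run over the constructed sample.
relay_ip_counts "$SAMPLE_LOG"
authid_counts "$SAMPLE_LOG"
```

On the real server, point the functions at /var/log/maillog instead of the sample: an address from the access file's RELAY list with an abnormal count points at the infected-workstation case, while a single busy authid points at the compromised-account case.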
