Solved

Help! Sendmail queue is getting hammered with spammers

Posted on 2009-07-07
335 Views
Last Modified: 2013-12-18
We have over 16000 mail items in our queue. Someone is spamming us and I have no idea how to determine who or what IP is doing this.

Can someone help me with some commands in sendmail to see who is doing this?
7 Comments
LVL 26

Expert Comment

by:jar3817
ID: 24792956
Look in /var/log/maillog to find the IP address. Then add that address to your /etc/mail/access file:

1.2.3.4    ERROR:550 Go Away

Then remake the access map and restart sendmail.

That's one problem. The next problem is why is your server accepting mail for external recipients in the first place? It should only accept mail for the domains it handles, rejecting all others. Paste a copy of your /etc/mail/sendmail.mc file and /etc/mail/access file so we can see why you're relaying when you shouldn't be.

Author Comment

by:Network_Padawan
ID: 24799681
Thanks jar3817, we use our sendmail as an SMTP relay for other sites...it's a business decision. Here are the sendmail.mc and access files. Thank

divert(-1)
dnl This is the sendmail macro config file. If you make changes to this file,
dnl you need the sendmail-cf rpm installed and then have to generate a
dnl new /etc/sendmail.cf by running the following command:
dnl
dnl        m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')
VERSIONID(`linux setup for Red Hat Linux')dnl
OSTYPE(`linux')
DOMAIN(generic)dnl
define(`confMAX_DAEMON_CHILDREN', `300')dnl
define(`confQUEUE_LA', `50')dnl
define(`confCONNECTION_RATE_THROTTLE', `100')dnl
define(`confMAX_RUNNERS_PER_QUEUE', `35')dnl
define(`confMAX_QUEUE_CHILDREN', `150')dnl
define(`confTO_QUEUERETURN', `8h')dnl
define(`confTO_QUEUEWARN', `2h')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confTO_IDENT', `0s')dnl
define(`confDONT_PROBE_INTERFACE', `True')dnl
define(`confLOG_LEVEL', `9')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`PROCMAIL_MAILER_ARGS', `procmail -m $h $g $u')dnl
define(`PROCMAIL_MAILER_FLAGS', `mSDFMhun')dnl
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Family=inet, Addr=203.38.180.201, Port=25, Name=corp-mail-1, M=bhE')dnl
DAEMON_OPTIONS(`Family=inet, Addr=127.0.0.1, Port=25, Name=corp-mail-1, M=bhE')dnl
DAEMON_OPTIONS(`Family=inet, Addr=203.38.180.202, Port=25, Name=cust-mail-1, M=bhE')dnl
dnl m4 quoting is an opening backtick and a closing apostrophe; plain apostrophes on both sides are not quotes
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(use_cw_file)dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`greet_pause',1000)
dnl FEATURE(`ratecontrol', ,`terminate')dnl
dnl FEATURE(`dnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
dnl FEATURE(`dnsbl', `relays.ordb.org', `"550 Email rejected see http://www.ordb.org/faq/\#why_rejected"')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl LOCAL_CONFIG
dnl CPprocmail
dnl LOCAL_RULESETS

Author Comment

by:Network_Padawan
ID: 24799683
access file: it's much longer than this but you get the general idea

localhost.localdomain           RELAY
localhost                       RELAY
127.0.0.1                       RELAY
10                              RELAY
203.38.180                      RELAY
172.16                          RELAY
172.25                          RELAY

## Temp Fiji WANIPs
210.7.17.186                    RELAY

## Rsync dump of UK sites
203.39.52.154   RELAY
213.98.162.70   RELAY
78.105.11.112   RELAY
78.105.4.101    RELAY
78.105.8.127    RELAY
80.101.6.81     RELAY
81.44.254.97    RELAY
82.163.51.219   RELAY
87.244.115.201  RELAY
88.81.147.78    RELAY
89.145.218.250  RELAY
94.193.102.116  RELAY
94.193.97.194   RELAY

## Rsync dump of Fiji sites
202.62.122.2  RELAY
210.7.12.65  RELAY
210.7.12.88  RELAY
210.7.14.36  RELAY
210.7.14.38  RELAY
210.7.16.173  RELAY
210.7.16.174  RELAY
210.7.16.175  RELAY
210.7.16.177  RELAY
210.7.16.185  RELAY
210.7.16.186  RELAY
210.7.16.187  RELAY
210.7.16.192  RELAY
210.7.16.197  RELAY
210.7.16.20  RELAY
210.7.16.200  RELAY
210.7.16.207  RELAY
210.7.16.208  RELAY
210.7.16.209  RELAY
210.7.16.47  RELAY
210.7.16.49  RELAY
LVL 26

Expert Comment

by:jar3817
ID: 24799770
No huge problems that I can see. Did you look at the logs (/etc/mail/maillog) to see what IP address these messages are actually coming from? According to http://mxtoolbox.com your server is not an open relay, so that leaves two possibilities:

1. The spam is coming from one of the IPs listed in your /etc/mail/access file. If this is the case some workstation at that site probably has a virus or spyware that is going nuts.

2. A local account on this sendmail server is compromised and someone is using a valid username/password to get around the relay restriction.

Check the logs to see where exactly it's coming from to know how to proceed. Do you have any local accounts on this sendmail server other than the service accounts (which shouldn't have passwords) and root? When was the last time you changed the passwords?
LVL 26

Expert Comment

by:jar3817
ID: 24799778
...yeah the log is actually located at:

/var/log/maillog

sorry about the confusion...
Author Comment

by:Network_Padawan
ID: 24802397
hi jar3817

Thanks for your help. What I did was verify the valid email, push them through one by one and then flushed the mail queue.

Can I ask, you stated "Check the logs to see where exactly it's coming from to know how to proceed", I did a tail on the /var/log/messages but I didn't really know what to look for. If it was one of the networks that we allow to relay their smtp through us, what is the best way of finding out the source? What should I look for?
LVL 26

Accepted Solution

by: jar3817 (earned 500 total points)
ID: 24802424
The file you need to look in is:

/var/log/maillog

Get the message ID from one of the spam messages in the queue (by typing "mailq" to display the queue) and then search for that ID in the maillog file. You'll see the IP address in the log entry.

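The lookup jar3817 describes above, and the "which relay-permitted site is it coming from" question from the earlier comment, as an added shell example that is not part of the thread: it pulls the queue IDs out of mailq output, finds each ID's from= line in maillog, and tallies the relay= hosts so the flooding source sorts to the top. The mailq and maillog text are constructed samples (documentation and private IP ranges); the assumed log format is sendmail's standard from= line with a trailing relay= field.

```shell
#!/bin/sh
# Added example (not from the thread): match queued message IDs from mailq
# against the "from=" lines in /var/log/maillog to see which relay= host
# submitted each queued message, then count per relay. The mailq and maillog
# text below is constructed so the script runs offline; on a real host use
#   top_relays "$(mailq)" "$(cat /var/log/maillog)"
set -eu

# Constructed mailq output: queue ID, size, queue time, sender, then recipients.
MAILQ_SAMPLE='                /var/spool/mqueue (3 requests)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
n67A0aaa012345     1234 Tue Jul  7 10:00 <promo@example.invalid>
                                         <victim1@example.net>
n67A0bbb012346*    2048 Tue Jul  7 10:01 <promo@example.invalid>
                                         <victim2@example.net>
n67A0ccc012347      512 Tue Jul  7 10:02 <alice@corp.example>
                                         <bob@partner.example>
                Total requests: 3'

# Constructed maillog "from=" lines; 192.0.2.77 stands in for a relay-permitted
# site flooding the queue, 10.1.2.3 for a normal internal sender.
MAILLOG_SAMPLE='Jul  7 10:00:01 corp-mail-1 sendmail[2201]: n67A0aaa012345: from=<promo@example.invalid>, size=1234, class=0, nrcpts=1, msgid=<a@example.invalid>, proto=ESMTP, daemon=corp-mail-1, relay=[192.0.2.77]
Jul  7 10:01:02 corp-mail-1 sendmail[2202]: n67A0bbb012346: from=<promo@example.invalid>, size=2048, class=0, nrcpts=1, msgid=<b@example.invalid>, proto=ESMTP, daemon=corp-mail-1, relay=[192.0.2.77]
Jul  7 10:02:03 corp-mail-1 sendmail[2203]: n67A0ccc012347: from=<alice@corp.example>, size=512, class=0, nrcpts=1, msgid=<c@corp.example>, proto=ESMTP, daemon=corp-mail-1, relay=[10.1.2.3]'

# queued_ids MAILQ_TEXT: print one queue ID per queued message. A queue ID is
# the first field of a line whose second field is the numeric size; a trailing
# "*" (message locked by a running delivery) is stripped.
queued_ids() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[A-Za-z][A-Za-z0-9]+\*?$/ && $2 ~ /^[0-9]+$/ { sub(/\*$/, "", $1); print $1 }'
}

# relay_for QUEUE_ID MAILLOG_TEXT: print the relay= value of that message's
# from= line (the host/IP that handed the message to sendmail).
relay_for() {
    printf '%s\n' "$2" | sed -n "s/.*sendmail\[[0-9]*\]: $1: from=.*, relay=//p"
}

# top_relays MAILQ_TEXT MAILLOG_TEXT: count queued messages per submitting
# relay, most frequent first. The top entry is where the flood comes from.
top_relays() {
    queued_ids "$1" | while read -r qid; do
        relay_for "$qid" "$2"
    done | sort | uniq -c | sort -rn
}

top_relays "$MAILQ_SAMPLE" "$MAILLOG_SAMPLE"
```

If the top relay is one of the RELAY entries in /etc/mail/access, that site is the one to chase; if it is an unlisted address, look at that session's authentication, as the earlier comment suggests.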
