Sendmail become open relay

Paul Macdonald paul at ifdnrg.com
Mon Sep 8 14:26:55 UTC 2008 

This might be more general advice than a specific help, but i've found 
most bad mail originating from me comes from php driven forum sites.
After originally patching the php src to log sitenames that send mail, i 
found enabling MAILHEAD support in php build adds customs headers which 
help to identify the site anyway.

I plan on adding a milter to pick these up dynamically, but for now, it 
helps identify sites from stuck items in mailq.

i.e a grep into mailq  for X-PHP-Script

/var/spool/mqueue/qfm83AltWj045560:H??X-PHP-Script: 
www.siteonserver.com/signup.php for x.101.27.178

Its easy to spot dubious scripts as the ip is commonly the same.

gd luck.
Paul.

lyd mc wrote:
> Hi guys need help..
>
> My mailserver become an open relay.
>
> Unknown user can now send mail.
>
> snippet from mailq
>
> m88C8iWq042874      689 Mon Sep  8 20:08 <osxch at mail.mydomain.com>
>                  (Deferred: Name server: mx1.mail.tw.yahoo.com.: host name loo)
>                                          <chenaa00 at yahoo.com.tw>
>                                          <chena0.tw at yahoo.com.tw>
>                                          <chena0877 at yahoo.com.tw>
>                                          <chena0 at yahoo.com.tw>
>                                          <chena11 at yahoo.com.tw>
>                                          <chena121959330 at yahoo.com.tw>
>                                          <chena1238 at yahoo.com.tw>
>                                          <chena186890 at yahoo.com.tw>
>                                          <chena1966 at yahoo.com.tw>
>                                          <chena20155 at yahoo.com.tw>
>                                          <chena226 at yahoo.com.tw>
>                                          <chena22 at yahoo.com.tw>
>                                          <chena26232000 at yahoo.com.tw>
>
> I don't  have user 'osxch' and there others can also send..
>
>
> best regars thnx
>
> alydio
>
>
>
>
>       
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>   

-- 

<http://www.ifdnrg.com> 	*Ultra fast and secure web hosting
Live and on demand video streaming
Custom online Solutions *

*Paul Macdonald*
Director 	
paul at ifdnrg.com <mailto:paul at ifdnrg.com>
www.ifdnrg.com <http://www.ifdnrg.com> 	

	*IFDNRG*
127 Rose St South Lane, Edinburgh, EH2 4BB
0044.(0)131.2257470

More information about the freebsd-questions mailing list