Sendmail become open relay

Chris Pratt eagletree at hughes.net
Mon Sep 8 17:10:43 UTC 2008


On Sep 8, 2008, at 7:26 AM, Paul Macdonald wrote:

>
> This might be more general advice than a specific help, but I've
> found most bad mail originating from me comes from php driven forum
> sites.
> After originally patching the php src to log sitenames that send
> mail, I found enabling MAILHEAD support in php build adds custom
> headers which help to identify the site anyway.
>
> I plan on adding a milter to pick these up dynamically, but for  
> now, it helps identify sites from stuck items in mailq.
>
> i.e. a grep into mailq for X-PHP-Script
>
> /var/spool/mqueue/qfm83AltWj045560:H??X-PHP-Script: www.siteonserver.com/signup.php for x.101.27.178
>
> It's easy to spot dubious scripts as the IP is commonly the same.
>
> Good luck.
> Paul.
>
I was thinking somewhat the same thing. It can be the leveraging
of any scripts if the server is a web server of any sort. Spammers test
every possible crack against your scripts. While you attempt to find
which is being leveraged, you can minimize the damage by
using the MAX_RCPTS_PER_MESSAGE within sendmail. It allows
you to catch and destroy their use of your system prior to much
mail going out. You set this value to 2 and it's impossible to send
in one pass to more than two recipients. Monitoring your mailq
will allow you to see quickly if someone has got your number. This
will help keep you off BLs while you tighten your security.


> lyd mc wrote:
>> Hi guys, need help..
>>
>> My mailserver has become an open relay.
>>
>> Unknown users can now send mail.
>>
>> snippet from mailq
>>
>> m88C8iWq042874      689 Mon Sep  8 20:08 <osxch at mail.mydomain.com>
>>                  (Deferred: Name server: mx1.mail.tw.yahoo.com.: host name loo)
>>                                          <chenaa00 at yahoo.com.tw>
>>                                          <chena0.tw at yahoo.com.tw>
>>                                          <chena0877 at yahoo.com.tw>
>>                                          <chena0 at yahoo.com.tw>
>>                                          <chena11 at yahoo.com.tw>
>>                                          <chena121959330 at yahoo.com.tw>
>>                                          <chena1238 at yahoo.com.tw>
>>                                          <chena186890 at yahoo.com.tw>
>>                                          <chena1966 at yahoo.com.tw>
>>                                          <chena20155 at yahoo.com.tw>
>>                                          <chena226 at yahoo.com.tw>
>>                                          <chena22 at yahoo.com.tw>
>>                                          <chena26232000 at yahoo.com.tw>
>>
>> I don't have user 'osxch', and there are others that can also send..
>>
>>
>> Best regards, thanks
>>
>> alydio
>>
>>
>>
>>
>>       _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>>
>
> -- 
>
> <http://www.ifdnrg.com> 	*Ultra fast and secure web hosting
> Live and on demand video streaming
> Custom online Solutions *
>
> *Paul Macdonald*
> Director 	
> paul at ifdnrg.com <mailto:paul at ifdnrg.com>
> www.ifdnrg.com <http://www.ifdnrg.com> 	
>
> 	*IFDNRG*
> 127 Rose St South Lane, Edinburgh, EH2 4BB
> 0044.(0)131.2257470
>
> 	
>
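
The queue check Paul describes (grepping the queue files for X-PHP-Script) together with the recipient-count signal Chris relies on, as an added shell example that is not part of the thread. The queue directory, file names and addresses are constructed, and it assumes each recipient is stored as one qf line beginning with "R".

```shell
#!/bin/sh
# Added example (not from the thread). Header layout is taken from the grep
# output quoted in the thread: H??X-PHP-Script: <site/script> for <client-ip>
# Assumption: each recipient is one qf line starting with "R".

# php_script_summary DIR -> "count script client-ip", busiest first
php_script_summary() {
    grep -h '^H[?][?]X-PHP-Script:' "$1"/qf* 2>/dev/null |
        awk '{ n[$2 " " $4]++ } END { for (k in n) print n[k], k }' |
        sort -k1,1nr -k2
}

# many_rcpts DIR LIMIT -> "queue-file rcpt-count" for files above LIMIT
many_rcpts() {
    for f in "$1"/qf*; do
        [ -f "$f" ] || continue
        c=$(grep -c '^R' "$f" || true)
        if [ "$c" -gt "$2" ]; then echo "${f##*/} $c"; fi
    done
    return 0
}

# make_demo_queue -> path of a temp dir holding constructed qf files
make_demo_queue() {
    d=$(mktemp -d) || return 1
    i=1
    while [ "$i" -le 3 ]; do
        {
            echo 'H??X-PHP-Script: forum.example.org/signup.php for 192.0.2.7'
            echo 'RPFD:<a@example.net>'
            echo 'RPFD:<b@example.net>'
            echo 'RPFD:<c@example.net>'
        } > "$d/qfDEMO000$i"
        i=$((i + 1))
    done
    {
        echo 'H??X-PHP-Script: shop.example.org/contact.php for 198.51.100.9'
        echo 'RPFD:<owner@example.org>'
    } > "$d/qfDEMO0004"
    echo "$d"
}

q=$(make_demo_queue)
php_script_summary "$q"   # one line per script/client pair, with counts
many_rcpts "$q" 2         # queue files holding more than 2 recipients
rm -rf "$q"
```

On a live server the directory argument would be the queue path shown in the thread, /var/spool/mqueue, read as root.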


