SendMail sending garbage mails
Steve Phillips
steve at focb.co.nz
Thu Jul 29 02:00:19 UTC 2004
On Wed, 28 Jul 2004, Duncan wrote:
> if it was ipchains you would do the following;
>
> #allowing localhost
> /sbin/ipchains -A input -j ACCEPT -p all -s localhost -d localhost -i lo
> /sbin/ipchains -A output -j ACCEPT -p all -s localhost -d localhost -i lo
>
> #Deny packets from internet claiming to be from localhost and log
> /sbin/ipchains -A input -j REJECT -p all -s localhost -i ppp+ -l
>
> Basically that should solve your problems for now, that is if you don't have a
> machine on your LAN spamming
> Rgds
Except for the fact that the e-mails in question that generated the bounce
message may not have even originated from his machine. The original e-mail
does not have enough information about the setup to allow one to deduce
whether a "firewall" would help or not, and randomly adding iptables rules
will usually do more harm than good.
There are two probable scenarios. One is that the MX host being delivered
to is accepting all mail for that domain and then trying to pass it on to
the final recipient; the final recipient generates a 5xx message (perm
failure) and the message then gets bounced back to the (apparent)
originator, who happens to be someone else - this is usually known as a joe
job and is pretty much impossible to stop. It's also probably not that
likely, but without more information it's hard to say. It is possible to do
this easily with smart relay hosts that collect mail for a domain and then
pass it on.
The other scenario is that something on his network (including the mail
system itself) is allowing an external source to relay mail through his
mail system. This could be via an open proxy, trojan, virus or other such
nasty. In order to find out if this is the case he should look in his logs
for outbound mail and track back where the sender was - if it was
localhost then look for an open proxy or other nasty on the mail machine
itself (firewalls allowing all from localhost won't stop this), and if it
was from a machine on the network then investigate further on that machine
(anti-virus software would be a good start) - also check that you have not
turned your mail server into an open relay as that would be bad [tm]. In
this case adding the firewall rules will simply stop the users/PCs from
relaying mail, and while it will prevent bad mail going out it will also
prevent good mail from going out and so isn't really a workable solution.
Added to this - if your ISP or your firewall/filtering is allowing
obviously spoofed traffic through onto your network then there is
something wrong and you should complain to your provider/network admin
etc. I would be surprised if your box allowed obviously spoofed traffic in
by default, but stranger things can happen.
--
Steve.
>
> Duncan
> ----- Original Message -----
> From: "Nilesh" <niluforalways at yahoo.com>
> To: "Duncan" <drack at mweb.co.zw>; "General Red Hat Linux discussion list"
> <redhat-list at redhat.com>
> Sent: Wednesday, July 28, 2004 2:31 PM
> Subject: Re: SendMail sending garbage mails
>
>
>> Hi Duncan,
>>
>> yeah I have configured IPtables firewall on that
>> machine and blocked incoming packets for other ports
>> except port 25 and 110
>> but not blocked loopback. do u feel this problem is
>> because of loopback
>>
>> Regards
>> Nilesh
>>
>>
>>
>> --- Duncan <drack at mweb.co.zw> wrote:
>>
>>>> Hi friends,
>>>>
>>>> I have some problems with my sendmail server.
>>>> it has sending some garbage mails to outside and
>>> that
>>>> mails bouncing back to on different user that is
>>> not
>>>> existing users.
>>>> the error are like
>>>> ----- The following addresses had permanent fatal
>>>> errors -----
>>>> vbqdfwhgvokn at centrum.cz
>>>> (reason: 550 5.5.1 No such user here)
>>>>
>>>> ----- Transcript of session follows -----
>>>> ... while talking to data2.centrum.cz.:
>>>>
>>>> >>> DATA
>>>>
>>>> <<< 550 5.5.1 No such user here
>>>> 550 5.1.1 vbqdfwhgvokn at centrum.cz... User unknown
>>>> <<< 503 5.5.2 Waiting for RCPT command
>>>>
>>>> Subject:
>>>> Returned mail: see transcript for details
>>>> From:
>>>> Mail Delivery Subsystem <MAILER-DAEMON>
>>>> Date:
>>>> Thu, 15 Jul 2004 21:14:34 +0530
>>>> To:
>>>> vbqdfwhgvokn at centrum.cz
>>>>
>>>> The original message was received at Thu, 15 Jul
>>> 2004
>>>> 21:14:34 +0530
>>>> from root at localhost
>>>>
>>>> ----- The following addresses had permanent
>>> fatal
>>>> errors -----
>>>> craig at abc.net
>>>> (reason: 550 5.1.1 User unknown)
>>>> ----- Transcript of session follows -----
>>>> 550 5.1.1 craig at abc.net... User unknown
>>>>
>>>> could any one please tell me how to stop this.
>>>> redhat-list mailing list
>>>> unsubscribe
>>>
>> mailto:redhat-list-request at redhat.com?subject=unsubscribe
>>>>
>>> https://www.redhat.com/mailman/listinfo/redhat-list
>>>
>>> Well you definitely need a firewall on your loopback
>>> interface which does
>>> not allow outside packets to connect except your ISP
>>> to smtp port
>>> etc. Basically do not allow packets from the outside.
>>> Else u have a machine
>>> in your LAN with a virus that is spamming, u will
>>> have to monitor your
>>> maillog.
>>> What do others think ????
>>> Rgds
>>>
>>> Duncan Rack
>>>
>>>
>>>
>>
>>
>>
>>
>>
>> __________________________________
>> Do you Yahoo!?
>> New and Improved Yahoo! Mail - 100MB free storage!
>> http://promotions.yahoo.com/new_mail
>>
>
>
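Steve's advice above boils down to one check: for each message that drew a
5xx bounce, find the "from=" record in the maillog and see which relay it
entered through (localhost, a LAN host, or an outside address). The script
below is an added example of that correlation, not something posted in the
thread. It assumes sendmail's default syslog format (a queue ID per message,
one "from=" line with "relay=host [ip]" and one "to=" line per recipient
with "dsn=" and "stat="), and it treats the RFC 1918 ranges as the LAN; the
log lines themselves are constructed for the example.

```python
"""Correlate sendmail maillog records by queue ID and report where each
bounced message entered the mail system (added example, not from the list)."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log in sendmail's default syslog format.
# Queue IDs, hosts and addresses are invented for the example.
SAMPLE_LOG = """\
Jul 15 21:14:34 mx sendmail[2011]: i6FFoYh002011: from=<root@localhost>, size=1403, class=0, nrcpts=1, msgid=<200407151514.i6FFoYh002011@mx.example.org>, proto=SMTP, daemon=MTA, relay=localhost [127.0.0.1]
Jul 15 21:14:35 mx sendmail[2013]: i6FFoYh002011: to=<vbqdfwhgvokn@centrum.cz>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31403, relay=data2.centrum.cz. [192.0.2.10], dsn=5.1.1, stat=User unknown
Jul 15 21:16:02 mx sendmail[2040]: i6FFqAb002040: from=<craig@abc.net>, size=2210, class=0, nrcpts=1, msgid=<000d01c46a7f$2f3@pc17>, proto=SMTP, daemon=MTA, relay=pc17.lan.example.org [192.168.1.17]
Jul 15 21:16:03 mx sendmail[2042]: i6FFqAb002040: to=<nobody@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=32210, relay=mail.example.net. [198.51.100.5], dsn=5.1.1, stat=User unknown
Jul 15 21:20:11 mx sendmail[2077]: i6FFuBc002077: from=<alice@example.org>, size=980, class=0, nrcpts=1, msgid=<x@example.org>, proto=ESMTP, daemon=MTA, relay=ws3.lan.example.org [192.168.1.3]
Jul 15 21:20:12 mx sendmail[2079]: i6FFuBc002077: to=<bob@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30980, relay=mx.example.com. [203.0.113.9], dsn=2.0.0, stat=Sent (OK)
Jul 15 21:22:40 mx sendmail[2101]: i6FFweD002101: from=<random@outside.example>, size=1200, class=0, nrcpts=1, msgid=<y@outside.example>, proto=SMTP, daemon=MTA, relay=[203.0.113.77]
Jul 15 21:22:41 mx sendmail[2103]: i6FFweD002101: to=<victim@centrum.cz>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31200, relay=data2.centrum.cz. [192.0.2.10], dsn=5.1.1, stat=User unknown
"""

# "sendmail[pid]: QUEUEID: rest-of-record"
LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<body>.*)$")
# from= record; sendmail logs "relay=host [ip]" or just "relay=[ip]" when no name resolves
FROM_RE = re.compile(r"^from=<(?P<sender>[^>]*)>.*relay=(?:(?P<host>\S+) )?\[(?P<ip>[^\]]+)\]")
# to= record with the delivery status code and status text
TO_RE = re.compile(r"^to=<(?P<rcpt>[^>]*)>.*?dsn=(?P<dsn>[\d.]+), stat=(?P<stat>.*)$")

# Assumed LAN ranges (RFC 1918); adjust to the real network.
LAN_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def classify_origin(ip):
    """Map the submitting relay address to localhost / lan / external."""
    addr = ip_address(ip)
    if addr.is_loopback:
        return "localhost"
    if any(addr in net for net in LAN_NETS):
        return "lan"
    return "external"


def parse_maillog(text):
    """Join from= and to= records by queue ID into one dict per message."""
    msgs = defaultdict(lambda: {"from": None, "relay_host": None, "relay_ip": None,
                                "origin": None, "rcpts": []})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qid, body = m.group("qid"), m.group("body")
        fm = FROM_RE.match(body)
        if fm:
            rec = msgs[qid]
            rec["from"] = fm.group("sender")
            rec["relay_host"] = fm.group("host")   # None for "relay=[ip]"
            rec["relay_ip"] = fm.group("ip")
            rec["origin"] = classify_origin(fm.group("ip"))
            continue
        tm = TO_RE.match(body)
        if tm:
            msgs[qid]["rcpts"].append((tm.group("rcpt"), tm.group("dsn"), tm.group("stat")))
    return dict(msgs)


def bounce_sources(msgs):
    """Group messages that drew a permanent (5.x.x) failure by where they entered.

    'localhost' points at something on the mail host itself, 'lan' at a
    workstation, and 'external' at an outside relay, i.e. an open-relay symptom.
    """
    out = defaultdict(list)
    for qid, rec in msgs.items():
        if any(dsn.startswith("5.") for _, dsn, _ in rec["rcpts"]):
            out[rec["origin"]].append((qid, rec["from"], rec["relay_ip"]))
    return dict(out)


if __name__ == "__main__":
    for origin, items in sorted(bounce_sources(parse_maillog(SAMPLE_LOG)).items()):
        print(f"{origin}:")
        for qid, sender, ip in items:
            print(f"  {qid}  from=<{sender}>  entered via {ip}")
```

Run it against the real file with parse_maillog(open("/var/log/maillog").read())
and look at which bucket the bounced messages fall into: anything under
"external" means a message from an outside address, for an outside recipient,
was accepted from an outside relay, which is exactly the open-relay case
Steve warns about; "localhost" entries are the case the loopback firewall
rules cannot help with.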