- 08-28-2012 #1 Just Joined!
- Join Date
- Aug 2012
- Posts
- 5
my sendmail server keeps sending spam
Hello
I have a sendmail server that can't be seen outside the network.
I have imported mail accounts from another sendmail server in it.
Now I see that it keeps trying to send spam.
I am a newbie to sendmail.
What can I control first?
- 08-28-2012 #2
Sendmail doesn't send spam, people send spam. One (or more) of those accounts you've enabled must be open to a bot or a user with a desire to send crap via email.
If it were my system I'd remove all the accounts again, then talk to the owners of each account, only enabling the ones who you can verify, and monitor outgoing email closely to find out if anyone starts sending junk after you enable their account. If you can't talk to the account holders, then you might want to try disabling the accounts in batches until the spam stops and you narrow down who is generating it. It is possible that the spam is generated by an infected computer somewhere inside your network - you need to squish this as quickly as you can.
Linux user #126863 - see http://linuxcounter.net/
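Added example, not part of any post in this thread: a Python example of the outgoing-mail monitoring suggested above, grouping sendmail `from=` log entries by submitting relay so that one host or account pushing many recipients or many different sender addresses stands out. The log lines are constructed, and the thresholds and function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in sendmail's usual syslog format (not taken from the thread).
SAMPLE_LOG = """\
Aug 28 09:01:12 mx sendmail[2101]: q7S91Cab002101: from=<alice@example.lan>, size=1820, class=0, nrcpts=1, msgid=<1@example.lan>, proto=ESMTP, daemon=MTA, relay=pc-alice.example.lan [192.168.1.21]
Aug 28 09:01:13 mx sendmail[2103]: q7S91Cab002101: to=<carol@example.org>, delay=00:00:01, mailer=esmtp, relay=mx.example.org. [203.0.113.10], dsn=2.0.0, stat=Sent
Aug 28 09:02:40 mx sendmail[2110]: q7S92eab002110: from=<info@bank-example.test>, size=5120, class=0, nrcpts=40, msgid=<2@x>, proto=SMTP, daemon=MTA, relay=[192.168.1.50]
Aug 28 09:02:44 mx sendmail[2114]: q7S92iab002114: from=<support@shop-example.test>, size=5090, class=0, nrcpts=35, msgid=<3@x>, proto=SMTP, daemon=MTA, relay=[192.168.1.50]
Aug 28 09:02:49 mx sendmail[2119]: q7S92nab002119: from=<billing@pay-example.test>, size=5101, class=0, nrcpts=38, msgid=<4@x>, proto=SMTP, daemon=MTA, relay=[192.168.1.50]
Aug 28 09:05:00 mx sendmail[2130]: q7S950ab002130: from=apache, size=640, class=0, nrcpts=1, msgid=<5@mx>, relay=apache@localhost
"""

# One "from=" line is logged per accepted message; nrcpts is its recipient count.
FROM_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<?(?P<sender>[^>,]*)>?, "
    r".*?nrcpts=(?P<nrcpts>\d+),.*?relay=(?P<relay>.+)$"
)

def relay_key(relay):
    """Prefer the bracketed IP; fall back to the raw value (e.g. user@localhost)."""
    m = re.search(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]", relay)
    return m.group(1) if m else relay.strip()

def summarise(log_text):
    """Per submitting relay: message count, total recipients, distinct senders."""
    stats = defaultdict(lambda: {"msgs": 0, "rcpts": 0, "senders": set()})
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if not m:
            continue  # "to=" delivery lines and other daemons are skipped
        s = stats[relay_key(m["relay"])]
        s["msgs"] += 1
        s["rcpts"] += int(m["nrcpts"])
        s["senders"].add(m["sender"].lower())
    return stats

def suspects(stats, max_rcpts=20, max_senders=2):
    """Relays over either threshold (assumed values), busiest first."""
    hits = [(relay, s["msgs"], s["rcpts"], len(s["senders"]))
            for relay, s in stats.items()
            if s["rcpts"] > max_rcpts or len(s["senders"]) > max_senders]
    return sorted(hits, key=lambda h: h[2], reverse=True)

if __name__ == "__main__":
    for relay, msgs, rcpts, senders in suspects(summarise(SAMPLE_LOG)):
        print(f"{relay}: {msgs} msgs, {rcpts} recipients, {senders} sender addresses")
```

A relay reported as `user@localhost` means the message was submitted on the server itself (for example by a web script), while an internal IP points at a workstation to inspect.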
- 08-29-2012 #3 Just Joined!
- Join Date
- Sep 2007
- Location
- Silver Spring, MD
- Posts
- 84
Running cmds like chkrootkit
Please download, install and run the following executables from the command prompt. They should catch anything that is running on your machine that is running spyware. Then I would install an antivirus solution for Linux like AVG or whatever you choose.
Code:
chkrootkit
rkhunter --check
Chkrootkit - chkrootkit - Wikipedia, the free encyclopedia
Rkhunter - http://en.wikipedia.org/wiki/Rkhunter
- 08-29-2012 #4 Just Joined!
- Join Date
- Aug 2012
- Posts
- 2
I use to filter out:
- spamassassin
- clamav
And I configured postfix with the following (partial config of main.cf):
Code:
disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    check_client_access proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf,
    reject_unlisted_recipient,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    permit
smtpd_sender_restrictions =
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unlisted_sender,
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    permit
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

This helped me a lot in rejecting the major scanners/bots that are lurking for open relay servers or half-configured servers.
Also I have a cron script that syncs with the spamhaus BLOCK list, that also helps a lot to refuse connections from marked blacklisted IPs.
Check out: spamhaus dot org section: SBL - IP Spam Filter
p.s.: i use virtual email boxes in my mysql.
Hope this helps a bit.
- Barret
- 08-29-2012 #5 Just Joined!
- Join Date
- Sep 2007
- Location
- Silver Spring, MD
- Posts
- 84
Spamming Main.cf changes
Everything looks good from my point of view, most of the items are set to the default settings which are good in many cases. I have reviewed each line of code here:
Code:
smtpd_helo_restrictions =
    permit_mynetworks,
    check_client_access proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf,
    permit # Add to the restrictions section for proper syntax
    reject_unlisted_recipient,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    permit
smtpd_sender_restrictions =
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unlisted_sender,
    permit # Add to the restrictions section for proper syntax
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    permit_mynetworks, <==Remove, you have it twice
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    permit
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
allow_untrusted_routing=0 # Add this line items, helps with spamming as well
relay_recipient_maps= # Adds another line of defense by rejecting mail used for spamming purposes

Also, what version of postfix are you running?
In addition, there is a nice fix that I think you could try - Linux basic command: Spam Control For Postfix
But one thing to remember, run the chkrootkit and the rkhunter on your machine to ensure you have not been affected (just as a side note).
I hope this helps.
Todd
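Added example, not part of any post in this thread: a Python lint for Postfix `*_restrictions` lists like the one reviewed above. It flags entries that appear twice and entries that sit after a catch-all `permit`, `reject` or `defer`, which Postfix never reaches because lists are evaluated in order. The embedded config is a constructed excerpt of the posted recipient list; the function names and the short table of restrictions that take an argument are assumptions.

```python
import re

# Constructed excerpt: the recipient list as posted in the thread, condensed.
MAIN_CF = """\
smtpd_recipient_restrictions =
    permit_sasl_authenticated, permit_mynetworks,
    reject_invalid_hostname, reject_non_fqdn_hostname,
    reject_non_fqdn_sender, reject_non_fqdn_recipient,
    reject_unknown_sender_domain, reject_unknown_recipient_domain,
    reject_unauth_destination, reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_rbl_client sbl.spamhaus.org, reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net, permit
smtpd_data_restrictions = reject_unauth_pipelining
"""

# Entries are separated by commas and/or whitespace; these two (a subset,
# only what the posted config uses) carry one argument that stays attached.
ITEM_RE = re.compile(r"(?:check_client_access|reject_rbl_client)\s+[^,\s]+|[^,\s]+")
TERMINAL = {"permit", "reject", "defer"}  # actions that match every request

def parse_main_cf(text):
    """Join continuation lines (leading whitespace) into {parameter: value}."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines are ignored
        if raw[0].isspace() and name:
            params[name] += " " + raw.strip()
        else:
            name, _, value = (part.strip() for part in raw.partition("="))
            params[name] = value
    return params

def lint(text):
    """Flag repeated entries and entries placed after a catch-all action."""
    findings = []
    for name, value in parse_main_cf(text).items():
        if not name.endswith("_restrictions"):
            continue
        items = [" ".join(t.split()) for t in ITEM_RE.findall(value)]
        for pos, item in enumerate(items):
            if item in items[:pos]:
                findings.append((name, item, "duplicate"))
            if item in TERMINAL and pos < len(items) - 1:
                findings.append((name, item, "later entries never evaluated"))
    return findings

if __name__ == "__main__":
    for finding in lint(MAIN_CF):
        print(*finding, sep=": ")
```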
- 08-29-2012 #6 Just Joined!
- Join Date
- Aug 2012
- Posts
- 5
Thank you all for your answers, but I use sendmail, not postfix.
- 08-29-2012 #7 Just Joined!
- Join Date
- Sep 2007
- Location
- Silver Spring, MD
- Posts
- 84
Please look at the trail
Near the middle of the documentation, it says you configured postfix parameters.
So let me know if I am missing something because the parameters you listed are from your posting in regards to postfix.
Please be advised.
Todd
- 08-29-2012 #8
Linux user #126863 - see http://linuxcounter.net/
- 08-29-2012 #9 Just Joined!
- Join Date
- Aug 2012
- Posts
- 5
No, the first post is mine.
My username is pasin.
- 08-29-2012 #10 Just Joined!
- Join Date
- Sep 2007
- Location
- Silver Spring, MD
- Posts
- 84
Original post
Ok, the post I was referring to must have come from Barrett.
Ok, my bad there.
Ok, if it is sendmail, do you have the sendmail.mc file? I need to look at this for review.
In addition, do you have the configuration file for spam assassin?
Thank you for the catch.
Todd

