  1. #1 Just Joined! (Join Date: Dec 2006, Posts: 5)

    Stop my Sendmail spewing spam - help!


    Spammers are impersonating users on my server and sending out spam in their name. I imagine this is a very common problem and must be consuming enormous bandwidth but I can't seem to find a way to stop it.

    What I need to do is to stop Sendmail accepting commands from outside to send hundreds of messages from "nonsense@a_local_domain.com". Can anyone offer or point me to an easy-to-follow how-to?

    Running a server is an ancillary activity for me and Sendmail has a reputation (which I can endorse) for being almost impossible to understand so I need some help in layman's language. And, yes, I admit it, I am paranoid about making changes that might break everything.

    I am using the server to host websites. No-one logs into my server to send mail just to collect it (so I don't think POP before SMTP is relevant). But I do need my customers to receive e-mail from anywhere and I need to keep the scripts on their sites that send e-mail to themselves and to their customers.

    I have spent hours typing "sendmail" and "spam" and "smtp auth" into Google trying to find something I can understand and is relevant to my (? not unusual) web hosting setup but I am not getting anywhere. So I would like to think that if you can offer an answer that helps me it would help a lot of other people too. I found suggestions like "don't use Sendmail" or "install and make everything all over again" but that's not what I would call "helpful"!

    If it is relevant I have:

    Fedora 2
    Webmin
    Sendmail
    Dovecot

    /etc/mail/access has only:

    localhost.localdomain RELAY
    localhost RELAY
    127.0.0.1 RELAY

    SMTP AUTH is available (- I think - I have something called Cyrus installed and telnet to port 25 responds with 250-AUTH)

    --------------

    BTW - is there a campaign to lobby legislators to persuade ALL governments to start making life truly scary for spammers and hackers? If not let's start one!

  2. #2 Linux User yourname3232 (Join Date: Aug 2005, Location: Pacific Northwest, USA, Posts: 262)
    Well first can you go here to check if you are an open relay. If you are then I will help you look for material that will help you fix this. If you are an open relay then you need to shut down your SMTP server, because YOU can be fined for the spam even though you didn't send it.
    Registered GNU/Linux User #399198
    'Experience is something you don't get until just after you need it.' -Steven Wright

  3. #3 Just Joined! (Join Date: Dec 2006, Posts: 5)
    Wise advice but "open relay" was the first thing I checked when I became aware of the problem a few weeks ago. Also, just for the record, I am not aware of any provision under English law for the sort of fines you mention though if there are you must say more as we all need to know.

  4. #4 Linux User yourname3232 (Join Date: Aug 2005, Location: Pacific Northwest, USA, Posts: 262)
    So you are not an open relay? Well, is somebody using a PHP script to send mass spam (as was the case on my server)?
    Registered GNU/Linux User #399198
    'Experience is something you don't get until just after you need it.' -Steven Wright

  5. #5 Just Joined! (Join Date: Dec 2006, Posts: 5)
    No. As I said in my original posting, it seems that 'Sendmail is accepting commands from outside to send hundreds of messages from "nonsense@a_local_domain.com".'

    From what little I have understood about this, it seems that port 25 has to be open to accept mail for users on the server and someone is using that to Telnet commands to send the mail.

    Maybe that means I have the wrong focus and need to forget Sendmail and tighten up Telnet somehow, though logically it would appear that the world must be able to contact Sendmail without restriction in order to deposit genuine mail.

  6. #6 Linux Guru smolloy (Join Date: Apr 2005, Location: CA, but from N.Ireland, Posts: 2,414)
    Dumb naive question -- can you just switch telnet off?? i.e. stop the telnet daemon so people can't telnet in the commands to send mail, and use ssh if you need remote access.

    Sorry if this is a dumb point, as I don't really understand mailservers, but I do know that telnet isn't so hot when it comes to security.
    Registered Linux user #388328 || Registered LFS user #15880
    AMD 64 X2 4600+ :: 2X1GB DDR2 800 :: GeForce 9400 GT 512MB :: ASUS M2N32 Deluxe :: 4X250GB SATAII
    Need instant help? Try us on IRC -- #linuxforums on freenode

  7. #7 Just Joined! (Join Date: Dec 2006, Posts: 5)
    Sorry - loose and thoughtless language on my part - I think Telnet IS off - if I try locally "telnet 1.2.3.4" (with my IP) I get Could not open connection to the host, on port 23 Connection failed.

    I don't really understand what is happening (or how to find out) all I know is that somehow false names at local domains are sending out mail.

  8. #8 Just Joined! (Join Date: Dec 2006, Posts: 5)

    Resolved

    I hope everyone will forgive me adding this in the hope that some other poor soul in trouble will find this solution in a search.

    There was a script on my server (now removed - hackers please note) which processed forms from a number of websites. So it accepted a "to" address and a "from" address and a "message" as variables.

    OK OK with 20-20 hindsight even I can see how vulnerable that is to an external post direct to the script sending as many "to" addresses, whichever weird "from" address and whatever evil message Mr. Hacker wanted to send.

    From now on I'll use individual scripts with hard coded "to" addresses only. Oh, and from what I read I think I need to make sure there's something between line feeds to stop Sendmail thinking it has got another header ending \n\n

    Thanks to those who offered help
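The fix described in post #8 (hard-coded recipients, and no raw line breaks reaching a mail header) as an added example, not the poster's script: a small Python form-mail handler that ignores any visitor-supplied "to", always sends From our own address, and rejects CR/LF in every header field so an extra header can never be injected. The form id, addresses and field names are constructed for the example; the thread's script was presumably PHP, but the same checks apply.

```python
import re
from email.message import EmailMessage

# Hard-coded destination per form id (constructed values). The visitor never
# supplies a "to" address, which removes the mass-mailing abuse from the thread.
FORM_RECIPIENTS = {"contact": "forms@example-host.test"}
SENDER = "webform@example-host.test"  # From: is always our own address
# One address only: no commas, semicolons, whitespace or angle brackets.
ADDR_RE = re.compile(r"[^@\s<>,;]+@[^@\s<>,;]+\.[A-Za-z]{2,}")


def clean_header(value, max_len=200):
    """Return a header-safe string or raise ValueError.

    A CR or LF inside a header field is exactly how a visitor-controlled
    "from" or "subject" grows extra To:/Bcc: lines (the \\n\\n problem
    mentioned in post #8), so any line break is rejected outright.
    """
    if "\r" in value or "\n" in value:
        raise ValueError("newline in header field")
    value = value.strip()
    if not value or len(value) > max_len:
        raise ValueError("header field empty or too long")
    return value


def handle_submission(fields):
    """Build the message for one form post.

    Returns (True, EmailMessage) on success or (False, reason) on rejection.
    Any "to" key in the submitted fields is simply ignored.
    """
    try:
        to_addr = FORM_RECIPIENTS[fields.get("form", "")]
    except KeyError:
        return False, "unknown form id"
    try:
        reply_to = clean_header(fields.get("email", ""))
        name = clean_header(fields.get("name", ""))
    except ValueError as exc:
        return False, str(exc)
    if not ADDR_RE.fullmatch(reply_to):
        return False, "reply-to is not a single address"
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = to_addr
    msg["Reply-To"] = reply_to
    msg["Subject"] = "Web form from " + name
    # The body is not a header, so newlines are harmless here.
    msg.set_content(fields.get("message", ""))
    return True, msg
```

Hand the returned message to your MTA with smtplib (or the local sendmail binary) only when the first element is True; the reason string is what to log on rejection.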
