Re: [cobalt-security] Newbie at wits end with spammers through server
- Subject: Re: [cobalt-security] Newbie at wits end with spammers through server
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Tue, 14 Aug 2001 14:05:15 +0200
- Organization: Stauber Multimedia Design
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Chae,
> I'm at the end of my tether with the spamming and if it continues I can see
> me losing the server and the customers. Can any of you knowledgeable
> users/administrators say where I'm going wrong, is the server set-up wrong
> or is it just life and hope that it all dies down.
One of the problems with the Cobalt sendmail setup is as follows:
Sendmail will relay mail if at least one of the following conditions is met:
a) Sender's email address matches an email address which exists on the server
b) Recipient's email address matches existing email address on the server
c) Sender's domain name has an MX entry which points to the machine where
sendmail is running.
d) User is local
So (a) can be easily faked, (b) doesn't need to be faked and everyone with
control over a DNS server can arrange for (c).
I had it myself a looong time ago that cybersell.net was using my SMTP server
to send spam. They even used my own business email address as sender address
in the beginning. When I had shut that down and implemented stricter sendmail
rules they just set up an MX entry which associated cybersell.net with my
primary IP. Due to that they were able to again send spam through me. Back
then I complained to Network Solutions and had their domain deleted, which
only worked because all three contacts listed for the domain were fakes and I
had sufficient proof of that at hand.
What you might want to look for is the following:
POP-before-SMTP is fine, but it can be circumvented by some MX tricks. Also
you need to be very suspicious of your webhosting customers, especially those
with shell accounts, and/or accounts with cgi, PHP and/or ASP access, which
is what I mean by option (d). Local users can *always* send mail, so any
Perl or PHP script can send emails, too.
The only way to find out who the bad guys are and where they come from is to
check /var/log/maillog very thoroughly.
If you find out that they send from another server out there which simply
forwards the mail to your box and has a faked MX entry, then the best thing
to do first is to set up ipchains and to block them. Then start to complain to
them and send them an invoice for the damage they caused. If they're using
your infrastructure to make money, then you have the right to bill them for
it.
Additionally you might want to look up information about how to fortify your
sendmail. Good starting points are sendmail.org and cauce.org, but you might
also want to use google.com to search for additional material.
--
With best regards,
Michael Stauber
Solarspeed.net
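The post says the only way to find the relayers is to go through /var/log/maillog thoroughly. The script below is an added example of how to do that, not code from Michael Stauber or from Cobalt: it groups sendmail log lines by queue ID, pairs each from= line with its to= lines, and sorts every message that was accepted for a non-local recipient into the relay conditions (a), (c) and (d) from the post (condition (b), a local recipient, is ordinary inbound mail and is not flagged). The local domains, host names, IP addresses and log lines are all constructed for the example, and the line layout assumes the sendmail 8 logging format with `relay=host [ip]` and `relay=user@localhost` for local submissions.

```python
"""Audit sendmail maillog lines for third-party relaying (added example).

Relay conditions from the post:
  (a) sender address is local        -> trivially forged from outside
  (b) recipient address is local     -> inbound mail, not relaying
  (c) sender domain's MX points here -> needs an MX check on the domain
  (d) submission by a local user or script (relay=user@localhost)
All domains, hosts, addresses and log lines below are constructed.
"""
import re
from collections import defaultdict

# Constructed: the domains this server is authoritative for.
LOCAL_DOMAINS = {"example.com", "customer.example"}

QID_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$")
FROM_RE = re.compile(r"^from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"^to=(?P<list>(?:<[^>]*>,?)+)")
RELAY_RE = re.compile(r"relay=(?P<host>[^\s,]+)(?: \[(?P<ip>[^\]]+)\])?")

# Constructed sample of /var/log/maillog in sendmail 8 format.
SAMPLE_LOG = """\
Aug 14 03:12:01 raq sendmail[2001]: f7E1C1B02001: from=<sales@cybersell.example>, size=2048, class=0, nrcpts=2, proto=SMTP, relay=mail.cybersell.example [203.0.113.5]
Aug 14 03:12:02 raq sendmail[2002]: f7E1C1B02001: to=<a@victim.example>,<b@victim.example>, delay=00:00:01, mailer=esmtp, relay=mx.victim.example. [198.51.100.7], stat=Sent
Aug 14 03:12:05 raq sendmail[2003]: f7E1C5B02003: from=<chae@example.com>, size=1900, class=0, nrcpts=1, proto=SMTP, relay=[203.0.113.5]
Aug 14 03:12:06 raq sendmail[2004]: f7E1C5B02003: to=<c@victim.example>, delay=00:00:01, mailer=esmtp, relay=mx.victim.example. [198.51.100.7], stat=Sent
Aug 14 03:12:09 raq sendmail[2005]: f7E1C9B02005: from=<someone@remote.example>, size=700, class=0, nrcpts=1, proto=ESMTP, relay=smtp.remote.example [198.51.100.20]
Aug 14 03:12:09 raq sendmail[2006]: f7E1C9B02005: to=<chae@example.com>, delay=00:00:00, mailer=local, relay=local, stat=Sent
Aug 14 03:13:00 raq sendmail[2007]: f7E1D0B02007: from=<www@example.com>, size=300, class=0, nrcpts=1, relay=www@localhost
Aug 14 03:13:01 raq sendmail[2008]: f7E1D0B02007: to=<d@victim.example>, delay=00:00:01, mailer=esmtp, relay=mx.victim.example. [198.51.100.7], stat=Sent
"""


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse(lines):
    """Return {qid: {"from": addr, "relay": host, "ip": ip, "to": [addrs]}}."""
    msgs = defaultdict(lambda: {"from": None, "relay": "", "ip": "", "to": []})
    for line in lines:
        m = QID_RE.search(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        f = FROM_RE.match(rest)
        if f:
            r = RELAY_RE.search(rest)
            host = r.group("host") if r else ""
            ip = (r.group("ip") or "") if r else ""
            if not ip and host.startswith("[") and host.endswith("]"):
                ip = host[1:-1]  # no reverse DNS: sendmail logs relay=[ip]
            msgs[qid].update({"from": f.group("addr"), "relay": host, "ip": ip})
            continue
        t = TO_RE.match(rest)
        if t:
            msgs[qid]["to"].extend(re.findall(r"<([^>]*)>", t.group("list")))
    return msgs


def is_local_origin(relay, ip):
    return relay.endswith("@localhost") or relay == "localhost" or ip == "127.0.0.1"


def audit(lines, local_domains=LOCAL_DOMAINS):
    """Classify every message that was accepted for a non-local recipient."""
    findings = []
    for qid, m in parse(lines).items():
        if m["from"] is None:
            continue
        outbound = [a for a in m["to"] if domain_of(a) not in local_domains]
        if not outbound:
            continue  # only local recipients: condition (b), plain inbound mail
        sdom = domain_of(m["from"])
        if is_local_origin(m["relay"], m["ip"]):
            kind, source = "local_submission", m["relay"]       # (d)
        elif sdom in local_domains:
            kind, source = "forged_local_sender", m["ip"] or m["relay"]  # (a)
        else:
            kind, source = "external_relay", m["ip"] or m["relay"]  # (c) or POP-before-SMTP
        findings.append({"qid": qid, "kind": kind, "source": source,
                         "sender_domain": sdom, "relayed": len(outbound)})
    return findings


def by_source(findings):
    """Relayed recipients per source host/IP, worst offenders first."""
    totals = defaultdict(int)
    for f in findings:
        totals[f["source"]] += f["relayed"]
    return sorted(totals.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    found = audit(SAMPLE_LOG.splitlines())
    for f in found:
        print(f["qid"], f["kind"], f["source"], f["sender_domain"], f["relayed"])
    print(by_source(found))
```

On a real box you would feed it the live log with `audit(open("/var/log/maillog"))`. Every `external_relay` finding names a sender domain whose MX record should be looked up: if it points at your own IP, that is the MX trick from the post, and the source IP is what you block with ipchains. A `forged_local_sender` finding from an outside IP is condition (a) in action, and `local_submission` entries show which local account or web user (here the constructed `www` user) a script is sending as.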