
Re: [cobalt-security] Newbie at wits end with spammers through server



Hi Chae,

> I'm at the end of my tether with the spamming and if it continues I can see
> me losing the server and the customers. Can any of you knowledgeable
> users/administrators say where I'm going wrong, is the server set-up wrong
> or is it just life and hope that it all dies down.

One of the problems with the Cobalt's sendmail setup is as follows: 

Sendmail will relay mail if at least one of the following conditions is met:

a) Sender's email address matches an email address which exists on the server

b) Recipient's email address matches existing email address on the server

c) Sender's domain name has an MX entry which points to the machine where 
sendmail is running.

d) User is local

So (a) can be easily faked, (b) doesn't need to be faked and everyone with 
control over a DNS server can arrange for (c).

I had it myself a looong time ago that cybersell.net was using my SMTP server 
to send spam. They even used my own business email address as sender address 
in the beginning. When I had shut that down and implemented stricter sendmail 
rules they just set up an MX entry which associated cybersell.net with my 
primary IP. Due to that they were able to again send spam through me. Back 
then I complained to Network Solutions and had their domain deleted, which 
only worked because all three contacts listed for the domain were fakes and I 
had sufficient proof of that at hand.

What you might want to look for is the following:

POP-before-SMTP is fine, but it can be circumvented by some MX tricks. Also 
you need to be very suspicious of your webhosting customers, especially those 
with shell accounts, and/or accounts with cgi, PHP and/or ASP access, which 
is what I mean by option (d). Local users can *always* send mail, so any 
Perl or PHP script can send emails, too.

The only way to find out who the bad guys are and where they come from is to 
check /var/log/maillog very thoroughly.

If you find out that they send from another server out there which simply 
forwards the mail to your box and has a faked MX entry, then the best thing 
to do first is to set up IPChains and to block them. Then start to complain to 
them and send them an invoice for the damage they caused. If they're using 
your infrastructure to make money, then you have the right to bill them for 
it. 

Additionally you might want to look up information about how to fortify your 
sendmail. Good starting points are sendmail.org and cauce.org, but you might 
also want to use google.com to search for additional material.

-- 

With best regards,

Michael Stauber
Solarspeed.net
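The /var/log/maillog check recommended above, as an added example that is not part of the original thread: a small Python parser over constructed sendmail "from=" lines that flags envelopes whose sender claims a locally hosted domain while the connecting relay is an outside host (condition (a) faked), plus envelopes with an unusually large recipient count, which also surfaces mail from local scripts (condition (d)). The hosted domain hosted.test, the 10. LAN prefix, the threshold of 20 recipients and the sample lines are all assumptions constructed for the example.

```python
import re
from collections import Counter
# Constructed sample lines in the format of sendmail's "from=" maillog entries (not real traffic).
SAMPLE_LOG = """\
Mar  3 10:01:02 cobalt sendmail[2101]: e23A12a02101: from=<jane@hosted.test>, size=812, class=0, nrcpts=1, msgid=<1@hosted.test>, proto=ESMTP, daemon=MTA, relay=pc12.lan.hosted.test [10.0.0.12]
Mar  3 10:02:40 cobalt sendmail[2133]: e23A2ea02133: from=<jane@hosted.test>, size=40211, class=0, nrcpts=120, msgid=<2@hosted.test>, proto=SMTP, daemon=MTA, relay=[203.0.113.5]
Mar  3 10:02:41 cobalt sendmail[2134]: e23A2fa02134: from=<offers@cybersell.invalid>, size=40211, class=0, nrcpts=95, msgid=<3@cybersell.invalid>, proto=SMTP, daemon=MTA, relay=relay9.cybersell.invalid [203.0.113.5]
Mar  3 10:05:00 cobalt sendmail[2150]: e23A50a02150: from=<bob@hosted.test>, size=900, class=0, nrcpts=2, msgid=<4@hosted.test>, proto=ESMTP, daemon=MTA, relay=pc7.lan.hosted.test [10.0.0.7]
Mar  3 10:06:13 cobalt sendmail[2160]: e23A6Da02160: from=<www>, size=30000, class=0, nrcpts=60, msgid=<5@cobalt.hosted.test>, relay=www@localhost
"""
FROM_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>.*?"
    r"nrcpts=(?P<nrcpts>\d+).*?relay=(?P<relay>\S+)(?: \[(?P<ip>[\d.]+)\])?"
)

def parse_from_lines(log_text):
    """Yield one dict per envelope line: queue id, sender, recipient count, relay host and IP."""
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["nrcpts"] = int(rec["nrcpts"])
        if rec["ip"] is None and rec["relay"].startswith("["):
            rec["ip"] = rec["relay"].strip("[]")  # unresolved client logs as relay=[a.b.c.d]
        yield rec

def is_local_relay(rec, local_nets):
    """Local users (condition d) appear as relay=user@localhost; LAN clients fall in local_nets."""
    if rec["ip"] is None:
        return rec["relay"].endswith("@localhost")
    return any(rec["ip"].startswith(net) for net in local_nets)

def find_abuse(log_text, local_domains, local_nets=("10.",), bulk_threshold=20):
    """Return (queue id, reason, relay IP) triples that deserve a closer look."""
    findings = []
    for rec in parse_from_lines(log_text):
        domain = rec["sender"].rpartition("@")[2].lower()
        if domain in local_domains and not is_local_relay(rec, local_nets):
            # Condition (a): sender claims a hosted address, but the client is an outside host.
            findings.append((rec["qid"], "faked-local-sender", rec["ip"]))
        if rec["nrcpts"] >= bulk_threshold:
            findings.append((rec["qid"], "bulk-recipients", rec["ip"]))
    return findings

def relay_counts(log_text):
    """Envelopes per relay IP; one outside IP dominating the log is the host to block."""
    return Counter(rec["ip"] or "local" for rec in parse_from_lines(log_text))
```

Run `find_abuse(open("/var/log/maillog").read(), {"your.domain"})` against the real log and feed the dominant outside IP from `relay_counts` into the IPChains rule.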