
Re: [cobalt-security] Newbie at wits end with spammers through server



From: "Michael Stauber" <cobalt@xxxxxxxxxxxxxx>

> One of the problems with the Cobalt's sendmail setup is as follows:

I'm not sure how long ago you've had these problems, but I've had my raq3i
for over a year now and it does not have the problems that you suggest.

> Sendmail will relay mail if at least one of the following conditions is
> met:
>
> a) Sender's email address matches an email address which exists on the
> server

Raq3i with all the patches does not allow this. I know because I routinely
set up new users on DSL lines and forget to add their IPs to my relaying
tables. Regardless of their sender email address, they still get relaying
denied errors.

> b) Recipient's email address matches existing email address on the server

This is always the case with any SMTP server, because that is how the
protocol works. By the way, this is not relaying, it is delivering to a
recipient on the server.

> c) Sender's domain name has an MX entry which points to the machine where
> sendmail is running.

This is not the case either. Same reasons as a).

> d) User is local

This is correct, any local user on the box can send.

You might also want to check out info on the pop before relay bug which
allows hackers to relay through your box. Search the archives.

> Also you need to be very suspicious of your webhosting customers,
> especially those with shell accounts, and/or accounts with cgi, PHP and/or
> ASP access, which is what I mean with option (d). Local users can *always*
> send mail, so any PERL or PHP script can send emails, too.

The /var/log/maillog will tell you which user, if this is the case. Ask for
a copy of the spammed email's headers, and you can search for the message ID
in your logs and know exactly who sent it.

Kevin
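The log search Kevin describes, worked through as an added example (this is not code from the original thread or from Cobalt): take the Message-ID out of the spam's headers, find the matching sendmail "from=" line in /var/log/maillog, and read off which local account handed the message to sendmail. The log lines below are constructed in the sendmail 8.x maillog format; the host name, users and addresses are made up. For a local submission sendmail logs "relay=<user>@localhost" on the from= line and "ctladdr=<user> (uid/gid)" on the to= line, which is what identifies the script or shell user.

```python
import re
from typing import Optional

# Constructed sample maillog in sendmail 8.x format (not real log data).
# Message 1: a normal local user; message 2: mail injected by the web
# server account "www" (a CGI/PHP script); line 5: a denied relay attempt.
SAMPLE_MAILLOG = """\
Jan  5 10:12:01 raq sendmail[2101]: f05AC1x02101: from=<bob@example.net>, size=812, class=0, nrcpts=1, msgid=<200101051012.f05AC1x02101@raq.example.net>, relay=bob@localhost
Jan  5 10:12:01 raq sendmail[2102]: f05AC1x02101: to=<alice@example.org>, ctladdr=bob (501/100), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=30812, relay=mx.example.org. [192.0.2.10], dsn=2.0.0, stat=Sent
Jan  5 10:13:44 raq sendmail[2110]: f05ADiY02110: from=<promo@bulk.example.com>, size=5120, class=0, nrcpts=1, msgid=<spam123@bulk.example.com>, relay=www@localhost
Jan  5 10:13:44 raq sendmail[2111]: f05ADiY02110: to=<victim@example.org>, ctladdr=www (65534/65534), delay=00:00:00, xdelay=00:00:01, mailer=esmtp, pri=35120, relay=mx.example.org. [192.0.2.10], dsn=2.0.0, stat=Sent
Jan  5 10:15:02 raq sendmail[2120]: f05AF2b02120: ruleset=check_rcpt, arg1=<someone@elsewhere.example>, relay=[203.0.113.7], reject=550 5.7.1 <someone@elsewhere.example>... Relaying denied
"""

# Constructed spam headers as a recipient would forward them back to you.
SAMPLE_SPAM_HEADERS = """\
Received: from raq.example.net (raq.example.net [198.51.100.5])
\tby mx.example.org with ESMTP id f05ADiY02110
From: promo@bulk.example.com
To: victim@example.org
Subject: make money fast
Message-ID: <spam123@bulk.example.com>
"""

FROM_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>,.*?"
    r"msgid=<(?P<msgid>[^>]+)>.*?relay=(?P<relay>\S+)"
)
TO_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>, "
    r"ctladdr=(?P<ctladdr>\S+) \((?P<uid>\d+)/(?P<gid>\d+)\)"
)
DENIED_RE = re.compile(
    r"arg1=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+), reject=550 .*Relaying denied"
)


def extract_msgid(headers: str) -> Optional[str]:
    """Pull the Message-ID (without angle brackets) out of a header block."""
    m = re.search(r"^Message-ID:\s*<([^>]+)>", headers, re.I | re.M)
    return m.group(1) if m else None


def index_maillog(log_text: str) -> dict:
    """Group from=/to= lines by sendmail queue ID."""
    entries: dict = {}
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            e = entries.setdefault(m["qid"], {"recipients": []})
            e.update(sender=m["sender"], msgid=m["msgid"], relay=m["relay"])
            continue
        m = TO_RE.search(line)
        if m:
            e = entries.setdefault(m["qid"], {"recipients": []})
            e["recipients"].append(m["rcpt"])
            e.update(ctladdr=m["ctladdr"], uid=int(m["uid"]))
    return entries


def find_sender(log_text: str, msgid: Optional[str] = None,
                queue_id: Optional[str] = None) -> Optional[dict]:
    """Locate a message by Message-ID or by sendmail queue ID and report
    the local account that submitted it (None if it was not local)."""
    if msgid is not None:
        msgid = msgid.strip("<>")
    for qid, e in index_maillog(log_text).items():
        if qid != queue_id and e.get("msgid") != msgid:
            continue
        relay = e.get("relay", "")
        local_user = None
        if relay.endswith("@localhost"):          # submitted via local sendmail
            local_user = relay[: -len("@localhost")]
        elif e.get("ctladdr"):                    # fall back to the to= line
            local_user = e["ctladdr"]
        return {"queue_id": qid, "envelope_sender": e.get("sender"),
                "local_user": local_user, "uid": e.get("uid"),
                "recipients": e["recipients"]}
    return None


def relay_denials(log_text: str) -> list:
    """List (client IP, attempted recipient) for 'Relaying denied' rejects,
    i.e. the evidence that the box is not an open relay."""
    out = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            ip = re.search(r"\[([\d.]+)\]", m["relay"])
            out.append((ip.group(1) if ip else m["relay"], m["rcpt"]))
    return out


if __name__ == "__main__":
    mid = extract_msgid(SAMPLE_SPAM_HEADERS)
    print(find_sender(SAMPLE_MAILLOG, msgid=mid))
    print(relay_denials(SAMPLE_MAILLOG))
```

Two practical notes. A spammer can forge the Message-ID header, so if the recipient's copy carries a Received: line added by your own host, search by the queue ID in that line instead (find_sender takes queue_id for that reason); sendmail's "ctladdr" and "relay=...@localhost" fields come from the submitting process and cannot be forged by the script. And the "Relaying denied" rejects are what you expect to see in the log from outside clients, matching the behaviour Kevin describes for unlisted DSL addresses.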