Re: SendMail sending garbage mails

[Steve Phillips <steve@xxxxxxxxxx>]

On Wed, 28 Jul 2004, Duncan wrote:

> if it was ipchains you would do the follwoing ;
>
> #allowing localhost
>  /sbin/ipchains -A input  -j ACCEPT -p all -s localhost -d localhost -i lo
>  /sbin/ipchains -A output -j ACCEPT -p all -s localhost -d localhost -i lo
>
> #Deny packets from internet claiming to be from localhost and log
>  /sbin/ipchains -A input  -j REJECT -p all -s localhost  -i ppp+ -l
>
> Basically that should solve your problems for now that is u dont have a
> machine on your LAN spamming
> Rgds

Except for the fact that the e-mails in question that generated the bounce 
message may not have even originated from his machine. The original e-mail 
does nto have enough information about the setup to allow one to deduce 
wether a "firewall" would help or not and randomly adding iptables rules 
will usually do more harm than good.

There are two probable scenario's, one is that the MX host being delivered 
to is accepting all mail for that domain and then trying to pass it on to 
the final recipient, the final recipient generates a 5xx message (perm 
failure) and the message then gets bounced back to the (apparent) 
originator who happens to be someone else - this is usually known as a joe 
job and is pretty much impossible to stop. Its also probably not that 
likely but without more information its hard to say. It is possible to do 
this easily with smart relay hosts that collect mail for a domain and then 
pass it on.

The other scenario is that something on his network (including the mail 
system itself) is allowing an external source to relay mail through his 
mail system. This could be via an open proxy, trojan, virus or other such 
nasty. In order to find out if this is the case he should look in his logs 
for outbound mail and track back where the sender was - if it was 
localhost then look for an open proxy or other nasty on the mail machine 
itself (firewalls allowing all from localhost wont stop this) and if it 
was from a machine on the network then investigate further on that machine 
(anti-virus software would be a good start) - also check that you have not 
turned your mail server into an open relay as that would be bad [tm]. In 
this case adding the firewall rules will simply stop the users/pc's from 
relaying mail and while it will prevent bad mail going out - will also 
prevent good mail from going out and so isn't really a workable solution.

Added to this - if your ISP or your firewall/filtering is allowing 
obviously spoofed traffic through onto your network then there is 
something wrong and you should complain to your providor/network admin 
etc. I would be suprised if your box allowed obviously spoofed traffic in 
by default but stranger things can happen.

--
Steve.

> Duncan
> ----- Original Message -----
> From: "Nilesh" <niluforalways@xxxxxxxxx>
> To: "Duncan" <drack@xxxxxxxxxx>; "General Red Hat Linux discussion list"
> <redhat-list@xxxxxxxxxx>
> Sent: Wednesday, July 28, 2004 2:31 PM
> Subject: Re: SendMail sending garbage mails
>
>
> > Hi Duncan,
> >
> > yeah I have configured IPtables firewall on that
> > machine and blocked incoming packtes for other ports
> > except 25 port and 110
> > but not blocked loopback do u feel this problem is
> > because of loopback
> >
> > Regards
> > Nilesh
> >
> >
> >
> > --- Duncan <drack@xxxxxxxxxx> wrote:
> >
> > > > Hi friends,
> > > >
> > > > I have some problems with my sendmail server.
> > > > it has sending some garbage mails to outside and
> > > that
> > > > mails bouncing back to on different user that is
> > > not
> > > > existing users.
> > > > the error are like
> > > > ----- The following addresses had permanent fatal
> > > > errors -----
> > > > vbqdfwhgvokn@xxxxxxxxxx
> > > >     (reason: 550 5.5.1 No such user here)
> > > >
> > > >    ----- Transcript of session follows -----
> > > > ... while talking to data2.centrum.cz.:
> > > >
> > > > > > > > > > DATA
> > > >
> > > > <<< 550 5.5.1 No such user here
> > > > 550 5.1.1 vbqdfwhgvokn@xxxxxxxxxxxxx User unknown
> > > > <<< 503 5.5.2 Waiting for RCPT command
> > > >
> > > > Subject:
> > > > Returned mail: see transcript for details
> > > > From:
> > > > Mail Delivery Subsystem <MAILER-DAEMON>
> > > > Date:
> > > > Thu, 15 Jul 2004 21:14:34 +0530
> > > > To:
> > > > vbqdfwhgvokn@xxxxxxxxxx
> > > >
> > > > The original message was received at Thu, 15 Jul
> > > 2004
> > > > 21:14:34 +0530
> > > > from root@localhost
> > > >
> > > >    ----- The following addresses had permanent
> > > fatal
> > > > errors -----
> > > > craig@xxxxxxx
> > > >     (reason: 550 5.1.1 User unknown)
> > > >    ----- Transcript of session follows -----
> > > > 550 5.1.1 craig@xxxxxxxxxx User unknown
> > > >
> > > > could any one please tell me how to stop this.
> > > > redhat-list mailing list
> > > > unsubscribe
> > mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> > > >
> > > https://www.redhat.com/mailman/listinfo/redhat-list
> > >
> > > Well you definately need a firewall on your loopback
> > > interface which does
> > > not allow outside packets to connect  except  yo ISP
> > > to smtp port
> > > etc..Basically do not allow packets from the outside
> > > .Else u have a machibe
> > > in your LAN with a virus that is spamming , u iwll
> > > have to monitor your
> > > maillog .
> > > Wat do others think ????
> > > Rgds
> > >
> > > Duncan Rack
> > >
> > >
> > > --
> > > redhat-list mailing list
> > > unsubscribe
> > mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> > > https://www.redhat.com/mailman/listinfo/redhat-list
> >
> >
> >
> >
> >
> > __________________________________
> > Do you Yahoo!?
> > New and Improved Yahoo! Mail - 100MB free storage!
> > http://promotions.yahoo.com/new_mail
>
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list


--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list