Sendmail / Exchange denial of service attack

deepeyes
user
Posts: 14
Joined: Wed Feb 18, 2004 5:08 pm
Location: Sydney Australia

Post by deepeyes » Sun Feb 22, 2004 9:06 pm

Hi guys, here is another problem (soon Void Main might change my login name to leech; I have tried to get in on some other posts, but you're too damn quick, Void).

I have another site I look after... let's call it example.com.au.
It has an RH 8.0 firewall running sendmail, which then forwards mail to the Exchange server on an NT box inside the network. It all works well; we have a lot of spamming problems, and I use /etc/mail/access to block out spam. At the moment I can't keep up with the constant emails to non-users.

If you send an email to sales@example.com.au it goes to sales; if you send an email to unknownuser@example.com.au, sendmail passes it through to the Exchange box, Exchange says "no, don't know them", sends admin@example.com.au (me) an email, then rejects the email. At the moment I am having to reboot the NT box twice a week as Exchange falls over (not hard, I know, but it's old legacy... can't lose it just yet... we need a Linux Exchange!). Anyway, my question is...

Is there a way to get sendmail to only forward valid users' email?

I thought about taking example.com.au RELAY out of /etc/mail/access and replacing it with all the valid users?

Thanks guys, I do appreciate it; I find it so hard to search Google with a unique problem sometimes. Haven't had time to get into the Apache post yet; will get onto it soon.

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Sun Feb 22, 2004 9:54 pm

I don't think you can do that in the access file. I believe the /etc/mail/access file is only for taking action on "from" email and IP/domain addresses. I have over 2100 lines in my access file right now that are mostly IP address ranges that I am blocking. I add to the file as I get spam that slips through my dnsbl rules. Are you using any dnsbl (RBL) type of filtering? My favorite one shut down about a year ago and now I am using two in my /etc/mail/sendmail.mc:

Code:

FEATURE(`dnsbl', `dnsbl.njabl.org', `"550 Mail from " $&{client_addr} " believed by http://njabl.org to be spam and rejected; see http://www.mydomain.com/mail/"')
FEATURE(`dnsbl', `relays.ordb.org', `"550 Mail from " $&{client_addr} " believed by relays.ordb.org to be spam and rejected; see http://www.mydomain.com/mail/"')

I also have set up Sendmail servers as front-end boxes to Exchange for a company. I set up two machines, a primary and a backup, in their DMZ. They would accept mail from the internet and forward it on to the Exchange server, which had its SMTP port forwarded and only accepted connections from the two Linux servers. It also handled multiple domains and users, very much like the way yours sounds. They didn't have a problem with the sendmail server crapping out though that I recall (at least not for that reason). But back then relays.osirusoft.com was still up and really blocked most of the spam. I think they were blocking several thousand messages a day, where now a lot more get through.

Probably the best thing you can do is look into a filter like SpamAssassin. I personally have never run it so I can't provide much more information on it other than that article. Of course I am assuming that most of this problematic mail you are getting is spam, or is that not a correct assumption?

Now, more directly to your original question about only forwarding mail if it is to a valid user, I'll bet there is a way to do it. Of course you'll need a way to get the valid list to the Sendmail server (should be an easy task). I'll have to dig a little and see what I can come up with (won't happen tonight though).
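The per-recipient idea deepeyes floated in the first post, worked through as an added example (this is not code from either poster): drop the bare `example.com.au RELAY` line and write one tagged `To:` entry per valid mailbox instead, so the Sendmail front end answers RCPT TO for an unknown user with a 550 and Exchange never sees the message, generates no NDR and sends no admin mail. It assumes sendmail 8.12 (Red Hat 8.0's version; the thread never states it) with FEATURE(`access_db') and FEATURE(`mailertable') in sendmail.mc. The domain, the internal host name exchange.internal and the user list are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): generate per-recipient RELAY entries for
# /etc/mail/access so that the Sendmail front end refuses unknown recipients at
# RCPT TO instead of handing them to Exchange, which then has to bounce them.
# Assumes sendmail 8.12 with FEATURE(`access_db') and FEATURE(`mailertable'),
# as on Red Hat 8.0. Domain, host name and user list are illustrative.

DOMAIN=example.com.au
EXCHANGE=exchange.internal        # hypothetical internal name of the NT box

# Constructed list of valid mailboxes; in practice export it from Exchange.
VALID_USERS='sales
admin
info'

# One tagged entry per mailbox. Deliberately no bare "example.com.au RELAY"
# line: that would allow every recipient at the domain, so remove it from the
# existing access file (and keep the domain out of relay-domains and
# local-host-names, which would have the same effect). Anything else at the
# domain then gets "550 5.7.1 ... Relaying denied" at RCPT TO.
gen_access() {
    domain=$1
    printf '%s\n' "$2" | while IFS= read -r user; do
        [ -n "$user" ] || continue
        printf 'To:%s@%s\tRELAY\n' "$user" "$domain"
    done
}

# Routing stays as it is today: the domain is delivered to Exchange by
# mailertable. Square brackets skip the MX lookup for the internal host.
gen_mailertable() {
    printf '%s\tsmtp:[%s]\n' "$1" "$2"
}

# Number of entries produced; compare it with the size of the user export.
count_entries() {
    gen_access "$1" "$2" | wc -l | tr -d ' '
}

echo '# access entries:'
gen_access "$DOMAIN" "$VALID_USERS"
echo '# mailertable entry:'
gen_mailertable "$DOMAIN" "$EXCHANGE"
```

Remove the old `example.com.au RELAY` line first, then append the output to /etc/mail/access and rebuild the map with `makemap hash /etc/mail/access < /etc/mail/access`; if sendmail.mc changed, rebuild sendmail.cf with `m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf` (the sendmail-cf package has to be installed) and restart sendmail. Check it by hand with an SMTP session to port 25 from outside: after HELO and MAIL FROM, `RCPT TO:<nobody@example.com.au>` should get `550 5.7.1 ... Relaying denied` and `RCPT TO:<sales@example.com.au>` a 250. Two traps: if example.com.au is also listed in /etc/mail/relay-domains or /etc/mail/local-host-names the per-recipient entries are bypassed, and the list has to be regenerated whenever a mailbox is added on Exchange. If the domain were a virtual domain on the front end instead, sendmail's cf/README documents the same effect with virtusertable: list the valid users and finish with `@example.com.au error:nouser User unknown`.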


Post by deepeyes » Sun Feb 22, 2004 11:06 pm

Void Main,

No, I'm not using an RBL as I thought you had to pay for that?

It's not the sendmail server that dies, it's the Exchange server; I would get about 60-100 wrong names a day! I have gone through the logs and put some of the IPs and names in the /etc/mail/access file, but they use other names the next day... very frustrating. There is no message; they're just trying to hit "real" names, I believe.


Post by Void Main » Mon Feb 23, 2004 12:01 pm

deepeyes wrote: No, I'm not using an RBL as I thought you had to pay for that?

Some you do, some you don't. The ones in my sendmail.mc examples you don't.

deepeyes wrote: It's not the sendmail server that dies, it's the Exchange server; I would get about 60-100 wrong names a day!

I understood that, although that certainly doesn't sound like a high number, even for crashing an M$ system.

deepeyes wrote: I have gone through the logs and put some of the IPs and names in the /etc/mail/access file, but they use other names the next day... very frustrating. There is no message; they're just trying to hit "real" names, I believe.

The RBL lists will stop any spam coming from known open relay hosts. I don't understand what you mean by "there is no message". Are you saying the messages coming in only have a to and from address and no subject or body? I would be interested in seeing one of these messages (with all of the header info, if that were the case). There should be an easy way to block those types of messages. If it is the typical sort of spam that comes from infected Windows machines, I think SpamAssassin might catch a lot of it (but again, I don't have any real hands-on experience with it). And yes, it is frustrating, which is why I would just like to see all M$ software be banned from this earth (at least banned from touching the Internet).
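The DNSBL mechanism the post relies on, as an added example that is not from the thread: what a FEATURE(`dnsbl') line actually looks up, and a liveness check for the zone. The check matters because lists disappear: relays.ordb.org shut down in December 2006 and from March 2008 answered positively for every query, rejecting all mail on servers that still used it, and dnsbl.njabl.org was retired in 2013. The zone names, the fake lookup functions and the sample client address below are constructed; only lookup_dig talks to real DNS, and it needs dig installed and network access.

```shell
#!/bin/sh
# Added example (not from the thread): the lookup a FEATURE(`dnsbl') line makes,
# plus a liveness check for the zone. sendmail reverses the client's octets,
# appends the zone and asks for an A record; any 127.0.0.x answer means
# "listed" and the connection is rejected. Zone names here are placeholders.

# Query name for an IPv4 address in a zone: 192.0.2.10 -> 10.2.0.192.<zone>
dnsbl_query_name() {
    ip=$1; zone=$2
    (
        IFS=.
        set -- $ip
        [ $# -eq 4 ] || exit 1
        printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
    )
}

# Real resolver: prints the A records for a name, one per line (needs dig).
lookup_dig() { dig +short A "$1" 2>/dev/null; }

# Constructed stand-ins so the check runs offline:
#   fake_live     a healthy zone that lists 192.0.2.10 and the 127.0.0.2 test entry
#   fake_dead     a zone that has gone away and answers nothing
#   fake_wildcard a zone that answers positively for everything
fake_live()     { case "$1" in 2.0.0.127.*) echo 127.0.0.2 ;; 10.2.0.192.*) echo 127.0.0.4 ;; esac; }
fake_dead()     { :; }
fake_wildcard() { echo 127.0.0.1; }

# Verdict for one client: prints "listed <answer>" (status 0) or "clean" (status 1).
# $3 names the lookup function to use (lookup_dig or one of the fakes).
dnsbl_verdict() {
    name=$(dnsbl_query_name "$1" "$2") || { echo "invalid address $1"; return 2; }
    answer=$("$3" "$name" | grep '^127\.' | head -n 1)
    if [ -n "$answer" ]; then
        echo "listed $answer"
    else
        echo "clean"
        return 1
    fi
}

# Liveness check from RFC 5782: a working zone lists 127.0.0.2 and does not
# list 127.0.0.1. Run it before trusting a zone and periodically afterwards:
# a dead zone silently stops blocking, a wildcarded one blocks every sender.
dnsbl_sane() {
    zone=$1; lookup=$2
    if ! dnsbl_verdict 127.0.0.2 "$zone" "$lookup" >/dev/null; then
        echo "$zone: test entry 127.0.0.2 not listed (zone dead or unreachable)"
        return 1
    fi
    if dnsbl_verdict 127.0.0.1 "$zone" "$lookup" >/dev/null; then
        echo "$zone: lists 127.0.0.1 (zone would reject every sender)"
        return 1
    fi
    echo "$zone: ok"
}

# Offline demonstration against the three constructed zones.
for pair in live.example:fake_live dead.example:fake_dead wild.example:fake_wildcard; do
    dnsbl_sane "${pair%%:*}" "${pair#*:}" || :
done
dnsbl_verdict 192.0.2.10 live.example fake_live || :
```

Against a real list, `dnsbl_sane dnsbl.example lookup_dig` is the check to run from cron; a zone that fails either half should come out of sendmail.mc the same day, because sendmail itself cannot tell a dead or wildcarded list from a healthy one.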


Post by deepeyes » Tue Feb 24, 2004 6:59 pm

OK Void, I have put the recommended changes into my sendmail file, and I am watching the log file... we will see what happens.

Also:

Those messages I was talking about did have spam files attached to them.

Q. Do you recommend whereabouts to put those FEATURE lines in the sendmail.mc file?


Post by Void Main » Tue Feb 24, 2004 7:29 pm

I don't believe it matters where those two lines go in your file. Can I assume you know how to regenerate your sendmail.cf with the m4 command after making the changes to your sendmail.mc?

After generating the new sendmail.cf and restarting sendmail you might want to watch your /var/log/maillog for rejected messages (search for parts of the reject text from the lines you added to the sendmail.mc). I think you have other problems with your Exchange server if only 50 messages in a day to nonexistent users can bring it down. :)
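Following the advice above to watch /var/log/maillog, an added example (not from the thread) that summarises sendmail's rejection lines. The log excerpt is constructed in the shape of sendmail 8.12's `ruleset=..., reject=...` entries, with invented host names, addresses, queue IDs and timestamps, so the functions can be exercised offline; the reject text in the dnsbl lines is the one from the sendmail.mc example earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): summarise what sendmail has been
# rejecting, from /var/log/maillog, once the dnsbl FEATURE lines are live.
# sendmail 8.12 logs every rejection as "ruleset=<name>, ..., relay=..., reject=<reply>";
# the sample below is constructed in that shape (host names, IPs, queue IDs and
# timestamps are invented) so the functions can be run offline.

LOG_SAMPLE='Feb 24 19:40:12 fw sendmail[2231]: i1O8eCAb002231: ruleset=check_relay, arg1=[192.0.2.10], arg2=192.0.2.10, relay=[192.0.2.10], reject=550 5.7.1 Mail from 192.0.2.10 believed by http://njabl.org to be spam and rejected; see http://www.mydomain.com/mail/
Feb 24 19:41:03 fw sendmail[2240]: i1O8f3Ab002240: ruleset=check_rcpt, arg1=<bob@example.com.au>, relay=[198.51.100.7], reject=550 5.7.1 <bob@example.com.au>... Relaying denied
Feb 24 19:41:05 fw sendmail[2240]: i1O8f5Ab002241: ruleset=check_rcpt, arg1=<carol@example.com.au>, relay=[198.51.100.7], reject=550 5.7.1 <carol@example.com.au>... Relaying denied
Feb 24 19:42:30 fw sendmail[2255]: i1O8gUAb002255: from=<list@example.net>, size=2048, class=0, nrcpts=1, msgid=<20040224@example.net>, proto=ESMTP, daemon=MTA, relay=mail.example.net [203.0.113.5]
Feb 24 19:43:11 fw sendmail[2260]: i1O8hBAb002260: ruleset=check_relay, arg1=[192.0.2.10], arg2=192.0.2.10, relay=[192.0.2.10], reject=550 5.7.1 Mail from 192.0.2.10 believed by http://njabl.org to be spam and rejected; see http://www.mydomain.com/mail/'

# Every function reads a log on stdin, so they work on the live file too:
#   rejects_by_ruleset < /var/log/maillog

# Rejections per check: check_relay covers the dnsbl lookups (done when the
# client connects), check_rcpt covers recipient checks such as relaying.
rejects_by_ruleset() {
    grep 'reject=' | sed -n 's/.*ruleset=\([^,]*\),.*/\1/p' | sort | uniq -c | sort -rn
}

# Rejections per connecting IP: repeat offenders are candidates for a
# Connect: entry in /etc/mail/access, which also saves the DNS lookup.
rejects_by_ip() {
    grep 'reject=' | sed -n 's/.*relay=[^[]*\[\([^]]*\)\].*/\1/p' | sort | uniq -c | sort -rn
}

# Recipients refused at RCPT TO: these are the addresses that would otherwise
# have been handed to Exchange to bounce.
refused_recipients() {
    grep 'ruleset=check_rcpt' | sed -n 's/.*arg1=<\([^>]*\)>.*/\1/p' | sort -u
}

# Total number of rejections, for a one-line daily figure.
reject_count() {
    grep -c 'reject='
}

echo '== rejections by ruleset =='
printf '%s\n' "$LOG_SAMPLE" | rejects_by_ruleset
echo '== rejections by client IP =='
printf '%s\n' "$LOG_SAMPLE" | rejects_by_ip
echo '== recipients refused =='
printf '%s\n' "$LOG_SAMPLE" | refused_recipients
```

A jump in check_relay rejections right after adding a dnsbl line is the expected sign that it is working; check_relay rejections for correspondents you know to be legitimate mean a list is too aggressive or has gone bad, and the `reject=` text tells you which list, since each FEATURE line carries its own message.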


Post by deepeyes » Mon Mar 01, 2004 6:31 pm

Yes Void, it seems to be working great. I will be there tomorrow so I can confirm that it's all good.

DE
