Re: [SLUG] Open mail relay?

From: Mark (mark@bish.net)
Date: Tue Jun 05 2001 - 12:11:44 EDT


You aren't relaying, but that doesn't stop someone from faking headers with
your domain in them, which would cause those mailers to bounce messages to
you.

This is a good time to bring up the fact that MAILER-DAEMON should point
to an account that is used in addition to root so you can see these
problems when they first come up.

On Tue, 5 Jun 2001, Aharon wrote:

> I am having an interesting morning to say the least. I host a few
> dedicated servers running Redhat 7.0.. They are all my servers.
>
> I rarely log in as root. Well last night, I needed to make some httpd
> changes. While running around as root I kept getting messages telling me
> of new mail arrival.. Which is funny because root shouldn't be getting tons
> of mail. I went into pine... Lo and behold, I have about 6000 email
> messages. Most are "Invalid user bounces", and spam notifications.
> Luckily, my domain hasn't been blacklisted yet.
>
> All my servers are behind a Nokia Checkpoint firewall appliance, the
> router is a Cisco 2600 series with IOS firewall as well. I consider my
> boxes pretty secure, few to no ports answer. Always up to the minute
> exploit patches. Plus, I am the only one that has all the login info for
> the servers. I don't run an ISP, they are mine. No customers or users.
>
> Did some extensive checking and searching of the boxes this morning, and
> am confident they have not been compromised.
>
> This leads me to believe that someone, a spammer, is relaying through me.
> I have telneted to sendmail directly, and cannot get my sendmail to relay
> by hand. It always responds with relaying denied. I have also used some
> of the web based relay testers, and they all agree that relaying will be
> denied.
>
> Can you guys give it a shot?? And try to relay through my mailserver? My
> domain is superfreeway.com, you can try mail.superfreeway.com.
>
> Anything else you think I should look for?
>
> I am attaching one of the bounced messages, so you can check out the
> headers. You can clearly see the superfreeway.com relayed the mail. The
> only thing I can think of is that the spammer is modifying their headers
> big time to make it appear as if it is coming from me.
>
> Another thing I have noticed is that all the bounced messages are going to
> nobody@superfreeway.com ... The only process which runs as nobody is
> httpd. But, this may be standard if sendmail has no idea where to send
> the bounce message.
>
> Here is a clip of one of the spam bounces:
>
> <<< 550 cyberdog25 IS NOT ACCEPTING MAIL FROM THIS SENDER
> 550 <cyberdog25@aol.com>... User unknown
> >>> RCPT To:<bluefish146@aol.com>
> <<< 550 bluefish146 IS NOT ACCEPTING MAIL FROM THIS SENDER
> 550 <bluefish146@aol.com>... User unknown
> >>> RCPT To:<avoidreflection@aol.com>
> <<< 550 MAILBOX NOT FOUND
> 550 <avoidreflection@aol.com>... User unknown
>
> [ Part 2: "Delivery Status" ]
>
> Reporting-MTA: dns; rly-xd05.mx.aol.com
> Arrival-Date: Thu, 17 May 2001 22:01:19 -0400 (EDT)
>
> Final-Recipient: RFC822; avoidreflection@aol.com
> Action: failed
> Status: 2.0.0
> Remote-MTA: DNS; air-xd01.mail.aol.com
> Diagnostic-Code: SMTP; 250 OK
> Last-Attempt-Date: Thu, 17 May 2001 22:01:32 -0400 (EDT)
>
> Final-Recipient: RFC822; bluefish146@aol.com
> Action: failed
> Status: 2.0.0
> Remote-MTA: DNS; air-xd01.mail.aol.com
> Diagnostic-Code: SMTP; 250 OK
> Last-Attempt-Date: Thu, 17 May 2001 22:01:32 -0400 (EDT)
>
> Final-Recipient: RFC822; cyberdog25@aol.com
> Action: failed
> Status: 2.0.0
> Remote-MTA: DNS; air-xd01.mail.aol.com
> Diagnostic-Code: SMTP; 250 OK
> Last-Attempt-Date: Thu, 17 May 2001 22:01:32 -0400 (EDT)
>
>
> [ Part 3: "Included Message" ]
>
> Received: from superfreeway.com ([63.140.74.35]) by rly-xd05.mx.aol.com
> (v77_r1.36) with ESMTP; Thu, 17 May 2001 22:01:18 2000
> Received: (from nobody@localhost)
> by superfreeway.com (8.11.0/8.11.0) id f4I1uKV18460;
> Thu, 17 May 2001 21:56:20 -0400
> Date: Thu, 17 May 2001 21:56:20 -0400
> Message-Id: <200105180156.f4I1uKV18460@superfreeway.com>
> To: AvoidReflection@aol.com, BarnesStarman@aol.com, Blacbird08@aol.com,
> BlueFish146@aol.com, Cyberdog25@aol.com
> From: New_Credit_4u@yahoo.com ()
> Subject: Re: New Credit
>
> Below is the result of your feedback form. It was submitted by
> (New_Credit_4u@yahoo.com) on Thursday, May 17, 2001 at 21:56:20
>
>
>
> --
> vgextend /dev/myself /dev/nichole /dev/sarah /dev/misty /dev/julie
> "I extend myself over many women - Aharon"
>
> Unix Administrator
> Tampa, Florida
>
> Websites:
> http://www.tamparacing.com
> http://www.ls6.com
> http://www.lastgen.com
>
>
>

------------------------------------------------------------------------
| Mark Bishop (mark@bish.net) | Computer Engineer |
| 813.258.2390 | Network Engineer |
| http://bish.net | Embedded Programmer |
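One way to check Mark's forged-headers theory against the bounce Aharon quoted, as an added example that is not part of either message: walk the Received: trail of the included message oldest hop first and report whether our MTA ever handled it and, if so, how the mail entered. The sample headers and hostnames are copied from the quoted bounce; the classification strings are my own.

```python
import re
from email import message_from_string

# Constructed sample: the Received: trail of the included message from the
# bounce quoted in the thread (folded exactly as sendmail/AOL wrote it).
SAMPLE_BOUNCED = """\
Received: from superfreeway.com ([63.140.74.35]) by rly-xd05.mx.aol.com
 (v77_r1.36) with ESMTP; Thu, 17 May 2001 22:01:18 2000
Received: (from nobody@localhost)
 by superfreeway.com (8.11.0/8.11.0) id f4I1uKV18460;
 Thu, 17 May 2001 21:56:20 -0400
From: New_Credit_4u@yahoo.com ()
Subject: Re: New Credit

Below is the result of your feedback form.
"""

# Matches both "from host (ip) by mta" and sendmail's local "(from user@localhost) by mta".
RECEIVED_RE = re.compile(
    r"\(?from\s+(?P<frm>\S+?)\)?(?:\s+\((?P<helo>[^)]*)\))?\s+by\s+(?P<by>\S+)")

def received_hops(raw_message):
    """Return (from, by) pairs oldest-first. MTAs prepend Received:, so the
    last header in the message is the first hop the mail took."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append((m.group("frm"), m.group("by").rstrip(";")))
    hops.reverse()
    return hops

def _is_host(name, my_host):
    name, my_host = name.lower(), my_host.lower()
    return name == my_host or name.endswith("." + my_host)

def classify_origin(raw_message, my_host):
    """Decide whether our MTA really handled the bounced message. Only Received:
    lines added by hosts we trust (our own MTA and the bouncing MTA) count as
    evidence; a sender can forge any lines below those."""
    hops = received_hops(raw_message)
    if not any(_is_host(by, my_host) for _, by in hops):
        return "forged: no Received line shows our MTA handling this message"
    first_from, first_by = hops[0]
    if _is_host(first_by, my_host):
        if first_from.endswith("@localhost"):
            return "injected locally on our MTA by " + first_from
        return "accepted by our MTA from " + first_from
    return "relayed through our MTA after entering elsewhere"

if __name__ == "__main__":
    print(classify_origin(SAMPLE_BOUNCED, "superfreeway.com"))
```

For the quoted bounce the oldest hop is "(from nobody@localhost) by superfreeway.com", so the trail says the message was handed to the local sendmail by the nobody user rather than being a forged sender domain that never touched the host; a purely forged From: would show no hop "by" superfreeway.com at all.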



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:55:37 EDT