Re: My FC3 machine appears to be compromised, please help



On 4/6/06, Les Mikesell <lesmikesell@xxxxxxxxx> wrote:
On Thu, 2006-04-06 at 08:21, Bob Brennan wrote:
On 4/6/06, Paul Howarth <paul@xxxxxxxxxxxx> wrote:
Bob Brennan wrote:
On 4/6/06, Paul Howarth <paul@xxxxxxxxxxxx> wrote:
Somebody has probably changed a DNS entry for theFamily.net so that
instead of or as well as A/MX records, there's a:

theFamily.net. CNAME wc.funnel.revenuedirect.com.akadns.net.

record. Sendmail properly rewrites addresses for @theFamily.net to
@wc.funnel.revenuedirect.com.akadns.net during the address
canonicalisation stage in this case.

Paul.

All of my DNS entries for all of my domains are managed at
mydomain.com (literally) and I have checked that everything on their
DNS server is correct and there are no canonical entries. The refused
email is being delivered correctly to my own server, so their DNS
records must be correct.

However it is within my own server that things are going wrong. I do
not have an active DNS server but use the "hosts" file instead. The
hosts file is accurate and unchanged.

As I said earlier I searched all files in /etc/ for any entries that
might rewrite anything to or even contain the words
wc.funnel.revenuedirect.com.akadns.net and found nothing.

Is there any other information I can give or look for that might help
narrow this down? Or tests I can do? Or clever magical incantation
command lines I can try?

Try DNS lookups for your domain on your machine:

$ dig domain.xxx mx
$ dig theFamily.net mx

If you gave the real domain name(s) it might help too as we can see what
DNS lookups from outside your network are like.

Paul.

You are correct Paul - the dig command gives:

;; ANSWER SECTION
thebrennan.net 56879 IN CNAME wc.traffic.puredns.com.
wc.traffic.puredns.com 23661 IN CNAME wc.funnel.revenuedirect.com.akadns.net.
wc.funnel.revenuedirect.com.akadns.net. 2 IN A 69.25.47.165
wc.funnel.revenuedirect.com.akadns.net. 2 IN A 66.150.161.58

with similar results for other domains on my server such as
mi-server.net. Any ideas as to how to correct this and how it
happened?

It is fairly common for ISPs to manage customer domains as
CNAMES into their own namespaces. Note that your inbound
email follows the MX record instead:

;; QUESTION SECTION:
;thebrennan.net. IN MX

;; ANSWER SECTION:
thebrennan.net. 2400 IN MX 0 mail.mi-server.net.
thebrennan.net. 2400 IN MX 10 mx1.sitelutions.com.
thebrennan.net. 2400 IN MX 20 mx2.sitelutions.com.

On outbound mail, sendmail normally reverse-resolves its
interface address to find its own name. You can override
that on the inbound side by providing all the domain names
it should accept in the /etc/mail/local-host-names file
and on the outbound side by uncommenting and editing the
MASQUERADE_AS(`mydomain.com')dnl line in /etc/mail/sendmail.mc.
Both changes require a restart of sendmail to take effect.

--
Les Mikesell
lesmikesell@xxxxxxxxx

Thanks for that Les. The mail.mi-server.net is the same IP as all of
my domains, I just use it as a generic pointer in case I chop and/or
change other names. Sitelutions is a mail backup service that is
hopefully gathering and saving my email as we speak, well worth the
$1.50/month because even though my FC3 system is fairly watertight
there is no telling how, why, or for how long some lowlife has
compromised Demon's nameservers.

bob
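As an added check (not code from the thread or from sendmail), the script below parses dig's ANSWER SECTION and follows the CNAME chain the way the MTA's address canonicalisation does, so an apex CNAME like the one found above is reported beside the MX records that inbound mail actually follows. The dig output is constructed from the records quoted in this thread, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed dig output modelled on the answers quoted in this thread
# (the wrapped CNAME line joined; MX answers included as in an ANY reply).
SAMPLE_DIG_OUTPUT = """
;; ANSWER SECTION:
thebrennan.net.     56879   IN  CNAME   wc.traffic.puredns.com.
wc.traffic.puredns.com.     23661   IN  CNAME   wc.funnel.revenuedirect.com.akadns.net.
wc.funnel.revenuedirect.com.akadns.net.     2   IN  A   69.25.47.165
wc.funnel.revenuedirect.com.akadns.net.     2   IN  A   66.150.161.58
thebrennan.net.     2400    IN  MX  0 mail.mi-server.net.
thebrennan.net.     2400    IN  MX  10 mx1.sitelutions.com.
thebrennan.net.     2400    IN  MX  20 mx2.sitelutions.com.
"""

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

def parse_answer_section(text):
    """Map owner name -> [(rrtype, rdata)] taken from dig's ANSWER SECTION."""
    rrsets, in_answer = defaultdict(list), False
    for line in text.splitlines():
        if line.startswith(";;"):            # section header: enter or leave the answer block
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        m = RR_LINE.match(line) if in_answer else None
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            rrsets[owner.lower().rstrip(".")].append((rtype, rdata.strip().rstrip(".")))
    return rrsets

def canonical_name(rrsets, name, max_hops=8):
    """Follow the CNAME chain as an MTA's address canonicalisation would."""
    chain, cur = [], name.lower().rstrip(".")
    while True:
        cnames = [r for t, r in rrsets.get(cur, []) if t == "CNAME"]
        if not cnames:
            return cur, chain            # terminal name; chain lists the aliases crossed
        chain.append(cur)
        cur = cnames[0].lower()
        if cur in chain or len(chain) > max_hops:
            raise ValueError("CNAME loop or over-long chain at " + cur)

def check_mail_domain(rrsets, domain):
    """Report whether sender addresses @domain would be rewritten, and to what."""
    domain = domain.lower().rstrip(".")
    canon, chain = canonical_name(rrsets, domain)
    mx = sorted((int(r.split()[0]), r.split()[1]) for t, r in rrsets.get(domain, []) if t == "MX")
    return {"domain": domain, "canonical": canon, "rewritten": canon != domain,
            "chain": chain, "mx": mx,
            # RFC 2181 s10.1: a CNAME owner may carry no other data, so an apex
            # CNAME alongside MX records is a zone error in its own right.
            "cname_conflicts_with_mx": bool(chain) and bool(mx)}
```

Feed it the real `dig yourdomain any` output to see whether outbound envelope sender addresses would be rewritten before reaching for local-host-names or MASQUERADE_AS.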

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list