Re: SendMail sending garbage mails

From: Steve Phillips (steve_at_focb.co.nz)
Date: 07/29/04

    Date: Wed, 28 Jul 2004 21:00:19 -0500 (CDT)
    To: General Red Hat Linux discussion list <redhat-list@redhat.com>

    On Wed, 28 Jul 2004, Duncan wrote:

    > if it was ipchains you would do the following ;
    >
    > #allowing localhost
    > /sbin/ipchains -A input -j ACCEPT -p all -s localhost -d localhost -i lo
    > /sbin/ipchains -A output -j ACCEPT -p all -s localhost -d localhost -i lo
    >
    > #Deny packets from internet claiming to be from localhost and log
    > /sbin/ipchains -A input -j REJECT -p all -s localhost -i ppp+ -l
    >
    > Basically that should solve your problems for now, that is if you don't have a
    > machine on your LAN spamming
    > Rgds

    Except for the fact that the e-mails in question that generated the bounce
    message may not have even originated from his machine. The original e-mail
    does not have enough information about the setup to allow one to deduce
    whether a "firewall" would help or not, and randomly adding iptables rules
    will usually do more harm than good.

    There are two probable scenarios. One is that the MX host being delivered
    to is accepting all mail for that domain and then trying to pass it on to
    the final recipient; the final recipient generates a 5xx message (perm
    failure) and the message then gets bounced back to the (apparent)
    originator, who happens to be someone else - this is usually known as a joe
    job and is pretty much impossible to stop. It's also probably not that
    likely, but without more information it's hard to say. It is possible to do
    this easily with smart relay hosts that collect mail for a domain and then
    pass it on.

    The other scenario is that something on his network (including the mail
    system itself) is allowing an external source to relay mail through his
    mail system. This could be via an open proxy, trojan, virus or other such
    nasty. In order to find out if this is the case he should look in his logs
    for outbound mail and track back where the sender was - if it was
    localhost then look for an open proxy or other nasty on the mail machine
    itself (firewalls allowing all from localhost won't stop this), and if it
    was from a machine on the network then investigate further on that machine
    (anti-virus software would be a good start) - also check that you have not
    turned your mail server into an open relay, as that would be bad [tm]. In
    this case adding the firewall rules will simply stop the users/PCs from
    relaying mail, and while it will prevent bad mail going out it will also
    prevent good mail from going out, and so isn't really a workable solution.

    Added to this - if your ISP or your firewall/filtering is allowing
    obviously spoofed traffic through onto your network then there is
    something wrong and you should complain to your provider/network admin
    etc. I would be surprised if your box allowed obviously spoofed traffic in
    by default, but stranger things can happen.

    -- 
    Steve.
    >
    > Duncan
    > ----- Original Message -----
    > From: "Nilesh" <niluforalways@yahoo.com>
    > To: "Duncan" <drack@mweb.co.zw>; "General Red Hat Linux discussion list"
    > <redhat-list@redhat.com>
    > Sent: Wednesday, July 28, 2004 2:31 PM
    > Subject: Re: SendMail sending garbage mails
    >
    >
    >> Hi Duncan,
    >>
    >> yeah I have configured an IPtables firewall on that
    >> machine and blocked incoming packets for other ports
    >> except port 25 and 110
    >> but not blocked loopback. do you feel this problem is
    >> because of loopback
    >>
    >> Regards
    >> Nilesh
    >>
    >> --- Duncan <drack@mweb.co.zw> wrote:
    >>
    >>>> Hi friends,
    >>>>
    >>>> I have some problems with my sendmail server.
    >>>> It has been sending some garbage mails to outside and
    >>>> those mails are bouncing back to different users that
    >>>> are not existing users.
    >>>> The errors are like
    >>>> ----- The following addresses had permanent fatal
    >>>> errors -----
    >>>> vbqdfwhgvokn@centrum.cz
    >>>>     (reason: 550 5.5.1 No such user here)
    >>>>
    >>>>    ----- Transcript of session follows -----
    >>>> ... while talking to data2.centrum.cz.:
    >>>> >>> DATA
    >>>> <<< 550 5.5.1 No such user here
    >>>> 550 5.1.1 vbqdfwhgvokn@centrum.cz... User unknown
    >>>> <<< 503 5.5.2 Waiting for RCPT command
    >>>>
    >>>> Subject:
    >>>> Returned mail: see transcript for details
    >>>> From:
    >>>> Mail Delivery Subsystem <MAILER-DAEMON>
    >>>> Date:
    >>>> Thu, 15 Jul 2004 21:14:34 +0530
    >>>> To:
    >>>> vbqdfwhgvokn@centrum.cz
    >>>>
    >>>> The original message was received at Thu, 15 Jul 2004
    >>>> 21:14:34 +0530
    >>>> from root@localhost
    >>>>
    >>>>    ----- The following addresses had permanent fatal
    >>>> errors -----
    >>>> craig@abc.net
    >>>>     (reason: 550 5.1.1 User unknown)
    >>>>    ----- Transcript of session follows -----
    >>>> 550 5.1.1 craig@abc.net... User unknown
    >>>>
    >>>> could any one please tell me how to stop this.
    >>>
    >>> Well you definitely need a firewall on your loopback
    >>> interface which does not allow outside packets to connect
    >>> except your ISP to smtp port etc. Basically do not allow
    >>> packets from the outside. Else you have a machine in your
    >>> LAN with a virus that is spamming; you will have to monitor
    >>> your maillog.
    >>> What do others think ????
    >>> Rgds
    >>>
    >>> Duncan Rack
    -- 
    redhat-list mailing list
    unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
    https://www.redhat.com/mailman/listinfo/redhat-list
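One way to act on the advice above about looking in the logs for outbound mail and tracking back where the sender was, as an added example that is not part of the thread: the script below parses sendmail maillog lines (a constructed sample, not real logs), classifies where each message entered the MTA from its relay= field (a local process on localhost, an RFC1918 LAN host, or an outside address), and lists messages that came in from outside and went back out to a non-local domain, which is what an open relay looks like in the log. LOCAL_DOMAINS and LAN_NETS are assumptions made for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Assumed for this example: the domains this MTA accepts mail for, and RFC1918 as "the LAN".
LOCAL_DOMAINS = {"example.org"}
LAN_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample maillog lines; queue IDs, hosts and addresses are made up.
SAMPLE_LOG = """\
Jul 15 21:14:34 mx sendmail[4101]: i6FFidwq004101: from=<root@localhost>, size=812, nrcpts=1, relay=root@localhost
Jul 15 21:14:35 mx sendmail[4102]: i6FFidwq004101: to=<vbqdfwhgvokn@centrum.cz>, mailer=esmtp, relay=data2.centrum.cz. [10.9.8.7], dsn=5.1.1, stat=User unknown
Jul 15 21:15:02 mx sendmail[4110]: i6FFjAxr004110: from=<sales@example.org>, size=1200, nrcpts=1, relay=[192.168.1.17]
Jul 15 21:15:03 mx sendmail[4111]: i6FFjAxr004110: to=<craig@abc.net>, mailer=esmtp, relay=mx.abc.net. [10.1.1.1], dsn=5.1.1, stat=User unknown
Jul 15 21:16:40 mx sendmail[4120]: i6FFkexx004120: from=<joe@elsewhere.test>, size=900, nrcpts=1, relay=[203.0.113.44]
Jul 15 21:16:41 mx sendmail[4121]: i6FFkexx004120: to=<someone@centrum.cz>, mailer=esmtp, relay=data2.centrum.cz. [10.9.8.7], dsn=2.0.0, stat=Sent
"""
# Under one queue ID sendmail logs a from= line (its relay= is who handed the message in) and a to= line per recipient.
FROM_RE = re.compile(r"sendmail\[\d+\]: (\w+): from=<([^>]*)>.*?relay=(.+?)(?:,|$)")
TO_RE = re.compile(r"sendmail\[\d+\]: (\w+): to=<([^>]*)>")

def classify_relay(relay):
    """Where the message entered the MTA: a local process, a LAN host, or outside."""
    if "@localhost" in relay or relay.startswith("localhost"):
        return "localhost"
    m = re.search(r"\[(\d+\.\d+\.\d+\.\d+)\]", relay)
    if not m:
        return "unknown"
    ip = ip_address(m.group(1))
    if ip.is_loopback:
        return "localhost"
    return "lan" if any(ip in net for net in LAN_NETS) else "external"

def trace_origins(log_text):
    """Map queue ID -> sender, inbound relay, origin class and recipient list."""
    msgs = defaultdict(lambda: {"sender": None, "relay": None, "origin": "unknown", "recipients": []})
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            qid, sender, relay = m.groups()
            msgs[qid].update(sender=sender, relay=relay, origin=classify_relay(relay))
            continue
        m = TO_RE.search(line)
        if m:
            msgs[m.group(1)]["recipients"].append(m.group(2))
    return dict(msgs)

def open_relay_suspects(msgs):
    """Queue IDs that came in from outside and went out again to a non-local domain."""
    return sorted(q for q, m in msgs.items() if m["origin"] == "external"
                  and any(r.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS for r in m["recipients"]))
```

Messages whose origin is "localhost" point at something on the mail machine itself; "lan" origins name the workstation to inspect, and anything returned by open_relay_suspects means the relaying rules need checking.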
    
