Date:      Fri, 5 May 2000 10:25:42 -0700 (PDT)
From:      David Babler <root@Rigel.orionsys.com>
To:        Jim Durham <durham@w2xo.pgh.pa.us>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: I got spammed from my localhost..
Message-ID:  <Pine.BSF.4.21.0005051018140.2061-100000@Rigel.orionsys.com>
In-Reply-To: <39124044.EAB72303@w2xo.pgh.pa.us>



On Thu, 4 May 2000, Jim Durham wrote:

> I discovered when I went to read my e-mail this evening a bunch of
> mail from my Mailer-Daemon for non-existent addresses and such for
> mail that I did not send.
> 
> I found that someone has been relaying through my sendmail all day
> long. He is appearing as "localhost" which is an allowable address
> to relay in my access database for sendmail.

You have two significant errors. First, your sendmail is operating as an
Open Relay, which is why you are or were hammered by spammers. You're also
likely to show up on one or more blacklists because of that, though you
currently aren't on the major ones. The second is that your configuration
also makes you an ANONYMOUS relay, because you're resolving all legitimate
SMTP contacts as coming from localhost. See the complete relay test
message below... the significant line (other than the fact you're an open
relay in the first place) is:

  Received: from Rigel.orionsys.com (localhost [127.0.0.1])
	by w2xo.pgh.pa.us (8.9.3/8.9.3) with SMTP id QAA46683
	for <postmaster@rigel.orionsys.com>; Fri, 5 May 2000 16:57:08 GMT
	(envelope-from nobody@w2xo.pgh.pa.us)

Note that sendmail is reversing the incoming contact, which should be
"Rigel.orionsys.com [205.148.224.9]" in this case, to "(localhost
[127.0.0.1])". This is why it relays; sendmail believes all email
originates locally regardless of reality. Looks like a DNS/hostname
problem.

-Dave

---- Test Message
From nobody@w2xo.pgh.pa.us Fri May  5 10:17:42 2000
Received: from w2xo.pgh.pa.us (ipl-229-026.npt-sdsl.stargate.net
    [208.223.229.26])
	by Rigel.orionsys.com (8.9.3/8.9.3) with ESMTP id KAA06269
	for <postmaster@rigel.orionsys.com>; Fri, 5 May 2000 10:13:26 -0700 (PDT)
	(envelope-from nobody@w2xo.pgh.pa.us)
From: nobody@w2xo.pgh.pa.us
X-Envelope-From: nobody@w2xo.pgh.pa.us
X-Envelope-To: <postmaster@rigel.orionsys.com>
Received: from Rigel.orionsys.com (localhost [127.0.0.1])
	by w2xo.pgh.pa.us (8.9.3/8.9.3) with SMTP id QAA46683
	for <postmaster@rigel.orionsys.com>; Fri, 5 May 2000 16:57:08 GMT
	(envelope-from nobody@w2xo.pgh.pa.us)
To: postmaster@rigel.orionsys.com
Subject: test for susceptibility to third-party mail relay
Date: Fri, 05 May 2000 16:56:58 GMT
Message-Id: <rlytest-957545818-5032@Rigel.orionsys.com>
Sender: dbabler@rigel.orionsys.com

This is a test of third-party mail relay, generated by the
"rlytest" <URL: http://www.unicom.com/sw/#rlytest> utility.

    Target host = w2xo.pgh.pa.us
    Test performed by <dbabler@Rigel.orionsys.com>

A well-configured mail server should NOT relay third-party email.
Otherwise, the server is subject to attack and hijack by Internet
vandals and spammers.

For information on how to secure a mail server against third-party
relay, visit <URL: http://maps.vix.com/tsi/>.

Relay: 206.210.78.220
       200005050956
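The failure Dave describes above is that the relay decision is keyed on the *name* sendmail obtained by reverse-resolving the peer, and a broken resolver answered "localhost" for every address, so the "localhost RELAY" entry in the access map matched the whole Internet. The following script is an added example, not part of the original post or of sendmail itself. It does two things: it parses the two Received: hops from the quoted rlytest message and flags the hop where the receiving MTA logged a loopback peer that announced an unrelated HELO name, and it models a simplified name-keyed access map to show how a lying resolver turns a localhost entry into an open relay, and why keying the entry on the address (127.0.0.1) instead of the name closes that hole. The access-map matching, the resolvers and the PTR table are simplified stand-ins constructed for illustration; the only real-world values are the hostnames and addresses that appear in the message above.

```python
import ipaddress
import re

# Constructed sample: the two Received: hops from the relay-test message
# quoted above, with the folded lines joined so each hop is one string.
RECEIVED_HOPS = [
    "from w2xo.pgh.pa.us (ipl-229-026.npt-sdsl.stargate.net [208.223.229.26]) "
    "by Rigel.orionsys.com (8.9.3/8.9.3) with ESMTP id KAA06269",
    "from Rigel.orionsys.com (localhost [127.0.0.1]) "
    "by w2xo.pgh.pa.us (8.9.3/8.9.3) with SMTP id QAA46683",
]

# "from <HELO name> (<reverse DNS> [<peer address>]) by <receiving host>"
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s*\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def parse_received(value):
    """Return the helo/rdns/ip/by fields of a sendmail-style Received: hop,
    or None if the line is not in that shape."""
    m = HOP_RE.search(value)
    return m.groupdict() if m else None


def suspicious_loopback_hop(hop):
    """True when the receiving MTA recorded a loopback peer (by address or
    by the name 'localhost') but the peer said HELO as some other host.
    A genuine local submission would announce the receiving host itself."""
    try:
        addr = ipaddress.ip_address(hop["ip"])
    except ValueError:
        return False
    if not addr.is_loopback and hop["rdns"].lower() != "localhost":
        return False
    return hop["helo"].lower() != hop["by"].lower()


def audit_hops(hops):
    """Indexes of hops that look like the misresolved-localhost pattern."""
    flagged = []
    for i, raw in enumerate(hops):
        hop = parse_received(raw)
        if hop and suspicious_loopback_hop(hop):
            flagged.append(i)
    return flagged


# --- Simplified model of a name/address-keyed access map ------------------

def relay_allowed(access_db, peer_name, peer_ip):
    """A RELAY entry permits relaying if its key equals the peer address,
    or equals the peer's resolved name (or a parent domain of it)."""
    name = peer_name.lower()
    for key, action in access_db.items():
        if action != "RELAY":
            continue
        k = key.lower()
        if k == peer_ip or name == k or name.endswith("." + k):
            return True
    return False


# Hypothetical resolver that answers "localhost" for every address: this
# models the DNS/hostname fault the post describes.
def broken_resolver(ip):
    return "localhost"


# Constructed PTR table with the two addresses named in the post.
CORRECT_PTR = {"127.0.0.1": "localhost", "205.148.224.9": "Rigel.orionsys.com"}


def correct_resolver(ip):
    return CORRECT_PTR.get(ip, ip)  # unresolvable -> literal address


NAME_KEYED_DB = {"localhost": "RELAY", "w2xo.pgh.pa.us": "RELAY"}
ADDR_KEYED_DB = {"127.0.0.1": "RELAY", "w2xo.pgh.pa.us": "RELAY"}


def relay_decision(access_db, resolver, peer_ip):
    """Decide relaying for a peer the way the model access map would."""
    return relay_allowed(access_db, resolver(peer_ip), peer_ip)


if __name__ == "__main__":
    print("suspicious hops:", audit_hops(RECEIVED_HOPS))
    for label, db in (("name-keyed", NAME_KEYED_DB), ("addr-keyed", ADDR_KEYED_DB)):
        for rlabel, res in (("broken", broken_resolver), ("correct", correct_resolver)):
            print(label, rlabel, "205.148.224.9 ->",
                  relay_decision(db, res, "205.148.224.9"))
```

With the name-keyed map and the broken resolver, the external peer 205.148.224.9 is allowed to relay; the same map with a correct resolver refuses it, and the address-keyed map refuses it even while the resolver is lying, because the socket address cannot be spoofed by a bad PTR answer. The header audit flags the second hop, which is exactly the line Dave points at in his reply.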



