Date: Sat, 06 May 2000 14:13:41 +0900
From: horio shoichi <horio@acm.org>
To: David Babler <root@Rigel.orionsys.com>
Cc: Jim Durham <durham@w2xo.pgh.pa.us>, freebsd-security@FreeBSD.ORG
Subject: Re: I got spammed from my localhost..
Message-ID: <200005060515.OAA14105@ogyo.pointer-software.com>
References: <Pine.BSF.4.21.0005051018140.2061-100000@Rigel.orionsys.com>
David Babler wrote:
>
> On Thu, 4 May 2000, Jim Durham wrote:
>
> > I discovered when I went to read my e-mail this evening a bunch of
> > mail from my Mailer-Daemon for non-existent addresses and such for
> > mail that I did not send.
> >
> > I found that someone has been relaying through my sendmail all day
> > long. He is appearing as "localhost" which is an allowable address
> > to relay in my access database for sendmail.
>
> You have two significant errors. First, your sendmail is operating as an
> Open Relay, which is why you are or were hammered by spammers. You're also
> likely to show up on one or more blacklists because of that, though you
> currently aren't on the major ones. The second is that your configuration
> also makes you an ANONYMOUS relay, because you're resolving all legitimate
> SMTP contacts as coming from localhost. See the complete relay test
> message below... the significant line (other than the fact you're an open
> relay in the first place) is:
>
> Received: from Rigel.orionsys.com (localhost [127.0.0.1])
>         by w2xo.pgh.pa.us (8.9.3/8.9.3) with SMTP id QAA46683
>         for <postmaster@rigel.orionsys.com>; Fri, 5 May 2000 16:57:08 GMT
>         (envelope-from nobody@w2xo.pgh.pa.us)
>
> Note that sendmail is reversing the incoming contact, which should be
> "Rigel.orionsys.com [205.148.224.9]" in this case, to "(localhost
> [127.0.0.1])". This is why it relays; sendmail believes all email
> originates locally regardless of reality. Looks like a DNS/hostname
> problem.
>
> -Dave
>
> ---- Test Message

Sorry to ask this, but did you send the test message without mangling 'From '?
The following message appeared in my mailbox, and it took me a few 'serious' seconds.
horio shoichi

: From - Sat May 6 12:06:10 2000
: Received: from w2xo.pgh.pa.us (ipl-229-026.npt-sdsl.stargate.net
:         [208.223.229.26])
:         by Rigel.orionsys.com (8.9.3/8.9.3) with ESMTP id KAA06269
:         for <postmaster@rigel.orionsys.com>; Fri, 5 May 2000 10:13:26 -0700 (PDT)
:         (envelope-from nobody@w2xo.pgh.pa.us)
: From: nobody@w2xo.pgh.pa.us
: X-Envelope-From: nobody@w2xo.pgh.pa.us
: X-Envelope-To: <postmaster@rigel.orionsys.com>
: Received: from Rigel.orionsys.com (localhost [127.0.0.1])
:         by w2xo.pgh.pa.us (8.9.3/8.9.3) with SMTP id QAA46683
:         for <postmaster@rigel.orionsys.com>; Fri, 5 May 2000 16:57:08 GMT
:         (envelope-from nobody@w2xo.pgh.pa.us)
: To: postmaster@rigel.orionsys.com
: Subject: test for susceptibility to third-party mail relay
: Date: Fri, 05 May 2000 16:56:58 GMT
: Message-Id: <rlytest-957545818-5032@Rigel.orionsys.com>
: Sender: dbabler@rigel.orionsys.com
: Status:
: X-Mozilla-Status: 8001
: X-Mozilla-Status2: 00000000
: X-UIDL: 387ac1b900005e1c
:
: This is a test of third-party mail relay, generated by the
: "rlytest" <URL: http://www.unicom.com/sw/#rlytest> utility.
:
: Target host = w2xo.pgh.pa.us
: Test performed by <dbabler@Rigel.orionsys.com>
:
: A well-configured mail server should NOT relay third-party email.
: Otherwise, the server is subject to attack and hijack by Internet
: vandals and spammers.
:
: For information on how to secure a mail server against third-party
: relay, visit <URL: http://maps.vix.com/tsi/>.
:
: Relay: 206.210.78.220
: 200005050956
:
:
:
:
: To Unsubscribe: send mail to majordomo@FreeBSD.org
: with "unsubscribe freebsd-security" in the body of the message
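The two symptoms Dave points at in the test message, a peer logged as "localhost [127.0.0.1]" even though it announced itself as another host, and mail accepted "for" a domain the receiving host does not serve, can both be read straight out of the Received headers. The following Python is an added example written for this archive page; it is not code from the thread, from rlytest, or from sendmail. It parses the sendmail 8.9 Received clause layout and runs over the two headers quoted above (copied verbatim, unfolded). The `serves_domain` rule (a host accepts mail for itself and its parent domain) is a stand-in assumption for a real list of local domains, and the `bogus-localhost-ptr` sample header is constructed.

```python
"""Flag the open-relay symptoms visible in sendmail Received headers."""
import re
from typing import Optional

# Clause layout sendmail 8.9 writes:
#   from <HELO name> (<reverse-DNS name> [<IP>]) by <receiving host> ... for <recipient>
RECEIVED_RE = re.compile(
    r"\bfrom\s+(?P<helo>\S+)\s+\((?P<ptr>[^\s\[\]]+)\s+\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
    r"(?:.*?\bfor\s+<(?P<rcpt>[^>]+)>)?",
    re.DOTALL,
)

# Sample input: the two Received headers quoted in the message above,
# copied verbatim with the line folding removed.
HEADER_INBOUND = (
    "Received: from w2xo.pgh.pa.us (ipl-229-026.npt-sdsl.stargate.net "
    "[208.223.229.26]) by Rigel.orionsys.com (8.9.3/8.9.3) with ESMTP id "
    "KAA06269 for <postmaster@rigel.orionsys.com>; Fri, 5 May 2000 10:13:26 "
    "-0700 (PDT) (envelope-from nobody@w2xo.pgh.pa.us)"
)
HEADER_RELAYED = (
    "Received: from Rigel.orionsys.com (localhost [127.0.0.1]) "
    "by w2xo.pgh.pa.us (8.9.3/8.9.3) with SMTP id QAA46683 "
    "for <postmaster@rigel.orionsys.com>; Fri, 5 May 2000 16:57:08 GMT "
    "(envelope-from nobody@w2xo.pgh.pa.us)"
)
# Constructed header (not from the thread): PTR says localhost, address does not.
HEADER_BOGUS_PTR = (
    "Received: from mail.example.com (localhost [203.0.113.5]) "
    "by mx.example.org (8.9.3/8.9.3) with ESMTP id AAA00001 "
    "for <user@example.org>; Fri, 5 May 2000 17:00:00 GMT"
)


def parse_received(header: str) -> Optional[dict]:
    """Return helo/ptr/ip/by/rcpt from one (possibly folded) Received header."""
    if header.lower().startswith("received:"):
        header = header.split(":", 1)[1]
    m = RECEIVED_RE.search(" ".join(header.split()))  # unfold, collapse whitespace
    return m.groupdict() if m else None


def is_loopback(ip: str) -> bool:
    return ip.startswith("127.") or ip == "::1"


def serves_domain(receiving_host: str, rcpt_host: str) -> bool:
    """Assumption standing in for the MTA's local-domain list: a host accepts
    mail for itself and for its parent domain (w2xo.pgh.pa.us -> *.pgh.pa.us)."""
    parent = receiving_host.split(".", 1)[1] if "." in receiving_host else receiving_host
    return rcpt_host in (receiving_host, parent) or rcpt_host.endswith("." + parent)


def analyze(header: str) -> list:
    """Return a list of (code, detail) findings for one Received header."""
    r = parse_received(header)
    if r is None:
        return [("unparsed", "header does not match the sendmail clause layout")]
    helo, ptr, ip, by = r["helo"].lower(), r["ptr"].lower(), r["ip"], r["by"].lower()
    findings = []
    # Symptom 1: peer recorded as loopback, yet it said HELO as a different host.
    # A genuine local submission would HELO as the receiving host; this pattern
    # means the MTA's lookup of every peer collapses to localhost, so every peer
    # passes the "relay from local host" check.
    if is_loopback(ip) and helo not in (by, "localhost"):
        findings.append(("loopback-helo-mismatch",
                         f"peer logged as {ptr} [{ip}] but said HELO {helo} to {by}"))
    # Symptom 2: reverse-DNS name claims localhost for a non-loopback address.
    if ptr == "localhost" and not is_loopback(ip):
        findings.append(("bogus-localhost-ptr", f"{ip} resolved to localhost"))
    # Symptom 3: accepted for a recipient outside the receiving host's domains
    # from a peer that is not the host itself: a third-party relay.
    if r["rcpt"] and "@" in r["rcpt"]:
        rcpt_host = r["rcpt"].split("@", 1)[1].lower()
        if not serves_domain(by, rcpt_host) and helo != by:
            findings.append(("third-party-relay",
                             f"{by} accepted mail for {rcpt_host} from {helo}"))
    return findings


if __name__ == "__main__":
    for name, hdr in (("inbound", HEADER_INBOUND), ("relayed", HEADER_RELAYED),
                      ("bogus-ptr", HEADER_BOGUS_PTR)):
        print(name, analyze(hdr) or "no findings")
```

On the relayed header the script reports both `loopback-helo-mismatch` and `third-party-relay`; on the inbound hop into Rigel it reports nothing, since the recipient is local to the receiving host. The domain rule is a heuristic: a legitimate MX or smart host relays for domains it is configured to serve, so in practice `serves_domain` should consult the MTA's own local-domain and relay-domain lists rather than guessing from the hostname.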