From owner-freebsd-security Fri May 5 22:15:16 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ogyo.pointer-software.com (ogyo.pointer-software.com [210.164.96.147]) by hub.freebsd.org (Postfix) with ESMTP id 1748637BD7A for ; Fri, 5 May 2000 22:15:05 -0700 (PDT) (envelope-from horio@acm.org)
Message-Id: <200005060515.OAA14105@ogyo.pointer-software.com>
Date: Sat, 06 May 2000 14:13:41 +0900
From: horio shoichi
Organization: pointer software
X-Mailer: Mozilla 4.7 [en] (X11; U; Linux 2.0.34 i686)
X-Accept-Language: ja, en
MIME-Version: 1.0
To: David Babler
Cc: Jim Durham, freebsd-security@FreeBSD.ORG
Subject: Re: I got spammed from my localhost..
References:
Content-Type: text/plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
X-Received: from acm.org (horio@char.near.this [10.0.172.11]) by long.near.this (8.9.3/8.9.3) with ESMTP id OAA18622; Sat, 6 May 2000 14:13:00 +0900 (JST)
X-Message-Id: <3913AA05.9427287F@acm.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

David Babler wrote:
>
> On Thu, 4 May 2000, Jim Durham wrote:
>
> > I discovered when I went to read my e-mail this evening a bunch of
> > mail from my Mailer-Daemon for non-existent addresses and such for
> > mail that I did not send.
> >
> > I found that someone has been relaying through my sendmail all day
> > long. He is appearing as "localhost" which is an allowable address
> > to relay in my access database for sendmail.
>
> You have two significant errors.
> First, your sendmail is operating as an
> Open Relay, which is why you are or were hammered by spammers. You're also
> likely to show up on one or more blacklists because of that, though you
> currently aren't on the major ones. The second is that your configuration
> also makes you an ANONYMOUS relay, because you're resolving all legitimate
> SMTP contacts as coming from localhost. See the complete relay test
> message below... the significant line (other than the fact you're an open
> relay in the first place) is:
>
> Received: from Rigel.orionsys.com (localhost [127.0.0.1])
>         by w2xo.pgh.pa.us (8.9.3/8.9.3) with SMTP id QAA46683
>         for ; Fri, 5 May 2000 16:57:08 GMT
>         (envelope-from nobody@w2xo.pgh.pa.us)
>
> Note that sendmail is reversing the incoming contact, which should be
> "Rigel.orionsys.com [205.148.224.9]" in this case, to "(localhost
> [127.0.0.1])". This is why it relays; sendmail believes all email
> originates locally regardless of reality. Looks like a DNS/hostname
> problem.
>
> -Dave
>
> ---- Test Message

Sorry to ask this, but did you send the test message without mangling 'From '? The following message appeared in my mailbox and took me a few 'serious' seconds.
horio shoichi

: From - Sat May 6 12:06:10 2000
: Received: from w2xo.pgh.pa.us (ipl-229-026.npt-sdsl.stargate.net
:         [208.223.229.26])
:         by Rigel.orionsys.com (8.9.3/8.9.3) with ESMTP id KAA06269
:         for ; Fri, 5 May 2000 10:13:26 -0700 (PDT)
:         (envelope-from nobody@w2xo.pgh.pa.us)
: From: nobody@w2xo.pgh.pa.us
: X-Envelope-From: nobody@w2xo.pgh.pa.us
: X-Envelope-To:
: Received: from Rigel.orionsys.com (localhost [127.0.0.1])
:         by w2xo.pgh.pa.us (8.9.3/8.9.3) with SMTP id QAA46683
:         for ; Fri, 5 May 2000 16:57:08 GMT
:         (envelope-from nobody@w2xo.pgh.pa.us)
: To: postmaster@rigel.orionsys.com
: Subject: test for susceptibility to third-party mail relay
: Date: Fri, 05 May 2000 16:56:58 GMT
: Message-Id:
: Sender: dbabler@rigel.orionsys.com
: Status:
: X-Mozilla-Status: 8001
: X-Mozilla-Status2: 00000000
: X-UIDL: 387ac1b900005e1c
:
: This is a test of third-party mail relay, generated by the
: "rlytest" utility.
:
: Target host = w2xo.pgh.pa.us
: Test performed by
:
: A well-configured mail server should NOT relay third-party email.
: Otherwise, the server is subject to attack and hijack by Internet
: vandals and spammers.
:
: For information on how to secure a mail server against third-party
: relay, visit .
:
: Relay: 206.210.78.220
: 200005050956
:
:
: To Unsubscribe: send mail to majordomo@FreeBSD.org
: with "unsubscribe freebsd-security" in the body of the message
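Dave's diagnosis, turned into a checker you can run over your own headers. This is an added example and is not code from the thread, from rlytest or from sendmail. It parses the two Received headers quoted above (copied from the test message, not constructed), flags the hop where the receiving MTA recorded an outside HELO name as "localhost [127.0.0.1]", and carries a deliberately simplified model of the sendmail access-map lookup (resolved client name with its parent domains, then the client IP with its dotted prefixes) so the effect of a "localhost RELAY" entry under a broken reverse lookup is visible. The function names, the LOCAL_NAMES set and the lookup order are my assumptions, not sendmail's exact rule sets.

```python
import ipaddress
import re

# Received: from <HELO name> (<reverse-resolved name> [<peer IP>]) by <host> ...
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# Names a correctly configured host may legitimately resolve a loopback peer to
# (assumed set; extend for your own site).
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Sample input: the two Received headers from the rlytest message quoted above.
SAMPLE_RECEIVED = [
    # Hop 1: Dave's machine receiving the bounced test from the relay.
    """Received: from w2xo.pgh.pa.us (ipl-229-026.npt-sdsl.stargate.net
        [208.223.229.26])
        by Rigel.orionsys.com (8.9.3/8.9.3) with ESMTP id KAA06269
        for ; Fri, 5 May 2000 10:13:26 -0700 (PDT)
        (envelope-from nobody@w2xo.pgh.pa.us)""",
    # Hop 2: the relay itself, which logged the outside client as localhost.
    """Received: from Rigel.orionsys.com (localhost [127.0.0.1])
        by w2xo.pgh.pa.us (8.9.3/8.9.3) with SMTP id QAA46683
        for ; Fri, 5 May 2000 16:57:08 GMT
        (envelope-from nobody@w2xo.pgh.pa.us)""",
]


def parse_received(header):
    """Unfold a Received header and pull out HELO name, rDNS name, peer IP, receiver."""
    text = " ".join(header.split())  # join continuation lines
    if text.lower().startswith("received:"):
        text = text[len("received:"):]
    m = RECEIVED_RE.search(text)
    if not m:
        return None
    return {
        "helo": m.group("helo"),
        "rdns": m.group("rdns") or "",
        "ip": m.group("ip"),
        "by": m.group("by"),
    }


def looks_like_anonymous_relay(hop):
    """True when the MTA recorded a loopback/local peer for a client that
    announced an outside name: the symptom Dave points at."""
    try:
        ip = ipaddress.ip_address(hop["ip"])
    except ValueError:
        return False
    if not (ip.is_loopback or hop["rdns"].lower() in LOCAL_NAMES):
        return False
    helo = hop["helo"].lower().rstrip(".")
    by = hop["by"].lower().rstrip(".")
    # A loopback peer is only plausible if the client is the receiving host
    # itself (local submission) or uses a local name.
    return helo not in LOCAL_NAMES and helo != by and not helo.endswith("." + by)


def audit(headers):
    """Return the receiving hosts whose Received line shows the symptom."""
    flagged = []
    for h in headers:
        hop = parse_received(h)
        if hop and looks_like_anonymous_relay(hop):
            flagged.append(hop["by"])
    return flagged


def access_allows_relay(access_map, rdns, ip):
    """Simplified model (assumption, not sendmail's own rule sets) of the
    access-map relay check: try the resolved client name and each parent
    domain, then the IP and each shorter dotted prefix; first hit decides."""
    labels = rdns.lower().rstrip(".").split(".") if rdns else []
    for i in range(len(labels)):
        val = access_map.get(".".join(labels[i:]))
        if val is not None:
            return val == "RELAY"
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        val = access_map.get(".".join(octets[:n]))
        if val is not None:
            return val == "RELAY"
    return False


if __name__ == "__main__":
    for h in SAMPLE_RECEIVED:
        hop = parse_received(h)
        verdict = "ANONYMOUS RELAY?" if looks_like_anonymous_relay(hop) else "ok"
        print(f"{hop['by']:<20} peer={hop['rdns'] or '-'} [{hop['ip']}] "
              f"helo={hop['helo']}: {verdict}")
    # With every client mis-resolved to localhost, a plain "localhost RELAY"
    # entry relays for anyone; with correct rDNS the same entry does not.
    acc = {"localhost": "RELAY"}
    print("broken rDNS  :", access_allows_relay(acc, "localhost", "127.0.0.1"))
    print("correct rDNS :", access_allows_relay(acc, "Rigel.orionsys.com", "205.148.224.9"))
```

Run it against the Received headers of a bounce you did not send: a hop whose peer is "localhost [127.0.0.1]" but whose HELO name is an outside host is the misresolution Dave describes, and the access-map model shows that no entry in the access database can be trusted until the resolver returns the real client name and address.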