[gentoo-user] OT - Concerns (possible security threat?)

2006-01-17 Thread Michael Sullivan
I'm concerned.  When I got out of the shower just now and came to check
my email, I didn't have any.  Concerned that sendmail might not be
running, I ps'd for it:

bullet mail # ps ax | grep 'sendmail'
 9939 ?        Ss     0:00 sendmail: Queue [EMAIL PROTECTED]:30:00 for /var/spool/clientmqueue
10305 ?        Ss     0:00 sendmail: accepting connections
10801 ?        S      0:00 sendmail: ./k0FKmpDE010833 gpeplpqel.shankscape.com.: user open
10810 pts/0    R+     0:00 grep sendmail


I see that sendmail is connected with gpeplpqel.shankscape.com.  I
assume that someone at that host is trying to send mail to my domain,
but I checked /var/spool/mail and I didn't see anything from them.  I
ps'd sendmail again and saw that they were no longer connected.  I
checked /var/log/maillog and see a bunch of these:

Jan 17 11:04:10 bullet sm-mta[10801]: k0FKmpDE010833: to=[EMAIL PROTECTED], delay=1+20:15:18, xdelay=00:03:10, mailer=esmtp, pri=8599167, relay=gpeplpqel.shankscape.com. [69.25.212.153], dsn=4.0.0, stat=Deferred: Connection timed out with gpeplpqel.shankscape.com.

Is there a way to make sure that unauthorized people are not sending
mail through my domain?


-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] OT - Concerns (possible security threat?)

2006-01-17 Thread John Jolet


On Jan 17, 2006, at 11:14 AM, Michael Sullivan wrote:

I'm concerned.  When I got out of the shower just now and came to check
my email, I didn't have any.  Concerned that sendmail might not be
running, I ps'd for it:

bullet mail # ps ax | grep 'sendmail'
 9939 ?        Ss     0:00 sendmail: Queue [EMAIL PROTECTED]:30:00 for /var/spool/clientmqueue
10305 ?        Ss     0:00 sendmail: accepting connections
10801 ?        S      0:00 sendmail: ./k0FKmpDE010833 gpeplpqel.shankscape.com.: user open
10810 pts/0    R+     0:00 grep sendmail


I see that sendmail is connected with gpeplpqel.shankscape.com.  I
assume that someone at that host is trying to send mail to my domain,
but I checked /var/spool/mail and I didn't see anything from them.  I
ps'd sendmail again and saw that they were no longer connected.  I
checked /var/log/maillog and see a bunch of these:

Jan 17 11:04:10 bullet sm-mta[10801]: k0FKmpDE010833: to=[EMAIL PROTECTED], delay=1+20:15:18, xdelay=00:03:10, mailer=esmtp, pri=8599167, relay=gpeplpqel.shankscape.com. [69.25.212.153], dsn=4.0.0, stat=Deferred: Connection timed out with gpeplpqel.shankscape.com.

Is there a way to make sure that unauthorized people are not sending
mail through my domain?


telnet yourdomain.com 25
helo somedomain.com
msg from someforeigndomain.com
rcpt to someotherforeigndomain.com

see if it slaps you down (note, I may have the msg from and rcpt to
backwards, always forget)




--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] OT - Concerns (possible security threat?)

2006-01-17 Thread Michael Sullivan
On Tue, 2006-01-17 at 11:20 -0600, John Jolet wrote:
 On Jan 17, 2006, at 11:14 AM, Michael Sullivan wrote:
 
  I'm concerned.  When I got out of the shower just now and came to check
  my email, I didn't have any.  Concerned that sendmail might not be
  running, I ps'd for it:
 
  bullet mail # ps ax | grep 'sendmail'
   9939 ?        Ss     0:00 sendmail: Queue [EMAIL PROTECTED]:30:00 for /var/spool/clientmqueue
  10305 ?        Ss     0:00 sendmail: accepting connections
  10801 ?        S      0:00 sendmail: ./k0FKmpDE010833 gpeplpqel.shankscape.com.: user open
  10810 pts/0    R+     0:00 grep sendmail
 
 
  I see that sendmail is connected with gpeplpqel.shankscape.com.  I
  assume that someone at that host is trying to send mail to my domain,
  but I checked /var/spool/mail and I didn't see anything from them.  I
  ps'd sendmail again and saw that they were no longer connected.  I
  checked /var/log/maillog and see a bunch of these:
 
  Jan 17 11:04:10 bullet sm-mta[10801]: k0FKmpDE010833: to=[EMAIL PROTECTED], delay=1+20:15:18, xdelay=00:03:10, mailer=esmtp, pri=8599167, relay=gpeplpqel.shankscape.com. [69.25.212.153], dsn=4.0.0, stat=Deferred: Connection timed out with gpeplpqel.shankscape.com.
 
  Is there a way to make sure that unauthorized people are not sending
  mail through my domain?
 
 telnet yourdomain.com 25
 helo somedomain.com
 msg from someforeigndomain.com
 rcpt to someotherforeigndomain.com
 
 see if it slaps you down (note, i may have the msg from and rcpt to  
 backwards, always forget)
 
 
 

I think I messed up the syntax somewhere:

camille ~ # telnet espersunited.com 25
Trying 64.149.52.102...
Connected to espersunited.com.
Escape character is '^]'.
220 bullet.espersunited.com ESMTP Sendmail 8.13.4/8.13.4; Tue, 17 Jan 2006 11:33:21 -0600
helo somedomain.com
250 bullet.espersunited.com Hello [192.168.1.1], pleased to meet you
msg from someforeigndomain.com
500 5.5.1 Command unrecognized: msg from someforeigndomain.com
rcpt to someotherforeigndomain.com
503 5.0.0 Need MAIL before RCPT


-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] OT - Concerns (possible security threat?)

2006-01-17 Thread John Jolet


On Jan 17, 2006, at 11:35 AM, Michael Sullivan wrote:


[snip]

I think I messed up the syntax somewhere:

camille ~ # telnet espersunited.com 25
Trying 64.149.52.102...
Connected to espersunited.com.
Escape character is '^]'.
220 bullet.espersunited.com ESMTP Sendmail 8.13.4/8.13.4; Tue, 17 Jan 2006 11:33:21 -0600
helo somedomain.com
250 bullet.espersunited.com Hello [192.168.1.1], pleased to meet you
msg from someforeigndomain.com
500 5.5.1 Command unrecognized: msg from someforeigndomain.com
rcpt to someotherforeigndomain.com
503 5.0.0 Need MAIL before RCPT



mail from instead of msg from.  My bad.





--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] OT - Concerns (possible security threat?)

2006-01-17 Thread kashani

Michael Sullivan wrote:

camille ~ # telnet espersunited.com 25
Trying 64.149.52.102...
Connected to espersunited.com.
Escape character is '^]'.
220 bullet.espersunited.com ESMTP Sendmail 8.13.4/8.13.4; Tue, 17 Jan 2006 11:33:21 -0600
helo somedomain.com
250 bullet.espersunited.com Hello [192.168.1.1], pleased to meet you
msg from someforeigndomain.com
500 5.5.1 Command unrecognized: msg from someforeigndomain.com
rcpt to someotherforeigndomain.com
503 5.0.0 Need MAIL before RCPT


mail from: rather than msg from:

I'd also try it from a machine not on your local network unless you 
don't allow local machines to relay. Your server will likely care much 
more about the src IP being in the allow list than using J Random domain 
as the sender.


kashani
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] OT - Concerns (possible security threat?)

2006-01-17 Thread Alec Shaner

Michael Sullivan wrote:

I'm concerned.  When I got out of the shower just now and came to check
my email, I didn't have any.  Concerned that sendmail might not be
running, I ps'd for it:


[snip]


Is there a way to make sure that unauthorized people are not sending
mail through my domain?




I used to use this test when I had a mail server:

telnet relay-test.mail-abuse.org
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] OT - Concerns (possible security threat?)

2006-01-17 Thread Michael Sullivan
On Tue, 2006-01-17 at 10:02 -0800, kashani wrote:
 Michael Sullivan wrote:
  camille ~ # telnet espersunited.com 25
  Trying 64.149.52.102...
  Connected to espersunited.com.
  Escape character is '^]'.
  220 bullet.espersunited.com ESMTP Sendmail 8.13.4/8.13.4; Tue, 17 Jan 2006 11:33:21 -0600
  helo somedomain.com
  250 bullet.espersunited.com Hello [192.168.1.1], pleased to meet you
  msg from someforeigndomain.com
  500 5.5.1 Command unrecognized: msg from someforeigndomain.com
  rcpt to someotherforeigndomain.com
  503 5.0.0 Need MAIL before RCPT
 
 mail from: rather than msg from:
 
 I'd also try it from a machine not on your local network unless you 
 don't allow local machines to relay. Your server will likely care much 
 more about the src IP being in the allow list than using J Random domain 
 as the sender.
 
 kashani

That's a bit difficult, seeing as I don't have access to a computer that
would have telnet installed and is outside my network...

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] OT - Concerns (possible security threat?) [SOLVED]

2006-01-17 Thread Michael Sullivan
On Tue, 2006-01-17 at 13:13 -0500, Alec Shaner wrote:
 Michael Sullivan wrote:
  I'm concerned.  When I got out of the shower just now and came to check
  my email, I didn't have any.  Concerned that sendmail might not be
  running, I ps'd for it:
  
 [snip]
  
  Is there a way to make sure that unauthorized people are not sending
  mail through my domain?
  
  
 
 I used to use this test when I had a mail server:
 
 telnet relay-test.mail-abuse.org

I ran the command; it tried to connect to my mail server to send spam,
but it didn't work, so I guess I'm okay.  Thanks!

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] OT - Concerns (possible security threat?)

2006-01-17 Thread kashani

Michael Sullivan wrote:
  That's a bit difficult, seeing as I don't have access to a computer that
  would have telnet installed and is outside my network...



Doing tests from your own network is the equivalent of going into your 
bathroom and then trying to break into your house to figure out if it's 
secure. You're just a little too likely to succeed. :) For the pedantic: 
yes, you can reconfigure your server to block local machines, which is 
what I'd recommend if you have no other choices.


I see you got it worked out, and that's a good little tester I can put in 
my bag o' tricks.


And for completeness this is the proper syntax at least for Postfix. 
qmail tends to be a bit weird from the command line IIRC.


popmail ~ # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 popmail.domain.com ESMTP Postfix
helo localhost
250 popmail.domain.com
mail from: [EMAIL PROTECTED]
250 Ok
rcpt to: [EMAIL PROTECTED]
250 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: Test test all day long
Test test while I sing this song
.
250 Ok: queued as 9791056D706
quit
221 Bye
Connection closed by foreign host.

kashani
--
gentoo-user@gentoo.org mailing list
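The relay probe John Jolet describes (HELO, MAIL FROM, RCPT TO with two foreign domains) and kashani's Postfix transcript, as one added Python example that is not from the thread: a constructed fake server stands in for the MTA so the check runs offline, and the verdict comes only from the RCPT TO reply. The host names, addresses and reply strings are assumptions for illustration, and smtp_send_factory is a small adapter for running the same exchange against a real port 25.

```python
import socket

def smtp_send_factory(host, port=25, timeout=10):
    """Adapter for a real server: returns send(line) -> its one-line reply
    (HELO rather than EHLO is used below so replies stay single-line)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    f = sock.makefile("rw", encoding="ascii", newline="")
    f.readline()                                  # consume the 220 banner
    def send(line):
        f.write(line + "\r\n"); f.flush()
        return f.readline().rstrip("\r\n")
    return send

class ScriptedSmtpServer:
    """Constructed fake (not a real MTA) that replies the way a correctly
    configured Postfix does, so the check can run offline."""
    def __init__(self, local_domains, open_relay=False):
        self.local = {d.lower() for d in local_domains}
        self.open_relay, self.got_mail = open_relay, False

    def send(self, line):
        cmd = line.upper()
        if cmd.startswith(("HELO ", "EHLO ")):
            return "250 mx.example.net"
        if cmd.startswith("MAIL FROM"):
            self.got_mail = True
            return "250 2.1.0 Ok"
        if cmd.startswith("RCPT TO"):
            if not self.got_mail:                 # the 503 seen in the thread
                return "503 5.5.1 Error: need MAIL command"
            parts = line.split("@", 1)
            domain = parts[1].strip(" <>").lower() if len(parts) == 2 else ""
            if domain in self.local or self.open_relay:
                return "250 2.1.5 Ok"
            return "554 5.7.1 Relay access denied"
        if cmd.startswith("QUIT"):
            return "221 2.0.0 Bye"
        return "500 5.5.2 Error: command not recognized"   # what "msg from" got

def relay_check(send, sender="probe@example.org", recipient="probe@example.com"):
    """Probe with sender and recipient in domains the server does not
    handle; only the RCPT TO reply decides the verdict."""
    send("HELO relaycheck.example.org")
    send("MAIL FROM: <%s>" % sender)              # 'mail from', not 'msg from'
    reply = send("RCPT TO: <%s>" % recipient)
    send("QUIT")
    if reply.startswith("2"):
        return "OPEN RELAY"                       # it agreed to relay for us
    if reply.startswith("4"):
        return "TEMPFAIL"                         # greylisting etc.; retest later
    return "REFUSED"                              # 5xx: relaying denied, as wanted
```

Against a live server the call is relay_check(smtp_send_factory("mail.example.org")), run from a host outside your own network as kashani notes, because a local source IP is usually on the allow list and the result means little. The recipient must be a domain the server is not responsible for; a local recipient gets 250 as ordinary delivery, not as relaying.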



Re: [gentoo-user] OT - Concerns (possible security threat?)

2006-01-17 Thread Neil Bothwick
On Tue, 17 Jan 2006 13:33:54 -0600, Michael Sullivan wrote:

 That's a bit difficult, seeing as I don't have access to a computer that
 would have telnet installed and is outside my network...

There are several places offering free shell accounts, which are perfect
for just this sort of thing.

I use one at http://www.rootshell.be/


-- 
Neil Bothwick

Intel Inside Is a Government Warning Required by Law.

