Stopping server relays
Greetings ---

How can I stop my server from being used to relay mail? I got an email from an admin somewhere claiming that emails were being sent from my server with a virus attached? It's only me and one other person who has access to this box?

Related question: could this be the source of the [EMAIL PROTECTED] (I set up a .qmail-52 alias to try to catch these emails)?

This question is part of the Forged Emails post I sent earlier from [EMAIL PROTECTED]

Thanks,
David Jackson
Re: Stopping server relays
On Mon, Jul 23, 2001 at 12:40:22PM -0600, David J Jackson wrote:
> Greetings ---
>
> How can I stop my server from being used to relay mail? I got an email
> from an admin somewhere claiming that emails were being sent from my
> server with a virus attached? It's only me and one other person who has
> access to this box?

I doubt you're being used by a third party to relay. It seems much more likely that some Windoze box on your network is infected, and that's where the source of this problem is. Get a good virus scanner.

You really have to try to make qmail relay. Possible sources of relay:

1. control/rcpthosts empty.
2. RELAYCLIENT set for all/wrong addresses in /etc/tcp.smtp[.cdb] (or wherever you keep that file) if using tcpserver.
3. RELAYCLIENT set for all addresses in /etc/hosts.allow if using inetd.
4. An insecure .cgi script on your machine (not possible if not running a cgi-capable webserver on your mail host), and RELAYCLIENT set for localhost.

> Related question: could this be the source of the [EMAIL PROTECTED] (I set
> up a .qmail-52 alias to try to catch these emails)?

I suppose it might be. Read some of the caught mail. The virus looked like 'Snow White' tho, and that uses a null envelope sender, just like a bounce message does.

> This question is part of the Forged Emails post I sent earlier from
> [EMAIL PROTECTED]

In future, please keep things on the same topic in the same thread -- some of us use threaded mail readers for just this purpose. ;)

--
Greg White
Re: Stopping server relays
Greg White [EMAIL PROTECTED] wrote:
> You really have to try to make qmail relay. Possible sources of relay:
>
> 1. control/rcpthosts empty.
> 2. RELAYCLIENT set for all/wrong addresses in /etc/tcp.smtp[.cdb] (or
>    wherever you keep that file) if using tcpserver.
> 3. RELAYCLIENT set for all addresses in /etc/hosts.allow if using inetd.
> 4. An insecure .cgi script on your machine (not possible if not running
>    a cgi-capable webserver on your mail host), and RELAYCLIENT set for
>    localhost.

One more that's bitten me in the past is a catch-all that forwards to a smart host. Since the message is coming from a trusted host, the smart host honors the relay request.

E.g., a spammer sends a message to host A addressed to victim%hostc@hosta. Host A, running qmail, has no victim%hostc user or alias, but does have a ~alias/.qmail-default that forwards undeliverable mail to a Sendmail or PMDF smart host, host B. Host B receives the message addressed to victim%hostc@hostb. It trusts host A, and implements the percent hack, so it relays the message to victim@hostc.

The fix is to check for funny chars in addresses (%!@) before forwarding to the smart host.

-Dave
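A delivery script that implements the check Dave describes, added here as an example (it is not code from the thread or from qmail itself): run from ~alias/.qmail-default in place of a blind forward, it bounces any recipient whose local part carries a "%", "!" or extra "@" and only re-addresses clean mail to the smart host. The smart host name, the choice of qmail's forward program at /var/qmail/bin/forward, and the $RECIPIENT variable qmail-local exports to delivery commands are assumptions.

```shell
#!/bin/sh
# Catch-all delivery script for ~alias/.qmail-default, e.g. invoked as
#   |/var/qmail/alias/safe-catchall.sh
# Assumed: qmail-local hands the envelope recipient to the command in $RECIPIENT
# and expects the exit codes 0 (delivered), 100 (permanent failure, bounce),
# 111 (temporary failure). The smart host below is a placeholder name.

SMARTHOST="smarthost.example"     # host B in the scenario above (placeholder)

# local_part ADDR: print everything before the final "@" of ADDR.
local_part() {
    printf '%s\n' "${1%@*}"
}

# safe_local_part LOCALPART: return 0 if LOCALPART contains none of the
# source-routing characters "%", "!" or "@", 1 otherwise. Any of them means
# the sender is asking a downstream host (the smart host) to relay on its behalf.
safe_local_part() {
    case "$1" in
        *%*|*!*|*@*) return 1 ;;
        *)           return 0 ;;
    esac
}

# check_recipient ADDR: 0 if ADDR may be forwarded, 1 if it must be bounced.
check_recipient() {
    safe_local_part "$(local_part "$1")"
}

# Only act when invoked by qmail-local (RECIPIENT set); otherwise the functions
# above can be sourced and exercised on their own.
if [ -n "$RECIPIENT" ]; then
    if check_recipient "$RECIPIENT"; then
        # Re-address the mail to the same local part on the smart host; forward
        # reads the message from stdin and hands it to qmail-inject.
        exec /var/qmail/bin/forward "$(local_part "$RECIPIENT")@$SMARTHOST"
    fi
    echo "refusing source-routed recipient: $RECIPIENT" >&2
    exit 100
fi
```

A recipient such as victim%hostc@hosta is bounced by host A itself, so host B never sees an address it could percent-hack.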
Re: Stopping server relays
Greg --

Thanks for your reply... this has me somewhat perplexed? There are no other boxes, Windoz or otherwise, on pickledbeans.com if that's what you mean? Just me and my 24K dialup to Qwest.net??

> 1. control/rcpthosts empty.

/var/qmail/control/rcpthosts:

    mail.pickledbeans.com     # box sitting on my desk
    pickledbeans.com          # domain mapped - mail.pickledbeans.com (dyndns)

> 2. RELAYCLIENT set for all/wrong addresses in /etc/tcp.smtp[.cdb] (or
>    wherever you keep that file) if using tcpserver.

Not using tcpserver.

> 3. RELAYCLIENT set for all addresses in /etc/hosts.allow if using inetd.

/etc/hosts.allow is empty
/etc/hosts.deny is empty
/etc/host.equiv:

    localhost
    mail.pickledbeans.com
    pickledbeans.com

> 4. An insecure .cgi script on your machine (not possible if not running
>    a cgi-capable webserver on your mail host), and RELAYCLIENT set for
>    localhost.

I suppose it could be, except I only have one cgi script, a simple chat room thing?

Thanks again for your time
David Jackson
Re: Stopping server relays
On Mon, 23 Jul 2001 12:40:22 -0600 David J Jackson [EMAIL PROTECTED] wrote:
> Greetings ---
>
> How can I stop my server from being used to relay mail? I got an email
> from an admin somewhere claiming that emails were being sent from my
> server with a virus attached? It's only me and one other person who has
> access to this box?
>
> Related question: could this be the source of the [EMAIL PROTECTED] (I set
> up a .qmail-52 alias to try to catch these emails)?
>
> This question is part of the Forged Emails post I sent earlier from
> [EMAIL PROTECTED]
>
> Thanks,
> David Jackson

What I use, that works well as I'm hosting mail domains for a few friends who all have dynamic IPs, rather than allow the world to send, I use the vpopmail roaming users option. It implements a pop-before-smtp method of authing SMTP. As of yet, I haven't gotten it to do IMAP-before-smtp, however the only person who probably even knows IMAP exists is myself, and I'm on the same LAN as it is. Very easy to add 192.168.100.* :)

I recommend you check that out. Plus there are other patches to qmail itself, not requiring vpopmail from inter7. The URL for vpopmail is www.inter7.com.

Mike

--
Mike Hodson [EMAIL PROTECTED]
Re: Stopping server relays
Mike --

Thanks, I'll take a look at it.

Dave

> What I use, that works well as I'm hosting mail domains for a few
> friends who all have dynamic IPs, rather than allow the world to send,
> I use the vpopmail roaming users option. It implements a pop-before-smtp
> method of authing SMTP. As of yet, I haven't gotten it to do
> IMAP-before-smtp, however the only person who probably even knows IMAP
> exists is myself, and I'm on the same LAN as it is. Very easy to add
> 192.168.100.* :)
>
> I recommend you check that out. Plus there are other patches to qmail
> itself, not requiring vpopmail from inter7. The URL for vpopmail is
> www.inter7.com.
>
> Mike
>
> --
> Mike Hodson [EMAIL PROTECTED]
Re: Stopping server relays
On Mon, Jul 23, 2001 at 01:30:18PM -0600, David J Jackson wrote:
> Greg --
>
> Thanks for your reply... this has me somewhat perplexed? There are no
> other boxes, Windoz or otherwise, on pickledbeans.com if that's what
> you mean? Just me and my 24K dialup to Qwest.net??
>
> > 1. control/rcpthosts empty.
>
> /var/qmail/control/rcpthosts:
>
>     mail.pickledbeans.com     # box sitting on my desk
>     pickledbeans.com          # domain mapped - mail.pickledbeans.com (dyndns)

OK, no possibility there.

> > 2. RELAYCLIENT set for all/wrong addresses in /etc/tcp.smtp[.cdb] (or
> >    wherever you keep that file) if using tcpserver.
>
> Not using tcpserver.

Using inetd then? Ugh. ;)

> > 3. RELAYCLIENT set for all addresses in /etc/hosts.allow if using inetd.
>
> /etc/hosts.allow is empty
> /etc/hosts.deny is empty
> /etc/host.equiv:
>
>     localhost
>     mail.pickledbeans.com
>     pickledbeans.com

host.equiv is not relevant to this discussion. So, you're not setting RELAYCLIENT there...

> > 4. An insecure .cgi script on your machine (not possible if not running
> >    a cgi-capable webserver on your mail host), and RELAYCLIENT set for
> >    localhost.
>
> I suppose it could be, except I only have one cgi script, a simple chat
> room thing?

Not likely.

So, you're not setting RELAYCLIENT for anyone? No one uses this server to send mail at all (except scripts on the mailserver, of course)? That's odd, but possible.

Check out Dave's possibility (I too almost got burned by this one -- apparently M$ Exchange makes it non-trivial to turn _off_ percenthack, and enables it by default). Other than that (an evil 'smarthost' setup), I can't see how anyone could be relaying through you, except legitimately.

Hey, since you're on dialup and dyndns, isn't it possible that some Windoze user dialed up, got an old IP address that at one time was pickledbeans.com's dyndns, and sent this mail? The mail you forwarded specifically said 'from your IP address'??? If you're not setting RELAYCLIENT anywhere, then even your local LAN cannot be sending this mail...

Just a thought.

--
Greg White