Sendmail become open relay

2008-09-08 Thread lyd mc
Hi guys, need help.

My mailserver has become an open relay.

Unknown users can now send mail.

Snippet from mailq:

m88C8iWq042874  689 Mon Sep  8 20:08 [EMAIL PROTECTED]
 (Deferred: Name server: mx1.mail.tw.yahoo.com.: host name loo)
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]

I don't have a user 'osxch', and there are others who can also send.


Best regards, thanks

alydio





___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Sendmail become open relay

2008-09-08 Thread Paul Macdonald


This might be more general advice than a specific help, but I've found 
most bad mail originating from me comes from PHP-driven forum sites.
After originally patching the PHP src to log sitenames that send mail, I 
found enabling MAILHEAD support in the PHP build adds custom headers which 
help to identify the site anyway.


I plan on adding a milter to pick these up dynamically, but for now, it 
helps identify sites from stuck items in mailq.


i.e. a grep into mailq for X-PHP-Script:

/var/spool/mqueue/qfm83AltWj045560:H??X-PHP-Script: www.siteonserver.com/signup.php for x.101.27.178


It's easy to spot dubious scripts as the IP is commonly the same.

Good luck.
Paul.

--

http://www.ifdnrg.com   *Ultra fast and secure web hosting
Live and on demand video streaming
Custom online Solutions *

*Paul Macdonald*
Director
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
www.ifdnrg.com http://www.ifdnrg.com

*IFDNRG*
127 Rose St South Lane, Edinburgh, EH2 4BB
0044.(0)131.2257470
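
An added example (not part of Paul's post, and not code from sendmail or PHP): the grep he describes, extended to count queued messages per script and client IP so that a repeated pair stands out. It assumes a single flat queue directory and the one-line `H??X-PHP-Script: <script> for <ip>` header shape quoted above; `php_script_tally`, `make_sample_queue` and the sample queue files are constructed for illustration.

```shell
#!/bin/sh
# Tally X-PHP-Script headers found in sendmail queue control files (qf*).
# Output: "<count> <script> <client ip>", most frequent pair first.

php_script_tally() {
    # $1: queue directory (assumed default: /var/spool/mqueue, as in the post)
    qdir="${1:-/var/spool/mqueue}"
    # qf header lines look like "H?flags?Name: value"; -h drops the file names
    grep -h '^H?[^?]*?X-PHP-Script:' "$qdir"/qf* 2>/dev/null |
    awk '{
        # $1 = header name, $2 = script, $3 = "for", $4 = client address
        script = $2
        ip = ($3 == "for") ? $4 : "-"
        count[script " " ip]++
    }
    END { for (k in count) print count[k], k }' |
    sort -k1,1nr -k2
}

# Constructed sample queue (documentation domains and addresses only).
make_sample_queue() {
    d=$(mktemp -d) || return 1
    n=0
    for hdr in \
        'www.example.org/forum/post.php for 192.0.2.10' \
        'www.example.org/forum/post.php for 192.0.2.10' \
        'www.example.org/forum/post.php for 192.0.2.10' \
        'www.example.net/contact.php for 198.51.100.7'
    do
        n=$((n + 1))
        printf 'V8\nS<www@example.org>\nH??X-PHP-Script: %s\nH??Subject: constructed sample\n.\n' \
            "$hdr" > "$d/qfSAMPLE$n"
    done
    echo "$d"
}

# Demo on the constructed queue; on a real host pass the queue directory instead.
q=$(make_sample_queue) && php_script_tally "$q" && rm -rf "$q"
```

A script/IP pair with a count far above the rest is the first place to look; queue control files are normally readable by root only.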





Re: Sendmail become open relay

2008-09-08 Thread Chris Pratt


On Sep 8, 2008, at 7:26 AM, Paul Macdonald wrote:

> This might be more general advice than a specific help, but I've
> found most bad mail originating from me comes from PHP-driven forum
> sites.
> After originally patching the PHP src to log sitenames that send
> mail, I found enabling MAILHEAD support in the PHP build adds custom
> headers which help to identify the site anyway.
>
> I plan on adding a milter to pick these up dynamically, but for
> now, it helps identify sites from stuck items in mailq.
>
> i.e. a grep into mailq for X-PHP-Script:
>
> /var/spool/mqueue/qfm83AltWj045560:H??X-PHP-Script: www.siteonserver.com/signup.php for x.101.27.178
>
> It's easy to spot dubious scripts as the IP is commonly the same.
>
> Good luck.
> Paul.


I was thinking somewhat the same thing. It can be the leveraging
of any scripts if the server is a web server of any sort. Spammers test
every possible crack against your scripts. While you attempt to find
which is being leveraged, you can minimize the damage by
using the MAX_RCPTS_PER_MESSAGE within sendmail. It allows
you to catch and destroy their use of your system prior to much
mail going out. You set this value to 2 and it's impossible to send
in one pass to more than two recipients. Monitoring your mailq
will allow you to see quickly if someone has got your number. This
will help keep you off BLs while you tighten your security.
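
An added example (not part of Chris's post, and not sendmail's own tooling) of the mailq monitoring he suggests: it reads `mailq` output and lists queue entries addressed to more recipients than a threshold, largest first. It assumes the default mailq layout seen in the original question (entry line, optional parenthesised status line, one indented recipient per line); `mailq_fanout`, `sample_mailq` and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Flag queued messages with more recipients than a threshold.
# Output: "<recipient count> <queue id> <sender>"

mailq_fanout() {
    # $1: report entries with MORE than this many recipients
    #     (default 2, the value suggested in the post)
    awk -v max="${1:-2}" '
    function report() { if (id != "" && n > max) print n, id, sender }
    /^[A-Za-z0-9]+[*-]?[ \t]/ {            # entry line: id size date sender
        report(); id = $1; sender = $NF; n = 0; next
    }
    /Total requests:/ || /requests?\)$/ { next }   # mailq banner and trailer
    /^[ \t]+\(/ { next }                   # status line, e.g. (Deferred: ...)
    /^[ \t]+[^ \t]/ { if (id != "") n++ }  # any other indented line = recipient
    END { report() }' | sort -k1,1nr
}

# Constructed mailq output (documentation domains, made-up queue ids).
sample_mailq() {
    cat <<'EOF'
        /var/spool/mqueue (2 requests)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
mSAMPLE0000001      689 Mon Sep  8 20:08 <www@example.org>
                 (Deferred: Name server: mx.example.net.: host name lookup failure)
                                         <a@example.net>
                                         <b@example.net>
                                         <c@example.net>
                                         <d@example.net>
mSAMPLE0000002      412 Mon Sep  8 20:11 <alice@example.org>
                                         <bob@example.com>
        Total requests: 2
EOF
}

# Demo on the constructed data; on a live host: mailq | mailq_fanout 2
sample_mailq | mailq_fanout 2
```

In a sendmail `.mc` file the limit itself is the `confMAX_RCPTS_PER_MESSAGE` define; run from cron, this check shows which queued entries were accepted with a larger recipient list than that limit allows.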


