LinuxQuestions.org
Old 07-08-2001, 01:12 PM   #1
klaus geld
LQ Newbie
 
Registered: Jul 2001
Posts: 3

Rep: Reputation: 0
sendmail sending fake e-mails


Our mail server is being telnetted to by someone who then sends fake e-mail messages to people in our company. How do I stop this?
 
Old 07-08-2001, 01:14 PM   #2
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 47
Disable external telnet. Either turn off the daemon (use ssh instead!) or firewall the telnet port.

If someone who isn't with the company is getting into your server then I'd be looking for more than just email problems.

HTH

Jamie...
 
Old 07-09-2001, 07:30 AM   #3
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
I agree with Jamie,

How do you know they are getting a shell?
It's more likely they are using the command "telnet your_emails_servers_ip 25" and then spoofing the HELO and from address info to your internal users' email addresses.

Sounds like your email server is set up incorrectly and allows relaying.

Supply more info on email server type, version and what makes you think they have telnet access.

/Raz
 
Old 07-18-2001, 07:13 AM   #4
klaus geld
LQ Newbie
 
Registered: Jul 2001
Posts: 3

Original Poster
Rep: Reputation: 0
sendmail sending fake emails

Sorry for the wait time, we have found the following (after looking at logs for days).

It was not an external telnet, it came from a machine inside our intranet. This was found out after some time. The original person(s) logged into one machine, telnetted to another, and then sent the e-mails. This way, the machine name in the sendmail log showed the second machine's name. Then, after looking for a telnet session in the logs, we found that that machine was telnetted to (OOOoohhh, tricky).

The user name of the person from whom the e-mail came was not a valid user name at our company.

The account that was used to log in with is a student account that has been used for months now. (I know, I know, that was one of the other sys admins' idea, he's taking the heat for that now.) That is a dead end since we have no cameras or records.

We cannot block the internal telnet for the student machine since it is used in the class.

Sendmail is blocked on the classroom machines, so it could not have been used, hence the "telnet" lead.

There must be some sendmail config that will not accept connections like this???

We are using sendmail ver. 8.8.3. Later, after getting some more machines up, this will change, but not for a few months; you know, with this kick ass economy and all, we're just spending away, not.

So how do I get rid of relaying?
 
Old 07-18-2001, 08:45 AM   #5
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
I would start by reading http://www.sendmail.org/m4/anti-spam.html and deciding which option meets your criteria.

I would look at the FEATURE(`relay_mail_from') option where you specify real user names that are allowed to relay

or
FEATURE(`access_db')
FEATURE(`access_db', `hash /etc/mail/access')

With the access_db feature you build up a list of users who are allowed access to the mail services; a fake user would be rejected.
There is also a check of the header ID to confirm the user ID, so faking a known user is rejected with an incorrect message ID.

Someone who knows more about sendmail than I do could give you more info on these options than is in the anti-spam FAQ.

/Raz
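
The finding in post #4 (a sender name that is not a valid account, arriving from a machine inside the intranet) can be checked mechanically against the sendmail log. The following is an added example, not part of the original thread; the log lines are constructed, and the mail domain, user list and intranet range are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

LOCAL_DOMAIN = "example.com"                # assumption: the company's mail domain
VALID_USERS = {"klaus", "anna", "student"}  # assumption: normally read from /etc/passwd
INTERNAL_NET = ip_network("10.0.0.0/8")     # assumption: the intranet address range

# Constructed sample lines in the shape of sendmail's "from=" syslog records.
SAMPLE_LOG = """\
Jul  8 12:58:11 mail sendmail[4101]: MAA04101: from=<anna@example.com>, size=812, class=0, pri=30812, nrcpts=1, msgid=<200107081658.MAA04101@ws3.example.com>, proto=ESMTP, relay=ws3.example.com [10.1.4.3]
Jul  8 13:02:40 mail sendmail[4117]: NAA04117: from=<director@example.com>, size=640, class=0, pri=30640, nrcpts=3, proto=SMTP, relay=lab2.example.com [10.1.9.22]
Jul  8 13:05:02 mail sendmail[4120]: NAA04120: from=<news@lists.example.org>, size=2210, class=0, pri=32210, nrcpts=1, msgid=<x@lists.example.org>, proto=ESMTP, relay=mx.example.org [192.0.2.10]
"""

# Queue id, envelope sender and relay field of a "from=" record.
FROM_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<?(?P<sender>[^>,\s]*)>?,"
    r".*?relay=(?P<relay>.*)$"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def find_forged_local_senders(log_text):
    """Return records whose envelope sender claims LOCAL_DOMAIN but names no real account."""
    hits = []
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if not m:
            continue
        local, _, domain = m.group("sender").lower().rpartition("@")
        # Skip other domains, unqualified local submissions and genuine accounts.
        if domain != LOCAL_DOMAIN or local in VALID_USERS:
            continue
        ip = IP_RE.search(m.group("relay"))
        internal = bool(ip) and ip_address(ip.group(1)) in INTERNAL_NET
        hits.append({"qid": m.group("qid"), "sender": m.group("sender"),
                     "relay": m.group("relay").strip(), "internal_relay": internal})
    return hits


if __name__ == "__main__":
    for hit in find_forged_local_senders(SAMPLE_LOG):
        print(hit)
```

A hit with `internal_relay` set names the intranet host whose own login and telnet records should be examined next, which is the step that took days by hand in the thread.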
 
  

