stopping "from=<>" mails? (URGENT)


Post by N8w8 » Thu, 01 Aug 2002 04:02:14



Hi,

The webserver I'm looking out for is sending lots of mails from "<>". An
example from the maillog:

Jul 30 20:34:25 xxx sendmail[3510]: g6UIYOH03510: from=<>, size=3154, daemon=MTA, relay=[123.123.123.123]

The access db contains only local IPs, the mailertable file doesn't exist,
the virtusertable is generated from a database and looks fine to me.

Here is the mc file:

VERSIONID(`$FreeBSD: src/etc/sendmail/freebsd.mc,v 1.10.2.11 2001/07/14 18:07:27 gshapiro Exp $')
OSTYPE(freebsd4)
DOMAIN(generic)
FEATURE(access_db, `hash -o /etc/mail/access')
FEATURE(relay_entire_domain)
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')
FEATURE(local_procmail)
FEATURE(`nouucp',`reject')dnl
define(`confMAX_MIME_HEADER_LENGTH', `256/128')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')
MAILER(smtp)
MAILER(procmail)

Well, that's all I think is relevant. I don't know the server well since
I'm only watching it so the real admin could take a holiday. However I'd
like to get this fixed as soon as possible because the server now is an
open relay (right?). Damn the thing for helping spammers :(
It would be great if someone could tell me what's wrong with the
configuration.

Thanks in advance!

Gert

 
 
 


Post by Crist J. Clar » Thu, 01 Aug 2002 05:58:31



> Hi,

> The webserver I'm looking out for is sending lots of mails from "<>". An
> example from the maillog:

> Jul 30 20:34:25 xxx sendmail[3510]: g6UIYOH03510: from=<>, size=3154, daemon=MTA, relay=[123.123.123.123]

> The access db contains only local IPs, the mailertable file doesn't exist,
> the virtusertable is generated from a database and looks fine to me.

[snip]

> Well, that's all I think is relevant. I don't know the server well since
> I'm only watching it so the real admin could take a holiday. However I'd
> like to get this fixed as soon as possible because the server now is an
> open relay (right?). Damn the thing for helping spammers :(
> It would be great if someone could tell me what's wrong with the
> configuration.

Probably nothing. Mails from "<>" are typically generated by the
daemon itself when it is reporting failures to other MTAs. What makes
you think these messages are relayed SPAM?
--




 
 
 


Post by N8w8 » Thu, 01 Aug 2002 08:09:34


Well since I don't have any logs on my home server which have "from=<>" in
them, I was a bit suspicious.

I'm pretty sure it's spam which gets sent, because a few hundred mails a
day (which is much more than normal over here) with subjects like "cum"
etc.etc. end up in the postmaster mailbox after delivery failure. All
those mails have different spoofed senders which match the domains the
server is hosting.

A client whose domain they host also reported he got bounced mails with
sender addresses which match his domain.

So according to you, the 'from=<>' lines are innocent. At least that one
is out of the way... Any other tips/hints?

Thanks for your help!



>> Hi,

>> The webserver I'm looking out for is sending lots of mails from "<>".
>> An example from the maillog:

>> Jul 30 20:34:25 xxx sendmail[3510]: g6UIYOH03510: from=<>, size=3154, proto=ESMTP, daemon=MTA, relay=[123.123.123.123]

>> The access db contains only local IPs, the mailertable file doesn't
>> exist, the virtusertable is generated from a database and looks fine to
>> me.

> [snip]

>> Well, that's all I think is relevant. I don't know the server well
>> since I'm only watching it so the real admin could take a holiday.
>> However I'd like to get this fixed as soon as possible because the
>> server now is an open relay (right?). Damn the thing for helping
>> spammers :( It would be great if someone could tell me what's wrong
>> with the configuration.

> Probably nothing. Mail's from "<>" are typically generated by the daemon
> itself when it is reporting failures to other MTAs. What makes you think
> these messages are relayed SPAM?

 
 
 


Post by Forage » Thu, 01 Aug 2002 13:35:09



> I'm pretty sure it's spam which gets sent, because a few hundred mails a
> day (which is much more than normal over here) with subjects like "cum"
> etc.etc. end up in the postmaster mailbox after delivery failure. All
> those mails have different spoofed senders which match the domains the
> server is hosting.

> A client whose domain they host also reported he got bounced mails with
> sender addresses which match his domain.

> So according to you, the 'from=<>' lines are innocent. At least that one
> is out of the way... Any other tips/hints?

If you're getting a massive amount of spam messages like that from a
particular server, put a REJECT entry for it in your access file.  Depending
on the amount of traffic, userbase, etc., I'd look into using DNSBL's such
as ORDB, SpamCop, NJABL, or others.  I use the three specifically mentioned
on a private and a production server.  The production server denied over
36,000 messages last week alone.  Granted, that probably pales in comparison
to a lot of other servers run in this group ;)

I recently found out that using FEATURE(`delay_checks') in your .mc file has
the nice side effect of logging the MAIL FROM: address, so it's easy to
track legitimate mails getting rejected.  I've found that the "collateral
damage" of legitimate messages vs spam messages is maybe 1 out of 15,000.
That's a VERY acceptable number as far as I'm concerned.

--
Alan W. Rateliff, II
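The three measures in this reply, written out for a .mc file like the one at the top of the thread. This is an added example, not configuration from the post or from the sendmail distribution; the DNSBL zone names are assumed from what these lists published at the time, and all three lists have since shut down, so a zone like these must be removed from a live configuration once its list is retired.

```m4
dnl Added example: put these lines before the MAILER() lines of the .mc file.
dnl delay_checks runs the access db and DNSBL checks at RCPT time, after MAIL FROM
dnl has been seen, so each reject log line also carries the sender address and
dnl a blocked legitimate sender can be recognised in the log.
FEATURE(`delay_checks')dnl
dnl One FEATURE(`dnsbl') per list. The optional third argument is the SMTP
dnl reply; naming the list in it tells a rejected sender where to look.
dnl Zone names are assumptions (the lists named in the post, as of 2002).
FEATURE(`dnsbl', `relays.ordb.org', `"550 Mail from " $&{client_addr} " refused - listed by ORDB"')dnl
FEATURE(`dnsbl', `bl.spamcop.net', `"550 Mail from " $&{client_addr} " refused - listed by SpamCop"')dnl
FEATURE(`dnsbl', `dnsbl.njabl.org', `"550 Mail from " $&{client_addr} " refused - listed by NJABL"')dnl
```

The REJECT entry for one particular server goes into /etc/mail/access (the poster's mc already has FEATURE(access_db)), for example a line `Connect:192.0.2.10<TAB>REJECT` with 192.0.2.10 as a placeholder IP; the hash map is then rebuilt with `makemap hash /etc/mail/access < /etc/mail/access`, and sendmail must be restarted after the .mc is regenerated.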

 
 
 


Post by bit-buc.. » Thu, 01 Aug 2002 23:55:24



[...]

: If you're getting a massive amount of spam messages like that from a
: particular server, put a REJECT entry for it in your access file.  Depending
: on the amount of traffic, userbase, etc., I'd look into using DNSBL's such
: as ORDB, SpamCop, NJABL, or others.  I use the three specifically mentioned
: on a private and a production server.  The production server denied over
: 36,000 messages last week alone.  Granted, that probably pales in comparison
: to a lot of other servers run in this group ;)

: I recently found out that using FEATURE(`delay_checks') in your .mc file has
: the nice side effect of logging the MAIL FROM: address, so it's easy to
: track legitimate mails getting rejected.  I've found that the "collateral
: damage" of legitimate messages vs spam messages is maybe 1 out of 15,000.
: That's a VERY acceptable number as far as I'm concerned.

How exactly are you tracking the rejects and false positives? I'm using
an access table, several DNSBLs, and procmail filters for local delivery
and I'd *love* to have a nice automated way of tracking/graphing the
rejected mails so that I can do trending/tweaking as well as watching
for false positives.

So, care to share?

fpsm
--
| Fredrich P. Maney              my_last_name AT my_last_name DOT org |
|   Do NOT send me HTML formatted E-mail or copies of netnews posts!  |
|  Address in header is a spamtrap. Use one in signature for replies. |
|  Please review http://www.maney.org/fred/site/uce/ before emailing. |

 
 
 


Post by Bert » Fri, 02 Aug 2002 00:07:31



muttered something like:

> How exactly are you tracking the rejects and false positives? I'm using
> an accesss table, several DNSBLs, and procmail filters for local delivery
> and I'd *love* to have a nice automated way of tracking/graphing the
> rejected mails so that I can do trending/tweaking as well as watching
> for false positives.

I can't speak for Forager, but here we have a daily cron job that greps
through the day's maillogs for reject codes and pipes those entries to an
admin's e-mail address.  Thus the admin gets a daily mail log of
everything that was rejected the day before.

This might not work for a huge site; with less than a dozen users the mail
flow here is low enough that the reject logs CAN be examined manually by a
human being, and can safely be done the next morning.

-Bertha
--
Xander: We saw you and spike with the straddling--
Buffybot: Spike's mine!  Who's straddling Spike?
Buffy: Oh my God.
Xander: And so say all of us.
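The daily "grep the maillog for rejects" job Bert describes, as an added example that is not Bert's script, with the two summaries the previous poster asked for (per relay and per ruleset) so the mail the admin gets supports trending and false-positive review rather than a raw dump. The maillog lines are constructed; the hostnames, addresses and IPs in them are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise sendmail reject lines
# the way a daily cron job would before mailing them to the admin.
# The log below is constructed; hosts, addresses and IPs are placeholders.

SAMPLE_MAILLOG=$(cat <<'EOF'
Jul 31 02:10:11 mx sendmail[4410]: g6V0ABx04410: ruleset=check_relay, arg1=[192.0.2.10], arg2=127.0.0.2, relay=[192.0.2.10], reject=550 5.7.1 Mail from 192.0.2.10 refused by blackhole site relays.ordb.org
Jul 31 02:11:05 mx sendmail[4412]: g6V0Bsx04412: ruleset=check_relay, arg1=[192.0.2.10], arg2=127.0.0.2, relay=[192.0.2.10], reject=550 5.7.1 Mail from 192.0.2.10 refused by blackhole site relays.ordb.org
Jul 31 02:12:40 mx sendmail[4415]: g6V0Cex04415: ruleset=check_mail, arg1=<bulk@example.net>, relay=host.example.net [198.51.100.7], reject=550 5.7.1 <bulk@example.net>... Access denied
Jul 31 02:13:01 mx sendmail[4416]: g6V0D1x04416: from=<alice@example.org>, size=2210, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.org [203.0.113.5]
Jul 31 02:14:22 mx sendmail[4419]: g6V0EMx04419: ruleset=check_rcpt, arg1=<nobody@example.com>, relay=[192.0.2.77], reject=550 5.7.1 <nobody@example.com>... Relaying denied
Aug  1 00:05:09 mx sendmail[4501]: g710591x04501: ruleset=check_relay, arg1=[192.0.2.10], arg2=127.0.0.2, relay=[192.0.2.10], reject=550 5.7.1 Mail from 192.0.2.10 refused by blackhole site relays.ordb.org
EOF
)

# Keep only the lines sendmail logged with a reject code; this is what the
# cron job mails to the admin. All functions read a maillog on stdin.
reject_lines() {
    grep 'reject='
}

# Restrict the log to one syslog day. The prefix must use syslog's own
# spacing ("Aug  1" has two spaces); date '+%b %e' produces that format.
lines_for_day() {
    grep "^$1 "
}

# Rejects per connecting IP, most frequent first. Output: "<count> <ip>".
# A high count for an address you recognise is the first hint of a false positive.
rejects_by_relay() {
    reject_lines | sed -n 's/.*relay=[^[]*\[\([^]]*\)\].*/\1/p' | sort | uniq -c | sort -rn
}

# Rejects per ruleset (check_relay: DNSBL or access Connect: entry,
# check_mail: sender checks, check_rcpt: relaying). Output: "<count> <ruleset>".
rejects_by_ruleset() {
    reject_lines | sed -n 's/.*ruleset=\([^,]*\),.*/\1/p' | sort | uniq -c | sort -rn
}

# Total number of rejects in the input, for a one-line-per-day trend log.
count_rejects() {
    reject_lines | awk 'END { print NR }'
}

# Stand-alone run over the constructed sample. The cron job would instead do
#   lines_for_day "$(date '+%b %e')" < /var/log/maillog | rejects_by_relay
printf '%s\n' "$SAMPLE_MAILLOG" | lines_for_day "Jul 31" | rejects_by_relay
```

To report on the previous day the date prefix is computed with `date -v-1d '+%b %e'` on FreeBSD and `date -d yesterday '+%b %e'` on GNU systems; piping `count_rejects` output with the date into a file gives the series to graph.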

 
 
 


Post by N8w8 » Fri, 02 Aug 2002 02:01:46



> If you're getting a massive amount of spam messages like that from a
> particular server, put a REJECT entry for it in your access file.
> Depending on the amount of traffic, userbase, etc., I'd look into using
> DNSBL's such as ORDB, SpamCop, NJABL, or others.  I use the three
> specifically mentioned on a private and a production server.  The
> production server denied over 36,000 messages last week alone.  Granted,
> that probably pales in comparison to a lot of other servers run in this
> group ;)

[...]

Yes, I would use some sort of BL or at least a few procmail recipes, but I
don't want to risk blocking too much mail since the server is not mine and
services mail for about 40 clients.

Hmm, I think the real problem (I just figured it out a few seconds ago) is
that postmaster and the clients only get the "message rejected, returned
to sender" kind of mails, so it looks like someone uses an open relay or
something to send spam, with fake sender addresses which match the domains
(in the virtusertable) of our clients. This is possible right? And if so,
do these mails get through the access db (it seems to be)? How can I block
these?

Again, thanks for your help :) Considering my lacking knowledge of this
particular server and sendmail (smtp mail in general, actually), maybe
it's better to just leave it alone and wait for the "real" admin to return
from his vacation. Couldn't that spammer just wait for 1 lousy week?
grrrr...

Gert

 
 
 


Post by N8w8 » Fri, 02 Aug 2002 03:27:43


The problem is FINALLY solved :)

It seems someone was sending spam thru another server with fake From:
addresses, matching the domains we host.

I'm using a procmail recipe which blocks all incoming mail which is sent

used addresses with that form).
That way, all the messages the spammer sends which can not be delivered
(IOW, are returned to our server) are blocked.

Man, it took quite some time to figure that one out. To at least
contribute a *y little bit to the sendmail community, here is the
procmail recipe I use:
----

LOGFILE="/var/log/procmail"

:0 H
# The "* <regex>" condition line that selects the bounces to the spoofed
# addresses did not survive in the post; without a condition this recipe
# would match every message, so it must be restored before use.
/var/log/procmail-blocked

:0:
${DEFAULT}

----
Thanks for helping!

Gert
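The pattern Gert finally found (bounces for mail a spammer sent elsewhere with forged senders at the hosted domains) can be confirmed from the maillog before any recipe is written. This is an added example, not something from the thread: sendmail logs a from= line for each message and, under the same queue ID, a to= line per recipient, so joining the two shows which relays are delivering bounces (from=<>) to local addresses that do not exist. The log lines are constructed; the relay IPs and the example-client.com domain are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: find backscatter in a sendmail
# maillog by joining each bounce's from= line to its to= line(s) by queue ID.
# The log below is constructed; hosts, domains and IPs are placeholders.

BOUNCE_LOG=$(cat <<'EOF'
Jul 30 20:34:25 xxx sendmail[3510]: g6UIYOH03510: from=<>, size=3154, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
Jul 30 20:34:25 xxx sendmail[3511]: g6UIYOH03510: to=<xj8ks@example-client.com>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=33154, dsn=5.1.1, stat=User unknown
Jul 30 20:35:02 xxx sendmail[3520]: g6UIZ2H03520: from=<>, size=3102, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
Jul 30 20:35:02 xxx sendmail[3521]: g6UIZ2H03520: to=<q1w2e3@example-client.com>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=33102, dsn=5.1.1, stat=User unknown
Jul 30 20:36:10 xxx sendmail[3530]: g6UIaAH03530: from=<>, size=2980, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.org [203.0.113.5]
Jul 30 20:36:10 xxx sendmail[3531]: g6UIaAH03530: to=<alice@example-client.com>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=32980, dsn=2.0.0, stat=Sent
Jul 30 20:37:00 xxx sendmail[3540]: g6UIb0H03540: from=<bob@example.net>, size=1200, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=host.example.net [198.51.100.7]
Jul 30 20:37:00 xxx sendmail[3541]: g6UIb0H03540: to=<alice@example-client.com>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31200, dsn=2.0.0, stat=Sent
EOF
)

# For every bounce (from=<>), print "<relay-ip> <recipient> <delivery status>"
# for each of its to= lines. Assumes from= is logged before to= (sendmail logs
# receipt before delivery), so a single pass over the log is enough. Only the
# first recipient of a multi-recipient to= line is taken.
bounce_deliveries() {
    awk '
        /: from=<>,/ {
            qid = $6; sub(/:$/, "", qid)
            relay = $0; sub(/.*relay=[^[]*\[/, "", relay); sub(/\].*/, "", relay)
            bounce[qid] = relay
            next
        }
        /: to=</ {
            qid = $6; sub(/:$/, "", qid)
            if (!(qid in bounce)) next
            rcpt = $0; sub(/.*to=</, "", rcpt); sub(/>.*/, "", rcpt)
            stat = $0; sub(/.*stat=/, "", stat)
            print bounce[qid], rcpt, stat
        }'
}

# Bounces addressed to users who do not exist here, per relay, most frequent
# first. Output: "<count> <relay-ip>". A genuine bounce to a real mailbox
# (stat=Sent) is not counted, so a relay appearing here with a high count is
# returning mail that was never sent from this server.
backscatter_by_relay() {
    bounce_deliveries | awk '/User unknown/ { n[$1]++ } END { for (r in n) print n[r], r }' | sort -rn
}

# The forged local addresses the bounces were sent to, so the form the
# spammer uses can be seen before a rule like the procmail recipe above is
# written for it.
forged_recipients() {
    bounce_deliveries | awk '/User unknown/ { print $2 }' | sort -u
}

printf '%s\n' "$BOUNCE_LOG" | backscatter_by_relay
```

Run as `backscatter_by_relay < /var/log/maillog`, the relays at the top of the list are the ones returning the spammer's mail; they are not the spam source, which is why a REJECT entry for them would also block their legitimate bounces, and why filtering on the forged recipient form, as Gert's recipe does, is the narrower fix.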

 
 
 
