Help a newbie stop sendmail spam
March 9, 2007 1:17 PM   Subscribe

How can I keep spammers from using my sendmail server?

I recently inherited IT responsibility for a sendmail server (RedHat, sendmail 8.12.11.x), and I have to solve a small problem: Our server is being used to send phishing messages to external addresses (e.g. From: service@paypal.com) and to send generic spam from local addresses to other local addresses.

This box supplies the following legitimate services:
  • POP and Webmail access to a handful of people using accounts @myserver.com. These are roving users, so they need to relay.
  • Webmail-only access to ~200 people using accounts @mysecondserver.com. All legit webmail logins come through a login interface on a different server, which passes the login credentials to the webmail CGI.
I'd like to lock the server down to allow only the legitimate scenarios described above. I'm pretty familiar with the webmail software, but I'm basically a newbie when it comes to sendmail. So far, I've verified that RELAY is only allowed for localhost; but I'm hesitant to try any of the other anti-spam techniques I've read about (e.g. SMTP AUTH), because I don't want to interrupt mail delivery for our legit users.
posted by danblaker to Computers & Internet (12 answers total) 2 users marked this as a favorite
 
If relaying is disabled, and yet you are seeing outgoing messages of this sort, it's pretty likely that the box is compromised. I would suggest investigating that now before you worry about playing around with "anti-spam" measures.
posted by majick at 1:26 PM on March 9, 2007


I can't remember the exact term used, but a lot of places require you to login by POP or IMAP before you are allowed to relay via SMTP. This has the advantage that endusers generally don't have to make any changes to their client side configuration.

Make no mistake, you have a huge problem. The fact that you are being used as a spam relay means that your legitimate users' outgoing e-mail is likely to be filtered as spam at other sites. I think a known interruption of service because you start requiring AUTH before relay is much preferred to their mail going into a black hole without them knowing about it.
posted by Good Brain at 1:28 PM on March 9, 2007


http://popbsmtp.sourceforge.net/
posted by Good Brain at 1:29 PM on March 9, 2007


Webmail should appear to come from localhost which is fine. However, you seem to have a problem in that you need to allow relaying from external sources (you don't mention external users using SMTP, but they must be if you're having this problem).

I think you have two solutions.

1) Get users to use their own ISP's SMTP server for outgoing mail. This works in nearly every case, but does put the onus on the user.

2) Set up "POP before SMTP". This is where if someone successfully authenticates as a POP3 user, they're then allowed to relay. Anyone else is blocked. This solves the problem but requires a little work to set up. Just Google for "POP before SMTP sendmail", etc.

SMTP AUTH is certainly not a bad idea though since it's often a single tick box to enable it at the user end. Of course, most users are idiots, so I can understand your hesitancy. POP before SMTP is therefore the second best option.
posted by wackybrit at 1:30 PM on March 9, 2007


SMTP AUTH

Basically the user in their email client would have to check a checkbox that requires them to authorize with their pop3/imap credentials before they can send mail. On my email server it's as easy as a check box.

You'll have to send an email to your users letting them know to change their settings if they use a standalone client e.g. outlook, thunderbird, etc.

http://www.sendmail.org/~ca/email/auth.html
posted by SirOmega at 1:31 PM on March 9, 2007


Response by poster: Okay, it turns out that users are required to authorize before they can send mail to remote addresses; but not to send mail to local addresses. Hence the local-to-local spam.

The authorization might not be very secure, either... When I connect to the sendmail daemon, it returns

250-AUTH LOGIN PLAIN

in the EHLO response. Can I set up a better mechanism without rebuilding or bouncing sendmail?
posted by danblaker at 2:05 PM on March 9, 2007


I'm not sure if it's possible, but it sounds like you might want to use POP before SMTP, but on ALL mail rather than just relaying.
posted by wackybrit at 2:11 PM on March 9, 2007


Response by poster: "If relaying is disabled, and yet you are seeing outgoing messages of this sort, it's pretty likely that the box is compromised."

That wouldn't surprise me--many of our webmail-only users have insecure passwords. I was thinking I'd disable remote SMTP access for those users; but I don't see where to do it.
posted by danblaker at 2:19 PM on March 9, 2007


There is nothing wrong with AUTH LOGIN PLAIN... so long as you use SSL to connect to the mail server so the connection will be encrypted (and therefore your password can't be sniffed).

This combination (auth login plain with SSL) is the only secure mechanism that pretty much all clients can handle, so it's the most commonly used and often the only choice.

You can use:
define(`confAUTH_OPTIONS', `A p')dnl
to only allow authentication when the connection is secure (i.e. TLS/SSL) and only allow relaying on an authenticated connection.
Of course you also have to enable SSL/TLS and create a cert.

:j
posted by jbotz at 2:50 PM on March 9, 2007


Check to see if your box is showing as an open relay. There are several web based services to do this. Here is one.

http://www.abuse.net/relay.html

tail -f /var/log/maillog and watch the connections for awhile. It'll give you a feel for the usage.

You may also be the victim of a Joe job.

http://en.wikipedia.org/wiki/Joe_job.

Mailscanner is a useful tool that will integrate SpamAssassin and virus scanners without modifying your sendmail installation. Backing up /etc/mail before install is a good idea.

http://www.mailscanner.info
posted by dknott123 at 6:17 PM on March 9, 2007


Have your users submit mail using port 587, the mail submission port. Lock this down with your favorite AUTH flavor. Port 25 should then be used only to receive mail for the domains you MX. Instruct your users to change their mail client to use SMTP port 587.

I'm surprised anybody uses sendmail any more. Postfix is way easier to administer and is plug-compatible.
posted by ldenneau at 7:24 PM on March 9, 2007
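Putting jbotz's confAUTH_OPTIONS advice and ldenneau's port 25 / port 587 split together, here is an added sendmail.mc fragment; it is not from the thread, from sendmail's documentation, or from the poster's box. The certificate paths, the restart command, and the assumption that this sendmail was built with SASL and STARTTLS support are mine, and regenerating sendmail.cf plus a daemon restart is unavoidable, so this does not satisfy the "without bouncing sendmail" wish.

```m4
dnl Added example, not from the thread: sendmail.mc fragment that splits
dnl inbound MX traffic (port 25) from authenticated user submission (587).
dnl Assumed: sendmail built with SASL + STARTTLS, RHEL-style cert paths.
dnl Apply with: m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
dnl             service sendmail restart   (a restart is unavoidable)

dnl ---- weak (typical default): one listener, AUTH LOGIN/PLAIN in clear ----
dnl DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
dnl define(`confAUTH_OPTIONS', `A')dnl

dnl ---- hardened ----
dnl STARTTLS: server certificate and key (assumed paths; create them first)
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl

dnl SASL: a client that authenticates with a TRUST_AUTH_MECH mechanism
dnl may relay.  confAUTH_OPTIONS flags: A = add AUTH= to MAIL FROM only
dnl after a successful login, p = do not offer LOGIN/PLAIN until a
dnl security layer (TLS) is up, y = refuse anonymous mechanisms.
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
define(`confAUTH_OPTIONS', `A p y')dnl

dnl Listeners.  Drop any stock Addr=127.0.0.1 from the MTA line, or the
dnl box cannot receive mail for the domains it MXes.
dnl   M=A   disable AUTH on port 25 (inbound MTA-to-MTA mail only)
dnl   M=Ea  no ETRN, AUTH required on port 587 (roving users' clients)
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA, M=A')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
```

The webmail CGI keeps working because it injects mail from localhost, which the access map already lets RELAY; the local-to-local spam sent with valid webmail credentials is untouched by any of this and remains a password problem for those ~200 accounts.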


"I'm surprised anybody uses sendmail any more"

Me too, but Red Hat is still shipping it as the default, and I get SO MUCH SPAM from compromised RH boxes running Sendmail that it's not even funny anymore. Ugh.

Yeah, danblaker, if you're new to this I would advise you to strongly consider rebuilding the box but using Postfix instead.

http://www.postfix.org - the config files are a lot easier to deal with, it's a direct drop-in replacement for Sendmail, and the user community (postfix mailing list) is VERY sharp.

I think that POP before SMTP is ok, but it's kind of a kludgy hack. SMTP AUTH works a lot better, and is really easy to set up with Postfix.

There are many HOWTO documents out there on the web for setting up a Postfix box.

I'm saying this because if you've already checked the relay rules and stuff is still going on, you may want to look for a compromised box.
posted by drstein at 9:52 PM on March 9, 2007

