Date:      Mon, 16 Aug 2010 13:14:04 -0500 (CDT)
From:      Robert Bonomi <bonomi@mail.r-bonomi.com>
To:        freebsd-questions@freebsd.org, peter@vfemail.net
Subject:   Re: Open Mail Relay
Message-ID:  <201008161814.o7GIE4K7003985@mail.r-bonomi.com>


> Date: Sun, 15 Aug 2010 07:57:23 -0400
> To: freebsd-questions@freebsd.org
> From: peter@vfemail.net
> Subject: Re: Open Mail Relay
>
> At 05:13 PM 8/14/2010, Robert Bonomi wrote:
> >> Date: Sat, 14 Aug 2010 09:29:54 -0400
> >> To: freebsd-questions@freebsd.org
> >> From: peter@vfemail.net
> >> Subject: Open Mail Relay
> >>
> >>
> >> I have a machine running FreeBSD, sendmail and majordomo.  I have someone who is on one of those majordomo lists complaining that they are receiving spam from me.  The complainer says I have an open mail relay that I need to fix.  
> >>
> >> I went to http://www.abuse.net/relay.html to test the machine using its IP address.  Abuse.net gives a clean bill of health, saying relaying was denied in 17 separate tests.
> >>
> >> I've reviewed my mail logs for the past couple of days and I can't find any entries for any mail addressed to the complainer's domain name except mail that should have been sent.  
> >>
> >> Is Abuse.net's test adequate to rule out an open mail relay problem?  
> >
> >
> >There are -several- possible sources of spam to that list user.
> >
> >The abusenet open-relay tests check only one of them.
> >
> >The machine may be compromised (i.e. 'owned') and the bad guys have
> >installed their -own- mail-sending software on it. the logs that
> >show activity from _your_ mail-sending software would, obviously,
> >*not* show the activity of this other software.
> >
> >In addition, whatever mailinglist said user is subscribed to _may_ be set
> >to take messages from 'anybody', not just confirmed members of the list.
> >
> >Thirdly, some folks sign up for a list _just_ to send their off-topic
> >commercial messages to it.
> >
> >NONE of those three scenarios are an 'open relay', but they all result
> >in spam showing up in the list-subscriber's mailbox, that got there by
> >_from_ your machine.
>
> Thank you everyone for your many comments and suggestions.  The level of talent and responsiveness on this list is nothing less than stunning.  
>
> I've requested copies of the offensive messages, and I'm hopeful the complainer will send me copies.  I believe I have control over the majordomo lists -- postings are restricted to list members, postings are monitored, and many lists are moderated.  
>
> Assume, as Mr. Bonomi suggests, that some bad guy has installed some type of additional mailer on the machine or another machine that's allowed to relay mail.  How would I go about locating that other mailer?  
>

*IF* the machine has been compromised, then you're going to have a -very-
difficult time finding it, using any tools _on_ the box.  It's not uncommon
for the bad guys to install 'modified' (to use a polite word for it) 
versions of system utilities, and/or run-time-loading system libraries, 
that selectively 'edit out' information that they don't want you to see.
e.g., a modified ps(1) will -not- show the 'bot' process that is spewing 
mail.

A _second_ machine, on the same LAN, using something like 'tcpdump' to 
monitor outbound port 25 traffic from the first box, can show you if there 
are 'things happening' that are not being reported in the log files.

_Finding_ the offending code, after you've established that it *is* happening,
is a whole nuther can of worms.  _if_ you have something like an up-to-date
'tripwire' database, with fingerprints of every installed executable, you
can boot from alternate media (say the 'live CD' image), and look for things
where the fingerprint has changed.

If you establish a compromise -has- occurred, about the only way to *ensure*
that the machine is 'trustworthy' again is to back up all application *data*,
wipe the drive(s) {as in 'dd if=/dev/zero of=/dev/ad??'}, and re-install 
everything FROM SCRATCH.

NOTE: This _is_ a 'worst case' scenario.  Odds are that when you see the
'full headers' on the 'offending' messages, it will turn out to be something
else entirely.

Comment:  someone who _knows_ what they're talking about would not simply
make the bald assertion 'you have an open relay' -- they would *know*
that that statement _alone_ is insufficient to get to the root of the problem
and fix it.  They would, at a minimum, identify the _type_ of traffic that
was being relayed (e.g. 'from is spoofed as your domain'), or would provide
several copies of the offending traffic, _before_ being asked.   Based on
this, the 'quality' of the original complainant's is somewhat suspect itself.


Probably the most _common_ situation is a spammer signs up to a mailing list,
*NOT* to spam _through_ it, but to collect the email addresses of those who
post _to_ the mailing list.  And they then send junk email to those people
directly.  Now, if somebody is using a 'unique' email address for that 
mailing list, they *can* jump to the conclusion that 'anything' to that address
must have come from/through your servers.  I haven't seen anybody doing this
kind of thing 'smart enough' so as to make it appear (in received headers)
that it originated from the mailing-list server; it's a lot of work for 
not much return -- most people can't/don't read headers, so it's wasted
effort for them; for those who _DO_ know how, this kind of gimmick would
'fool' only those who were paying the poorest of attention to details.
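The second-machine tcpdump check described in the reply above is only half the job: once you have the capture, you still have to line it up against what the MTA itself logged. The script below is an added example, not code from the post or from any FreeBSD tool. It assumes the monitoring host captured SYN packets with `tcpdump -n 'src host 192.0.2.10 and dst port 25'` (so each outbound SMTP connection appears once) and that the mail host runs sendmail, whose maillog records the relay address in brackets; both inputs here are constructed samples.

```python
"""Correlate outbound SMTP connections seen on the wire (by a second host)
with the MTA's own maillog. A destination that shows up on the wire but
never in maillog points at mail-sending software the box's logs do not
know about, which is exactly what a modified ps(1) or syslog would hide."""
import re
from typing import Dict, Set

# Constructed sample of `tcpdump -n` output from the monitoring host,
# SYN packets only, so there is one line per connection attempt.
TCPDUMP_LINES = """\
13:14:04.101 IP 192.0.2.10.49152 > 203.0.113.25.25: Flags [S], seq 1, win 65535, length 0
13:14:09.402 IP 192.0.2.10.49160 > 198.51.100.7.25: Flags [S], seq 1, win 65535, length 0
13:14:09.778 IP 192.0.2.10.49161 > 198.51.100.7.25: Flags [S], seq 1, win 65535, length 0
13:14:12.003 IP 192.0.2.10.49170 > 203.0.113.40.25: Flags [S], seq 1, win 65535, length 0
"""

# Constructed sample of sendmail's /var/log/maillog for the same minute.
MAILLOG_LINES = """\
Aug 16 13:14:04 mail sm-mta[3985]: o7GIE4AA003985: to=<list@example.org>, delay=00:00:01, mailer=esmtp, relay=mx.example.org. [203.0.113.25], dsn=2.0.0, stat=Sent (OK)
Aug 16 13:14:12 mail sm-mta[3990]: o7GIECBB003990: to=<user@example.com>, delay=00:00:00, mailer=esmtp, relay=mx.example.com. [203.0.113.40], dsn=2.0.0, stat=Sent (OK)
"""

# "IP <src>.<sport> > <dst>.25: Flags [S]"  -- group 3 is the destination IP
SYN_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.25: Flags \[S\]")
# sendmail writes "relay=<hostname>. [<ip>]" for the host it delivered to
RELAY_RE = re.compile(r"relay=\S+ \[([0-9.]+)\]")


def smtp_destinations(tcpdump_text: str) -> Dict[str, int]:
    """Count outbound SMTP connection attempts per destination IP."""
    counts: Dict[str, int] = {}
    for line in tcpdump_text.splitlines():
        m = SYN_RE.search(line)
        if m:
            dst = m.group(3)
            counts[dst] = counts.get(dst, 0) + 1
    return counts


def logged_relays(maillog_text: str) -> Set[str]:
    """Destination IPs that the MTA itself reports having connected to."""
    return {m.group(1) for m in (RELAY_RE.search(l) for l in maillog_text.splitlines()) if m}


def unlogged_destinations(tcpdump_text: str, maillog_text: str) -> Dict[str, int]:
    """Wire-observed SMTP destinations with no corresponding maillog entry."""
    wire = smtp_destinations(tcpdump_text)
    logged = logged_relays(maillog_text)
    return {ip: n for ip, n in wire.items() if ip not in logged}


if __name__ == "__main__":
    for ip, n in unlogged_destinations(TCPDUMP_LINES, MAILLOG_LINES).items():
        print(f"{ip}: {n} outbound SMTP connection(s) with no maillog entry")
```

In the sample, two connections to 198.51.100.7 appear on the wire but nowhere in maillog, which is the signal the reply describes. Run the capture and the log comparison on the second machine, not the suspect one, since a compromised host can lie about both.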




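The reply's tripwire-style check (a stored fingerprint of every installed executable, compared after booting from a live CD) can be reduced to a small script. What follows is an added example, not code from the post or from tripwire itself: it hashes every regular file under a tree with SHA-256, keeps the result as a baseline, and diffs a later pass against it. The directory layout and file contents are constructed inside a temporary directory so the example runs anywhere; in real use the baseline would be written before any incident and stored off the box.

```python
"""Tripwire-style fingerprint check: hash every regular file under a tree,
keep the baseline, and later diff a fresh pass against it to find files
that changed, appeared or disappeared. Meant to be run from alternate
media against the mounted (not running) system, so a modified ps(1) or
libc cannot interfere with the comparison."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint_tree(root: Path) -> Dict[str, str]:
    """Map each regular file (path relative to root, POSIX form) to its hash.
    Symlinks are skipped so a link pointing outside the tree is not hashed."""
    fps: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            fps[p.relative_to(root).as_posix()] = sha256_file(p)
    return fps


def compare_fingerprints(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files whose hash differs, files not in the baseline, and
    baseline files that are gone. Sorted so the report is stable."""
    return {
        "changed": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def run_demo() -> Dict[str, List[str]]:
    """Build a toy bin/ and lib/ tree, baseline it, tamper, and diff.
    All file contents here are constructed placeholders, not real binaries."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "lib").mkdir()
        (root / "bin" / "ps").write_bytes(b"original ps binary\n")
        (root / "bin" / "ls").write_bytes(b"original ls binary\n")
        (root / "lib" / "libc.so.7").write_bytes(b"original libc\n")
        baseline = fingerprint_tree(root)  # in practice: saved off-box earlier

        # Simulated tampering of the kind the reply describes: ps replaced,
        # an extra shared library dropped in, nothing removed.
        (root / "bin" / "ps").write_bytes(b"modified ps binary\n")
        (root / "lib" / "libextra.so").write_bytes(b"unexpected library\n")
        return compare_fingerprints(baseline, fingerprint_tree(root))


if __name__ == "__main__":
    for kind, files in run_demo().items():
        print(f"{kind}: {files}")
```

The comparison only has value if the baseline was taken before the compromise and kept somewhere the box cannot alter; a fingerprint database stored on the suspect machine can be rewritten along with the binaries it describes.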