From owner-freebsd-questions Sun Oct 20 21:15:28 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id VAA18681 for questions-outgoing; Sun, 20 Oct 1996 21:15:28 -0700 (PDT)
Received: from server.gf-net.af.mil (server.gf-net.af.mil [132.10.1.17]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id VAA18673 for ; Sun, 20 Oct 1996 21:15:24 -0700 (PDT)
Received: (from erickson@localhost) by server.gf-net.af.mil (8.7.5/8.7.3) id XAA21587; Sun, 20 Oct 1996 23:21:39 -0500 (CDT)
Date: Sun, 20 Oct 1996 23:21:37 -0500 (CDT)
From: Jay E Erickson
To: "Timothy P. Layton, Sr."
cc: questions@FreeBSD.ORG
Subject: Re: HELP !!! I have a mail hacker.
In-Reply-To: <199610190913.JAA07351@global-sol.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

To reduce this type of activity I did three things:

1. Installed TCP Wrappers

2. Ran my smtp traffic through TCP Wrappers (three steps)
   (the wrappers install docs helped me with this)

   added the next line to my /etc/inetd.conf

   smtp stream tcp nowait root /usr/libexec/tcpd /usr/sbin/sendmail -bs

   and added the next two lines to my /etc/crontab for root

   # Check sendmail queue every 30 minutes
   */30 * * * * root /usr/sbin/sendmail -q

   set the sendmail option in the /etc/sysconfig to "no"

   if you don't want to use crontab you can set the sendmail
   option in the /etc/sysconfig to "-q30m"

3. in my /etc/sendmail.cf file I set

   O PrivacyOptions=goaway

step 1 is just a good idea
step 2 makes sure the IP address = their long address
   i.e. 204.216.27.18 = FreeBSD.org
and step 3 forces smtp mailers to greet you with hello and doesn't
let them expand on any lists or verify any users.

this doesn't make you 100% safe but every little bit counts.

On Sat, 19 Oct 1996, Timothy P. Layton, Sr. wrote:

> Help !!!
>
> my mail host is receiving a couple thousand messages per night
> from a fictitious user at a fake domain.
>
> I looked in the maillog and found what domain the messages were
> coming from.
>
> Can I reject all mail from a single domain, and can I take it even
> further by refusing any type of connection from a domain ??

Yes. TCP wrappers can do this for you

Jay Erickson
Erickson@server.gf-net.af.mil or
Jay@Erickson.gf-net.af.mil
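
An added example (not part of the original message, and not the TCP Wrappers code) sketching the two checks the reply relies on: confirming that a client's address and name agree, then refusing a client by domain. The function names, the DNS tables and the `.spam.example` pattern are constructed for illustration.

```python
import socket

# Constructed sample DNS data (documentation address ranges, made-up names).
SAMPLE_PTR = {
    "192.0.2.10": "mail.example.org",
    "198.51.100.7": "relay.spam.example",
    "203.0.113.5": "mx.example.org",      # PTR claims a name it does not own
}
SAMPLE_A = {
    "mail.example.org": ["192.0.2.10"],
    "relay.spam.example": ["198.51.100.7"],
    "mx.example.org": ["192.0.2.99"],
}

def verified_name(ip, reverse=None, forward=None):
    """Return the client's hostname only if address -> name -> address agrees."""
    reverse = reverse or (lambda a: socket.gethostbyaddr(a)[0])
    forward = forward or (lambda n: socket.gethostbyname_ex(n)[2])
    try:
        name = reverse(ip).rstrip(".").lower()
        addrs = forward(name)
    except (OSError, KeyError):   # lookup failed (KeyError: the dict stubs)
        return None
    return name if ip in addrs else None

def domain_matches(name, pattern):
    """Leading-dot pattern matches any host under that domain; else exact."""
    pattern = pattern.lower()
    return name.endswith(pattern) if pattern.startswith(".") else name == pattern

def decide(ip, denied, reverse=None, forward=None):
    """Deny on name/address disagreement, then on a denied-domain match."""
    name = verified_name(ip, reverse, forward)
    if name is None:
        # Assumption of this sketch: a failed lookup is treated like a mismatch.
        return "deny: name/address mismatch"
    for pattern in denied:
        if domain_matches(name, pattern):
            return f"deny: {name} matches {pattern}"
    return f"allow: {name}"

if __name__ == "__main__":
    for ip in sorted(SAMPLE_PTR) + ["192.0.2.200"]:
        print(ip, "->", decide(ip, [".spam.example"],
                               SAMPLE_PTR.__getitem__, SAMPLE_A.__getitem__))
```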