Date:      Mon, 8 Sep 2008 10:10:30 -0700
From:      Chris Pratt <eagletree@hughes.net>
To:        FreeBSD-Questions Questions <freebsd-questions@freebsd.org>
Subject:   Re: Sendmail become open relay
Message-ID:  <E68B9AD5-0467-4C06-9DDB-BBEF04476A51@hughes.net>
In-Reply-To: <48C53620.10804@ifdnrg.com>
References:  <907677.98158.qm@web52202.mail.re2.yahoo.com> <48C53620.10804@ifdnrg.com>


On Sep 8, 2008, at 7:26 AM, Paul Macdonald wrote:

>
> This might be more general advice than specific help, but I've
> found most bad mail originating from me comes from PHP-driven forum
> sites.
> After originally patching the PHP src to log sitenames that send
> mail, I found enabling MAILHEAD support in the PHP build adds custom
> headers which help to identify the site anyway.
>
> I plan on adding a milter to pick these up dynamically, but for  
> now, it helps identify sites from stuck items in mailq.
>
> i.e. a grep into mailq for X-PHP-Script
>
> /var/spool/mqueue/qfm83AltWj045560:H??X-PHP-Script:  
> www.siteonserver.com/signup.php for x.101.27.178
>
> It's easy to spot dubious scripts as the IP is commonly the same.
>
> Good luck.
> Paul.
>
I was thinking somewhat the same thing. It can be the leveraging
of any scripts if the server is a web server of any sort. Spammers test
every possible crack against your scripts. While you attempt to find
which is being leveraged, you can minimize the damage by
using the MAX_RCPTS_PER_MESSAGE within sendmail. It allows
you to catch and destroy their use of your system prior to much
mail going out. You set this value to 2 and it's impossible to send
in one pass to more than two recipients. Monitoring your mailq
will allow you to see quickly if someone has got your number. This
will help keep you off BLs while you tighten your security.


> lyd mc wrote:
>> Hi guys, need help.
>>
>> My mail server has become an open relay.
>>
>> Unknown users can now send mail.
>>
>> Snippet from mailq:
>>
>> m88C8iWq042874      689 Mon Sep  8 20:08 <osxch@mail.mydomain.com>
>>                  (Deferred: Name server: mx1.mail.tw.yahoo.com.:  
>> host name loo)
>>                                          <chenaa00@yahoo.com.tw>
>>                                          <chena0.tw@yahoo.com.tw>
>>                                          <chena0877@yahoo.com.tw>
>>                                          <chena0@yahoo.com.tw>
>>                                          <chena11@yahoo.com.tw>
>>                                           
>> <chena121959330@yahoo.com.tw>
>>                                          <chena1238@yahoo.com.tw>
>>                                          <chena186890@yahoo.com.tw>
>>                                          <chena1966@yahoo.com.tw>
>>                                          <chena20155@yahoo.com.tw>
>>                                          <chena226@yahoo.com.tw>
>>                                          <chena22@yahoo.com.tw>
>>                                          <chena26232000@yahoo.com.tw>
>>
>> I don't have user 'osxch', and others can also send.
>>
>>
>> Best regards, thanks
>>
>> alydio
>>
>>
>>
>>
>>       _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions- 
>> unsubscribe@freebsd.org"
>>
>
> -- 
>
> <http://www.ifdnrg.com>; 	*Ultra fast and secure web hosting
> Live and on demand video streaming
> Custom online Solutions *
>
> *Paul Macdonald*
> Director 	
> paul@ifdnrg.com <mailto:paul@ifdnrg.com>
> www.ifdnrg.com <http://www.ifdnrg.com>; 	
>
> 	*IFDNRG*
> 127 Rose St South Lane, Edinburgh, EH2 4BB
> 0044.(0)131.2257470
>
> 	
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions- 
> unsubscribe@freebsd.org"
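
The X-PHP-Script grep described in the quoted reply, extended to count queued messages per script and client IP so the busiest sender stands out. This is an added example, not part of the original messages; the function names, sample queue files, host names and addresses are constructed.

```shell
#!/bin/sh
# Added example. Header format taken from the grep output quoted in the thread:
#   H??X-PHP-Script: <site>/<script> for <client-ip>

# tally_php_senders DIR
# Prints "count script client-ip" for each pair seen in DIR's qf files,
# busiest first. Each qf file is the control file of one queued message.
tally_php_senders() {
    grep -h '^H??X-PHP-Script:' "$1"/qf* 2>/dev/null |
        awk '{ n[$2 " " $4]++ } END { for (k in n) print n[k], k }' |
        sort -k1,1nr -k2
}

# make_sample_queue DIR
# Writes constructed qf files (sender line plus the PHP header only).
make_sample_queue() {
    i=0
    while read -r script ip; do
        i=$((i + 1))
        printf 'S<www@mail.example>\nH??X-PHP-Script: %s for %s\n' \
            "$script" "$ip" > "$1/qfSAMPLE$i"
    done <<'EOF'
www.siteonserver.example/signup.php 192.0.2.10
www.siteonserver.example/signup.php 192.0.2.10
www.othersite.example/contact.php 198.51.100.7
www.siteonserver.example/signup.php 192.0.2.10
EOF
}

# Demo on the constructed queue; on a real host pass /var/spool/mqueue.
demo=$(mktemp -d)
make_sample_queue "$demo"
tally_php_senders "$demo"
rm -rf "$demo"
```

Reading the real queue directory normally requires root, and a script that tops the list with a single client IP is the one to inspect first.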



