View Full Version : Prevent Sendmail from relaying spam



trinity.westhost.com
07-07-2004, 10:59 AM
Every so often I get rashes of emails from various postmaster@... and MAILER-DAEMON@... where the received from is not anywhere that I or any of my roaming users are and the recipients are clearly hapless people whose email addresses got on some bulk email list (but it looks like they were lucky enough to have their account nuked) since they're nobody I or any of my users know.

So it looks to me like people are using my host to relay their spam. I've read sendmail.org's website about check_* hacks to install, but I'm afraid of messing with my sendmail.cf file for fear of disabling email altogether.

1) Does anyone know what version of sendmail is installed on our VDS?
2) Does anyone know if sendmail is in fact configured by default to be a spammer's paradise?
3) Has anyone managed to find a good solution to close the hole while allowing users to roam about?
4) Can someone post precise instructions for what to do?

Thanks,

FZ
07-07-2004, 11:18 AM
I doubt people are actually using your account to relay spam: you have to keep in mind that WestHost, by default, will have enabled all security/anti-spam measures for you. The other thing you need to keep in mind is that it is pathetically easy for anyone to fake any e-mail address in the From: - without having had any contact with the/your actual host at all. I think we've all been victims of spoofed From: headers at one point or another... There isn't much you can do, except set up some Procmail filters to delete that mail since you do not want to see it.

However, if you still believe your account is being used, you can enable more verbose logging for Sendmail and view the log from time to time to see if you can spot anything suspicious. If you would like to go that route, let me know and I'll help you out there.

Finally, if it is feasible, you could set up IP filtering via your 2.0 Site Manager (assuming you are on 2.0) to only allow POP3, SMTP and "other" access to the IP addresses/blocks that you and your clients use. Alternatively, if you know the IP addresses/domains of the "spoofers", you can bar them from having access to your site at all.

Good luck.
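To go the route FZ describes (turn up Sendmail's logging and look through the log for anything suspicious), here is an added example that is not from the thread, from WestHost or from the Sendmail project: a small Python script that reads lines in the standard syslog format Sendmail writes to maillog and separates three things the original post mixes together. It matches `from=` envelope lines to the `to=` delivery lines with the same queue id, flags a message as relayed only when it was accepted from a client outside a trusted list and then delivered to a domain that is not ours, counts `Relaying denied` rejections from `check_rcpt` (which show the relay check is already working), and counts inbound messages with an empty envelope sender (the bounces that arrive when someone else forges your domain). The log lines, hosts, IPs and queue ids are constructed for the example, and `LOCAL_DOMAINS` and `TRUSTED_IPS` are assumptions you would replace with your own domain and your roaming users' addresses.

```python
import re
from collections import Counter

# Assumptions (not from the original thread): the VDS's own mail domain and the
# addresses your roaming users legitimately submit mail from.
LOCAL_DOMAINS = {"trinity.example"}
TRUSTED_IPS = {"127.0.0.1", "198.51.100.7"}

# Constructed sample lines in the syslog format sendmail writes to maillog.
# Hosts, IPs, msgids and queue ids are invented for this example.
SAMPLE_LOG = """\
Jul  7 10:12:01 trinity sendmail[4112]: i67AC1x04112: ruleset=check_rcpt, arg1=<victim@example.net>, relay=[203.0.113.45], reject=550 5.7.1 <victim@example.net>... Relaying denied
Jul  7 10:12:02 trinity sendmail[4112]: i67AC1x04112: ruleset=check_rcpt, arg1=<other@example.org>, relay=[203.0.113.45], reject=550 5.7.1 <other@example.org>... Relaying denied
Jul  7 10:15:44 trinity sendmail[4130]: i67AFix04130: from=<alice@trinity.example>, size=812, class=0, nrcpts=1, msgid=<1@trinity.example>, proto=ESMTP, daemon=MTA, relay=laptop.example [198.51.100.7]
Jul  7 10:15:45 trinity sendmail[4131]: i67AFix04130: to=<bob@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30812, relay=mx.example.com. [192.0.2.10], dsn=2.0.0, stat=Sent
Jul  7 10:20:09 trinity sendmail[4150]: i67AK9x04150: from=<bogus@trinity.example>, size=4100, class=0, nrcpts=3, msgid=<spam1@203.0.113.45>, proto=SMTP, daemon=MTA, relay=[203.0.113.45]
Jul  7 10:20:10 trinity sendmail[4151]: i67AK9x04150: to=<a@example.net>,<b@example.net>,<c@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=34100, relay=mx.example.net. [192.0.2.20], dsn=2.0.0, stat=Sent
Jul  7 10:22:30 trinity sendmail[4160]: i67AMUx04160: from=<>, size=2300, class=0, nrcpts=1, msgid=<bounce@mx.example.org>, proto=ESMTP, daemon=MTA, relay=mx.example.org [192.0.2.30]
"""

QID_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$")
FROM_RE = re.compile(r"^from=<(?P<sender>[^>]*)>.*relay=(?P<relay>[^,]+)")
TO_RE = re.compile(r"^to=(?P<rcpts>.*?), delay=.*relay=(?P<relay>[^,]+).*stat=(?P<stat>\w+)")
DENIED_RE = re.compile(
    r"ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+), reject=550 .*Relaying denied"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def client_ip(relay_field):
    """Pull the bracketed IP out of a relay= field such as 'host.example [192.0.2.1]'."""
    m = IP_RE.search(relay_field)
    return m.group(1) if m else relay_field.strip()


def analyze(log_text, trusted_ips=TRUSTED_IPS, local_domains=LOCAL_DOMAINS):
    envelopes = {}      # queue id -> who handed us the message and as whom
    deliveries = {}     # queue id -> recipients we actually sent onward
    denied = Counter()  # client IP -> rejected relay attempts (check_rcpt did its job)
    bounces = 0         # inbound messages with an empty envelope sender (backscatter)

    for line in log_text.splitlines():
        m = QID_RE.search(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")

        d = DENIED_RE.search(rest)
        if d:
            denied[client_ip(d.group("relay"))] += 1
            continue
        f = FROM_RE.match(rest)
        if f:
            envelopes[qid] = {"sender": f.group("sender"), "client_ip": client_ip(f.group("relay"))}
            if f.group("sender") == "":
                bounces += 1
            continue
        t = TO_RE.match(rest)
        if t and t.group("stat") == "Sent":
            rcpts = [r.strip().strip("<>") for r in t.group("rcpts").split(",")]
            deliveries.setdefault(qid, []).extend(rcpts)

    relayed = []
    for qid, env in envelopes.items():
        # A message was relayed if an untrusted client handed it to us and we
        # then delivered it to a domain we are not responsible for.
        foreign = [r for r in deliveries.get(qid, [])
                   if r.rsplit("@", 1)[-1].lower() not in local_domains]
        if env["client_ip"] not in trusted_ips and foreign:
            relayed.append({"qid": qid, "client_ip": env["client_ip"],
                            "sender": env["sender"], "recipients": foreign})
    return {"relayed": relayed, "denied": denied, "bounces_received": bounces}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for msg in report["relayed"]:
        print("RELAYED", msg["qid"], "from client", msg["client_ip"], "->", msg["recipients"])
    for ip, n in report["denied"].items():
        print("DENIED", n, "relay attempt(s) from", ip)
    print("bounces received:", report["bounces_received"])
```

Run it against the real log with `analyze(open("/var/log/maillog").read())` after filling in your own domain and trusted addresses. If the relayed list stays empty while the bounce count climbs, the MAILER-DAEMON mail is the spoofing FZ describes rather than relaying through your host; if entries do show up, the client IP and queue id give you what to look for in the rest of the log. To answer the version question in the original post, `sendmail -d0.1 -bv root` prints the installed version and compiled-in options.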

dansroka
07-08-2004, 06:52 AM
I'm often spoofed with spam that appears to be coming from a user on my server who doesn't exist. As Fayez mentioned, it is easy to do. I think spammers do it precisely because of the gut reaction it gets from us: "hey, who is this esmeralda wiffinpoof who seems to have an account on my domain?". Even though I know that it's fake, one of these fakes never fails to catch my eye as I scan a list of spam. (Grrr..!)