SUMMARY:How to stop a spam attack?

From: Debby Quayle <dquayle_at_hamilton.edu>
Date: Wed, 29 Oct 1997 12:50:23 -0400

WOW!

By the day's end yesterday, I had 45 replies!! My sincere thanks to
everyone who took time to write (some of them writing multiple times). My
summary below is in two parts. The first is what I did to handle the
attack that was underway. The second is a long list of the many
preventative measures people shared with me.

PROBLEM:

The original problem was that I came in yesterday morning to find that my
mail server was dishing out mail for some Spammer which I wanted
desperately to stop.

SUMMARY:

In short, the best way to stop a spam attack is through prevention. There
really wasn't a quick fix to my problem yesterday except to write to the
source of the attack and complain. The attack did finally stop...at least
for now.

For those who haven't been "lucky" enough to experience this sort of thing
here is how I coped with it. I don't know if I did everything I could
have, or even if I've interpreted everything correctly (I *am* still new to
this)...but for what it's worth...

WHAT I DID:

1) Once I was alerted to the problem by a complaint from a site that had
just received the spam from my server, I confirmed it was still in the
queue with "mailq".

2) Next I went to /var/spool/mqueue and renamed the qf..... file so that
I'd have a record of the full header (which contained the address the spam
was coming from). This also stopped the job from processing (at least
temporarily).

3) Having obtained the ID from the mail queue, I then used "ps ax | grep
ID" and was able to see the following:
30828 ?? I 0:11.41 sendmail: EAA27911 byreferralonly

This seemed to confirm that my site was being used as a relay.

4) If you aren't lucky enough to grab the qf file, you can obtain the same
information from /var/adm/syslog.dated/DD-MO-TIME/mail.log. Note that
you'll want to find the first entry for the attack. It will contain the
spammer's address. The subsequent entries will contain the status of the
messages processed for that job. In my case it looked like:

Oct 28 05:49:53 ruby sendmail[27911]: EAA27911: from=<Reports@info.net>, size=20156, class=0, pri=30020156, nrcpts=1000, msgid=<199705231601.LAC19172@Homepublisher@dollar.com>, proto=SMTP, relay=105.beachaccess.com.au [203.57.14.105]

5) Having sufficient evidence to confirm the source address, I wrote to
their sysadmin and postmaster with a request to stop anything coming to my
address. Despite a huge time difference between my site and theirs, the
attack did finally stop. I'm not sure if they actually complied with my
request, or if the job finally finished processing while I wasn't looking.

PREVENTION: (This section is long...sorry)

1) Many people suggested upgrading Sendmail to 8.8.7 and using the Spam
rulesets. From what I read, the Spam rulesets will work with 8.8.6 too. You
can use the following web addresses to read up on this *and* to obtain
other great tips for preventing Spam.

http://www.sendmail.org -- Home page
http://www.sendmail.org/antispam.html -- Anti-Spam provisions in Sendmail 8.8
http://www.informatik.uni-kiel.de/%7Eca/email/check.html -- Spam Rulesets
explained.
http://spam.abuse.net/ -- great general info. about stopping Spam
http://www.cauce.org/ -- Coalition Against Unsolicited Commercial E-mail
Home Page
http://www.stopspam.org/ -- Home Page
http://www.gtoal.com/spam -- Graham Toal Anti-Spam page
http://www.gtoal.com/spam/sendmail.html -- G. Toal's Sendmail Anti-Spam
modification program.
http://www.oit.duke.edu/sa/antispam/acpub.html -- more good info on Spam and
Sendmail anti-spam measures
http://www.nepean.uws.edu.au/users/david/pe/blockmail.html -- lists known
Spammer addresses

2) Someone receiving the spam dished out by my server sent the following:

At least fix your sendmail.cf to use a Received: template like the following
so you capture the IP address of the source:
HReceived: $?sfrom $s $.$?_($?s$|from $.$_) $.by $j ($v/$Z)$?r via $r$. id
$i$?u
        for $u$.; $b
        env-from ($g)

Notice from this message that the template line works in this variant of
sendmail 8.8.6.

3) Elliot Smorodinsky sent the following:

I don't know if it will run on Digital, but try the Obtuse
SMTPD/SMTPFWDD proxy instead of sendmail. We've had problems with spammers
using our mail server to bounce messages: root and su passwords have
nothing to do with it, what the spammers do is connect to the sendmail
port on your system and use that to forward their filth throughout the
net. The Obtuse package stopped it cold.

      You can get it from ftp://ftp.obtuse.com/pub/smtpd/smtpd-2.0.tar.gz,
and the main documentation page is http://www.obtuse.com/smtpd.html.
You'll have to configure the rulesets, but it's about 15 minutes of work,
and the package is free.

4) Several people mentioned tcp wrapper settings for your hosts.allow and
hosts.deny files when running Sendmail from /etc/inetd.conf. It sounds
like most folks *don't* run Sendmail this way (including me) but if you're
interested in this please write me for details.

5) I do run telnet through /etc/inetd.conf with tcp wrappers and it was
suggested that I examine my hosts.allow & hosts.deny files to better limit
the use of telnet.

6) This may duplicate the Sendmail Spam rulesets (I'm not sure), but in
case it is helpful, I've included it here. This solution was sent by Len
Senetza <len_at_helix.net>.

Add the following to your .mc file and regenerate your sendmail.cf file:

-- cut here --
LOCAL_CONFIG
# IP prefixes you relay mail for, read into class {LocalIP} from a file
F{LocalIP} -o /etc/mail/sendmail.local

LOCAL_RULESETS
# (the LHS and RHS of each R line must be separated by tabs, not spaces)
Scheck_rcpt
# first: get client addr
R$+	$: $(dequote "" $&{client_addr} $) $| $1
R0 $| $*	$@ ok	no client addr: directly invoked
R$={LocalIP}$* $| $*	$@ ok	from here

# not local, check rcpt
R$* $| $*	$: $>3 $2

# remove local part, maybe repeatedly
R$*<@$=w.>$*	$>3 $1 $3

# still something left?
R$*<@$+>$*	$#error $@ 5.7.1 $: 551 HAMILTON we do not relay
-- cut here --


Then in /etc/mail/sendmail.local, put in class C networks (or even
hosts) which you will allow to use your SMTP port. Please note that
this patch does not affect incoming mail.

-- sample sendmail.local --
150.209.8
150.209.34
150.209.35
-- sample sendmail.local --

We're using this at numerous sites and it works quite well.

7) Grab smtpd from http://www.cih.com/~hagan/smtpd-hacks
and configure it to get rid of either the spammer's address, or non-resolving
sites. Author, Craig Hagan, isn't sure this will compile on DU4.0b.

8) Paul Casteels wrote with instructions for adding lines to your
sendmail.cf which point to files which contain domain and user IDs to
block. I'll be glad to forward those to anyone wishing to see them.

9) Martin Mokrejs wrote with instructions for installing tcp wrappers.
I'll be glad to forward those to anyone wishing to see them.
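
The decision that Len Senetza's check_rcpt ruleset (item 6) makes, together with the relay host that the step 4 log entry exposes, re-implemented as an added Python example; this is not part of the summary nor of sendmail itself. The sendmail.local contents, the local host names (standing in for sendmail's class $=w) and the log line are constructed samples modelled on the ones above.

```python
import re

# Constructed sample of /etc/mail/sendmail.local: class C prefixes we relay for
SENDMAIL_LOCAL = "150.209.8\n150.209.34\n150.209.35\n"
# Assumed stand-in for sendmail's class $=w (names this host accepts as its own)
LOCAL_NAMES = {"ruby.hamilton.edu", "hamilton.edu"}
# Constructed log entry modelled on the step 4 example (msgid shortened)
SAMPLE_LOG = ("Oct 28 05:49:53 ruby sendmail[27911]: EAA27911: from=<Reports@info.net>, "
              "size=20156, class=0, pri=30020156, nrcpts=1000, msgid=<x@dollar.com>, "
              "proto=SMTP, relay=105.beachaccess.com.au [203.57.14.105]")

def load_local_nets(text):
    """F{LocalIP} -o /etc/mail/sendmail.local: one prefix per line."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def client_is_local(client_addr, nets):
    """R$={LocalIP}$* $| $*: the client's leading octets match a listed prefix."""
    octets = client_addr.split(".")
    return any(octets[:len(n.split("."))] == n.split(".") for n in nets)

def strip_local_domain(rcpt):
    """R$*<@$=w.>$* $>3 $1 $3, applied 'maybe repeatedly': drop our own domain and
    re-canonify, so user%other.com@hamilton.edu becomes user@other.com."""
    while True:
        local, sep, domain = rcpt.rpartition("@")
        if not sep or domain.lower().rstrip(".") not in LOCAL_NAMES:
            return rcpt
        user, pct, host = local.rpartition("%")
        rcpt = user + "@" + host if pct else local

def check_rcpt(client_addr, rcpt, nets):
    """Outcome of the check_rcpt ruleset: 'ok' or the 551 rejection text."""
    if client_addr == "0" or client_is_local(client_addr, nets):
        return "ok"                      # directly invoked, or from our nets
    if "@" in strip_local_domain(rcpt):
        return "551 HAMILTON we do not relay"
    return "ok"                          # recipient is local after all

LOG_RE = re.compile(r"nrcpts=(\d+).*relay=(\S+) \[([\d.]+)\]")

def relay_from_log(line):
    """(nrcpts, relay host, relay IP) from a sendmail 'from=' entry, or None."""
    m = LOG_RE.search(line)
    return (int(m.group(1)), m.group(2), m.group(3)) if m else None

if __name__ == "__main__":
    nets = load_local_nets(SENDMAIL_LOCAL)
    nrcpts, host, ip = relay_from_log(SAMPLE_LOG)
    print(nrcpts, host, ip, check_rcpt(ip, "victim@elsewhere.example", nets))
```

Running it shows that the client from the step 4 entry, with 1000 recipients, would have been refused by the ruleset, while the %-hack form user%other.com@hamilton.edu is refused only because the local domain is stripped repeatedly.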

List of contributors:

 Richard Eisenman <eisenman_at_tricity.wsu.edu>
<john_at_iastate.edu> John Hascall
Becki Kain <beckers_at_josephus.furph.com>
"Paul.Casteels" <casteels_at_uia.ua.ac.be>
HBW <blakew_at_fullerbrush.com>
barry_at_aealpha.aeix.com
vjs_at_sgi.sgi.com (Vernon Schryver)
John Stoffel <jfs_at_fluent.com>
Elliot Smorodinsky <elliots_at_eclipseamerica.com>
Ann Cantelow <cantelow_at_athena.csdco.com>
Peter Chapin <pchapin_at_twilight.vtc.vsc.edu>
Rainer Freis <freis_at_santix.de>
Jon Reeves <reeves_at_zk3.dec.com>
Martin Mokrejs <mmokrejs_at_prfdec.natur.cuni.cz>
Simon Tardell <Simon.Tardell_at_physto.se>
"Craig I. Hagan" <hagan_at_cih.com>
George Gallen <ggallen_at_slackinc.com>
Hans Ranke <Hans.Ranke_at_Regent.E-Technik.TU-Muenchen.DE>
Len Senetza <len_at_helix.net>
Mitko Stoyanov <mstoyan_at_newscorp.com.au>
Deen Ipaye <ipayed_at_ucs.orst.edu>
Gary Jarrell <JarrellG_at_mail.dec.com>
Received on Wed Oct 29 1997 - 19:30:17 NZDT

This archive was generated by hypermail 2.4.0 : Wed Nov 08 2023 - 11:53:37 NZDT