SUMMARY: What is using sendmail

From: Cian O'Sullivan (Cian@logic.bm)
Date: Mon Jun 10 2002 - 10:56:26 EDT


Thanks to

Jay Leafey
Lucio Chiappetti
Derek Tegler
Kresimir Kudumija
Prithwish Chatterjee

Everyone indicated formmail as a culprit. Further, as a result of some suggestions, I cross-referenced the /var/adm/syslog.dated/[date]/mail.log files with the access.log files. I also used netstat, and set the box up as a honeypot, trapping the culprit in the middle of the use of the formmail script. I set up a /usr/sbin/route add -net ip/24 127.0.0.1, as the culprit was a DSL user, so I wanted the whole subnet blocked. Spam has stopped and the ISP has been notified with all the logs. Surprisingly, in 3 days they had spawned off 1 million messages to nearly 45,000 independent domains.

I found the new script at www.worldwidemart.com/scripts/, and also upgraded the sendmail. I just now need to talk to the WebDEV team to see what vhost domains need this script. The major fix in it is that it won't send mail to domains that are not pre-defined in the script itself. Further, it won't allow remote servers to use it as a gateway.

I was also told to write a wrapper on my sendmail binary, which was a good idea, that would then take a ps snapshot, or I could use it to call lsof, etc. I may actually do that anyway. I have also enabled a logwatcher on the mail.log for activity that is greater than one message every 5 minutes.

Thanks Again.

Cian

ORIG Question

Gurus,
 
I have an old 4.0D box that has been a web server since the Titanic was built. Unfortunately it is still being used, and the handful of customers have all sorts of individual customized CGIs.

SpamCop has indicated that this box may have been compromised and is being used as a relay; however, a telnet mail.server 25 still gives a 550 relay reject error. So I think someone is routing the mail through a local CGI.

I chmod -x'd /usr/lib/sendmail; however, I need to have that enabled for legit mail. Can someone please give me guidance in determining where this mail might be spawning from? I don't want this /24 ending up on a spam list.
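The cross-referencing the summary describes (mail.log submissions matched against access.log hits, plus the "more than one message per five minutes" watch) is the part most readers will want to reproduce. The script below is an added example, not code from the original post or from anyone on the thread. The log lines in it are constructed; the sendmail and Apache formats, the `nobody` uid for httpd, the 5-second match window and the function names are assumptions for illustration.

```python
"""Cross-reference sendmail's mail.log with Apache's access.log to find which
CGI (and which client) is feeding spam into the local sendmail.

Added example, not code from the original post. The sample log lines below are
constructed; on the Tru64 box in question the real ones would come from
/var/adm/syslog.dated/<date>/mail.log and the httpd access.log.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# --- constructed sample data ------------------------------------------------
# Three submissions from the web server uid (nobody), 40 recipients each, a
# to= delivery line that must be ignored, and one legitimate user's message.
MAIL_LOG = """\
Jun 10 09:00:05 webbox sendmail[2101]: g5AD05a02101: from=nobody, size=811, class=0, nrcpts=40, msgid=<200206101300.g5AD05a02101@webbox>, relay=nobody@localhost
Jun 10 09:00:31 webbox sendmail[2107]: g5AD0Va02107: from=nobody, size=809, class=0, nrcpts=40, msgid=<200206101300.g5AD0Va02107@webbox>, relay=nobody@localhost
Jun 10 09:01:02 webbox sendmail[2113]: g5AD12a02113: from=nobody, size=815, class=0, nrcpts=40, msgid=<200206101301.g5AD12a02113@webbox>, relay=nobody@localhost
Jun 10 09:00:05 webbox sendmail[2101]: g5AD05a02101: to=<victim1@example.net>, delay=00:00:00, mailer=esmtp, stat=Sent
Jun 10 11:45:10 webbox sendmail[3310]: g5AFjAa03310: from=alice, size=1502, class=0, nrcpts=1, msgid=<200206101545.g5AFjAa03310@webbox>, relay=alice@localhost
"""

# Three formmail POSTs from one DSL client, each a second before a submission,
# and two unrelated GETs that must not be attributed.
ACCESS_LOG = """\
203.0.113.45 - - [10/Jun/2002:09:00:04 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 541
203.0.113.45 - - [10/Jun/2002:09:00:30 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 541
203.0.113.45 - - [10/Jun/2002:09:01:01 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 541
198.51.100.7 - - [10/Jun/2002:09:00:20 -0400] "GET /index.html HTTP/1.0" 200 2310
198.51.100.7 - - [10/Jun/2002:11:45:09 -0400] "GET /about.html HTTP/1.0" 200 1200
"""

# sendmail writes one "from=" line per submission; nrcpts is the recipient count.
SENDMAIL_FROM = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r"from=(?P<sender>\S+?),.*?nrcpts=(?P<nrcpts>\d+)")
# Apache common log format.
APACHE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_mail_log(text, year):
    """Return one dict per submission. syslog lines carry no year, so it is supplied."""
    msgs = []
    for line in text.splitlines():
        m = SENDMAIL_FROM.match(line)
        if not m:
            continue  # to=, stat= and other continuation lines
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        msgs.append({"time": ts, "qid": m["qid"], "sender": m["sender"],
                     "nrcpts": int(m["nrcpts"])})
    return msgs


def parse_access_log(text):
    """Return one dict per request. The UTC offset is dropped on the assumption
    that syslog and httpd both stamp local time on the same host."""
    hits = []
    for line in text.splitlines():
        m = APACHE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        hits.append({"time": ts, "ip": m["ip"], "method": m["method"],
                     "path": m["path"], "status": int(m["status"])})
    return hits


def correlate(msgs, hits, web_user="nobody", window_seconds=5):
    """Attribute each submission made under the web server's uid to the closest
    preceding /cgi-bin/ request within window_seconds.
    Returns (Counter of (client_ip, script) -> recipients, unexplained queue ids)."""
    window = timedelta(seconds=window_seconds)
    cgi_hits = [h for h in hits if h["path"].startswith("/cgi-bin/")]
    attributed, unexplained = Counter(), []
    for msg in msgs:
        if msg["sender"] != web_user:
            continue  # a real user's mail, not something httpd spawned
        cands = [h for h in cgi_hits
                 if msg["time"] - window <= h["time"] <= msg["time"]]
        if not cands:
            unexplained.append(msg["qid"])  # worth a look: a cron job or a shell?
            continue
        hit = max(cands, key=lambda h: h["time"])
        attributed[(hit["ip"], hit["path"])] += msg["nrcpts"]
    return attributed, unexplained


def peak_rate(msgs, window_minutes=5):
    """Largest number of submissions in any rolling window (two-pointer sweep).
    The post's logwatcher fired on more than one message per five minutes."""
    times = sorted(m["time"] for m in msgs)
    window = timedelta(minutes=window_minutes)
    peak, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def blackhole_route(ip):
    """The route line the summary used to drop the abuser's whole /24 (Tru64 form)."""
    net = ".".join(ip.split(".")[:3]) + ".0"
    return f"/usr/sbin/route add -net {net}/24 127.0.0.1"


if __name__ == "__main__":
    msgs = parse_mail_log(MAIL_LOG, 2002)
    hits = parse_access_log(ACCESS_LOG)
    attributed, unexplained = correlate(msgs, hits)
    for (ip, script), rcpts in attributed.most_common():
        print(f"{rcpts:6d} recipients via {script} from {ip}  ->  {blackhole_route(ip)}")
    print("unexplained web-uid submissions:", unexplained or "none")
    print(f"peak: {peak_rate(msgs)} submissions in a 5-minute window")
```

On real logs, feed the whole day's mail.log and access.log in; the `unexplained` list is the interesting residue, since a web-uid submission with no matching CGI hit points at something other than a form script. Treat the match window as a tuning knob: on a loaded box, sendmail may log a second or two after the request completes.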



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:48:43 EDT