[lug] Sendmail 8.12.2 & outgoing spam

Sean Reifschneider jafo at tummy.com
Tue Jan 15 13:13:30 MST 2002


On Mon, Jan 14, 2002 at 02:50:53PM -0700, Shannon Johnston wrote:
>My server is spamming others. I want to find the source of the problem
>but I don't know what I'm looking for. Please help!!!

The first thing you need to do is find out if it's actually coming from
your server.  I've found that the reports people send in about a domain
being used for spamming are unreliable (at best).  We have one domain which
not infrequently gets used in the from address sent out by spammers.  So,
while the messages *NEVER* touch our box, we get a lot of angry reports to
our upstream ISP, etc...

You need to look at the Received lines of the messages that people are
forwarding back to you.  If you are getting abbreviated copies of the
messages, or no copy of the message being sent out at all, you need to
scold the reporters...

Take the received lines from your message, they are in reverse order of
delivery (first mail server that is hit is the last to occur in the
headers):

   Received: (qmail 10460 invoked by uid 500); 14 Jan 2002 21:01:14 -0000
   Received: (qmail 10455 invoked by uid 10); 14 Jan 2002 21:01:14 -0000
   Received: (qmail 4926 invoked by alias); 14 Jan 2002 21:01:11 -0000
   Received: (qmail 4921 invoked by uid 0); 14 Jan 2002 21:01:11 -0000

These are all local deliveries as the mail funnels down to my mailbox
(across a couple of machines via UUCP).

   Received: from fr.pythoneers.org (HELO community.tummy.com) (216.17.150.13)
     by tummy.com with SMTP; 14 Jan 2002 21:01:09 -0000

Ok, here my mail server ("by tummy.com") received the mail from the mailing
list server (216.17.150.13, community.tummy.com).  The "from
fr.pythoneers.org" means that the reverse DNS for the IP that sent the mail
resolves to that name.  The "HELO community.tummy.com" means that the mail
server identified itself as that name to my mail server.

   Received: from localhost (HELO community.tummy.com) (mailman at 127.0.0.1)
     by localhost with SMTP; 14 Jan 2002 21:01:02 -0000

This line is because of the mailing list software, which sends the mail
via SMTP to the localhost.

   Received: from engineer.lanxtra.com (HELO localhost.localdomain)
     (63.214.33.10) by community.tummy.com with SMTP; 14 Jan 2002 21:00:30 -0000

This is where your machine sent the mail to the mailing list server.  You
can see that it's configured to identify itself as "localhost.localdomain",
while its reverse DNS is "engineer.lanxtra.com"...  You probably want to
fix that.

Looking at the above, I can see that the mail came from the
community.tummy.com box, so if someone were reporting this as a spam, I'd
know that someone had found a way to send mail from that server.

I'd then start digging through the mail server logs looking for instances
of this mail or similar mails (it shouldn't be hard to find if someone is
using you to spam).  Look at where that mail is coming from, see if it's
coming in via SMTP from another host which is allowed to relay for some
reason, or from a web-based form, or what have you...

Hopefully, this gives you some hints on tracking down where mail is actually
originating.

Remember, the from line of an e-mail address is incredibly easy to forge.

Sean
-- 
 This mountain is PURE SNOW!  Do you know what the street value of this
 mountain is!?!                -- Better Off Dead
Sean Reifschneider, Inimitably Superfluous <jafo at tummy.com>
tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python


