spam sucks

Well I've got sendmail installed and relaying mail for me. My next step is to secure it so that it doesn't relay spam mail for people who're just scanning or whatever. I installed pop-before-smtp so that it would only relay mail for people who've logged into the pop server (qpopper in my case) so that spammers couldn't use my server. I got this email tonight in my postmaster box... am I safe?

@postmaster email:

The original message was received at Fri, 27 Jun 2003 22:21:50 -0400 from localhost with id h5S2Logs028050

----- The following addresses had permanent fatal errors ----- <[email protected]>

(reason: 550 is now disabled with SMTP service.)

----- Transcript of session follows -----

... while talking to mta.21cn.com.:

RCPT To:<[email protected]>

<<< 550 is now disabled with SMTP service.

550 5.1.1 <[email protected]>... User unknown

I was curious so I checked the /var/log/mail.log file to see if there was anything suspicious and here is what I found.

@/var/log/mail.log:

Jun 27 22:21:49 (none) sm-mta[28048]: h5S2Llgt028048: from=<[email protected]>, size=159, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=[211.104.38.234]

Jun 27 22:21:50 (none) sm-mta[28050]: h5S2Llgt028048: to=<[email protected]>, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=120144, relay=mta.21cn.com. [202.104.32.232], dsn=5.5.2, stat=Service unavailable

Jun 27 22:21:50 (none) sm-mta[28050]: h5S2Llgt028048: h5S2Logs028050: DSN: Service unavailable

Jun 27 22:21:52 (none) sm-mta[28050]: h5S2Logs028050: to=<[email protected]>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=31452, relay=mta.21cn.com. [202.104.32.232], dsn=5.1.1, stat=User unknown

Jun 27 22:21:52 (none) sm-mta[28050]: h5S2Logs028050: h5S2Logt028050: return to sender: User unknown

So did I actually relay that spam mail? Doesn't seem so but I want to make sure.
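Reading the log above the way a practitioner would, as an added example that is not part of the original post: the script below parses sendmail's from=/to= records, groups them by queue ID, and decides whether an outside host handed the MTA mail for an outside domain. LOCAL_NETS, LOCAL_DOMAINS and every line in SAMPLE_LOG are constructed assumptions for illustration (documentation IP ranges, made-up queue IDs and addresses), not taken from the thread. The point it makes: a from= record whose relay= is an outside IP, followed by a to= record for a domain the box is not MX for, means the MTA accepted the message for relay, whether or not the far end later answered 5.1.1 User unknown.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed site policy for this example: only loopback submits mail locally and
# the box is the mail exchanger for one domain. Adjust both to your own setup.
LOCAL_NETS = [ip_network("127.0.0.0/8")]
LOCAL_DOMAINS = {"mydomain.example"}

# Constructed sample lines modelled on the thread's mail.log excerpt; queue IDs,
# addresses and IPs are made up (documentation ranges), not taken from the post.
SAMPLE_LOG = """\
Jun 27 22:21:49 (none) sm-mta[28048]: h5S2Llgt028048: from=<spammer@example.net>, size=159, class=0, nrcpts=1, msgid=<1@example.net>, proto=ESMTP, daemon=MTA, relay=[203.0.113.45]
Jun 27 22:21:50 (none) sm-mta[28050]: h5S2Llgt028048: to=<victim@example.org>, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=120144, relay=mx.example.org. [198.51.100.7], dsn=5.5.2, stat=Service unavailable
Jun 27 23:05:10 (none) sm-mta[28100]: h5S35Abc028100: from=<me@mydomain.example>, size=412, class=0, nrcpts=1, msgid=<2@mydomain.example>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Jun 27 23:05:11 (none) sm-mta[28102]: h5S35Abc028100: to=<friend@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30412, relay=mx.example.com. [192.0.2.9], dsn=2.0.0, stat=Sent (OK)
Jun 28 00:49:25 (none) sm-mta[28366]: h5S4msgs028366: SYSERR(root): Cannot open hash database /etc/mail/popauth.db: Invalid argument
Jun 28 00:49:26 (none) sm-mta[28366]: h5S4msgs028366: ruleset=check_rcpt, arg1=<someone@example.com>, relay=[203.0.113.46], reject=550 5.7.1 <someone@example.com>... Relaying denied
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sm-mta\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ADDR_RE = re.compile(r"<([^>]*)>")


def parse_fields(rest):
    """Split sendmail's 'key=value, key=value' record into a dict."""
    fields = {}
    for part in rest.split(", "):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def address_in(field):
    """Return the bare address from a 'from=<a@b>' / 'to=<a@b>' style value."""
    m = ADDR_RE.search(field)
    return m.group(1) if m else field


def is_local_relay(relay_field):
    """True if the 'relay=' that handed us the message is a trusted local source."""
    m = IP_RE.search(relay_field)
    if m:
        return any(ip_address(m.group(1)) in net for net in LOCAL_NETS)
    return relay_field.endswith("localhost")   # e.g. relay=root@localhost for /usr/sbin/sendmail


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower().rstrip(".")


def triage(log_text):
    """Classify each queue ID: did an outside host hand us mail for an outside domain?"""
    envelopes, deliveries = {}, {}
    report = {"relayed": [], "accepted_for_relay": [], "rejected": 0, "syserr": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        if rest.startswith("SYSERR"):             # e.g. the popauth.db error seen in the thread
            report["syserr"].append(rest)
            continue
        f = parse_fields(rest)
        if "reject" in f:                          # check_rcpt refused the RCPT: the MTA did its job
            report["rejected"] += 1
        elif "from" in f:                          # message accepted into the queue
            envelopes[qid] = (address_in(f["from"]), is_local_relay(f.get("relay", "")))
        elif "to" in f:                            # a delivery attempt for a queued message
            deliveries.setdefault(qid, []).append((address_in(f["to"]), f.get("stat", "")))
    for qid, (sender, local) in envelopes.items():
        if local:
            continue
        for rcpt, stat in deliveries.get(qid, []):
            if domain_of(rcpt) in LOCAL_DOMAINS:
                continue                           # inbound mail for us is not relaying
            # A 'from=' line from an outside IP plus a 'to=' line for an outside domain means
            # the MTA accepted the message for relay, whether or not the far end took it.
            bucket = "relayed" if stat.startswith("Sent") else "accepted_for_relay"
            report[bucket].append((qid, sender, rcpt, stat))
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for key in ("relayed", "accepted_for_relay"):
        for qid, sender, rcpt, stat in r[key]:
            print(f"{key}: {qid} {sender} -> {rcpt} ({stat})")
    print(f"rejected RCPTs: {r['rejected']}, SYSERRs: {len(r['syserr'])}")
```

Run against a real /var/log/mail.log, the "accepted_for_relay" bucket is the one to watch: those messages never left the box only because the destination bounced them, which is luck, not policy. The "rejected" count is what a correctly configured check_rcpt produces instead.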

11 Replies

li-24.members.linode.com just relayed a test message for me. If you didn't relay that message you could have.

ps. if i did it, sorry chris (he knows what i'm talking about :)

@kenny:

li-24.members.linode.com just relayed a test message for me. If you didn't relay that message you could have.

ps. if i did it, sorry chris (he knows what i'm talking about :)

Hrmm... what should I do to stop it so that you can't relay?

EDIT: hehe yea, saw it in the log file. I need to fix this problem with pop-before-smtp. Think that's the problem.

> Jun 28 00:49:25 (none) sm-mta[28366]: h5S4msgs028366: SYSERR(root): Cannot open hash database /etc/mail/popauth.db: Invalid argument

Stop sendmail as soon as possible. The risk isn't a few spam messages, it's getting blacklisted.

I'm not a sendmail user so I can't help much there, but check out: http://relays.osirusoft.com/mtafix/ it should at least lead you in the right direction.

Kenny

@kenny:

Stop sendmail as soon as possible. The risk isn't a few spam messages, it's getting blacklisted.

I'm not a sendmail user so I can't help much there, but check out: http://relays.osirusoft.com/mtafix/ it should at least lead you in the right direction.

Kenny

Kenny,

Can you give it another shot for me?

550 5.7.1 [email protected]... Relaying denied. Proper authentication required.

Looks good :) For future reference, a lookup for "open relay test" on Google will return a number of automated sites that can test this.

Kenny
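The check Kenny ran by hand, as an added example (my code, not something posted in the thread): an open-relay probe that speaks SMTP only as far as RCPT TO, where the MTA gives its verdict, and never sends DATA, so nothing is queued on the target. A scripted stand-in for the MTA is included so the dialogue can be exercised offline; its hostnames, addresses and reply texts are placeholders. The one assumption the probe relies on is that the sender and recipient domains are both foreign to the host under test; if the host is MX for the recipient domain, a 250 is ordinary inbound acceptance, not relaying.

```python
import socket


def read_reply(readline):
    """Collect one SMTP reply, following '250-' continuation lines; return (code, text)."""
    lines = []
    while True:
        line = readline()
        if not line:
            raise ConnectionError("server closed the connection")
        line = line.rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] == " ":   # "250 x" ends the reply, "250-x" continues it
            return int(lines[-1][:3]), "\n".join(lines)


def relay_probe(readline, writeline, helo="probe.example",
                mail_from="probe@example.net", rcpt_to="relaytest@example.org"):
    """Ask the MTA to accept mail from an outside sender to an outside domain.

    Returns (relays, transcript). The verdict is taken at RCPT TO and DATA is never
    sent. mail_from and rcpt_to are assumed to be foreign to the target; if the target
    is MX for rcpt_to's domain a 250 is plain inbound acceptance, not relaying.
    """
    transcript = []

    def exchange(command):
        writeline(command)
        code, text = read_reply(readline)
        transcript.append(">>> " + command)
        transcript.append("<<< " + text)
        return code

    code, banner = read_reply(readline)
    transcript.append("<<< " + banner)
    if code != 220:
        raise RuntimeError("unexpected greeting: " + banner)
    relays = False
    if exchange("EHLO " + helo) // 100 != 2:          # fall back for MTAs without ESMTP
        exchange("HELO " + helo)
    if exchange("MAIL FROM:<%s>" % mail_from) // 100 == 2:
        relays = exchange("RCPT TO:<%s>" % rcpt_to) // 100 == 2
    exchange("QUIT")
    return relays, transcript


def probe_host(host, port=25, timeout=15):
    """Run relay_probe over a real TCP connection. Only point this at hosts you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rw", encoding="ascii", newline="")

        def writeline(line):
            f.write(line + "\r\n")
            f.flush()

        return relay_probe(f.readline, writeline)


class FakeMta:
    """Scripted responder (constructed for this example, not a real server) that answers
    like sendmail would: either relaying for anyone, or rejecting RCPT with 550 5.7.1."""

    def __init__(self, open_relay):
        self.open_relay = open_relay
        self.pending = ["220 mail.example.net ESMTP Sendmail ready\r\n"]

    def writeline(self, line):
        verb = line.split(" ", 1)[0].upper()
        if verb == "EHLO":
            self.pending += ["250-mail.example.net Hello probe.example, pleased to meet you\r\n",
                             "250-STARTTLS\r\n", "250 HELP\r\n"]
        elif verb == "MAIL":
            self.pending.append("250 2.1.0 Sender ok\r\n")
        elif verb == "RCPT":
            self.pending.append("250 2.1.5 Recipient ok\r\n" if self.open_relay else
                                "550 5.7.1 Relaying denied. Proper authentication required.\r\n")
        elif verb == "QUIT":
            self.pending.append("221 2.0.0 mail.example.net closing connection\r\n")
        else:
            self.pending.append("500 5.5.1 Command unrecognized\r\n")

    def readline(self):
        return self.pending.pop(0) if self.pending else ""


if __name__ == "__main__":
    for open_relay in (True, False):
        mta = FakeMta(open_relay)
        relays, transcript = relay_probe(mta.readline, mta.writeline)
        print("\n".join(transcript))
        print("OPEN RELAY" if relays else "relay denied", "\n")
```

Against a live host use probe_host("your.mail.host"); a "550 5.7.1 ... Relaying denied" at RCPT TO is the answer you want, and a 250 there means anyone on the Internet can send through you. The probe deliberately stops before DATA so that even an open relay queues nothing from the test.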

@kenny:

550 5.7.1 [email protected]... Relaying denied. Proper authentication required.

Looks good :) For future reference, a lookup for "open relay test" on Google will return a number of automated sites that can test this.

Kenny

OK, neat... well, I still don't have relay working for me. Just got rid of this pop-before-smtp script I had going.

POP before SMTP is notoriously braindamaged and not really a proper solution to the relaying problem. Assuming your e-mail client software supports it (and if not, consider upgrading to something that does), a much better solution is SMTP AUTH and STARTTLS. There are plenty of resources out there to help you get it set up and it works great!

Hope that helps

--James

You should be very careful. Sooner or later (perhaps you already have) you will be responsible for getting Linode listed in various SPAM databases on the Internet, and this will seriously impoverish not only your email system, but everyone else on your IP block!

My advice to you is, stop your email server immediately and don't even think about starting it again before you know that it won't relay. Besides, you should use your ISP's SMTP server like everyone else does; there is no good reason not to use your ISP's SMTP server.

Good luck.

@antelope:

Besides, you should use your ISP's SMTP server like everyone else does; there is no good reason not to use your ISP's SMTP server.

Saying that "everyone else" uses their ISP's SMTP server is a gross generalization, and saying that "there is no good reason not to use your ISP's SMTP server" is just plain false.

I have a laptop and use four different providers for connectivity on a regular basis. I have Ricochet for home connectivity, but the speed isn't great and I will often go to one of my local wired cafes when I need a faster connection. Using my linode as my SMTP server (with SMTP AUTH and STARTTLS of course) my e-mail "just works"™. Without it, I'd have to reconfigure my mail software every time I left the house. What a pain!

Also, what if your connectivity is from a small provider and some spammer gets an account with them? The spammer will start spamming, either through their mis-configured server or through open relays. Either way, there's a good chance that their addresses will be added to at least some blackholes before they can shut down the spammer. It will take time to get out of those blackholes and during that time your e-mail would be crippled to some extent. If you rely on e-mail for a living you can't afford to have it crippled. By using your own SMTP server and controlling who can bounce mail off of it, the chance that your e-mail will be blocked somewhere is almost zero.

I'm sure that your ISP's SMTP server is fine for you, but for some people there definitely are good reasons not to use their provider's SMTP server, as long as they set up their own server correctly.

@sec39:

Can you give it another shot for me?

Back to the real issue. I pointed http://www.abuse.net/relay.html at your linode and it did not relay any messages, so you're OK for the moment and your machine most likely won't be relaying any mail for spammers. Next thing is to get relaying working for yourself. I telneted into your SMTP port, and it looks like you're running some flavor of Debian. I don't know the specifics of getting things working under that distro, but the easiest way to relay for people you know is using SMTP AUTH. You'll need to have the SASL V1 library for this to work. I'm sure that Debian has a package for this somewhere. Try looking here for help:

http://www.sendmail.org/~ca/email/auth.html

Once you get that working, you should think about getting STARTTLS working. It will encrypt all communication, including the username & password. Are you getting the impression that I'm paranoid about security? Well I am, and I always encourage others to be. If you want help with getting STARTTLS try looking here:

http://www.ofb.net/~jheiss/sendmail/tlsandrelay.shtml

The two pages pointed to here are what I used to get it working. Ignore the parts about recompiling unless you can't get it to work after doing everything else; most of the distros I've done this under had everything compiled in and it just needed to be configured or installed. If you need more help, feel free to drop me an e-mail and I'll see what I can do.

--James

Saying that "everyone else" uses their ISP's SMTP is a generalization, and as such not entirely and absolutely true; there will always be cases that end up on the outside of a generalization. So IMHO your response is irrelevant.

@irgeek:

Saying that "everyone else" uses their ISP's SMTP server is a gross generalization, and saying that "there is no good reason not to use your ISP's SMTP server" is just plain false.

I have a laptop and use four different providers for connectivity on a regular basis. I have Ricochet for home connectivity, but the speed isn't great and I will often go to one of my local wired cafes when I need a faster connection. Using my linode as my SMTP server (with SMTP AUTH and STARTTLS of course) my e-mail "just works"™. Without it, I'd have to reconfigure my mail software every time I left the house. What a pain!

Also, what if your connectivity is from a small provider and some spammer gets an account with them? The spammer will start spamming, either through their mis-configured server or through open relays. Either way, there's a good chance that their addresses will be added to at least some blackholes before they can shut down the spammer. It will take time to get out of those blackholes and during that time your e-mail would be crippled to some extent. If you rely on e-mail for a living you can't afford to have it crippled. By using your own SMTP server and controlling who can bounce mail off of it, the chance that your e-mail will be blocked somewhere is almost zero.

I'm sure that your ISP's SMTP server is fine for you, but for some people there definitely are good reasons not to use their provider's SMTP server, as long as they set up their own server correctly.

Sec - What distribution are you using? (helps us know the default configurations you are working with).

You should perhaps make sure relaying from non-local addresses is disabled before installing pop-before-smtp... is it easy for you to run through the package configuration again?

Also, you may want to look at using exim or postfix... they are somewhat simple to set up, yet still very powerful. Sendmail can be an unforgiving beast.

To the guy ranting about blacklists and irrelevancy: Someone asking in the proper forum for help securing their mail server is responsible and appropriate, and suggesting in a condescending way that they should not be using it because they don't know how is inappropriate, and not helpful in the least. The person wants to learn.

Blacklists are not as severe a problem as you think, and in the case of an ISP wide blacklist, it would be up to linode to deal with the issue, or advise against it. It takes more than one open relay for a few days to get an entire ISP blacklisted.
