
sendmail attacked !!! help 2


mangyun (Technical User), Dec 13, 2006
My mail server is being attacked; I don't know if it comes from inside or outside. Lots of email was sent to Yahoo, Hotmail, etc., leaving other legitimate email sitting in the queue. Please help.....
Machine: Sun Cobalt Qube 3 Pro (like RedHat). sendmail v8.10.2, Apache v1.3.20 Sun Cobalt, MailScanner v4.45.4-1.
I got lots of entries like this in the log:

Dec 12 05:58:49 kube3 sendmail[31696]: kBBLho831696: from=httpd, size=8993, class=0, nrcpts=329, msgid=<200612112143.kBBLho831696@kube3.surfer-girl.com>, relay=httpd@localhost
Dec 12 05:58:49 kube3 sendmail[31696]: kBBLho831696: kBBLho931696: DSN: User unknown
Next, I also found these corresponding entries for the same message ID:

Dec 12 06:40:17 kube3 sendmail[2011]: kBBLho831696: to=zero_0081@yahoo.com, ctladdr=httpd (15/11), delay=00:56:27, xdelay=00:13:24, mailer=esmtp, pri=9968993, relay=b.mx.mail.yahoo.com. [66.196.97.250], dsn=4.3.1, stat=Deferred: 452 Too many recipients
Dec 12 06:40:17 kube3 sendmail[7518]: kBBMeB607514: to=admin, delay=00:00:06, xdelay=00:00:06, mailer=local, pri=47009, dsn=2.0.0, stat=Sent
Dec 12 06:40:17 kube3 sendmail[2011]: kBBLho831696: to=sandman_13_13@yahoo.com, ctladdr=httpd (15/11), delay=00:56:27, xdelay=00:13:24, mailer=esmtp, pri=9968993, relay=b.mx.mail.yahoo.com. [66.196.97.250], dsn=4.3.1, stat=Deferred: 452 Too many recipients
Dec 12 06:40:18 kube3 sendmail[2011]: kBBLho831696: to=gracefulchick1967@yahoo.com, ctladdr=httpd (15/11), delay=00:56:28, xdelay=00:13:25, mailer=esmtp, pri=9968993, relay=b.mx.mail.yahoo.com. [66.196.97.250], dsn=4.3.1, stat=Deferred: 452 Too many recipients
Dec 12 06:40:18 kube3 MailScanner[3706]: New Batch: Found 52 messages waiting
Dec 12 06:40:18 kube3 MailScanner[3706]: New Batch: Scanning 1 messages, 27971 bytes
Dec 12 06:40:18 kube3 sendmail[2011]: kBBLho831696: to=acesmx@yahoo.com, ctladdr=httpd (15/11), delay=00:56:28, xdelay=00:13:25, mailer=esmtp, pri=9968993, relay=b.mx.mail.yahoo.com. [66.196.97.250], dsn=4.3.1, stat=Deferred: 452 Too many recipients
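As an added example (not part of the thread), here is a POSIX shell script that pulls the two facts out of log lines like the ones above: which envelope sender injected a message with an unusually large nrcpts, and which controlling user (ctladdr) owns the deliveries that the remote MX deferred with "452 Too many recipients". The sample log is constructed from the lines quoted above plus one ordinary message for contrast; the 50-recipient threshold and the /var/log/maillog path in the closing comment are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): summarise sendmail maillog lines to show
# which local account injected the bulk mail and how many deliveries were
# deferred by the remote MX. from=, nrcpts=, ctladdr= and stat= are sendmail's
# standard log keys. The sample below is built from the thread's own log lines
# plus one constructed legitimate message (nrcpts=1).

SAMPLE_LOG='Dec 12 05:58:49 kube3 sendmail[31696]: kBBLho831696: from=httpd, size=8993, class=0, nrcpts=329, msgid=<200612112143.kBBLho831696@kube3.surfer-girl.com>, relay=httpd@localhost
Dec 12 05:58:49 kube3 sendmail[31696]: kBBLho831696: kBBLho931696: DSN: User unknown
Dec 12 06:01:10 kube3 sendmail[31710]: kBBM1A031710: from=<alice@kube3.surfer-girl.com>, size=1204, class=0, nrcpts=1, msgid=<constructed@kube3.surfer-girl.com>, relay=alice@localhost
Dec 12 06:40:17 kube3 sendmail[2011]: kBBLho831696: to=zero_0081@yahoo.com, ctladdr=httpd (15/11), delay=00:56:27, xdelay=00:13:24, mailer=esmtp, pri=9968993, relay=b.mx.mail.yahoo.com. [66.196.97.250], dsn=4.3.1, stat=Deferred: 452 Too many recipients
Dec 12 06:40:17 kube3 sendmail[7518]: kBBMeB607514: to=admin, delay=00:00:06, xdelay=00:00:06, mailer=local, pri=47009, dsn=2.0.0, stat=Sent
Dec 12 06:40:17 kube3 sendmail[2011]: kBBLho831696: to=sandman_13_13@yahoo.com, ctladdr=httpd (15/11), delay=00:56:27, xdelay=00:13:24, mailer=esmtp, pri=9968993, relay=b.mx.mail.yahoo.com. [66.196.97.250], dsn=4.3.1, stat=Deferred: 452 Too many recipients
Dec 12 06:40:18 kube3 sendmail[2011]: kBBLho831696: to=gracefulchick1967@yahoo.com, ctladdr=httpd (15/11), delay=00:56:28, xdelay=00:13:25, mailer=esmtp, pri=9968993, relay=b.mx.mail.yahoo.com. [66.196.97.250], dsn=4.3.1, stat=Deferred: 452 Too many recipients
Dec 12 06:40:18 kube3 MailScanner[3706]: New Batch: Found 52 messages waiting
Dec 12 06:40:18 kube3 sendmail[2011]: kBBLho831696: to=acesmx@yahoo.com, ctladdr=httpd (15/11), delay=00:56:28, xdelay=00:13:25, mailer=esmtp, pri=9968993, relay=b.mx.mail.yahoo.com. [66.196.97.250], dsn=4.3.1, stat=Deferred: 452 Too many recipients'

# Read log lines on stdin; print "sender total_recipients message_count" for
# every envelope sender that injected at least one message with more than $1
# recipients (default 50, an assumed threshold). Only sendmail "from=" lines
# carry nrcpts=, so MailScanner and delivery lines are skipped automatically.
bulk_senders() {
    threshold=${1:-50}
    awk -v t="$threshold" '
        /sendmail\[/ && /from=/ {
            from = ""; n = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^from=/)   { from = $i; sub(/^from=/, "", from); sub(/,$/, "", from) }
                if ($i ~ /^nrcpts=/) { n = $i;    sub(/^nrcpts=/, "", n);  sub(/,$/, "", n) }
            }
            if (from != "" && n + 0 > t + 0) { rcpts[from] += n; msgs[from]++ }
        }
        END { for (s in rcpts) print s, rcpts[s], msgs[s] }' | sort -k2,2nr
}

# Read log lines on stdin; print "ctladdr count" for deliveries the remote
# side deferred with "Too many recipients". ctladdr is the local user whose
# process handed the message to sendmail, so this shows who is generating it.
deferred_by_ctladdr() {
    awk '/Too many recipients/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^ctladdr=/) { c = $i; sub(/^ctladdr=/, "", c); sub(/,$/, "", c); cnt[c]++ }
         }
         END { for (c in cnt) print c, cnt[c] }' | sort -k2,2nr
}

echo "== senders with >50 recipients in a single message (sender total msgs) =="
printf '%s\n' "$SAMPLE_LOG" | bulk_senders 50
echo "== deliveries deferred as 'Too many recipients', per controlling user =="
printf '%s\n' "$SAMPLE_LOG" | deferred_by_ctladdr
# On a live system feed the real log instead, e.g. (path is an assumption):
#   bulk_senders 50 < /var/log/maillog
```

Both summaries point at the same thing the thread later concludes: the sender and the controlling user are httpd, so the bulk mail is being generated by something running under the web server rather than by a remote client relaying through SMTP.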
 
It looks like someone is trying to relay spam through your server. In the cases you show, they were rejected for having too many recipients. This is standard for most mail servers, since a whole lot of mail from one sender can only be spam. You can't prevent anybody from trying to test for an open relay, but you sure can prevent them from finding one. One of the best ways is to use SMTP authentication. Normally SMTP mail is processed first, then POP3. POP3 requires authentication, but by then the spammer has already done his deed. There are two ways to correct this. One is seldom used these days but is a method called 'POP before SMTP': the POP3 authentication would have to be valid before accessing the SMTP server. The most common way (and easier) is SMTP authentication. It usually requires just adding or uncommenting these lines:

Code:
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

Then make sure saslauthd is running. Now all users will need to configure their mail clients to authenticate SMTP. For example, if they are using Outlook, they would click on Tools > Accounts > Properties in their mail client's toolbar. Then click the Servers tab. In the lower section for 'Outgoing Mail Server', check the box that says "My server requires authentication". Then click the Settings button and choose the option that says "Use the same settings as incoming server". That's all there is to it. Now without a user/password no one can relay mail through your server. If you have any entries in the access file, you will need to remove them. The only ones in there should be localhost and localhost.localdomain. Don't forget to rebuild the sendmail.cf file and the access.db file any time you edit these files. Restart sendmail and you're good to go.
 
Thanks RhythmAce,
but I can't find "TRUST_AUTH_MECH......" in my sendmail.cf.
Should it exist in (or be added to) sendmail.cf?

I only found this, but I don't know what it does either :(

# authenticated by a trusted mechanism?
R$* $: $1 $| $&{auth_type}
R$* $| $: $1
R$* $| $={TrustAuthMech} $# RELAYAUTH
R$* $| $* $: $1
# anything terminating locally is ok
R$+ < @ $=w > $@ RELAYTO
R$+ < @ $* $=R > $@ RELAYTO
R$+ < @ $+ > $: $>LookUpDomain <$2> <?> <$1 < @ $2 >> <+To>
R<RELAY> $* $@ RELAYTO
R<$*> <$*> $: $2
 
The file you want to edit is sendmail.mc. It is a lot easier to read and understand. Then you use m4 to build a new sendmail.cf. As I said before, you can copy and paste the lines I have above into sendmail.mc, then run the following:

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

If your path is different, change it to whatever yours is, or just run m4 in the same directory as sendmail.mc. If you have to edit access, you will need to rebuild that database as well. This is how that is done:

makemap hash /etc/mail/access.db < /etc/mail/access

Then restart sendmail:

/etc/rc.d/init.d/sendmail restart

These will work on most flavors of Linux, but I don't know anything about the setup you have.
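As an added example (not from the thread or from RhythmAce), the following POSIX shell audit checks the two things the procedure above changes before you rebuild: that sendmail.mc carries the TRUST_AUTH_MECH and confAUTH_MECHANISMS macros, and that the access file grants RELAY to nothing but localhost. The file paths are parameters (RhythmAce's /etc/mail layout is the assumed default), the sample files it writes are constructed, and treating 127.0.0.1 as local is an assumption beyond what the thread says.

```shell
#!/bin/sh
# Added example (not from the thread): audit a sendmail.mc / access pair for
# the two conditions the fix in this thread relies on. Read-only: it never
# edits or rebuilds anything, so run it before and after the m4/makemap steps.

# Return 0 if both SMTP AUTH macros from the thread are present in $1.
auth_macros_present() {
    grep -q '^TRUST_AUTH_MECH(' "$1" && grep -q '^define(`confAUTH_MECHANISMS' "$1"
}

# Print every access-file key that is granted RELAY and is not the local host.
# An optional "Connect:" tag is stripped; comment lines are ignored.
# 127.0.0.1 is treated as local here (assumption, not from the thread).
foreign_relay_entries() {
    awk '$1 !~ /^#/ && $2 == "RELAY" {
            key = $1; sub(/^Connect:/, "", key)
            if (key != "localhost" && key != "localhost.localdomain" && key != "127.0.0.1") print key
         }' "$1"
}

# Audit sendmail.mc ($1) and access ($2); return 0 only if both checks pass.
audit_relay_config() {
    rc=0
    if auth_macros_present "$1"; then
        echo "ok:   $1 enables SMTP AUTH (TRUST_AUTH_MECH / confAUTH_MECHANISMS)"
    else
        echo "FAIL: $1 lacks the SMTP AUTH macros"; rc=1
    fi
    extra=$(foreign_relay_entries "$2")
    if [ -n "$extra" ]; then
        echo "FAIL: $2 relays for non-local hosts:"; echo "$extra"; rc=1
    else
        echo "ok:   $2 relays only for localhost"
    fi
    return $rc
}

# Write constructed sample files into directory $1: a weak pair and a good pair.
write_samples() {
    cat > "$1/weak.mc" <<'EOF'
divert(-1)dnl
dnl constructed sample: no SMTP AUTH macros
divert(0)dnl
OSTYPE(linux)dnl
MAILER(smtp)dnl
EOF
    cat > "$1/weak.access" <<'EOF'
localhost.localdomain   RELAY
localhost               RELAY
192.168.1               RELAY
EOF
    cat > "$1/good.mc" <<'EOF'
divert(-1)dnl
dnl constructed sample: the two lines from the thread added
divert(0)dnl
OSTYPE(linux)dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
MAILER(smtp)dnl
EOF
    cat > "$1/good.access" <<'EOF'
localhost.localdomain   RELAY
localhost               RELAY
EOF
}

# Usage: audit.sh /etc/mail/sendmail.mc /etc/mail/access
# With no arguments, demonstrate on the constructed samples.
if [ "$#" -eq 2 ]; then
    audit_relay_config "$1" "$2"
else
    tmp=$(mktemp -d); write_samples "$tmp"
    audit_relay_config "$tmp/weak.mc" "$tmp/weak.access" || true
    audit_relay_config "$tmp/good.mc" "$tmp/good.access"
    rm -rf "$tmp"
fi
```

A passing audit only means the configuration files say the right thing; the running daemon uses sendmail.cf and access.db, so the m4, makemap and restart steps above are still what puts the change into effect.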



 
The problem here is that the mails seem to come from the web server.

So someone has a web page on your server that is insecure and is being abused.
Perhaps you run a wiki or forum which has a known bug and someone took advantage of it.

Shut down your web server and see if this stops the messages.

And update your forum software, or get rid of HTML sites that are sending mail.
 