
Unknown users not being rejected at source


Tony
Feb 7, 2003, 5:21:50 AM
Hi all.

We are running Sendmail 8.12 on a Redhat 8 box.
From time to time we get a massive influx of spam emails to the local
domain to different combinations of usernames.
This is causing some load issues as for some reason Sendmail is
accepting the emails, because it sees the domain as being local.
Then once it receives the email it finds that the user is invalid and
tries to bounce the email back, which it can't always do for one
reason or another. Either the server listed as MX for the sender's
domain does not accept incoming connections on port 25 or the sender
does not exist.

I thought Sendmail by default would reject the email at source during
the SMTP transaction if the user did not exist, am I wrong?
Can I make Sendmail check the user during the SMTP transaction so it
does not accept the email if the domain is local but the user unknown?

I have tried many ways to stop the emails from being accepted, but
unfortunately this spammer is very clever. The emails seem to come
from a lot of different IP addresses, which I guess are open relays, and
a lot of different email addresses with the same number of different
subject lines.

I have tried to do my best by writing a script that will run through
the mailq and find all the MAILER-DAEMON emails then scan the emails
for the subject lines and sender IP addresses. When it finds a high
number of the same subject lines it enters the sender's IP address into
the server's firewall and also our deny database.
Works pretty well for now but I know my firewall and deny database are
going to get very full eventually and thus start slowing things down.

Has anyone else seen this massive spam once a month, some of the
emails seem to come from the user CacheFlowServer@<some ip address>
???

Thanks in advance.
Tony

Andrzej Filip
Feb 7, 2003, 3:53:16 PM
Tony wrote:

1) Could you post the relevant log entries?
[ accepted message that should be rejected straight away ]

2) Had anything unusual been reported in the log files before such event?

--
Andrzej [pl>en: Andrew] Adam Filip http://www.polbox.com/a/anfi/
*Random epigram* :
What good is an obscenity trial except to popularize literature?
-- Nero Wolfe, "The League of Frightened Men"

Per Hedeland
Feb 7, 2003, 9:48:54 PM
In article <tb174v0im4imprhgv...@4ax.com> Tony <to...@tonyspencer.co.uk> writes:
>
>I thought Sendmail by default would reject the email at source during
>the SMTP transaction if the user did not exist, am I wrong?

No, you're right - assuming those users are really local to the host
sendmail is running on, and it's not just relaying the mail to some
other server - in the latter case you have to tell sendmail one way or
another which users actually exist, it can't know that otherwise.

>Can I make Sendmail check the user during the SMTP transaction so it
>does not accept the email if the domain is local but the user unknown?

Well, that *is* the default. If your case isn't the "relay" one above,
you must have done something to your config to change it. Maybe post
your .mc (*not* sendmail.cf!) file?

--Per Hedeland
p...@hedeland.org

Tony
Feb 9, 2003, 12:47:38 PM

>> ???
>
>1) Could you post the relevant log entries ?
>[ accepted message that should be rejected straight away ]
>
>2) Had anything unusual been reported in the log files before such event
>?

Here are the full logs of the email being accepted during the transaction
and although it sees the user as unknown it still accepts the email.
I think the problem lies in the fact that we use Cyrus Imap as the
local delivery agent, but I could be wrong as Cyrus is the one that
sees the user as unknown.


Feb 9 17:36:22 tragic sendmail[24140]: h19Ha3924140: <-- rcpt to:thisuserdo...@cerbernet.co.uk
Feb 9 17:36:22 tragic sendmail[24140]: h19Ha3924140: --> 250 2.1.5 thisuserdo...@cerbernet.co.uk... Recipient ok
Feb 9 17:36:25 tragic sendmail[24154]: h19Ha3924140: --> 050 thisuserdo...@cerbernet.co.uk... Connecting to cyrus...
Feb 9 17:36:25 tragic sendmail[24154]: h19Ha3924140: --> 550 5.1.1 thisuserdo...@cerbernet.co.uk... User unknown (held)
Feb 9 17:36:25 tragic sendmail[24154]: h19Ha3924140: to=thisuserdo...@cerbernet.co.uk, delay=00:00:03, xdelay=00:00:00, mailer=cyrus, pri=30005, dsn=5.1.1, stat=User unknown
[root@tragic log]# grep h19Ha3924140 maillog
Feb 9 17:36:03 tragic sendmail[24140]: h19Ha3924140: assigned id
Feb 9 17:36:03 tragic sendmail[24140]: h19Ha3924140: --> 250 2.1.0 to...@tonyspencer.co.uk... Sender ok
Feb 9 17:36:22 tragic sendmail[24140]: h19Ha3924140: <-- rcpt to:thisuserdo...@cerbernet.co.uk
Feb 9 17:36:22 tragic sendmail[24140]: h19Ha3924140: --> 250 2.1.5 thisuserdo...@cerbernet.co.uk... Recipient ok
Feb 9 17:36:23 tragic sendmail[24140]: h19Ha3924140: <-- data
Feb 9 17:36:23 tragic sendmail[24140]: h19Ha3924140: --> 354 Enter mail, end with "." on a line by itself
Feb 9 17:36:25 tragic sendmail[24140]: h19Ha3924140: from=to...@tonyspencer.co.uk, size=5, class=0, nrcpts=1, msgid=<200302091736...@mailhost.cerbernet.co.uk>, proto=SMTP, daemon=MTA, relay=ns.californianjobs.com [217.199.174.43]
Feb 9 17:36:25 tragic sendmail[24140]: h19Ha3924140: queueup, qf=./qfh19Ha3924140
Feb 9 17:36:25 tragic sendmail[24154]: h19Ha3924140: disconnect level 2
Feb 9 17:36:25 tragic sendmail[24154]: h19Ha3924140: in background, pid=24154
Feb 9 17:36:25 tragic sendmail[24154]: h19Ha3924140: sendenvelope, flags=0x204003
Feb 9 17:36:25 tragic sendmail[24140]: NOQUEUE: --> 250 2.0.0 h19Ha3924140 Message accepted for delivery
Feb 9 17:36:25 tragic sendmail[24154]: h19Ha3924140: --> 050 thisuserdo...@cerbernet.co.uk... Connecting to cyrus...
Feb 9 17:36:25 tragic sendmail[24154]: h19Ha3924140: --> 550 5.1.1 thisuserdo...@cerbernet.co.uk... User unknown (held)
Feb 9 17:36:25 tragic sendmail[24154]: h19Ha3924140: to=thisuserdo...@cerbernet.co.uk, delay=00:00:03, xdelay=00:00:00, mailer=cyrus, pri=30005, dsn=5.1.1, stat=User unknown
Feb 9 17:36:25 tragic sendmail[24154]: h19Ha3924140: dropenvelope, e_flags=0x205023, OpMode=d, pid=24154
Feb 9 17:36:25 tragic sendmail[24154]: h19Ha3924140: h19HaP924154: DSN: User unknown
Feb 9 17:36:25 tragic sendmail[24154]: h19Ha3924140: --> 050 MAILER-DAEMON... aliased to postmaster
Feb 9 17:36:25 tragic sendmail[24154]: h19Ha3924140: alias MAILER-DAEMON => postmaster
Feb 9 17:36:25 tragic sendmail[24154]: h19Ha3924140: h19HaPA24154: postmaster notify: User unknown
Feb 9 17:36:25 tragic sendmail[24154]: h19Ha3924140: unlink ./dfh19Ha3924140
Feb 9 17:36:25 tragic sendmail[24154]: h19Ha3924140: unlink ./qfh19Ha3924140
Feb 9 17:36:25 tragic sendmail[24154]: h19Ha3924140: done; delay=00:00:03, ntries=1
Feb 9 17:36:25 tragic sendmail[24154]: h19Ha3924140: unlock
Feb 9 17:36:25 tragic sendmail[24154]: h19Ha3924140: unlink ./xfh19Ha3924140
Feb 9 17:36:25 tragic sendmail[24154]: h19Ha3924140: ./xfh19Ha3924140: unlink-fail 2

Tony
Feb 9, 2003, 12:51:18 PM
I think this is the mc file that was used.


include(`../m4/cf.m4')
define(`confDEF_USER_ID',``8:12'')
OSTYPE(`linux')
FEATURE(`mailertable',`hash -o /etc/mail/mailertable')
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable')
FEATURE(`domaintable',`hash -o /etc/mail/domaintable')
FEATURE(`genericstable',`hash -o /etc/mail/genericstable')
FEATURE(`redirect')
FEATURE(`use_cw_file')
FEATURE(`always_add_domain')
FEATURE(`local_procmail')
FEATURE(`relay_based_on_MX')
FEATURE(`rbl')
MAILER(`procmail')
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')
MAILER(`smtp')
FEATURE(`access_db')
FEATURE(`blacklist_recipients')
MAILER(`cyrus')
define(`confLOCAL_MAILER',`cyrus')

Per Hedeland
Feb 9, 2003, 3:52:59 PM
In article <885d4vgs208t5jjoj...@4ax.com> Tony <to...@tonyspencer.co.uk> writes:
>I think this is the mc file that was used.

You "think"? If you don't *know*, you'd better find out - how are you
going to apply any suggested changes to the .mc file if you don't know
where/which it is?

>include(`../m4/cf.m4')
>define(`confDEF_USER_ID',``8:12'')
>OSTYPE(`linux')
>FEATURE(`mailertable',`hash -o /etc/mail/mailertable')
>FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable')
>FEATURE(`domaintable',`hash -o /etc/mail/domaintable')
>FEATURE(`genericstable',`hash -o /etc/mail/genericstable')
>FEATURE(`redirect')
>FEATURE(`use_cw_file')
>FEATURE(`always_add_domain')
>FEATURE(`local_procmail')
>FEATURE(`relay_based_on_MX')
>FEATURE(`rbl')

Since this feature doesn't exist anymore in 8.12, it's unlikely that
this is the .mc file used - that line would give a fatal error (assuming
you actually *are* using 8.12, and not just "think" so).

>MAILER(`procmail')
>define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')
>MAILER(`smtp')
>FEATURE(`access_db')
>FEATURE(`blacklist_recipients')
>MAILER(`cyrus')
>define(`confLOCAL_MAILER',`cyrus')

All MAILER() lines should be after all FEATURE()/define() lines -
violating this will also generate an error (though not fatal) in an 8.12
.cf build.

As to your reported problem, like you suspected in the other branch of
the thread, it's due to using the cyrus mailer - since this allows for
users that don't actually exist as Unix users, there's no (simple) way
for sendmail to know which users actually exist. If all your cyrus users
also exist as Unix users (i.e. in the passwd file), you can use

MODIFY_MAILER_FLAGS(`CYRUS', `+w')

in your .mc file. This should also go *before* any MAILER() lines, and
in particular before the MAILER(`cyrus') line. If (any of) the cyrus
users *don't* exist as Unix users, you need to do something else - I
think Andrzej has some canned suggestion for that case.

--Per Hedeland
p...@hedeland.org
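As an added example (not code from the thread or from the sendmail project), a small POSIX shell script with two checks for this situation: count_backscatter reads a maillog and counts queue IDs that were answered "250 2.1.5 ... Recipient ok" but later logged "stat=User unknown", the accepted-then-bounced pattern in Tony's log above, and cyrus_mailer_has_w reads a built sendmail.cf and confirms the cyrus mailer carries the w flag that MODIFY_MAILER_FLAGS(`CYRUS', `+w') adds. The log lines and Mcyrus lines inside are constructed samples modelled on the thread; the /usr/cyrus/bin/deliver path is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks for the problem above:
#  count_backscatter  - from maillog, count queue IDs sendmail accepted with
#                       "250 2.1.5 ... Recipient ok" and later logged with
#                       "stat=User unknown": messages that turned into bounces
#                       instead of being refused during the SMTP transaction.
#  cyrus_mailer_has_w - check that the built sendmail.cf defines the cyrus
#                       mailer with the 'w' flag, which is what putting
#                       MODIFY_MAILER_FLAGS(`CYRUS', `+w') before MAILER(`cyrus')
#                       in the .mc file adds.

# Constructed sample log lines modelled on the posted log (two queue IDs:
# one bounced as "User unknown", one delivered).
SAMPLE_LOG='Feb 9 17:36:22 tragic sendmail[24140]: h19Ha3924140: --> 250 2.1.5 nosuchuser@example.com... Recipient ok
Feb 9 17:36:25 tragic sendmail[24154]: h19Ha3924140: to=nosuchuser@example.com, delay=00:00:03, xdelay=00:00:00, mailer=cyrus, pri=30005, dsn=5.1.1, stat=User unknown
Feb 9 17:40:01 tragic sendmail[24201]: h19He1924201: --> 250 2.1.5 realuser@example.com... Recipient ok
Feb 9 17:40:02 tragic sendmail[24210]: h19He1924201: to=realuser@example.com, delay=00:00:01, xdelay=00:00:01, mailer=cyrus, pri=30010, dsn=2.0.0, stat=Sent'

# Constructed Mcyrus lines as sendmail.cf would contain them before and after
# the +w change (the deliver path is an assumption).
CF_BEFORE='Mcyrus, P=/usr/cyrus/bin/deliver, F=lsDFMnPqA@/:|SXfmz9, S=EnvFromL, R=EnvToL/HdrToL, T=DNS/RFC822/X-Unix, U=cyrus:mail, A=deliver -e -m $h -- $u'
CF_AFTER='Mcyrus, P=/usr/cyrus/bin/deliver, F=lsDFMnPqA@/:|SXfmz9w, S=EnvFromL, R=EnvToL/HdrToL, T=DNS/RFC822/X-Unix, U=cyrus:mail, A=deliver -e -m $h -- $u'

# Reads maillog lines on stdin, prints the number of accepted-then-bounced IDs.
# Field 6 of each syslog line is the queue ID ("h19Ha3924140:").
count_backscatter() {
    awk '
        / --> 250 2\.1\.5 .*Recipient ok/ { accepted[$6] = 1 }
        /stat=User unknown/ && ($6 in accepted) { bounced[$6] = 1 }
        END { n = 0; for (q in bounced) n++; print n }'
}

# Reads a sendmail.cf on stdin; exit 0 if the Mcyrus line has w in its F= flags.
cyrus_mailer_has_w() {
    awk '
        /^Mcyrus,/ { for (i = 1; i <= NF; i++) if ($i ~ /^F=[^,]*w/) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Usage on the real system:
#   count_backscatter < /var/log/maillog
#   cyrus_mailer_has_w < /etc/mail/sendmail.cf && echo "cyrus mailer verifies users"
```

Per's caveat applies unchanged: the w flag only helps when every cyrus mailbox also exists as a Unix user, so a zero count from the first check after adding it is the confirmation to look for.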

Andrzej Filip
Feb 9, 2003, 3:55:00 PM
Tony wrote:

> >> ???
> >
> >1) Could you post the relevant log entries ?
> >[ accepted message that should be rejected straight away ]
> >
> >2) Had anything unusual been reported in the log files before such event
> >?
>
> Here is full logs of the email being accepted during the transaction
> and although it sees the user as unknown it still accepts the email.
> I think the problem lies in the fact that we use Cyrus Imap as the
> local delivery agent, but I could be wrong as Cyrus is the one that
> sees the user as unknown.

Cyrus as local mailer is the most likely cause of such problems.

Are you ready to list all valid cyrus addresses in sendmail's database?

YES =>
http://www.polbox.com/a/anfi/sendmail/localNalias.html
Cyrus aliases
OR
http://www.polbox.com/a/anfi/sendmail/localtab.html
Local table

NO =>
http://www.polbox.com/a/anfi/sendmail/rtcyrus.html
Real Time Cyrus Integration
1) It requires sendmail source code patch
2) New version should be available next week
[ there has been a problem with alias loops ]

> [...]

--
Andrzej [pl>en: Andrew] Adam Filip http://www.polbox.com/a/anfi/
*Random epigram* :

Too much of everything is just enough.
-- Bob Wier

Doug Robb
Feb 9, 2003, 9:40:54 PM
Tony <to...@tonyspencer.co.uk> wrote in message news:<885d4vgs208t5jjoj...@4ax.com>...

Had the same problem myself and following the advice above I found I
had to remove FEATURE(`local_procmail') and then it worked as the
default setting. I'm not sure why I had this feature set in the first
place but hopefully nothing else breaks!

regards doug
