My firm is using a Linux Mandrake configuration for our mail server, and
the internal computers connect through LAN technologies like Ethernet,
which is used with DSL/cable modems and dialup connections. This mail
server acts as the proxy or firewall for all sorts of internet
activities (browsing, chatting, file transfers, ...). Internal computers are
mostly Windows and Linux based (a maximum of 20 PCs altogether).
Currently we have noticed that all of our staff members are receiving a lot
of spam mails with some attachments (mostly with a *.pif extension)
at their official mail address. I notice that the spamming is
happening only on the days our mail server is up (on holidays spam is not
happening). Unfortunately I'm the one who is administering the
configuration and all other computer-related activities. I'm not an
expert in networking or even in Linux OS internals though :-).
I'm digging deep to find whether any VIRUS/WORMS really reside in our LINUX
mail server. How can I know of any vulnerabilities in the LINUX machine?
Also I would like to know whether some outsider can use our LINUX SMTP
server to send spam mail. Is there any way to check for
this outside intrusion?
What are the common ways to find such vulnerabilities in a LINUX
configuration?
Thanks!
Which one does Mandrake use? Sendmail? Exim? Postfix?...
> and
> the internal computers connect through LAN technologies like Ethernet,
> which is used with DSL/cable modems and dialup connections. This mail
> server acts as the proxy or firewall for all sorts of internet
> activities (browsing, chatting, file transfers, ...)
A mail server can't do that. You must mean the box that it is on.
> Internal computers are
> mostly Windows and Linux based (a maximum of 20 PCs altogether).
> Currently we have noticed that all of our staff members are receiving a lot
> of spam mails with some attachments (mostly with a *.pif extension)
> at their official mail address. I notice that the spamming is
> happening only on the days our mail server is up (on holidays spam is not
> happening).
How would you know that if the server wasn't up?
What do you use for a spamfilter?
> Unfortunately I'm the one who is administering the
> configuration and all other computer-related activities. I'm not an
> expert in networking or even in Linux OS internals though :-).
>
No kidding.
> I'm digging deep to find whether any VIRUS/WORMS really reside in our LINUX
> mail server.
There probably aren't any. It could pass on mails that contained
executables that are dangerous to Windoze boxes but that's about it.
> How can I know of any vulnerabilities in the LINUX machine?
Make sure you have a good firewall. Iptables with a decent ruleset
will do it. You probably already *have* one, actually.
> Also I would like to know whether some outsider can use our LINUX SMTP
> server to send spam mail. Is there any way to check for
> this outside intrusion?
>
Your MTA should not be configured to act as an open relay, but your
firewall should also block any but very selective forwarding.
> What are the common ways to find such vulnerabilities in a LINUX
> configuration?
>
> Thanks!
You have some serious homework to do.
I've added comp.mail.misc to the crossposting. If you use sendmail,
then see comp.mail.sendmail.
If you use postfix, see mailing.postfix.users
If you use exim subscribe to the mailing list at www.exim.org.
AC
--
Pass-List -----> Block-List ----> Challenge-Response
The key to taking control of your mailbox. Design Parameters:
http://tinyurl.com/2t5kp || http://tinyurl.com/3c3ag
Challenge-Response links -- http://tinyurl.com/yrfjb
You may want to look into programs like clamav and amavis. Also, one thing
I find useful on my mail server is pop-before-smtp. Basically, it means
that you must log in to the IMAP or POP server before that IP address can
use the SMTP server. I.e., if I log in to my IMAP server, I can also send
email using my SMTP server within 20 minutes (or whatever value you
choose). That should help prevent unauthorized parties from relaying spam
through you, if you set it up right.
You want to use something like clamav for filtering out viruses from
incoming emails before they get to Windows machines (although it would be
wrong to say Linux is immune to viruses, the huge majority of viruses are
Windows-based, so virus-checking on Linux mainly refers to using the
Linux box to protect Windows machines). However, you can also add some
simple general rules that will block most viruses even before the anti-virus
definitions are updated. Simply remove any attachments with dangerous
extensions: .pif, .com, .bat, .exe, .vbs, .scr, .dll, .cpl. There is
no good reason for any such files being sent directly by email; on the rare
occasions when you might want to pass an exe file, it is easy enough to zip
it. This won't block viruses hiding in zip files, but these require an
extra step by the recipient before they run, giving the victim a chance to
use the most important anti-virus weapon: their brain!
Dear Steve,
What kind of mail server are you using? Sendmail, postfix and qmail
are common ones. Mandrake probably makes a default choice of one of
these, assuming that whoever installed the mail server did it the easy
way, using what is on the Mandrake distribution.
The most common way spammers use an email server is when the server is
configured for open relaying. This means that your server will
forward any email received from anyone to anywhere else in the world.
For this reason, nobody (Mandrake or anyone else) gives you a default
configuration with open relaying. You'd have to set that up
deliberately, by changing the configuration. So it's unlikely that
you have an open relay. Nor can a virus take over or reside in your
mail server.
Current Microsoft worms and viruses these days send out junk or
infected emails from zombie machines using falsified return addresses,
which they get from address books on infected machines or from the
web. I will certainly receive some spam emails at the address above
(nessuno) just for posting this message. (It's a spam trap address,
however.) So just because you receive an email apparently from
someone you know doesn't mean that that person is actually sending you
junk. Your mail server has nothing to do with this, apart from the
fact that it delivers to your users the infected emails with the false
return addresses. With some effort, however, you can configure your
mail server to reject these emails.
You'll have to learn how to configure your mail server. Sendmail is
notorious for being hard to configure. I've used postfix, which is
easier. The postfix web site contains good documentation on its
configuration. Qmail is also supposed to be easy. If you run into
trouble, try a Google search of the newsgroups; there are several that
deal with mail.
Nessuno
]steve...@yahoo.com (Steve Phils) wrote in message news:<c4fe2718.04080...@posting.google.com>...
]> Hi Linux Techies,
]>
]> My firm is using a Linux Mandrake configuration for our mail server, and
]> the internal computers connect through LAN technologies like Ethernet,
]> which is used with DSL/cable modems and dialup connections. This mail
]> server acts as the proxy or firewall for all sorts of internet
]> activities (browsing, chatting, file transfers, ...). Internal computers are
]> mostly Windows and Linux based (a maximum of 20 PCs altogether).
]> Currently we have noticed that all of our staff members are receiving a lot
]> of spam mails with some attachments (mostly with a *.pif extension)
]> at their official mail address. I notice that the spamming is
]> happening only on the days our mail server is up (on holidays spam is not
]> happening). Unfortunately I'm the one who is administering the
]> configuration and all other computer-related activities. I'm not an
]> expert in networking or even in Linux OS internals though :-).
That suggests that the spam is coming from outside. It is not surprising
that spam comes through only when the mail server is up.
Spam is mail. Ordinary mail also does not come through, I assume, when the
mail server is down.
]>
]> I'm digging deep to find whether any VIRUS/WORMS really reside in our LINUX
]> mail server. How can I know of any vulnerabilities in the LINUX machine?
]> Also I would like to know whether some outsider can use our LINUX SMTP
]> server to send spam mail. Is there any way to check for
]> this outside intrusion?
]>
]> What are the common ways to find such vulnerabilities in a LINUX
]> configuration?
Who says it is a vulnerability in the Linux configuration?
]>
]> Thanks!
]Dear Steve,
]What kind of mail server are you using? Sendmail, postfix and qmail
]are common ones. Mandrake probably makes a default choice of one of
]these, assuming that whoever installed the mail server did it the easy
]way, using what is on the Mandrake distribution.
Mandrake uses postfix by default, and closes off mail relaying by default.
Now the user will have to have edited the main.cf file to make it run.
Maybe they altered something.
Anyway, look at the spam emails. Find out where they are coming from (look
at the last Received: line in the email header. It has the first address the
mail came from).
]The most common way spammers use an email server is when the server is
In comp.os.linux.networking Bill Unruh <un...@string.physics.ubc.ca> suggested:
> nes...@wigner.berkeley.edu (nessuno) writes:
> ]steve...@yahoo.com (Steve Phils) wrote in message news:<c4fe2718.04080...@posting.google.com>...
[..]
> ]> Currently we have noticed that all of our staff members are receiving a lot
> ]> of spam mails with some attachments (mostly with a *.pif extension)
> ]> at their official mail address. I notice that the spamming is
> ]> happening only on the days our mail server is up (on holidays spam is not
> ]> happening). Unfortunately I'm the one who is administering the
> ]> configuration and all other computer-related activities. I'm not an
> ]> expert in networking or even in Linux OS internals though :-).
> That suggests that the spam is coming from outside. It is not surprising
Strong point, but that would mean someone on these 20 PCs is
sending the spam; not very likely, too simply detectable.
> that spam comes through only when the mail server is up.
> Spam is mail. Ordinary mail also does not come through, I assume, when the
> mail server is down.
Yup.
[..]
> ]> What are the common ways to find such vulnerabilities in LINUX
> ]> configuration?
> Who says it is a vulnerability in the Linux configuration.
Might be someone near/in the company simply released those email
addresses to the internet; that will guarantee a fair share of
spam. I get about 70-100 in 24h, about 98% is dropped via SA
without intervention right now. Looks like I have to upgrade
and/or double-check the spamd config; like every few months spam
starts to get beyond spamassassin. ;(
[..]
> Anyway, look at the spam emails. Find out where they are coming from (look
> at the last Received: line in the email header. It has the first address the
> mail came from).
Now that would be the best idea; the headers will tell the origin of
the crap.
--
Michael Heiming (GPG-Key ID: 0xEDD27B94)
mail: echo zvp...@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
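The header check Bill Unruh describes and Michael seconds, as an added example (not code from anyone in the thread): it walks the Received: lines of a message with Python's email module, reports the bottom hop as the origin, and flags the pattern nessuno describes, a From: in our own domain arriving from an outside address. The sample headers, example.net as the local domain and the network list are all constructed.

```python
import email
import email.utils
import ipaddress
import re

# Constructed sample (not from the thread). Our own MX added the top line;
# the bottom line was added by the first relay, so its "from" clause names
# the host that originally injected the mail.
SAMPLE_MESSAGE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net (Postfix) for <staff@example.net>; Tue, 3 Aug 2004 09:31:00 +0200
Received: from dsl-203-0-113-7.example-isp.invalid (unknown [203.0.113.7])
\tby mail.example.org (Postfix) for <staff@example.net>; Tue, 3 Aug 2004 09:30:12 +0200
From: "A Colleague" <colleague@example.net>
Subject: Your document
"""

# "from HELO (rdns [ip])": the bracketed IP comes from the TCP connection; HELO is whatever the client claimed.
RECEIVED_FROM = re.compile(
    r"^from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\))?",
    re.IGNORECASE,
)

def received_hops(raw):
    """Received: hops as dicts, top (our server) to bottom (origin)."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        line = re.sub(r"\s+", " ", str(value)).strip()  # unfold continuation lines
        m = RECEIVED_FROM.match(line)
        hops.append({k: (m.group(k) if m else None) for k in ("helo", "rdns", "ip")})
    return hops

def origin_hop(raw):
    """The last Received: line, i.e. the first host the mail came from."""
    hops = received_hops(raw)
    return hops[-1] if hops else None

def suspicion_notes(raw, local_domain, my_networks):
    """Explain why a mail looks like outside spam under a forged local sender."""
    origin, notes = origin_hop(raw), []
    if not origin or not origin["ip"]:
        return ["no usable Received: header; the mail may have been injected locally"]
    sender = email.utils.parseaddr(email.message_from_string(raw).get("From", ""))[1]
    inside = any(ipaddress.ip_address(origin["ip"]) in ipaddress.ip_network(n, strict=False)
                 for n in my_networks)
    if sender.lower().endswith("@" + local_domain) and not inside:
        notes.append("From: claims %s but origin %s is outside our networks" % (local_domain, origin["ip"]))
    if origin["rdns"] in (None, "unknown"):
        notes.append("origin %s has no reverse DNS" % origin["ip"])
    return notes
```

Only the bottom hop's bracketed IP is worth acting on; every Received: line above it could have been forged by the sender before handing the mail over.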
>
> That suggests that the spam is coming from outside.
Does it? I don't think we may infer that from the description
given above.
> It is not surprising that spam comes through only when the mail
> server is up. Spam is mail. Ordinary mail also does not come
> through, I assume, when the mail server is down.
Yes, so how can we differentiate between spam retrieved from
other servers and spam sent directly to the poor mail server?
Only by looking at the mail logs. Either mail is coming into the
system by (1) the SMTP daemon (very bad, the system is being
misused as a spam relay) or by (2) the POP / IMAP daemon (also bad,
but spam is coming from their ISP along with legitimate mail).
In case (1), the admin should close the door.
In (2), install and administer a spam filter.
But I doubt that it is (1). As a spammer, I'd use the open server
to send mails to the outside world, but not to any user on this
system so as not to draw any attention to myself.
HTH
Martin
It's a good little guard dog to have while you learn about properly
configuring your servers :)
You also get told about who is trying to scan your machine. An example
from one of my recent logs is below.
Warning: Portscans detected
TCP SYN/Normal from:
222.46.114.243: ports: 1023
adsl-68-253-203-63.dsl.emhril.ameritech.net (68.253.203.63): ports: 411
h228n2fls34o990.telia.com (213.67.7.228): ports: 411
Warning: Blocked route from/to h228n2fls34o990.telia.com (213.67.7.228) 1 times(s).
Warning: Blocked route from/to 222.46.114.243 1 times(s).
Warning: Blocked route from/to adsl-68-253-203-63.dsl.emhril.ameritech.net (68.253.203.63) 1 times(s).
I then use http://isc.sans.org/ to get info about the ports and any
possible exploits. Usually, it's scans from infected Windows boxes whose
users are blissfully unaware their machines are the technological
equivalent of a leper with a bad case of herpes and a raging flu ;)
--
Jafar Calley
Registered Linux User #359623
http://fatcatftp.homelinux.org
It's very nice to see a lot of prompt replies to my query.
In my Mandrake LINUX machine the MTA in use is Postfix (some of you
already quoted it correctly) and I suppose it uses the default configuration
choice of the Mandrake distribution.
I'm summarizing what I comprehended from all of your valuable posts:
1. LINUX is much less vulnerable when compared to Windows systems, so
there is a rare chance of having any SMTP worms or any type of VIRUS (in the
initial mail I compared with SMTP worms in Windows; that is why I asked that
question).
2. There may be a chance of an open relay in my configuration (I need to
look into it).
3. Need to have a good firewall, i.e. IPTABLES with a decent ruleset (there
is a firewall script with some RULES in my distribution).
4. Chances are that spamming is happening from the internal
networked machines as well as from external spammers (need more
vigilance on this).
5. Utilities like clamav, amavis & portsentry help greatly in the fight
against spamming (really, it's a great piece of information).
Gurus, I'm not a technical person, so don't get offended to see my silly
questions. I'm more of a layman in this field and would like to know these:
How can I know whether my machine is configured as an Open Relay? Which
script or file specifically do I need to look into?
Which services are really required for the smooth functioning of the mail
server? (Now there are a lot, like crond, dhcrelay, gpm, ... about 16
altogether.)
Kudos to all for your helping minds!
Thanks Again.
> How can I know whether my machine is configured as Open Relay? Which
> script or file specifically I need to look into?
>
You might visit this URL and have it test your machine...
http://www.abuse.net/relay.html
--
.~. Jean-David Beyer Registered Linux User 85642.
/V\ Registered Machine 241939.
/( )\ Shrewsbury, New Jersey http://counter.li.org
^^-^^ 09:15:00 up 50 min, 3 users, load average: 4.16, 4.16, 3.93
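Alongside the external test at abuse.net, a local check of the main.cf settings Bill Unruh's reply pointed at, as an added example rather than anything from the thread or from Postfix itself: it parses a constructed main.cf excerpt and reports the settings that would turn the server into an open relay (a world-wide mynetworks, or a bare permit placed before reject_unauth_destination in smtpd_recipient_restrictions). Run it on /etc/postfix/main.cf, or on the output of postconf, which prints every parameter including the defaults.

```python
import re

# Constructed main.cf excerpt (not from the thread); edit the values to see
# the checks fire. Only parameters written in the file are seen, so an
# absent mynetworks (derived from mynetworks_style) is not judged here.
SAFE_MAIN_CF = """\
# /etc/postfix/main.cf (constructed sample)
myhostname = mail.example.net
mydomain = example.net
mydestination = $myhostname, localhost.$mydomain, $mydomain
mynetworks = 127.0.0.0/8, 192.168.1.0/24
relay_domains = $mydestination
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination
"""

# Restrictions that refuse relaying to non-local domains. Postfix applies the
# list in order, first match wins, so a permit before these opens the relay.
RELAY_STOPPERS = {"reject_unauth_destination", "defer_unauth_destination", "check_relay_domains"}

def parse_main_cf(text):
    """Parse Postfix 'name = value' lines, joining indented continuation lines."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current:            # continuation of the previous value
            params[current] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params

def split_list(value):
    return [v for v in re.split(r"[,\s]+", value) if v]

def relay_findings(params):
    """List the settings that would let outsiders relay mail through this server."""
    findings = []
    for net in split_list(params.get("mynetworks", "")):
        if net.endswith("/0"):                       # 0.0.0.0/0 makes the whole internet "local"
            findings.append("mynetworks contains %s: every client counts as local" % net)
    restr = split_list(params.get("smtpd_recipient_restrictions", ""))
    stop = next((i for i, r in enumerate(restr) if r in RELAY_STOPPERS), None)
    if stop is None:
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination")
    elif "permit" in restr[:stop]:
        findings.append("'permit' precedes reject_unauth_destination: all clients may relay")
    return findings

def audit_main_cf(text):
    return relay_findings(parse_main_cf(text))
```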
On tirsdag 3. august 2004, 09:31 Steve Phils tried to express an opinion:
> Currently we noticed that all of our staff members are receiving lot
> of spam mails with some attachments(mostly with some *.pif extension)
> in their official mail address.
I see you got a few ideas already.
I thought I'd share with you my solution to these spam problems.
Visit this page, and follow the instructions.
http://advosys.ca/papers/postfix-filtering.html
It's a kind of an idiots guide, so it's easy to set up.
I had this working on the first try. :-)
The script removes all executable Windows attachments and
leaves a note in the mail explaining what was done, and why.
I've also modified it to remove all HTML from the email as well :-)
(I really do hate HTML in email.)
NOTE: This guide assumes you use POSTFIX as your mailserver,
and not sendmail or Qmail.
--
Solbu - http://www.solbu.net
Remove 'ugyldig' for email
PGP key ID: 0xFA687324
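The attachment stripping that both this post and the earlier clamav reply describe, as an added example that is neither Solbu's modified script nor the advosys one: Python's email package replaces any part whose filename ends in one of the extensions the clamav reply lists with a plain-text note, and leaves the .zip alone for the reason that reply gives. The message is constructed; wiring this into Postfix as a content filter is outside the snippet.

```python
import os
from email.message import EmailMessage

# Extensions the thread recommends dropping outright; .zip is deliberately
# absent, since opening it takes an extra step by the recipient.
DANGEROUS_EXT = {".pif", ".com", ".bat", ".exe", ".vbs", ".scr", ".dll", ".cpl"}

def build_sample():
    """Constructed message with one dangerous and one tolerated attachment."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.net"
    msg["To"] = "staff@example.net"
    msg["Subject"] = "Your document"
    msg.set_content("See the attached file.")
    msg.add_attachment(b"MZ\x90\x00 fake executable", maintype="application",
                       subtype="octet-stream", filename="document.pif")
    msg.add_attachment(b"PK\x03\x04 fake archive", maintype="application",
                       subtype="zip", filename="report.zip")
    return msg

def is_dangerous(filename):
    """Match on the final extension only, case-insensitively (README.PIF too)."""
    return os.path.splitext(filename or "")[1].lower() in DANGEROUS_EXT

def strip_dangerous_attachments(msg):
    """Replace each dangerous attachment in place with a note; return the names removed."""
    removed = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name and is_dangerous(name):
            removed.append(name)
            # clear_content() drops the payload and every Content-* header (so the
            # attachment disposition goes too); set_content() turns it into text.
            part.clear_content()
            part.set_content("[Attachment %r was removed by the mail gateway: "
                             "executable Windows attachments are not accepted; "
                             "zip it if it is genuinely needed.]" % name)
    return removed
```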
thanx,
karthik bala guru
Solbu <so...@ugyldig.start.no> wrote in message news:<GTlRc.222$%y3....@news4.e.nsc.no>...