comp.mail.sendmail: Configuring and using the BSD sendmail agent.
#1
|
Hi,
I'm new on sendmail, but I have an apache webserver on a linux slackware 11.0. This webserver has a php script that sends e-mails, so I installed sendmail. But I think my sendmail is open for everybody because when I do a ps aux, this is the result:

../l4GJDbCG016266 mx3.hotmail.com.: user open
../l4GK0VCJ017007 mx2.hotmail.com.: user open

The sendmail daemon is started by rc.sendmail and looks like this:

/usr/sbin/sendmail -L sm-mta -bd -q25m
/usr/sbin/sendmail -L sm-msp-queue -Ac -q25m

Running a sniffer, I see a lot of hosts connected at port 25. So, I think they are using my sendmail to send some kind of spam. I made some firewall rules:

$iptables -A INPUT -p tcp --dport 25 -j DROP
$iptables -A OUTPUT -d 81.221.254.0/24 -p tcp --dport 25 -j ACCEPT

With these rules I can't connect via telnet, so I thought that the problem was solved, but it is not, they're still using my server. So, what can I do? I just need localhost to send e-mails via the php script using the function mail() from php 5.
|
|
|
#2
|
Fravo unleashed the infinite monkeys on 16/05/2007 20:23 producing:
> So, what can I do? I just need localhost to send e-mails via the php
> script using the function mail() from php 5.

And the odds are good that it's that script that's responsible for the spam, not sendmail acting as an open relay. This type of problem has been known about, and discussed, for literally years. If you're not sanitising the information that gets passed to the mail() function then you're going to be used as a spam "source" (as that's how it will appear).

--
Rob MacGregor (BOFH)
Rule 37: "There is no 'overkill'. There is only 'open fire' and 'I need to reload.'"
|
|
|
#3
|
In comp.mail.sendmail Fravo <fravo.crust@gmail.com>:
> Hi,
> I'm new on sendmail, but I have an apache webserver on a linux
> slackware 11.0. This webserver has a php script that sends e-mails, so
> I installed sendmail.
[..]
> So, what can I do? I just need localhost to send e-mails via the php
> script using the function mail() from php 5.

No doubt the php script is the problem, abused by spammers to load off their ratware. Recent sendmail versions on modern Linux distributions haven't relayed for anyone other than localhost by default for quite some years. You need to check the script and fix the problem before you get listed anywhere; shutting down sendmail until the problem is resolved should be the first step.

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 308: CD-ROM server needs recalibration
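The sanitising that Rob and Michael are talking about, shown here as an added Python illustration (not code from either poster, and not the PHP script in question): a script that pastes form fields straight into the header string handed to mail() lets a line break in a field start a new header, so the submitter can add recipients of their own; the check refuses any value carrying CR or LF before it reaches the mailer. The form field names "from" and "subject" are assumed.

```python
import re
from typing import Optional

# Constructed form submissions (not from the thread): the second carries a
# line break in the sender field, the classic mail() header injection.
LEGIT_SUBMISSION = {"from": "alice@example.org", "subject": "Question about hosting"}
INJECTED_SUBMISSION = {
    "from": "alice@example.org\r\nBcc: victim1@example.net, victim2@example.net",
    "subject": "hello\nContent-Type: text/html",
}

_CRLF = re.compile(r"[\r\n]")
_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def render_headers_naively(submission: dict) -> str:
    """What a script that pastes form fields into mail()'s header string emits.
    A CR/LF inside a field terminates that header, so whatever follows becomes
    a header line of the submitter's choosing (here an extra Bcc:)."""
    return "From: %s\r\nSubject: %s\r\n" % (submission["from"], submission["subject"])

def header_injection(value: str) -> bool:
    """True if a user-supplied header value contains a line break."""
    return bool(_CRLF.search(value))

def safe_headers(submission: dict) -> Optional[dict]:
    """Validated From/Subject values, or None when the submission must be refused.
    Refusing (rather than silently stripping) keeps abuse attempts visible in the logs."""
    sender = submission.get("from", "")
    subject = submission.get("subject", "")
    if header_injection(sender) or header_injection(subject):
        return None
    if not _ADDR.match(sender):  # exactly one address, nothing appended
        return None
    return {"From": sender, "Subject": subject[:200]}
```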
|
|
|
#4
|
On Thu, 16 May 2007, Fravo wrote:
> Hi,
>
> I'm new on sendmail, but I have an apache webserver on a linux
> slackware 11.0. This webserver has a php script that sends e-mails, so
> I installed sendmail.
> But I think my sendmail is open for everybody because when I do a ps
> aux, this is the result:
> ./l4GJDbCG016266 mx3.hotmail.com.: user open
> ./l4GK0VCJ017007 mx2.hotmail.com.: user open

It's most likely nothing to worry about; it could be a lot of hits on the port. However, it could be your php script that is exploited, in which case (the most likely) you'll have to take it up in another medium, and if it's phpformail you probably are exploited. Make sure the only entries in /etc/mail/access are something like

Connect:127.0.0.1 RELAY
Connect:[box.i.p] RELAY

and add more as you need them. You can set debug to 30 and read your logs.

--
Cheers
Res
Vote for your favourite MTA at http://polls.ausics.net/v3.php
|
|
|
#5
|
In article <1179343409.105738.118480@u30g2000hsc.googlegroups.com> Fravo <fravo.crust@gmail.com> writes:
>
> I'm new on sendmail, but I have an apache webserver on a linux
> slackware 11.0. This webserver has a php script that sends e-mails, so
> I installed sendmail.

Others have already pointed out that the script is probably the source of your problems - though actually it isn't clear that you *have* any problems.

> But I think my sendmail is open for everybody because when I do a ps
> aux, this is the result:
> ./l4GJDbCG016266 mx3.hotmail.com.: user open
> ./l4GK0VCJ017007 mx2.hotmail.com.: user open

You think that just because the string "open" is in there, or what? Anyway these are client-side connections, i.e. originated by your sendmail. "user open" means that it's "user side" a.k.a. client side SMTP, that is in the process of opening a connection to the hosts shown. Whether these are legitimate uses of your script, only you can tell.

> Running a sniffer, I see a lot of hosts connected at port 25.

What does that mean? Every SMTP session has port 25 at one end. Is it at your end, i.e. an incoming connection, or at the remote, i.e. an outgoing one?

> So, I think they are using my sendmail to send some kind of spam.

Quite possible, but you need to investigate beyond what you have shown here. The sendmail log (typically in /var/log/maillog) will show every message, where it came from and where it went.

> I made some firewall rules
> $iptables -A INPUT -p tcp --dport 25 -j DROP

This will block incoming connections to port 25, but it's not clear that you have any. And as already mentioned, most modern OS distributions default to setting up sendmail to only accept connections on the loopback interface.

> $iptables -A OUTPUT -d 81.221.254.0/24 -p tcp --dport 25 -j ACCEPT

Of course I don't know what the rest of your rules look like, but this is probably redundant.

--Per Hedeland
per@hedeland.org
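Reading the maillog the way Per describes, as an added Python example (not from the thread): it joins each queue ID's from= record with its to= records and flags messages that sendmail accepted from localhost with an unusually large recipient count, which is what an abused web script looks like next to ordinary user mail. The log lines are constructed in sendmail's record style; the hostnames, addresses and the 192.0.2.x relay IPs are placeholders, and the two queue IDs are the ones the poster saw in ps.

```python
import re
from collections import Counter

# Constructed maillog excerpt (not from the thread) in sendmail's from=/to=
# record style; every message here was injected locally (relay=localhost).
SAMPLE_MAILLOG = """\
May 16 20:23:01 www sm-mta[16266]: l4GJDbCG016266: from=<apache@www.example.org>, size=1342, class=0, nrcpts=3, msgid=<1@www.example.org>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
May 16 20:23:02 www sm-mta[16270]: l4GJDbCG016266: to=<a@hotmail.com>,<b@hotmail.com>, delay=00:00:01, mailer=esmtp, relay=mx3.hotmail.com. [192.0.2.10], dsn=2.0.0, stat=Sent
May 16 20:24:00 www sm-mta[17007]: l4GK0VCJ017007: from=<bob@example.org>, size=512, class=0, nrcpts=1, msgid=<2@example.org>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
May 16 20:24:01 www sm-mta[17010]: l4GK0VCJ017007: to=<d@hotmail.com>, delay=00:00:01, mailer=esmtp, relay=mx2.hotmail.com. [192.0.2.11], dsn=2.0.0, stat=Sent
May 16 20:25:00 www sm-mta[17100]: l4GKP0AB017100: from=<apache@www.example.org>, size=1342, class=0, nrcpts=40, msgid=<3@www.example.org>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
"""

_REC = re.compile(r" (?P<qid>[A-Za-z0-9]{14}): (?P<kind>from|to)=(?P<rest>.*)")
_NRCPTS = re.compile(r"nrcpts=(\d+)")
_RELAY = re.compile(r"relay=(\S+)")
_ADDRS = re.compile(r"<([^>]*)>")

def parse_maillog(text):
    """Join each queue ID's from= record with its to= records."""
    msgs = {}
    for line in text.splitlines():
        m = _REC.search(line)
        if not m:
            continue
        msg = msgs.setdefault(m["qid"], {"from": None, "nrcpts": 0, "relay": None, "to": []})
        rest = m["rest"]
        if m["kind"] == "from":
            msg["from"] = _ADDRS.search(rest).group(1)     # envelope sender
            msg["nrcpts"] = int(_NRCPTS.search(rest).group(1))
            msg["relay"] = _RELAY.search(rest).group(1)     # who handed it to sendmail
        else:
            # a to= record lists the recipients of this delivery attempt as
            # <a>,<b> ahead of the first ", delay=" field
            msg["to"].extend(_ADDRS.findall(rest.split(", delay=")[0]))
    return msgs

def suspicious_senders(msgs, max_rcpts=10):
    """Count, per envelope sender, locally injected messages with more than max_rcpts recipients."""
    hits = Counter()
    for msg in msgs.values():
        if msg["relay"] and msg["relay"].startswith("localhost") and msg["nrcpts"] > max_rcpts:
            hits[msg["from"]] += 1
    return hits
```

Run against the real /var/log/maillog, a web server account showing up as the envelope sender of high-recipient messages points at the script, not at an open relay.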
|