Limit From only authorized senders HELP ME PLEASE!

Limit From only authorized senders HELP ME PLEASE!

on 10.12.2006 00:07:54 by Noam Dworman

I have a problem from time to time with spam coming from my server. I only
have about 7 legitimate email senders that use my domains for email. My
server hosts all three of my domains.

1. How do I restrict sendmail so it will only send mail from a specific
return address, or at least from a specific domain address? I want it to
simply not send any email that doesn't have an approved return address.

Thanks, this will really help me keep my IP clean.

Also any linux/sendmail techs in the NY area who might help with some work,
please let me know.

Re: Limit From only authorized senders HELP ME PLEASE!

on 10.12.2006 00:21:50 by Joe Maimon

Noam Dworman wrote:
> I have a problem from time to time with spam coming from my server. I only
> have about 7 legitimate email senders that use my domains for email. My
> server hosts all three of my domains.

Use smtp auth and restrict relay

>
> 1. How do I restrict sendmail so it will only send mail from a specific
> return address, or at least from a specific domain address? I want it to
> simply not send any email that doesn't have an approved return address.

Use smtp auth

See

http://www.jmaimon.com/sendmail/#rewritesender

It sounds like you have an unsecured relay, which is a much larger
problem.


>
> Thanks, this will really help me keep my IP clean.
>
> Also any linux/sendmail techs in the NY area who might help with some work,
> please let me know.

NY here.

Re: Limit From only authorized senders HELP ME PLEASE!

on 10.12.2006 01:06:38 by Noam Dworman

No, I think there is some PHP script somewhere on my server which someone
has figured out how to use to send spam from time to time. When I watch the
mail log I sometimes see spoofed messages from support@paypal.com or that
type of thing going out from my server.

I'm trying to track it down, and I'm working with rfxnetworks to help secure
the server better, but it occurred to me that if I could just make sure that
the From: field in my emails was actually a legitimate address, the problem
would basically stop. A band-aid, but at least it would work.

I can't figure out the access.db and relay parameters to get them to allow
only my legitimate domain addresses. There must be a way.



wrote in message
news:1165706510.551538.169730@j72g2000cwa.googlegroups.com...
>
> Noam Dworman wrote:
>> I have a problem from time to time with spam coming from my server. I
>> only
>> have about 7 legitimate email senders that use my domains for email. My
>> server hosts all three of my domains.
>
> Use smtp auth and restrict relay
>
>>
>> 1. How do I restrict sendmail so it will only send mail from a specific
>> return address, or at least from a specific domain address? I want it to
>> simply not send any email that doesn't have an approved return address.
>
> Use smtp auth
>
> See
>
> http://www.jmaimon.com/sendmail/#rewritesender
>
> It sounds like you have an unsecured relay, which is a much larger
> problem.
>
>
>>
>> Thanks, this will really help me keep my IP clean.
>>
>> Also any linux/sendmail techs in the NY area who might help with some
>> work,
>> please let me know.
>
> NY here.
>

Re: Limit From only authorized senders HELP ME PLEASE!

on 10.12.2006 05:29:52 by Bill Cole

In article ,
"Noam Dworman" wrote:

> No, I think there is some PHP script somewhere on my server which someone
> has figured out how to use to send spam from time to time.

If that is the case, you need to fix or remove that script. What runs
on your machine is your responsibility.

> When I watch the
> mail log I sometimes see spoofed messages from support@paypal.com or that
> type of thing going out from my server.

If the log shows your own machine as the source, you probably need to
start by not automatically relaying for 127.0.0.1 or your public
address.


> I'm trying to track it down, and I'm working with rfxnetworks to help secure
> the server better, but it occurred to me that if I could just make sure that
> the From: field in my emails was actually a legitimate address, the problem
> would bascially stop. A band-aid, but at least it would work.
>
> I can't figure out the access.db and relay parameters to get them to allow
> only my legitimate domain addresses. There must be a way.

Keep in mind that access rules are evaluated in order, so you can put
entries at the start that allow mail from your own domain, and end with
rules that reject mail from your own machine.

Note that using the access map is not an ideal approach. The ideal
approach is to secure your system so that you can trust that nothing
running on it is sending junk, and require authenticated submission to
relay mail from anywhere else.

--
Now where did I hide that website...

Re: Limit From only authorized senders HELP ME PLEASE!

on 10.12.2006 06:30:16 by Noam Dworman

My goodness.

Yes I understand that what runs on my machine is my responsibility. But
that doesn't mean I have the expertise to fix it. I've been on the phone
for hours trying to fix this problem.

Still, If I could find a way to have sendmail filter out messages that
don't have authorized return addresses I could stop the problem. That would
be taking responsibility yes? I don't know if I can find the script or
close the security hole. I've had professional Linux administrators trying
to fix this and they're having a problem.

I really came here for help, not arrogance.


"Bill Cole" wrote in message
news:bill-0200E6.23294309122006@news.det.sbcglobal.net...
> In article ,
> "Noam Dworman" wrote:
>
>> No, I think there is some PHP script somewhere on my server which someone
>> has figured out how to use to send spam from time to time.
>
> If that is the case, you need to fix or remove that script. What runs
> on your machine is your responsibility.
>
>> When I watch the
>> mail log I sometimes see spoofed messages from support@paypal.com or that
>> type of thing going out from my server.
>
> If the log shows your own machine as the source, you probably need to
> start by not automatically relaying for 127.0.0.1 or your public
> address.
>
>
>> I'm trying to track it down, and I'm working with rfxnetworks to help
>> secure
>> the server better, but it occurred to me that if I could just make sure
>> that
>> the From: field in my emails was actually a legitimate address, the
>> problem
>> would basically stop. A band-aid, but at least it would work.
>>
>> I can't figure out the access.db and relay parameters to get them to
>> allow
>> only my legitimate domain addresses. There must be a way.
>
> Keep in mind that access rules are evaluated in order, so you can put
> entries at the start that allow mail from your own domain, and end with
> rules that reject mail from your own machine.
>
> Note that using the access map is not an ideal approach. The ideal
> approach is to secure your system so that you can trust that nothing
> running on it is sending junk, and require authenticated submission to
> relay mail from anywhere else.
>
> --
> Now where did I hide that website...

Re: Limit From only authorized senders HELP ME PLEASE!

on 10.12.2006 15:52:13 by Canuck57

"Noam Dworman" wrote in message
news:L62dnfqKvuH_BubYnZ2dnUVZ_t6qnZ2d@speakeasy.net...
> My goodness.
>
> Yes I understand that what runs on my machine is my responsibility. But
> that doesn't mean I have the expertise to fix it. I've been on the phone
> for hours trying to fix this problem.

Then you should probably shut it down until it is fixed. Pull the network
wire before your ISP shuts you down. It isn't a punishable crime yet, but
this is "Careless computing" to leave that connected. Read on.

If you don't have the expertise, pay someone who does. At least shut it
down now.

> Still, If I could find a way to have sendmail filter out messages that
> don't have authorized return addresses I could stop the problem. That
> would be taking responsibility yes? I don't know if I can find the script
> or close the security hole. I've had professional Linux administrators
> trying to fix this and they're having a problem.

The hole is likely the way you configured it and once your system has been
compromised you should re-install it from scratch. Take it offline, and
read about how to configure it properly before you put it back on line.

If you don't, plenty in this forum will not think very highly of you. Many
are already laughing.

>
> I really came here for help, not arrogance.

> "Bill Cole" wrote in message
> news:bill-0200E6.23294309122006@news.det.sbcglobal.net...
>> In article ,
>> "Noam Dworman" wrote:
>>
>>> No, I think there is some PHP script somewhere on my server which
>>> someone
>>> has figured out how to use to send spam from time to time.
>>
>> If that is the case, you need to fix or remove that script. What runs
>> on your machine is your responsibility.
>>
>>> When I watch the
>>> mail log I sometimes see spoofed messages from support@paypal.com or
>>> that
>>> type of thing going out from my server.
>>
>> If the log shows your own machine as the source, you probably need to
>> start by not automatically relaying for 127.0.0.1 or your public
>> address.
>>
>>
>>> I'm trying to track it down, and I'm working with rfxnetworks to help
>>> secure
>>> the server better, but it occurred to me that if I could just make sure
>>> that
>>> the From: field in my emails was actually a legitimate address, the
>>> problem
>>> would basically stop. A band-aid, but at least it would work.
>>>
>>> I can't figure out the access.db and relay parameters to get them to
>>> allow
>>> only my legitimate domain addresses. There must be a way.
>>
>> Keep in mind that access rules are evaluated in order, so you can put
>> entries at the start that allow mail from your own domain, and end with
>> rules that reject mail from your own machine.
>>
>> Note that using the access map is not an ideal approach. The ideal
>> approach is to secure your system so that you can trust that nothing
>> running on it is sending junk, and require authenticated submission to
>> relay mail from anywhere else.
>>
>> --
>> Now where did I hide that website...
>
>

Re: Limit From only authorized senders HELP ME PLEASE!

on 10.12.2006 17:05:05 by Kari Hurtta

Bill Cole writes in comp.mail.sendmail:

> Keep in mind that access rules are evaluated in order, so you can put
> entries at the start that allow mail from your own domain, and end with
> rules that reject mail from your own maqchine.

Sendmail's access file is stored in a database. It does not store
the order of the original lines.

/ Kari Hurtta

Re: Limit From only authorized senders HELP ME PLEASE!

on 10.12.2006 19:37:28 by Michael Heiming

In comp.mail.sendmail Noam Dworman :
>> Noam Dworman wrote:

>>> I have a problem from time to time with spam coming from my server. I
[..]

> No, I think there is some PHP script somewhere on my server which someone
> has figured out how to use to send spam from time to time. When I watch the
> mail log I sometimes see spoofed messages from support@paypal.com or that
> type of thing going out from my server.

Take this script away first, have you installed all patches for
your system, including php? There are quite often vulnerabilities
in php detected and fixed. It doesn't sound like a sendmail
problem at all, since the stuff is coming from localhost where one
would expect sendmail to relay.

Your apache + sendmail logs should tell the whole story of what
is happening, presuming your system isn't completely compromised.

No one knows, though it isn't unlikely it is just some vulnerable
PHP script, which happens frequently. You want to hurry up before
your IP ends up in a bunch of RBL lists for good reasons and/or
your ISP cuts off your line.

Good luck

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 250: Program load too heavy for processor to lift.
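
The log correlation Michael points at, as an added example that is not part of the original thread and not code from any poster: it reads sendmail's "from=" lines and the Apache access log, flags messages handed in on the box itself (relay "user@localhost" when the MSP binary submits, or "[127.0.0.1]" when the MSP connects to the MTA over loopback) whose envelope sender is not in one of the hosted domains, and lists the POST requests that landed in the seconds before each one. The domain names, hostnames, queue IDs and log lines are constructed for the demonstration; the year is assumed because syslog timestamps omit it. Only the Python standard library is used.

```python
"""Flag locally submitted mail with an unauthorized envelope sender and tie it
back to the web request that triggered it.

Added example for the thread; not code from any of the posters. All names,
queue IDs and log lines below are constructed for the demonstration.
"""
import re
from datetime import datetime

# Assumption: the three domains the original poster hosts (not named in the thread).
AUTHORIZED_DOMAINS = {"example.com", "example.net", "example.org"}
YEAR = 2006          # syslog timestamps carry no year; taken from the thread's date
WINDOW_SECONDS = 10  # how far before a message a triggering POST may have landed

# Constructed sendmail "from=" lines. The MSP (the /usr/sbin/sendmail binary that
# PHP's mail() runs) logs relay=<unix user>@localhost; the MTA that receives the
# hand-off over loopback logs relay=<name> [127.0.0.1].
MAILLOG = """\
Dec 10 00:07:54 web sendmail[4211]: kBA57sbN004211: from=<alice@example.com>, size=812, class=0, nrcpts=1, msgid=<200612100507.kBA57sbN004211@web.example.com>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Dec 10 00:08:02 web sendmail[4215]: kBA582Om004215: from=<support@paypal.com>, size=2931, class=0, nrcpts=40, msgid=<200612100508.kBA582Om004215@web.example.com>, relay=apache@localhost
Dec 10 00:08:02 web sendmail[4216]: kBA582Vx004216: from=<support@paypal.com>, size=3104, class=0, nrcpts=40, msgid=<200612100508.kBA582Om004215@web.example.com>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Dec 10 00:08:03 web sendmail[4217]: kBA582Vx004216: to=<user1@example.invalid>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=123104, relay=mx.example.invalid. [192.0.2.25], dsn=2.0.0, stat=Sent
Dec 10 00:09:11 web sendmail[4230]: kBA59BQq004230: from=<newsletter@vendor.invalid>, size=455, class=0, nrcpts=1, msgid=<a1b2c3@vendor.invalid>, proto=ESMTP, daemon=MTA, relay=mx.vendor.invalid [198.51.100.7]
"""

# Constructed Apache combined-format access log for the same minutes.
ACCESS_LOG = """\
203.0.113.9 - - [10/Dec/2006:00:07:40 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Dec/2006:00:08:01 -0500] "POST /contact/sendform.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.20 - - [10/Dec/2006:00:09:05 -0500] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

MAIL_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r"(?P<qid>\w+): from=<(?P<sender>[^>]*)>.*, relay=(?P<relay>.+)$")
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^ \]]+) [^\]]*\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def parse_maillog(text):
    """One record per envelope-sender ('from=') line; 'to=' delivery lines are skipped."""
    records = []
    for line in text.splitlines():
        m = MAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {YEAR}", "%b %d %H:%M:%S %Y")
        records.append({"ts": ts, "qid": m["qid"], "sender": m["sender"], "relay": m["relay"]})
    return records


def parse_access_log(text):
    """Client, method, path and timestamp for each request; the UTC offset is ignored
    because both logs are written in the box's local time (assumption)."""
    requests = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
        requests.append({"ts": ts, "client": m["client"], "method": m["method"], "path": m["path"]})
    return requests


def is_local_origin(relay):
    """True for mail handed in on this box, whether by the MSP or over loopback."""
    return relay.endswith("@localhost") or "[127.0.0.1]" in relay


def submitting_user(relay):
    """Unix account that ran the sendmail binary, if the MSP logged it; else None."""
    return relay[:-len("@localhost")] if relay.endswith("@localhost") else None


def find_spoofed(records, authorized_domains):
    """Locally originated mail whose envelope sender domain is not one of ours.
    The null sender (<>) is a bounce, not a forgery, so it is left alone."""
    hits = []
    for r in records:
        if not is_local_origin(r["relay"]) or r["sender"] == "":
            continue
        domain = r["sender"].rpartition("@")[2].lower()
        if domain not in authorized_domains:
            hits.append(r)
    return hits


def correlate(spoofed, requests, window=WINDOW_SECONDS):
    """Map each suspect queue ID to the POSTs that landed within `window` seconds before it."""
    result = {}
    for r in spoofed:
        posts = []
        for q in requests:
            delta = (r["ts"] - q["ts"]).total_seconds()
            if q["method"] == "POST" and 0 <= delta <= window:
                posts.append((q["client"], q["path"]))
        result[r["qid"]] = posts
    return result


def report(maillog=MAILLOG, access_log=ACCESS_LOG, authorized=AUTHORIZED_DOMAINS):
    """One line per forged local submission, naming the submitting account and candidate scripts."""
    spoofed = find_spoofed(parse_maillog(maillog), authorized)
    hits = correlate(spoofed, parse_access_log(access_log))
    lines = []
    for r in spoofed:
        who = submitting_user(r["relay"]) or "smtp via loopback"
        lines.append(f"{r['qid']} from=<{r['sender']}> submitted by {who}; candidate scripts: {hits[r['qid']]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

On a real box, feed it /var/log/maillog and the virtual hosts' access logs for the same minutes. The "relay=apache@localhost" entries name the unix account that ran the sendmail binary, which is how you tell a web-server script from a shell user; a POST that recurs a second or two before every forged message is the script to pull. Inbound mail from other domains is not flagged because it arrives from a remote relay, which is exactly the distinction Bill draws between the machine as source and the machine as MX.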

Re: Limit From only authorized senders HELP ME PLEASE!

on 11.12.2006 03:30:16 by Noam Dworman

It's very easy to tell somebody to shut down their machine, however that
would also shut down my business and probably put me and about 100 people
out of work.

What I'm trying to do is fix the problem which is why I came here asking for
advice on how to stop the spam. It's such a reasonable thing to do, I can't
believe the response I'm getting. If I could limit the mail to just what
comes from my addresses the problem would be fixed, and I wouldn't have to
shut down my machine. What am I missing?

I have also paid rf-x to do a security audit and install a full security
package on my machine, but they have taken over a week to install it.

I am so amazed at the level of nastiness and arrogance that people permit
themselves to spew on someone who is earnestly asking for help. I'm not
trying to spam, I'm looking to stop the spam without bankrupting myself in
the process.

I'm here to try and fix my problem. If you think I'm going to shut my
machine off you're ridiculous. What I'm doing is what any reasonable person
does when they have a problem: reach out to experts and professionals who
can help.

"Canuck57" wrote in message
news:xaVeh.461788$5R2.135516@pd7urf3no...
>
> "Noam Dworman" wrote in message
> news:L62dnfqKvuH_BubYnZ2dnUVZ_t6qnZ2d@speakeasy.net...
>> My goodness.
>>
>> Yes I understand that what runs on my machine is my responsibility. But
>> that doesn't mean I have the expertise to fix it. I've been on the phone
>> for hours trying to fix this problem.
>
> Then you should probably shut it down until it is fixed. Pull the network
> wire before your ISP shuts you down. It isn't a punishable crime yet,
> but this is "Careless computing" to leave that connected. Read on.
>
> If you don't have the expertise, pay someone who does. At least shut it
> down now.
>
>> Still, If I could find a way to have sendmail filter out messages that
>> don't have authorized return addresses I could stop the problem. That
>> would be taking responsibility yes? I don't know if I can find the
>> script or close the security hole. I've had professional Linux
>> administrators trying to fix this and they're having a problem.
>
> The hole is likely the way you configured it and once your system has been
> compromised you should re-install it from scratch. Take it offline, and
> read about how to configure it properly before you put it back on line.
>
> If you don't, plenty in this forum will not think very highly of you. Many
> are already laughing.
>
>>
>> I really came here for help, not arrogance.
>
>> "Bill Cole" wrote in message
>> news:bill-0200E6.23294309122006@news.det.sbcglobal.net...
>>> In article ,
>>> "Noam Dworman" wrote:
>>>
>>>> No, I think there is some PHP script somewhere on my server which
>>>> someone
>>>> has figured out how to use to send spam from time to time.
>>>
>>> If that is the case, you need to fix or remove that script. What runs
>>> on your machine is your responsibility.
>>>
>>>> When I watch the
>>>> mail log I sometimes see spoofed messages from support@paypal.com or
>>>> that
>>>> type of thing going out from my server.
>>>
>>> If the log shows your own machine as the source, you probably need to
>>> start by not automatically relaying for 127.0.0.1 or your public
>>> address.
>>>
>>>
>>>> I'm trying to track it down, and I'm working with rfxnetworks to help
>>>> secure
>>>> the server better, but it occurred to me that if I could just make sure
>>>> that
>>>> the From: field in my emails was actually a legitimate address, the
>>>> problem
>>>> would basically stop. A band-aid, but at least it would work.
>>>>
>>>> I can't figure out the access.db and relay parameters to get them to
>>>> allow
>>>> only my legitimate domain addresses. There must be a way.
>>>
>>> Keep in mind that access rules are evaluated in order, so you can put
>>> entries at the start that allow mail from your own domain, and end with
>>> rules that reject mail from your own machine.
>>>
>>> Note that using the access map is not an ideal approach. The ideal
>>> approach is to secure your system so that you can trust that nothing
>>> running on it is sending junk, and require authenticated submission to
>>> relay mail from anywhere else.
>>>
>>> --
>>> Now where did I hide that website...
>>
>>
>
>

Re: Limit From only authorized senders HELP ME PLEASE!

on 11.12.2006 04:52:34 by gerryt

Noam Dworman top posts with a WinBlows client:

> It's very easy to tell somebody to shut down there machine, however that
> would also shut down my business and probably put me and about 100 people
> out of work.

I don't think you have to shut the whole machine down, just the PHP
part of it...
Sorry if that's impractical.
Might be faster than to compile, test and implement all the sendmail
hooks to restrict outgoing mail... See at:
www.sendmail.org/~ca/email/restrict.html

Re: Limit From only authorized senders HELP ME PLEASE!

on 11.12.2006 06:59:11 by Bill Cole

In article <5dejr7viry.fsf@Hurtta06k.keh.iki.fi>,
Kari Hurtta wrote:

> Bill Cole writes in comp.mail.sendmail:
>
> > Keep in mind that access rules are evaluated in order, so you can put
> > entries at the start that allow mail from your own domain, and end with
> > rules that reject mail from your own machine.
>
> Sendmail's access file is stored in a database. It does not store
> the order of the original lines.

You are correct.

I plead age and confusion from working with Postfix regex access control
too much recently. :)

The right answer would be:

Use FEATURE(`delay_checks') so that you run all the check_* rules at
RCPT time, with the ordering changed so that you can accept mail from
senders in particular domains while generally rejecting mail from an
untrustworthy host, in this case localhost.

(and what I said about this being a sub-optimal approach still applies,
of course.)

--
Now where did I hide that website...
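
A sketch of the arrangement Bill describes here, combined with the SMTP AUTH / restricted-relay setup Joe recommended at the top of the thread, as an added example that is not configuration from the thread or from sendmail's own documentation. The three domain names are placeholders for the poster's domains, the reject text is invented, and the SASL mechanism list assumes sendmail 8.12 or later built with SASL and a working saslauthd; the access map entries are shown as dnl comments so the fragment stays a single sendmail.mc excerpt.

```m4
dnl --- sendmail.mc fragment (added example; domain names are placeholders) ---
dnl Access map with tagged (Connect:/From:/To:) entries.
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl
dnl Run check_mail and check_relay from check_rcpt instead of at connect/MAIL
dnl time. The order becomes check_rcpt, check_mail, check_relay, so a sender
dnl the map marks OK is accepted before the Connect: rejection of 127.0.0.1
dnl is reached; anything else handed in over loopback hits that rejection.
FEATURE(`delay_checks')dnl
dnl Relay only for authenticated users; plaintext mechanisms only inside TLS (option p).
define(`confAUTH_MECHANISMS', `PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
define(`confAUTH_OPTIONS', `A p')dnl
dnl Submission port for the seven real users' mail clients; M=a requires AUTH there.
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl
dnl --- /etc/mail/access (rebuild with: makemap hash /etc/mail/access < /etc/mail/access) ---
dnl From:example.com        OK
dnl From:example.net        OK
dnl From:example.org        OK
dnl From:web.example.com    OK   (the box's own hostname, so cron and system mail still get out)
dnl Connect:127.0.0.1       ERROR:"550 Local submission requires an authorized sender address"
```

Two things to check before relying on it. First, exercise check_rcpt under sendmail -bt with {client_addr} set to 127.0.0.1 and the sender macro f set (with .D) to an address in each listed domain and then to support@paypal.com: the first must be accepted and the second must produce the 550, on the sendmail version actually installed. Second, a rejection at RCPT time does not make the spam vanish: the MTA logs it as a reject= entry, and the MSP that PHP's mail() hands the message to still has it in clientmqueue and will try to bounce it, so watch both the log and that queue. None of this changes Bill's point: it only blocks forged envelope senders, and a script that forges an address in one of the listed domains sails through, which is why the script itself has to go.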

Re: Limit From only authorized senders HELP ME PLEASE!

on 11.12.2006 15:19:30 by Michael Heiming

In comp.mail.sendmail Noam Dworman :
> "Bill Cole" wrote in message
> news:bill-0200E6.23294309122006@news.det.sbcglobal.net...
>> In article ,
>> "Noam Dworman" wrote:

>>> No, I think there is some PHP script somewhere on my server which someone
>>> has figured out how to use to send spam from time to time.

>> If that is the case, you need to to fix or remove that script. What runs
>> on your machine is your responsibility.

[..]

> My goodness.

> Yes I understand that what runs on my machine is my responsibility. But
> that doesn't mean I have the expertise to fix it. I've been on the phone
> for hours trying to fix this problem.

> Still, If I could find a way to have sendmail filter out messages that
> don't have authorized return addresses I could stop the problem. That would
> be taking responsibility yes? I don't know if I can find the script or
> close the security hole. I've had professional Linux administrators trying
> to fix this and they're having a problem.

They didn't really look, your box is completely compromised
(seems unlikely though not impossible) or they just don't have
the skills you think they have.

> I really came here for help, not arrogance.

Then show us the relevant logs, I have already pointed to them
(8o0u44-7sv.ln1@news.heiming.de), unless your box is completely
compromised they should tell the exact story of what is
happening. Any drivel won't get you closer to the solution,
provide real data, so people can have a look.

Still, we have zero information from you: OS/version,
Apache/PHP/version, sendmail/version and alike.

Good luck

BTW
Please stop top-posting, thx.
--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 434: Please state the nature of the technical
emergency

Re: Limit From only authorized senders HELP ME PLEASE!

on 12.12.2006 03:15:01 by Bill Cole

In article ,
"Noam Dworman" wrote:

> My goodness.
>
> Yes I understand that what runs on my machine is my responsibility. But
> that doesn't mean I have the expertise to fix it. I've been on the phone
> for hours trying to fix this problem.
>
> Still, If I could find a way to have sendmail filter out messages that
> don't have authorized return addresses I could stop the problem. That would
> be taking responsibility yes? I don't know if I can find the script or
> close the security hole. I've had professional Linux administrators trying
> to fix this and they're having a problem.
>
> I really came here for help, not arrogance.


I don't mean to come across as arrogant, but what your "professional"
admins seem to be neglecting to tell you is a very basic rule: if your
machine is being used by others in an ongoing criminal enterprise, you
should shut it off rather than continue to be a contributor to that
activity.

If you don't stop the problem yourself, you risk having it stopped for
you by your service provider or law enforcement. Those are far worse
options than disabling PHP or shutting down a website for a day. Your
problem is not fundamentally a Sendmail issue, because in all likelihood
the most common and simple approach to meet the needs of a web server
that has to send mail is to make Sendmail trust the local machine.

The best approach is to make all mail submission (even from localhost)
require authentication, but that's likely to have more complexity to it
than you can reasonably expect to have addressed in a newsgroup.

--
Now where did I hide that website...