
Scalix server overrun by Spam?

Posted: Mon Apr 02, 2007 2:40 pm
by m2pilot
Hi all-

I'm desperate. My scalix server seems to have been under siege since mid-March & I can't stop it. I am getting hundreds of sendmail connections to a variety of tlds all ending in .hinet.net None of my own mail is processing - sendmail is fully consumed dealing with these connections to .hinet.net 'servers'.

I have shut sendmail down to avoid passing spam, but everything I've done to try to fix this has gone nowhere. I've added every blacklist to sendmail that I can think of. I've added a hosts.deny entry for ALL aimed at .hinet.net . I've spent hours searching the net trying to find a solution. Nothing has stopped it.

Any pointers either within Scalix, or sites I should go read would be enormously helpful.

Thanks,

Mark

Posted: Mon Apr 02, 2007 2:44 pm
by Shredder
Can you post your /var/opt/scalix/??/s/sys/smtpd.cfg file?

Thanks,
Shredder

Posted: Mon Apr 02, 2007 2:53 pm
by m2pilot
Here's the file. I am enormously suspicious of the line RELAY accept .net -- how did such a thing get there?


# NB Authenticated RELAYs are always allowed
RELAY accept 127.0.0.1
RELAY accept .net
RELAY Log_Reject ALL

# extra rules added to prevent open relay usage
RECIPIENT Log_Reject *@*@*
RECIPIENT Log_Reject *%*
RECIPIENT Log_Reject *!*
RECIPIENT Log_Reject *#*@*

# The following group sets the configuration for the submission listener
# This listener is only active if SUBMIT=ON is above
# By default it binds to port 587
[SUBMIT]
#LISTEN=localhost:587
# Reject all anonymous connections
ANONYMOUS Log_Reject ALL



# The following group sets the configuration for the lmtp listener
# This listener is only active if LMTP=ON is above
[LMTP]
LISTEN=localhost:24
# Use the following line to listen on a unix domain socket
#LISTEN=~/tmp/lmtp.unix

Posted: Mon Apr 02, 2007 3:06 pm
by Shredder
That is the problem.

That line should be:

RELAY accept .your.domain

Make sure of the leading period before the domain.

Then do a

omoff -d0 -w 0 smtpd && omon smtpd


Post if that clears it up.

Thanks,
Shredder
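
The difference between the posted `RELAY accept .net` and the suggested `RELAY accept .your.domain` can be checked mechanically. The script below is an added example, not Scalix code and not part of Shredder's reply: it parses the RELAY lines of an smtpd.cfg fragment, decides whether a given connecting host could relay, and flags accept rules that are far broader than intended. The matching semantics (first matching rule wins; a leading-period pattern matches the domain and every host under it; ALL matches everything; other patterns match the host name or IP literal exactly; authenticated clients always relay, as the config comment says) are an assumption made for illustration, and `.supinski.example` is a hypothetical stand-in for `.your.domain`.

```python
"""Evaluate and lint the RELAY rules of a Scalix smtpd.cfg (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# The RELAY section as posted in the thread (comments trimmed).
POSTED_CFG = """\
RELAY accept 127.0.0.1
RELAY accept .net
RELAY Log_Reject ALL
"""

# The same section after the suggested fix; .supinski.example is a
# hypothetical stand-in for ".your.domain".
FIXED_CFG = """\
RELAY accept 127.0.0.1
RELAY accept .supinski.example
RELAY Log_Reject ALL
"""


@dataclass
class RelayRule:
    action: str    # "accept" or "Log_Reject"
    pattern: str   # ALL, .domain, host name or IP literal


def parse_relay_rules(cfg: str) -> List[RelayRule]:
    """Pull 'RELAY <action> <pattern>' lines out of an smtpd.cfg fragment."""
    rules = []
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3 and parts[0].upper() == "RELAY":
            rules.append(RelayRule(parts[1], parts[2]))
    return rules


def pattern_matches(pattern: str, host: str) -> bool:
    """Assumed semantics: ALL, leading-period suffix match, or exact match."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if pattern.startswith("."):
        suffix = pattern[1:]
        return host == suffix or host.endswith("." + suffix)
    return host == pattern


def relay_allowed(rules: List[RelayRule], host: str, authenticated: bool = False) -> bool:
    """Would a connection from `host` be allowed to relay to outside domains?"""
    if authenticated:            # "Authenticated RELAYs are always allowed"
        return True
    for rule in rules:           # first match wins (assumption)
        if pattern_matches(rule.pattern, host):
            return rule.action.lower() == "accept"
    return False                 # assumption: no matching rule means no relay


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


# A leading period followed by a single label: ".net", ".com", ".tw" ...
_BARE_TLD = re.compile(r"^\.[a-z0-9-]+$", re.IGNORECASE)


def lint_relay_rules(rules: List[RelayRule]) -> List[str]:
    """Flag accept rules that open the server up to far more than intended."""
    findings = []
    for rule in rules:
        if rule.action.lower() != "accept":
            continue
        p = rule.pattern
        if p.upper() == "ALL":
            findings.append("RELAY accept ALL: relays for every client (open relay)")
        elif _BARE_TLD.match(p):
            findings.append(f"RELAY accept {p}: relays for every host under the {p} TLD (open relay)")
        elif not p.startswith(".") and not _is_ip(p):
            findings.append(f"RELAY accept {p}: no leading period, so hosts under {p} do not match")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CFG), ("fixed", FIXED_CFG)):
        rules = parse_relay_rules(cfg)
        print(label, "msa.hinet.net may relay:", relay_allowed(rules, "msa.hinet.net"))
        for finding in lint_relay_rules(rules):
            print("  ", finding)
```

Run against the posted fragment it reports that any host under .net (msa.hinet.net included) may relay; against the fixed fragment only hosts under the local domain and 127.0.0.1 can, and the lint is clean. The third lint case is the one Shredder warns about: a domain without the leading period matches only that exact host name.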

Posted: Mon Apr 02, 2007 3:30 pm
by m2pilot
Thanks very much for the assistance. I made the necessary change in the smtpd.cfg file, but the omoff command did not run as expected. Here is the log:

omoff -d0 -w 0 smtpd && omon smtpd
omoff : [OM 4901] Sub-system not installed: '0'
No subsystems shut down.

Posted: Mon Apr 02, 2007 3:33 pm
by craig
take the second 0 out..just -w smtpd && omon smtpd

Posted: Mon Apr 02, 2007 3:41 pm
by m2pilot
Ran the command without the second 0 and it completed normally.

Restarted Sendmail, and...

... about 100 connections with *.hinet.net opened within seconds.

So, while I believe this was definitely a problem that needed fixing, it does not seem to have addressed my problem. Should I restart the entire server -- i.e., is something cached that a restart will flush?

Any other ideas?

Mark

Posted: Mon Apr 02, 2007 4:23 pm
by Shredder
Sorry about the extra 0 in there.

The connections could be valid connections.

The setting in the smtpd.cfg file says which domains you receive email from.

Hopefully your system is now rejecting those connections, but there are so many trying to send mail through you. I would check your /var/log/mail.info (or maillog) file to see if mail is being relayed to other domains or just being dropped.

Shredder

Posted: Mon Apr 02, 2007 5:24 pm
by m2pilot
Well, I don't think I'm out of the woods -- here's a snippet of my maillog -- sure looks like things are getting relayed through via 127.0.0.1??? Boy, I'd really like to grab these guys by the throat...

Apr 2 14:53:20 supinski sendmail[13291]: l32KrKiO013291: from=<min.yt@msa.hinet.net>, size=6702, class=0, nrcpts=1, msgid=<WLPLKFSWSNRVFURBMJMOSAT@msa.hinet.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Apr 2 14:53:21 supinski sendmail[13301]: l32KrKA7013301: from=<min.yt@msa.hinet.net>, size=6702, class=0, nrcpts=1, msgid=<WLPLKFSWSNRVFURBMJMOSAT@msa.hinet.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Apr 2 14:53:21 supinski sendmail[13312]: l32KrLaC013312: from=<min.yt@msa.hinet.net>, size=6702, class=0, nrcpts=1, msgid=<WLPLKFSWSNRVFURBMJMOSAT@msa.hinet.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Apr 2 14:53:21 supinski sendmail[13320]: l32KrLEg013320: from=<min.yt@msa.hinet.net>, size=6702, class=0, nrcpts=1, msgid=<WLPLKFSWSNRVFURBMJMOSAT@msa.hinet.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Apr 2 14:53:21 supinski sendmail[9490]: l32KpL4g009484: to=<nekket@ms14.hinet.net>, delay=00:02:00, xdelay=00:02:00, mailer=esmtp, pri=126697, relay=ms14a.hinet.net. [168.95.5.14], dsn=4.0.0, stat=Deferred: Connection timed out with ms14a.hinet.net.
Apr 2 14:53:21 supinski sendmail[13335]: l32KrLT5013335: from=<min.yt@msa.hinet.net>, size=6702, class=0, nrcpts=1, msgid=<WLPLKFSWSNRVFURBMJMOSAT@msa.hinet.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Apr 2 14:53:21 supinski sendmail[9501]: l32KpL02009495: to=<nekki@ms65.hinet.net>, delay=00:02:00, xdelay=00:02:00, mailer=esmtp, pri=126697, relay=ms65a.hinet.net. [168.95.5.65], dsn=4.0.0, stat=Deferred: Connection timed out with ms65a.hinet.net.
Apr 2 14:53:22 supinski sendmail[13343]: l32KrLPo013343: from=<min.yt@msa.hinet.net>, size=6702, class=0, nrcpts=1, msgid=<WLPLKFSWSNRVFURBMJMOSAT@msa.hinet.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Apr 2 14:53:22 supinski sendmail[13357]: l32KrM59013357: from=<min.yt@msa.hinet.net>, size=6702, class=0, nrcpts=1, msgid=<WLPLKFSWSNRVFURBMJMOSAT@msa.hinet.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Apr 2 14:53:22 supinski sendmail[13366]: l32KrMMT013366: from=<min.yt@msa.hinet.net>, size=6702, class=0, nrcpts=1, msgid=<WLPLKFSWSNRVFURBMJMOSAT@msa.hinet.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Apr 2 14:53:22 supinski sendmail[13375]: l32KrMD2013375: from=<chuang.chai@msa.hinet.net>, size=6695, class=0, nrcpts=1, msgid=<YCHGGWFDIRNYKDLKCSODJ@msa.hinet.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]

Posted: Mon Apr 02, 2007 5:50 pm
by Shredder
That is normal. Because there is no stat=Sent entry the message was just dropped.

You'll have to weather the hit on your server for a while until those go away.

I think you are fine though for not being an OpenRelay.

You can go to www.abuse.net/relay.html to test your server as an open relay.

Shredder

Posted: Mon Apr 02, 2007 6:15 pm
by m2pilot
Shredder I sure appreciate your help. I went searching through the mail log looking for Sent and I found a ton of them. For instance:

Apr  2 14:50:36 supinski sendmail[7980]: l32KoXUF007974: to=<na.emini@msa.hinet.net>, delay=00:00:03, xdelay=00:00:03, mailer=esmtp, pri=126874, relay=msa-mx11.hinet.net. [168.95.5.247], dsn=2.0.0, stat=Sent (FAA22638 Message accepted for delivery)


So I'm afraid I still have something screwed up. I noticed in the smtpd.cfg file that I could put DNSBL entries there too -- so I added the three I also added in sendmail.

It seems like I have been attacking this problem backward -- from the sendmail end vs the Scalix end. Am I correct that in fact Scalix has been receiving and relaying all the Spam? So sendmail passes everything because all it sees is a localhost connection (from scalix) and away it goes?

If I am correct, then all this time that I have had sendmail shut down, a ton of spam has been merrily queuing up in my server. How can I find this queue and delete it all? Perhaps the problems I am seeing in the sendmail maillog are just queued up stuff. What I'd like to do is kill everything that hasn't yet been sent & then watch the logs to see if anything "new" gets past to determine if I have closed the hole.

BTW -- I did go to that link above & it reported 550 rejected -- so it at least thinks I am not relaying.

Thanks *VERY* much for the help thus far!
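
Shredder's test (no stat=Sent means the message was dropped) and Mark's find (stat=Sent entries to hinet.net) can be turned into a log triage that answers the question directly. The script below is an added example, not from either post: sendmail logs each message under a queue ID, a `from=` line when it is accepted (with `relay=` naming the client that handed it in, here localhost because Scalix does the hand-off) and a `to=` line per delivery attempt carrying `stat=`. A message whose sender and recipient are both outside the local domains is third-party relay traffic; `stat=Sent` means it left the server, anything else (Deferred) means it is still in the queue. The script also reports a Message-ID reused across several queue IDs, which is what the posted log shows. The sample log lines are constructed for the example, modelled on the thread's entries; `supinski.example` is a hypothetical local domain.

```python
"""Triage a sendmail maillog for third-party relaying (added example)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample, modelled on the lines posted in the thread.
SAMPLE_MAILLOG = """\
Apr  2 14:50:33 supinski sendmail[7974]: l32KoXUF007974: from=<min.yt@msa.hinet.net>, size=6702, class=0, nrcpts=1, msgid=<WLPLKFSWSNRVFURBMJMOSAT@msa.hinet.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Apr  2 14:50:36 supinski sendmail[7980]: l32KoXUF007974: to=<na.emini@msa.hinet.net>, delay=00:00:03, xdelay=00:00:03, mailer=esmtp, pri=126874, relay=msa-mx11.hinet.net. [168.95.5.247], dsn=2.0.0, stat=Sent (FAA22638 Message accepted for delivery)
Apr  2 14:51:21 supinski sendmail[9484]: l32KpL4g009484: from=<min.yt@msa.hinet.net>, size=6702, class=0, nrcpts=1, msgid=<WLPLKFSWSNRVFURBMJMOSAT@msa.hinet.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Apr  2 14:53:21 supinski sendmail[9490]: l32KpL4g009484: to=<nekket@ms14.hinet.net>, delay=00:02:00, xdelay=00:02:00, mailer=esmtp, pri=126697, relay=ms14a.hinet.net. [168.95.5.14], dsn=4.0.0, stat=Deferred: Connection timed out with ms14a.hinet.net.
Apr  2 14:55:02 supinski sendmail[9700]: l32Kt2Ab009700: from=<mark@supinski.example>, size=812, class=0, nrcpts=1, msgid=<20070402205502.GA1@supinski.example>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Apr  2 14:55:03 supinski sendmail[9702]: l32Kt2Ab009700: to=<friend@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30812, relay=mx.example.org. [192.0.2.25], dsn=2.0.0, stat=Sent (ok)
Apr  2 14:56:10 supinski sendmail[9710]: l32KuAcd009710: from=<news@example.org>, size=2048, class=0, nrcpts=1, msgid=<abc@example.org>, proto=ESMTP, daemon=MTA, relay=mx.example.org [192.0.2.25]
Apr  2 14:56:10 supinski sendmail[9710]: l32KuAcd009710: to=<mark@supinski.example>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=32048, dsn=2.0.0, stat=Sent
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$"
)


def parse_fields(rest: str) -> Dict[str, str]:
    """Split 'k=v, k=v, ...' into a dict; angle brackets around addresses are dropped."""
    fields = {}
    for chunk in rest.split(", "):
        key, sep, value = chunk.partition("=")
        if sep:
            fields[key] = value.strip("<>")
    return fields


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def summarize(log_text: str, local_domains: Iterable[str]) -> Dict[str, object]:
    """Classify every delivery attempt; relayed_* are the third-party messages."""
    local = {d.lower() for d in local_domains}
    envelopes: Dict[str, Dict[str, str]] = {}
    deliveries: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = parse_fields(m["rest"])
        if "from" in fields:
            envelopes[m["qid"]] = fields
        elif "to" in fields:
            deliveries[m["qid"]].append(fields)

    report: Dict[str, object] = {
        "relayed_sent": [], "relayed_deferred": [], "local_outbound": [], "inbound": [],
    }
    msgid_qids: Dict[str, set] = defaultdict(set)
    for qid, env in envelopes.items():
        msgid_qids[env.get("msgid", "")].add(qid)
        # An empty envelope sender is a bounce generated by this MTA: treat as local.
        sender_local = env["from"] == "" or domain_of(env["from"]) in local
        for attempt in deliveries.get(qid, []):
            for rcpt in attempt["to"].split(","):
                rcpt = rcpt.strip("<> ")
                stat = attempt.get("stat", "")
                if sender_local:
                    report["local_outbound"].append(qid)
                elif domain_of(rcpt) in local:
                    report["inbound"].append(qid)
                elif stat.startswith("Sent"):          # relayed and gone
                    report["relayed_sent"].append((qid, env["from"], rcpt))
                else:                                   # relayed, still queued
                    report["relayed_deferred"].append((qid, env["from"], rcpt))
    # The same Message-ID under many queue IDs is the signature of bulk injection.
    report["reused_msgids"] = {m: sorted(q) for m, q in msgid_qids.items() if len(q) > 1}
    return report


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_MAILLOG, {"supinski.example"}).items():
        print(f"{key}: {value}")
```

Against the constructed sample, one hinet.net message was relayed and delivered, one is deferred in the queue, the local user's outbound and the inbound message are classified as legitimate, and the duplicated Message-ID is reported with both queue IDs. On a real server the same classification, fed with `grep` output for `relay=localhost`, separates what Scalix handed off from what sendmail queued.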

Posted: Mon Apr 02, 2007 8:02 pm
by m2pilot
Ok -- looks like the changes Shredder suggested have taken hold.

I can now see lots of rejected relay attempts in SAC. And sendmail is quiet.

I have a different question now, but I'll open a different thread for it.

THANKS TO EVERYONE! I sure appreciate the timely help & info. Boy I hate the idea that I was part of the SPAM problem.

Mark

Posted: Mon Apr 02, 2007 9:24 pm
by jaime.pinto
You may not be out of the woods yet.

Since you left an open relay for an extended period of time, it's possible your IP got reported and blacklisted on a number of subscription services, which in practice means that IP is useless now. You could now have several legitimate emails from your server being rejected by other mail servers. Trying to "clean your name" at this stage is a vain exercise.
Be prepared to have to assign a new IP to your server. Not only this, if you are behind a firewall with port forwarding or NAT, the firewall itself may need a new IP.

Good luck.
Jaime
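
Whether the server's IP has in fact been listed can be checked the same way the DNSBLs mentioned earlier in the thread are consulted by sendmail. The script below is an added example, not part of Jaime's reply: a DNSBL is queried by reversing the IPv4 octets and appending the list's zone, an A record inside 127.0.0.0/8 means "listed" (the last octet encodes the reason, list by list), and NXDOMAIN means not listed. The zones are well-known public lists chosen for illustration, since the thread does not say which three were configured; the resolver is injectable so the logic can be exercised offline, and 127.0.0.2 is the conventional always-listed test address.

```python
"""Check a mail server's IP against DNS-based blocklists (added example)."""
import socket
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]

# Illustrative public zones; the thread does not name the ones actually used.
DNSBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org"]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """192.0.2.1 on zone Z becomes 1.2.0.192.Z."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def resolve_a(name: str) -> Optional[str]:
    """Live resolver: first A record, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbl(ip: str, zones: List[str] = DNSBL_ZONES,
                resolve: Resolver = resolve_a) -> Dict[str, Optional[str]]:
    """Map each zone to its 127.0.0.x listing code, or None if not listed."""
    results: Dict[str, Optional[str]] = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        # Only a 127.0.0.0/8 answer is a listing. A resolver that wildcards
        # NXDOMAIN to some web address, or a dead zone, must not count as listed.
        results[zone] = answer if answer and answer.startswith("127.") else None
    return results


def listed_on(ip: str, zones: List[str] = DNSBL_ZONES,
              resolve: Resolver = resolve_a) -> List[str]:
    return [zone for zone, code in check_dnsbl(ip, zones, resolve).items() if code]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.2"
    for zone, code in check_dnsbl(target).items():
        print(f"{zone:28s} {code or 'not listed'}")
```

Run with the server's public IP as the argument it prints a per-zone verdict; run with no argument it queries the 127.0.0.2 test entry, which every working list answers, so a row of "not listed" there means the resolver, not the IP, is the problem. Listings must be cleared at each list's own delisting page; the script only tells you where to look.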