Massive outgoing on port 25. Under attack?

bluemike
Posts: 202
Joined: Fri Oct 28, 2005 1:30 pm
Location: Everett,WA

Postby bluemike » Tue Oct 17, 2006 11:57 am

Over the past few days I have been seeing about 8K messages/hour in my syslog showing something similar to the following:

    allow out eth1:0 60 tcp 20 64 192.168.111.17 (emailserver) 68.142.82.239 (badaling2.goldenware.com) 51218 25 syn (SMTP-Outgoing)

Not all the traffic is going to (or attempting to go to) that specific goldenware.com server. There are many different servers involved, but all from goldenware.com.
Interestingly, the corresponding incoming traffic is also listed, but it is being blocked by the firewall. I guess I don't understand how I have nothing coming in from these servers, but so much going out....

I have used three different methods to make sure I'm not an open relay. I have blocked all INCOMING traffic from all the goldenware.com IPs. I have even blacklisted all their IPs in my Barracuda spam firewall. But I continue to get all these outgoing attempts.

I rebooted the Scalix server, and after the restart the message did not appear for about an hour. But then they all started again.

Is there some newbie mistake I am making here? My typical syslog traffic is 3K messages per hour. Now I am running at 13K and it's still climbing...
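
An added example (not from this thread, and not Scalix or firewall vendor code) of the triage a responder would run over syslog lines like the one quoted above: parse the firewall record layout, count allowed outbound tcp/25 connection attempts per destination domain and per internal source, tally blocked inbound tcp/25 attempts from the same domains, and compare the outbound rate against the 3K/hour baseline the poster gives. The sample records are constructed to match the quoted format; the extra goldenware.com hostnames, the 203.0.113.10 destination, and the `deny in ...` layout for blocked inbound records are assumptions, since the post shows only one line.

```python
"""Triage outbound SMTP bursts from firewall syslog lines.

Added example for this thread, not Scalix or firewall vendor code.  The record
layout is taken from the single line quoted in the post; the sample records
below are constructed, and the 'deny in ...' layout for blocked inbound packets
is an assumption (the post does not show one).
"""
import re
from collections import Counter

# allow out eth1:0 60 tcp 20 64 SRC (src-name) DST (dst-name) SPORT DPORT flags (RULE)
LOG_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<dir>in|out)\s+\S+\s+\d+\s+(?P<proto>\w+)\s+\d+\s+\d+\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+\((?P<src_name>[^)]*)\)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+\((?P<dst_name>[^)]*)\)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<flags>\w+)\s+\((?P<rule>[^)]*)\)\s*$"
)

# Constructed sample: first line is the one quoted in the post, the rest are made up.
SAMPLE_LOG = """\
allow out eth1:0 60 tcp 20 64 192.168.111.17 (emailserver) 68.142.82.239 (badaling2.goldenware.com) 51218 25 syn (SMTP-Outgoing)
allow out eth1:0 60 tcp 20 64 192.168.111.17 (emailserver) 68.142.82.240 (badaling3.goldenware.com) 51219 25 syn (SMTP-Outgoing)
allow out eth1:0 60 tcp 20 64 192.168.111.17 (emailserver) 68.142.82.241 (mx1.goldenware.com) 51220 25 syn (SMTP-Outgoing)
allow out eth1:0 60 tcp 20 64 192.168.111.17 (emailserver) 68.142.82.239 (badaling2.goldenware.com) 51221 25 syn (SMTP-Outgoing)
allow out eth1:0 60 tcp 20 64 192.168.111.17 (emailserver) 203.0.113.10 (mail.example.net) 51222 25 syn (SMTP-Outgoing)
deny in eth1:0 60 tcp 20 64 68.142.82.239 (badaling2.goldenware.com) 192.168.111.17 (emailserver) 4021 25 syn (SMTP-Incoming)
allow out eth1:0 60 tcp 20 64 192.168.111.17 (emailserver) 203.0.113.10 (mail.example.net) 51223 443 syn (HTTPS-Outgoing)
this line is not firewall output
"""

def parse_line(line):
    """Return a dict of fields for one firewall record, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec

def registered_domain(hostname):
    """Collapse badaling2.goldenware.com to goldenware.com by keeping the last two
    labels.  Adequate for the hosts in this thread; it would mis-split e.g. .co.uk."""
    labels = hostname.strip().rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname

def summarize_smtp(lines):
    """Count allowed outbound tcp/25 attempts per destination domain and per internal
    source, plus blocked inbound tcp/25 attempts per source domain."""
    out_by_domain, out_by_src, blocked_in_by_domain = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != 25:
            continue
        if rec["dir"] == "out" and rec["action"] == "allow":
            out_by_domain[registered_domain(rec["dst_name"])] += 1
            out_by_src[rec["src"]] += 1
        elif rec["dir"] == "in" and rec["action"] != "allow":
            blocked_in_by_domain[registered_domain(rec["src_name"])] += 1
    return out_by_domain, out_by_src, blocked_in_by_domain

def assess(out_by_domain, baseline_per_hour, window_hours=1.0, share_threshold=0.5):
    """Flag a burst when the outbound rate exceeds the normal hourly volume AND one
    destination domain takes most of it (the thread's pattern: all to goldenware.com)."""
    total = sum(out_by_domain.values())
    rate = total / window_hours
    top_domain, top_count = out_by_domain.most_common(1)[0] if total else (None, 0)
    share = top_count / total if total else 0.0
    return {
        "total": total,
        "rate_per_hour": rate,
        "top_domain": top_domain,
        "top_share": share,
        "suspicious": rate > baseline_per_hour and share >= share_threshold,
    }

if __name__ == "__main__":
    by_domain, by_src, blocked_in = summarize_smtp(SAMPLE_LOG.splitlines())
    print("outbound tcp/25 by destination domain:", dict(by_domain))
    print("outbound tcp/25 by internal source:   ", dict(by_src))
    print("blocked inbound tcp/25 by domain:     ", dict(blocked_in))
    # The poster's normal volume is about 3K lines/hour; pass the real window to assess().
    print(assess(by_domain, baseline_per_hour=3000))
```

Run it against a real hour of syslog (`grep SMTP-Outgoing /var/log/messages`) rather than the embedded sample; `out_by_src` matters because a single internal source hammering one destination domain points at the mail server itself generating the traffic (bounces, a queue retrying, or a relayed batch), while many internal sources point at infected clients.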

ianare
Posts: 61
Joined: Tue Sep 19, 2006 1:13 pm

Postby ianare » Tue Oct 17, 2006 1:24 pm

I was having similar problems. I'll save you the trouble of searching around and redirect you to what worked for me.
This one is the 'starter' one. It may resolve your issue. It helped a lot, but didn't completely fix my problem:
http://www.scalix.com/community/viewtopic.php?t=3950

This one shows the setup I used and the outcome of it; the final solution to the problem is linked at the end.
http://www.scalix.com/community/viewtopic.php?p=19413

Also, these settings in /etc/mail/sendmail.mc helped:

    define(`confPRIVACY_FLAGS', `goaway,noreceipts')dnl
    define(`confDONT_PROBE_INTERFACES',true)dnl

Make sure to run 'omsendin' after 'make'-ing your sendmail.mc!

Good luck!

bluemike
Posts: 202
Joined: Fri Oct 28, 2005 1:30 pm
Location: Everett,WA

Postby bluemike » Tue Oct 17, 2006 2:09 pm

Well, I added those lines to sendmail.mc and remade the .cf. We will see what that does.
Regarding the other thread, the last post pointed me to yet another thread about switching to smtps. I'm not sure if I am ready to go that far...

Thanks for the advice though!

ianare
Posts: 61
Joined: Tue Sep 19, 2006 1:13 pm

Postby ianare » Tue Oct 17, 2006 2:48 pm

Unfortunately for me, it didn't stop completely until I switched to smtps. Doing that only took 10-15 minutes, but then again I didn't have thousands of messages piled up in my mailq. When I first started to do something about this, I had about 450,000 messages stuck in the queue; I just deleted them all, otherwise restarting the Scalix server was taking a looooong time.

bluemike
Posts: 202
Joined: Fri Oct 28, 2005 1:30 pm
Location: Everett,WA

Postby bluemike » Tue Oct 17, 2006 3:42 pm

Well, I think I buggered it up.

While trying to edit sendmail.mc, I accidentally opened and edited submit.mc instead. As soon as I realized what I did I changed it back, but now NO mail is coming in. Good times...

bluemike
Posts: 202
Joined: Fri Oct 28, 2005 1:30 pm
Location: Everett,WA

Postby bluemike » Fri Oct 20, 2006 6:38 pm

I got it working again :D

And I added this to sendmail (I made sure it wasn't 'submit' this time):

    define(`confPRIVACY_FLAGS', `goaway,noreceipts')dnl
    define(`confDONT_PROBE_INTERFACES',true)dnl

Then I remade sendmail. The problem went away for about 24 hours. But now we are back up to 15K messages/hour.

Maybe I will look into the whole smtps thing. Is that transparent on the sender side? I mean, it's not like anybody sending me mail has to use a special port or something, is it?

ianare
Posts: 61
Joined: Tue Sep 19, 2006 1:13 pm

Postby ianare » Mon Oct 23, 2006 10:37 am

Yes, receiving email still works the exact same way, but sending is done through the secure socket.

bluemike
Posts: 202
Joined: Fri Oct 28, 2005 1:30 pm
Location: Everett,WA

Postby bluemike » Mon Oct 23, 2006 12:40 pm

So when sending, does the recipient on the other end need a special socket open or something?

ianare
Posts: 61
Joined: Tue Sep 19, 2006 1:13 pm

Postby ianare » Mon Oct 23, 2006 1:34 pm

People sending you mail or receiving your mail do not need to make any changes.

Really the only part that's secure is the internal relaying, like from Scalix webmail -> SMTP server, or local client -> SMTP server. However, this does make it harder for your server to act as a spam relay, since you are only accepting relay on 127.0.0.1. At least that's how I'm understanding it.
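
An added example (not from this thread, and not Scalix or sendmail code) that models the relay policy described in the post above: a recipient in one of our own domains is always accepted for final delivery, a recipient elsewhere is accepted only when the submitting client arrives over the loopback path (webmail or a local client coming through the stunnel listener), and everything else gets the relay-denied reply. Real sendmail enforces this through access.db, relay-domains and the listener's bind address; this sketch only shows the decision logic and the external probe an open-relay checker performs. The local domain list and the probe client address are assumed values.

```python
"""Relay policy sketch: accept relay only from the loopback path.

Added example for this thread, not Scalix or sendmail code.  It models the policy
the post describes (relaying permitted only when the submitting client is
127.0.0.1, i.e. webmail or a local client arriving through the stunnel listener);
the local domain list and the probe client address are assumed values.
"""
import ipaddress

LOCAL_DOMAINS = {"example.com", "mail.example.com"}   # assumed: domains we deliver for
RELAY_CLIENTS = {"127.0.0.1", "::1"}                  # only the loopback path may relay

def recipient_domain(rcpt_to):
    """Domain part of an RCPT TO argument such as '<user@example.com>'; None if malformed."""
    addr = rcpt_to.strip().strip("<>")
    if addr.count("@") != 1:
        return None
    local_part, domain = addr.split("@")
    if not local_part or not domain:
        return None
    return domain.lower().rstrip(".")

def relay_decision(client_ip, rcpt_to, local_domains=LOCAL_DOMAINS, relay_clients=RELAY_CLIENTS):
    """Return an SMTP-style (code, text) reply for one RCPT TO issued by client_ip."""
    domain = recipient_domain(rcpt_to)
    if domain is None:
        return 501, "Bad recipient address syntax"
    if domain in local_domains:
        return 250, "Recipient ok"                      # final delivery, not relaying
    client = ipaddress.ip_address(client_ip)
    if any(client == ipaddress.ip_address(c) for c in relay_clients):
        return 250, "Recipient ok (relay from trusted local path)"
    return 554, "Relay access denied"

def is_open_relay(probe_client, **policy):
    """The classic external probe: an outside client asks us to deliver to an outside
    domain.  True means the policy would relay it, i.e. the server is an open relay."""
    code, _ = relay_decision(probe_client, "<victim@outside.example>", **policy)
    return code == 250

if __name__ == "__main__":
    for client, rcpt in [("203.0.113.5", "<user@example.com>"),
                         ("203.0.113.5", "<victim@outside.example>"),
                         ("127.0.0.1", "<victim@outside.example>")]:
        print(client, rcpt, "->", relay_decision(client, rcpt))
    print("open relay from the outside?", is_open_relay("203.0.113.5"))
```

The probe in `is_open_relay` is what the "three different methods" of relay testing mentioned earlier all boil down to; note that it says nothing about mail the server itself originates (bounces, notifications, queued retries), which is why a server can pass every relay test and still flood port 25.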

bluemike
Posts: 202
Joined: Fri Oct 28, 2005 1:30 pm
Location: Everett,WA

Postby bluemike » Mon Oct 23, 2006 8:03 pm

Okay, so the secure SMTP steps indicate this:

    cert = /path/to/stunnel-cert.pem
    key = /path/to/stunnel-key.pem

Don't I have to create those? How is that done? Through openssh maybe?
