spam sucks
@postmaster email:
The original message was received at Fri, 27 Jun 2003 22:21:50 -0400
from localhost
with id h5S2Logs028050

   ----- The following addresses had permanent fatal errors -----
<china9988@21cn.com>
    (reason: 550 is now disabled with SMTP service.)

   ----- Transcript of session follows -----
... while talking to mta.21cn.com.:
>>> RCPT To:<china9988@21cn.com>
<<< 550 is now disabled with SMTP service.
550 5.1.1 <china9988@21cn.com>... User unknown
I was curious so I checked the /var/log/mail.log file to see if there was anything suspicious and here is what I found.
@/var/log/mail.log:
Jun 27 22:21:49 (none) sm-mta[28048]: h5S2Llgt028048: from=<china9988@21cn.com>, size=159, class=0, nrcpts=1, msgid=<200306280221.h5S2Llgt028048@li-24.members.linode.com>, proto=ESMTP, daemon=MTA, relay=[211.104.38.234]
Jun 27 22:21:50 (none) sm-mta[28050]: h5S2Llgt028048: to=<china9988@21cn.com>, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=120144, relay=mta.21cn.com. [202.104.32.232], dsn=5.5.2, stat=Service unavailable
Jun 27 22:21:50 (none) sm-mta[28050]: h5S2Llgt028048: h5S2Logs028050: DSN: Service unavailable
Jun 27 22:21:52 (none) sm-mta[28050]: h5S2Logs028050: to=<china9988@21cn.com>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=31452, relay=mta.21cn.com. [202.104.32.232], dsn=5.1.1, stat=User unknown
Jun 27 22:21:52 (none) sm-mta[28050]: h5S2Logs028050: h5S2Logt028050: return to sender: User unknown
So did I actually relay that spam mail? Doesn't seem so but I want to make sure.
ps. if i did it, sorry chris (he knows what i'm talking about :)
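One way to answer "did I relay it?" from the log itself, as an added example that is not part of the thread: correlate sendmail's from= and to= records by queue ID and flag any message whose connecting client is outside your trusted networks and whose recipient is not a domain you host. The sample log lines, the hosted domain example.com and the trusted range are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in sendmail's mail.log format, modelled on the thread's lines
# but with RFC 5737 documentation IPs and example domains (not real traffic).
SAMPLE_LOG = """\
Jun 27 22:21:49 (none) sm-mta[28048]: h5S2Llgt028048: from=<spammer@example.net>, size=159, class=0, nrcpts=1, msgid=<1@example.net>, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]
Jun 27 22:21:52 (none) sm-mta[28050]: h5S2Llgt028048: to=<nobody@example.org>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=120144, relay=mx.example.org. [203.0.113.25], dsn=5.1.1, stat=User unknown
Jun 27 22:30:01 (none) sm-mta[28101]: h5S2Uabc028101: from=<me@example.com>, size=512, class=0, nrcpts=1, msgid=<2@example.com>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Jun 27 22:30:02 (none) sm-mta[28102]: h5S2Uabc028101: to=<friend@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30512, relay=mx.example.org. [203.0.113.25], dsn=2.0.0, stat=Sent
Jun 27 22:35:10 (none) sm-mta[28150]: h5S2Zdef028150: from=<bob@example.org>, size=300, class=0, nrcpts=1, msgid=<3@example.org>, proto=ESMTP, daemon=MTA, relay=mx.example.org [203.0.113.25]
Jun 27 22:35:10 (none) sm-mta[28150]: h5S2Zdef028150: to=<me@example.com>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30300, dsn=2.0.0, stat=Sent
"""

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ sm-mta\[\d+\]: (\w+): (.*)$")
KV_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")   # sendmail's "key=value, key=value" fields
IP_RE = re.compile(r"\[([\d.]+)\]")               # the connecting client in relay=host [ip]


def parse_log(text):
    """Group sendmail from=/to= records by queue ID (the token after the PID)."""
    msgs = defaultdict(lambda: {"from": None, "to": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        qid, fields = m.group(1), dict(KV_RE.findall(m.group(2)))
        if "from" in fields:
            ip = IP_RE.search(fields.get("relay", ""))
            fields["client_ip"] = ip.group(1) if ip else None
            msgs[qid]["from"] = fields
        elif "to" in fields:
            msgs[qid]["to"].append(fields)
    return msgs


def find_relayed(text, local_domains, trusted_nets):
    """(qid, client_ip, from, to, stat) for mail from an untrusted client delivered onward."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for qid, rec in parse_log(text).items():
        src = rec["from"]
        ip = src and src.get("client_ip")
        if not ip or any(ipaddress.ip_address(ip) in n for n in nets):
            continue  # no client record, or our own users (localhost, LAN) sending outward
        for dst in rec["to"]:
            domain = dst["to"].strip("<>").rpartition("@")[2].lower()
            # Inbound mail for a hosted domain is not relaying; mail handed to the esmtp
            # mailer for a foreign domain was, even if the far end rejected it as in the thread.
            if domain not in local_domains and dst.get("mailer") != "local":
                hits.append((qid, ip, src["from"], dst["to"], dst.get("stat")))
    return hits
```

Run against the thread's own lines with the server's real hosted domains and LAN ranges; a hit whose stat is a rejection still counts, because the server accepted and tried to deliver the mail.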
@kenny:
li-24.members.linode.com just relayed a test message for me. If you didn't relay that message you could have.
hrmm.. what should i do to stop it so that you can't relay?
EDIT: hehe yea, saw it in the log file. I need to fix this problem with pop-before-smtp. Think that's the problem.
> Jun 28 00:49:25 (none) sm-mta[28366]: h5S4msgs028366: SYSERR(root): Cannot open hash database /etc/mail/popauth.db: Invalid argument
@kenny:
Stop sendmail as soon as possible. The risk isn't a few spam messages, it's getting blacklisted.
I'm not a sendmail user so I can't help much there, but check out:
http://relays.osirusoft.com/mtafix/
It should at least lead you in the right direction.
Kenny
Kenny,
Can you give it another shot for me?
@kenny:
550 5.7.1 <kenny@example.net>... Relaying denied. Proper authentication required.
Looks good :) For future reference, a lookup for "openrelay test" on google will return a number of automated sites that can test this.
Kenny
ok neat.. well. i still don't have relay working for me. just got rid of this pop-before-smtp script i had going.
Hope that helps
--James
My advice to you is, stop your email server immediately and don't even think about starting it again before you know that it won't relay. Besides, you should use your ISP's SMTP server like everyone else does; there is no good reason not to use your ISP's SMTP server.
Good luck.
@antelope:
Besides, you should use your ISP's SMTP server like everyone else does; there is no good reason not to use your ISP's SMTP server.
Saying that "everyone else" uses their ISP's SMTP server is a gross generalization and saying that "there is no good reason not to use your ISP's SMTP server" is just plain false. I have a laptop and use four different providers for connectivity on a regular basis. I have ricochet for home connectivity, but the speed isn't great and I will often go to one of my local wired cafes when I need a faster connection. Using my linode as my SMTP server (with SMTP AUTH and STARTTLS of course) my e-mail "just works"™. Without it, I'd have to reconfigure my mail software every time I left the house. What a pain!
Also, what if your connectivity is from a small provider and some spammer gets an account with them? The spammer will start spamming, either through their mis-configured server or through open relays. Either way, there's a good chance that their addresses will be added to at least some blackholes before they can shut down the spammer. It will take time to get out of those blackholes and during that time your e-mail would be crippled to some extent. If you rely on e-mail for a living you can't afford to have it crippled. By using your own SMTP server and controlling who can bounce mail off of it, the chance that your e-mail will be blocked somewhere is almost zero.
I'm sure that your ISP's SMTP server is fine for you, but for some people there definitely are good reasons not to use their provider's SMTP server as long as they set up their own server correctly.
@sec39:
Can you give it another shot for me?
Back to the real issue. I pointed
Once you get that working, you should think about getting STARTTLS working. It will encrypt all communication–including the username & password. Are you getting the impression that I'm paranoid about security? Well I am, and I always encourage others to be. If you want help with getting STARTTLS try looking here:
The two pages pointed to here are what I used to get it working. Ignore the parts about recompiling unless you can't get it to work after doing everything else; most of the distros I've done this under had everything compiled in and it just needed to be configured or installed. If you need more help, feel free to drop me an e-mail and I'll see what I can do.
--James
You should perhaps make sure relaying from non-local addresses is disabled before installing pop-before-smtp… is it easy for you to run through the package configuration again?
Also, you may want to look at using exim or postfix.. they are somewhat simple to set up, yet still very powerful. Sendmail can be an unforgiving beast.
To the guy ranting about blacklists and irrelevancy: Someone asking in the proper forum for help securing their mail server is responsible and appropriate, and suggesting in a condescending way that they should not be using it because they don't know how is inappropriate, and not helpful in the least. The person wants to learn.
Blacklists are not as severe a problem as you think, and in the case of an ISP wide blacklist, it would be up to linode to deal with the issue, or advise against it. It takes more than one open relay for a few days to get an entire ISP blacklisted.