
Thread: How to find if it is being used as an open relay?

  1. #1

    How to find if it is being used as an open relay?

    A friend has a small company with an openSUSE linux computer and their ISP just told them that something's sending spam. The person who set this computer up is long since gone. They don't know anything about linux and have no idea what programs are on there.

    How would I figure out:

    1. If there's an emailing program on there
    2. Whether it's sending or capable of sending spam
    3. Lock it down

  2. #2

    Re: How to find if it is being used as an open relay?


    Two things to consider. Any box, ever, can be the source of spam if a
    user on that box wants it to be. It does not matter at all whether or not
    the system is running an open relay as a mail server if the box is compromised.

    To see if your box is an open relay... well, there are several ways to be
    an open relay. What kind of spam is the ISP saying is coming from their
    box? Should the box be sending mail at all? If so, what kind of mail,
    from where to where? If the box should never be relaying mail via SMTP,
    just make sure the firewall is, as is the default, blocking SMTP port 25.
    The mail server also, by default, only listens on localhost, so you could
    prevent it that way, though changing the firewall is an easier and usually
    better solution in this case. If the box should never be sending mail at all,
    then watch for when it does and what it sends and work back from there.

    Good luck.

    On 06/11/2010 10:56 AM, 6tr6tr wrote:
    >
    > A friend has a small company with an opensuse linux computer and their
    > ISP just told them that something's sending spam. The person who set
    > this computer up is long since gone. They don't know anything about
    > linux and have no idea what programs are on there.
    >
    > How would I figure out:
    >
    > 1. If there's an emailing program on there
    > 2. Whether it's sending or capable of sending spam
    > 3. Lock it down

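One concrete way to do the "watch for when it does and what it sends and work back from there" step, added here as an example and not taken from any post in this thread: a small Python script that groups Postfix mail-log lines by queue ID, records whether each message arrived over SMTP (and from which client address) or was handed in locally (and by which uid), and then flags two things a spamming box typically shows, mail relayed for a client outside the trusted networks to a non-local domain, and a single origin (one client address or one local account) delivering a burst of external mail. The log lines, host and domain names, addresses, queue IDs and the trusted-network list are all constructed for the example; the record format (smtpd client=, pickup uid=, qmgr from=, smtp/local to= ... status=) is Postfix's own.

```python
"""Work back from a Postfix mail log: who handed mail to the server, and where it went."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in /var/log/mail (Postfix) format; not from any real host.
# Queue IDs 1A2B3C4D01..07 tie the smtpd/pickup, qmgr and delivery lines together.
SAMPLE_LOG = """\
Jun 11 10:01:05 box postfix/pickup[2001]: 1A2B3C4D01: uid=0 from=<root>
Jun 11 10:01:05 box postfix/qmgr[1900]: 1A2B3C4D01: from=<root@box.example.com>, size=812, nrcpt=1 (queue active)
Jun 11 10:01:05 box postfix/local[2010]: 1A2B3C4D01: to=<admin@box.example.com>, relay=local, delay=0.2, dsn=2.0.0, status=sent (delivered to mailbox)
Jun 11 10:03:10 box postfix/smtpd[2101]: 1A2B3C4D02: client=pc7.example.com[192.168.1.10]
Jun 11 10:03:10 box postfix/qmgr[1900]: 1A2B3C4D02: from=<alice@example.com>, size=2310, nrcpt=1 (queue active)
Jun 11 10:03:11 box postfix/smtp[2110]: 1A2B3C4D02: to=<bob@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=1.1, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jun 11 10:15:42 box postfix/smtpd[2201]: 1A2B3C4D03: client=unknown[203.0.113.9]
Jun 11 10:15:42 box postfix/qmgr[1900]: 1A2B3C4D03: from=<promo@example.net>, size=9120, nrcpt=1 (queue active)
Jun 11 10:15:43 box postfix/smtp[2210]: 1A2B3C4D03: to=<victim1@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=0.9, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jun 11 10:15:44 box postfix/smtpd[2201]: 1A2B3C4D04: client=unknown[203.0.113.9]
Jun 11 10:15:44 box postfix/qmgr[1900]: 1A2B3C4D04: from=<promo@example.net>, size=9120, nrcpt=1 (queue active)
Jun 11 10:15:45 box postfix/smtp[2210]: 1A2B3C4D04: to=<victim2@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=0.9, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jun 11 10:20:01 box postfix/pickup[2001]: 1A2B3C4D05: uid=30 from=<wwwrun>
Jun 11 10:20:01 box postfix/qmgr[1900]: 1A2B3C4D05: from=<wwwrun@box.example.com>, size=4100, nrcpt=1 (queue active)
Jun 11 10:20:02 box postfix/smtp[2310]: 1A2B3C4D05: to=<user1@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=0.8, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jun 11 10:20:03 box postfix/pickup[2001]: 1A2B3C4D06: uid=30 from=<wwwrun>
Jun 11 10:20:03 box postfix/qmgr[1900]: 1A2B3C4D06: from=<wwwrun@box.example.com>, size=4100, nrcpt=1 (queue active)
Jun 11 10:20:04 box postfix/smtp[2310]: 1A2B3C4D06: to=<user2@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=0.8, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jun 11 10:20:05 box postfix/pickup[2001]: 1A2B3C4D07: uid=30 from=<wwwrun>
Jun 11 10:20:05 box postfix/qmgr[1900]: 1A2B3C4D07: from=<wwwrun@box.example.com>, size=4100, nrcpt=1 (queue active)
Jun 11 10:20:06 box postfix/smtp[2310]: 1A2B3C4D07: to=<user3@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=0.8, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

_QID = r"(?P<qid>[0-9A-F]{8,12})"
# smtpd: message came in over the network from this client address
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: " + _QID + r": client=(?P<host>[^\[]+)\[(?P<ip>[0-9A-Fa-f.:]+)\]")
# pickup: message was submitted locally (sendmail/mail command) by this uid
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: " + _QID + r": uid=(?P<uid>\d+) from=<")
# qmgr: envelope sender as the queue manager saw it
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: " + _QID + r": from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=\d+")
# delivery agents: one line per recipient with the final status
TO_RE = re.compile(r"postfix/(?:smtp|local|virtual|lmtp)\[\d+\]: " + _QID + r": to=<(?P<rcpt>[^>]*)>.*status=(?P<status>\w+)")


def parse_maillog(text):
    """Group log lines by queue ID into per-message records."""
    msgs = {}
    for line in text.splitlines():
        for regex in (CLIENT_RE, PICKUP_RE, FROM_RE, TO_RE):
            m = regex.search(line)
            if not m:
                continue
            rec = msgs.setdefault(m.group("qid"), {"qid": m.group("qid"), "client_ip": None,
                                                   "uid": None, "sender": "", "recipients": []})
            if regex is CLIENT_RE:
                rec["client_ip"] = m.group("ip")
            elif regex is PICKUP_RE:
                rec["uid"] = int(m.group("uid"))
            elif regex is FROM_RE:
                rec["sender"] = m.group("sender")
            else:
                rec["recipients"].append((m.group("rcpt"), m.group("status")))
            break
    return msgs


def origin_of(rec):
    """Where the message entered Postfix: a network client or a local user account."""
    if rec["client_ip"] is not None:
        return "client:" + rec["client_ip"]
    if rec["uid"] is not None:
        return "uid:%d" % rec["uid"]
    return "unknown"


def find_suspicious(msgs, local_domains, trusted_networks, burst_threshold=3):
    """Return (findings, external_deliveries_per_origin).

    Check 1 (relay): accepted over SMTP from outside trusted_networks and
    delivered to a domain that is not ours.
    Check 2 (burst): one origin delivered >= burst_threshold external messages.
    """
    local = {d.lower() for d in local_domains}
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    findings, per_origin = [], defaultdict(int)
    for qid in sorted(msgs):
        rec = msgs[qid]
        external = [r for r, status in rec["recipients"]
                    if status == "sent" and r.rsplit("@", 1)[-1].lower() not in local]
        if not external:
            continue  # purely local delivery (e.g. cron output to root) is not our problem
        per_origin[origin_of(rec)] += len(external)
        ip = rec["client_ip"]
        if ip is not None and not any(ipaddress.ip_address(ip) in net for net in trusted):
            findings.append((qid, "relayed for untrusted client %s: %s -> %s"
                             % (ip, rec["sender"], ", ".join(external))))
    for origin, count in sorted(per_origin.items()):
        if count >= burst_threshold:
            findings.append((origin, "%d external deliveries from one origin" % count))
    return findings, dict(per_origin)


if __name__ == "__main__":
    found, counts = find_suspicious(parse_maillog(SAMPLE_LOG),
                                    ["box.example.com"], ["127.0.0.0/8", "192.168.1.0/24"])
    for key, reason in found:
        print(key, reason)
```

On the constructed sample the script reports the two messages relayed for the untrusted client and the burst from uid 30 (standing in here for a web-server account that a compromised PHP script might be using), while the mail from the LAN client and the local cron mail to root are left alone. To use it on a real box, feed it the contents of the Postfix log in place of SAMPLE_LOG and give it your own domain and LAN ranges; the queue IDs and origins in the findings are what you work back from.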

  3. #3

    Re: How to find if it is being used as an open relay?

    Thanks for the help!

    ab@novell.com wrote:
    > If the box should never be sending mail at all
    > then watch for when it does and what it sends and work back from there.

    How do I do this?

  4. #4

    Re: How to find if it is being used as an open relay?

    ab@novell.com wrote:
    > watch for when it does and what it sends and work back from there.

    and, I'd suggest looking for the rootkit that may be in charge of
    that machine..

    what version of openSUSE is it running?

    --
    DenverD (Linux Counter 282315)
    CAVEAT: http://is.gd/bpoMD
    posted via NNTP w/TBird 2.0.0.23 | KDE 3.5.7 | openSUSE 10.3
    2.6.22.19-0.4-default SMP i686
    AMD Athlon 1 GB RAM | GeForce FX 5500 | ASRock K8Upgrade-760GX |
    CMedia 9761 AC'97 Audio

  5. #5

    Re: How to find if it is being used as an open relay?

    On Fri, 11 Jun 2010 17:56:01 +0000, 6tr6tr wrote:

    > Thanks for the help!
    >
    > ab@novell.com;2175474 Wrote:
    >> If the box should never be sending mail at all then watch for when it
    >> does and what it sends and work back from there.
    >
    > How do I do this?

    Easiest thing to do would be to start by disabling postfix and/or
    sendmail. Do this in YaST's runlevel editor.

    If it's supposed to send mail, then you'll need to use YaST's
    configuration editor for the mailer program (I believe Postfix is the
    default selection these days) and set up security options to allow mail
    only from the local machine, or to use authenticated SMTP, or from a
    local network (of course, if a machine on the local network is
    compromised, that may be what's causing the issue, too).

    Jim

    --
    Jim Henderson
    openSUSE Forums Administrator
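To make the options in the reply above ("allow mail only from the local machine, or to use authenticated SMTP, or from a local network") concrete, here is an added example that is not from this thread and not YaST's output: two constructed Postfix main.cf fragments, a weak one and a restricted one, plus a small Python checker for the parameters that decide who may relay, inet_interfaces, mynetworks (with mynetworks_style) and smtpd_recipient_restrictions / smtpd_relay_restrictions. The parameter names and restriction keywords are Postfix's own; the network ranges and the fragments themselves are illustrative.

```python
"""Audit the relay-related settings of a Postfix main.cf."""
import ipaddress

# Constructed fragments for illustration, not copied from any real host.
WEAK_MAIN_CF = """
# trusts the whole Internet and short-circuits the relay check with a bare 'permit'
inet_interfaces = all
mynetworks = 127.0.0.0/8, 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks, permit,
    reject_unauth_destination
"""

RESTRICTED_MAIN_CF = """
# localhost and the LAN may relay; everyone else must authenticate
inet_interfaces = localhost
mynetworks = 127.0.0.0/8, 192.168.1.0/24
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""


def parse_main_cf(text):
    """Parse 'key = value' lines; indented lines continue the previous value."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key is not None:
            params[key] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return value.replace(",", " ").split()


def reject_is_effective(restrictions):
    """True if reject_unauth_destination is reached before an unconditional 'permit'.

    permit_mynetworks and permit_sasl_authenticated are conditional and are fine
    ahead of it; a bare 'permit' makes everything after it dead.
    """
    for item in restrictions:
        if item in ("reject_unauth_destination", "defer_unauth_destination"):
            return True
        if item == "permit":
            return False
    return False


def audit_relay_policy(params):
    """Return a list of (severity, message); an empty list means nothing was found."""
    issues = []
    iface = params.get("inet_interfaces", "all")  # Postfix's compiled-in default is 'all'
    if iface not in ("localhost", "loopback-only"):
        issues.append(("note", "SMTP listener is reachable from the network "
                       "(inet_interfaces = %s); block port 25 at the firewall or "
                       "set localhost if the box never receives mail" % iface))
    if "mynetworks" in params:
        for entry in split_list(params["mynetworks"]):
            try:
                net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
            except ValueError:
                continue  # hostnames and table lookups are not checked here
            if net.prefixlen == 0 or not (net.is_loopback or net.is_private):
                issues.append(("warn", "mynetworks trusts %s; every host in it "
                               "may relay without authenticating" % entry))
    elif params.get("mynetworks_style", "subnet") == "subnet":
        # Before Postfix 3.0 the default style was 'subnet': every host on the same
        # IP subnet as the server is trusted, which on an ISP-facing interface is
        # not your LAN.
        issues.append(("warn", "mynetworks_style = subnet trusts the whole subnet "
                       "of each interface; use 'host' or list the LAN explicitly"))
    lists = [split_list(params[k]) for k in
             ("smtpd_relay_restrictions", "smtpd_recipient_restrictions") if k in params]
    # With neither parameter set, the built-in default
    # 'permit_mynetworks, reject_unauth_destination' applies.
    if lists and not any(reject_is_effective(lst) for lst in lists):
        issues.append(("warn", "no effective reject_unauth_destination: "
                       "unauthenticated clients may relay to any destination"))
    return issues


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_MAIN_CF), ("restricted", RESTRICTED_MAIN_CF)):
        print(label)
        for severity, message in audit_relay_policy(parse_main_cf(cfg)) or [("ok", "no issues")]:
            print("  [%s] %s" % (severity, message))
```

YaST writes main.cf for you, but the checker can be pointed at the live configuration by feeding it the output of `postconf -n`, which prints the non-default settings in the same key = value form. The restricted fragment produces no findings; the weak one reports the wide-open mynetworks entry, the dead reject_unauth_destination behind the bare permit, and the network-reachable listener.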

  6. #6

    Re: How to find if it is being used as an open relay?

    you may need to advise your friend to hire a temporary or part time
    *nix administrator..

    what country are you in...that is what language is the operation
    language on the server? I ask because I know a top-notch, trustworthy
    admin guy in Slovenia that could do all this from afar...for a fair
    and reasonable price..


  7. #7

    Re: How to find if it is being used as an open relay?

    Thank you to EVERYONE for your help! We blocked the ports, changed firewall settings and were able to figure out who/what was attempting to send spam!

    Thanks again!
