[Mailman-Users] SPAM relayed mail through Mailman.

Colorado Tech Support Jon.Slater at ColoTechSupport.Com
Sun May 15 17:59:11 CEST 2005


Hi, I'm pretty new to this, but I've got a problem.

Last night, a SPAMer was able to relay 250 mail messages through my 
server and I can't figure out how they did it.

Here's my configuration:

Fedora Core 2 - kernel-2.6.10-1.771_FC2
apache - httpd-2.0.51-2.9
mailman-2.1.5-10.fc2
sendmail-8.12.11-4.6

Here's what I know...

My sendmail is configured in a way to only allow relaying from IP 
addresses within my network (the 192.168.blah.blah range).
I believe this is configured correctly because I get "RELAYING DENIED" 
messages all the time from SPAMers trying to relay through my server.

The only reason I know about the attempt is because I received over 100 
bounced messages to "mailman-owner at mydomain.com" from the target of the 
attack.

The bounced messages all contained the original message (which came from 
mailman-owner at mydomain.com).

My /etc/log/maillog file shows all 250 sendmails being relayed (here's 
just one):
maillog:May 14 21:02:52 nameofmyserver sendmail[14830]: j4F32px8014830: 
from=<popcap-route at enki.popcap.com>, size=2408, class=0, nrcpts=1, 
msgid=<courier.4286BBD9.000052C9 at enki.popcap.com>, bodytype=7BIT, 
proto=ESMTP, daemon=MTA, relay=mail.popcap.com [69.25.140.155]

My mailman settings don't allow anyone from any groups to send 
mass-mailings without approval.  (I verified all of this this morning.)

So, I guess I have two questions:
1)  How did they do it?
2)  (and more importantly) How do I stop it?

Thank you all for your time!

Jon



-- 
Jon D Slater               Colorado Tech Support
p: 970.988.7246            P.O. Box 143
f: 970.674.8060            Windsor, Colorado
www.ColoTechSupport.Com    80550
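As an added illustration (not part of Jon's post), the following Python script groups sendmail maillog entries like the one quoted above by queue ID, pairs each from= record with its to= records, and sorts every outbound delivery by where the message entered the server: an internal 192.168.x.x host, an external host, or a local submission. The sample log lines are constructed for this example, with "@" restored where the archive prints " at "; the host names, addresses and the relay=mailman@localhost form (assumed here as sendmail's way of logging a locally submitted message) are placeholders rather than data from the post.

```python
"""Group sendmail maillog entries by queue ID and classify where each
relayed message entered the server. Added example; the SAMPLE_LOG below
is constructed, modelled on the format quoted in the post."""
import ipaddress
import re
from collections import defaultdict

# "maillog:" prefix is what grep adds when searching several files at once.
LOG_RE = re.compile(
    r'^(?:maillog:)?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$')
# key=value pairs; angle-bracketed values (from=<...>, to=<...>) may contain commas.
FIELD_RE = re.compile(r'(\w+)=(<[^>]*>|[^,]*)')
IP_RE = re.compile(r'\[([0-9.]+)\]')

# The post says relaying is allowed only from the 192.168.x.x range.
TRUSTED_NETS = (ipaddress.ip_network('192.168.0.0/16'),)

# Constructed sample: one inbound message, one legitimate internal relay,
# one locally submitted message, one message accepted from an outside host.
SAMPLE_LOG = """\
May 14 21:02:52 nameofmyserver sendmail[14830]: j4F32px8014830: from=<popcap-route@enki.popcap.com>, size=2408, class=0, nrcpts=1, msgid=<courier.4286BBD9.000052C9@enki.popcap.com>, bodytype=7BIT, proto=ESMTP, daemon=MTA, relay=mail.popcap.com [69.25.140.155]
May 14 21:02:52 nameofmyserver sendmail[14831]: j4F32px8014830: to=<jon@mydomain.com>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=32408, dsn=2.0.0, stat=Sent
May 14 21:05:10 nameofmyserver sendmail[14840]: j4F35Ax8014840: from=<jon@mydomain.com>, size=512, class=0, nrcpts=1, msgid=<a1@mydomain.com>, proto=ESMTP, daemon=MTA, relay=desktop.lan [192.168.1.20]
May 14 21:05:11 nameofmyserver sendmail[14842]: j4F35Ax8014840: to=<friend@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30512, relay=mx.example.net. [203.0.113.10], dsn=2.0.0, stat=Sent (ok)
May 14 21:07:30 nameofmyserver sendmail[14850]: j4F37Ux8014850: from=<mailman-owner@mydomain.com>, size=2100, class=0, nrcpts=1, msgid=<m1@mydomain.com>, relay=mailman@localhost
May 14 21:07:31 nameofmyserver sendmail[14852]: j4F37Ux8014850: to=<victim@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=32100, relay=mail.example.org. [198.51.100.7], dsn=2.0.0, stat=Sent (ok)
May 14 21:09:00 nameofmyserver sendmail[14860]: j4F390x8014860: from=<spammer@example.com>, size=900, class=0, nrcpts=1, msgid=<s1@example.com>, proto=SMTP, daemon=MTA, relay=[192.0.2.44]
May 14 21:09:01 nameofmyserver sendmail[14862]: j4F390x8014860: to=<victim2@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30900, relay=mail.example.org. [198.51.100.7], dsn=2.0.0, stat=Sent (ok)
"""


def parse_line(line):
    """Return {'qid', 'ts', <key=value fields>} for a sendmail log line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip() for k, v in FIELD_RE.findall(m.group('rest'))}
    return {'qid': m.group('qid'), 'ts': m.group('ts'), **fields}


def classify_relay(relay, trusted_nets):
    """Map a relay= value to local / submission:<user> / loopback / internal / external."""
    if not relay or relay == 'local':
        return 'local'
    if '@localhost' in relay:          # assumed form for locally submitted mail
        return 'submission:' + relay.split('@')[0]
    m = IP_RE.search(relay)
    if not m:
        return 'unknown'
    ip = ipaddress.ip_address(m.group(1))
    if ip.is_loopback:
        return 'loopback'
    if any(ip in net for net in trusted_nets):
        return 'internal'
    return 'external'


def summarize(lines, trusted_nets):
    """Join from= and to= records by queue ID; 'entry' says where the mail came in."""
    msgs = defaultdict(lambda: {'from': None, 'entry': None, 'to': []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = msgs[rec['qid']]
        if 'from' in rec:
            m['from'] = rec['from']
            m['entry'] = classify_relay(rec.get('relay', ''), trusted_nets)
        elif 'to' in rec:
            m['to'].append((rec['to'], rec.get('relay', ''), rec.get('stat', '')))
    return dict(msgs)


def relayed_outbound(summary):
    """Queue IDs delivered to an external host, grouped by entry point.
    Anything under 'external' was relayed for an outside host; 'submission:*'
    entries were generated on the box itself."""
    out = defaultdict(list)
    for qid, m in summary.items():
        if any(classify_relay(relay, ()) == 'external' for _, relay, _ in m['to']):
            out[m['entry']].append(qid)
    return dict(out)


if __name__ == '__main__':
    summary = summarize(SAMPLE_LOG.splitlines(), TRUSTED_NETS)
    for entry, qids in relayed_outbound(summary).items():
        print(f'{entry:20} {len(qids)} outbound message(s)')
        for qid in qids:
            print(f'    {qid} from={summary[qid]["from"]}')
```

Run it against the real file (`summarize(open('/var/log/maillog'), TRUSTED_NETS)`) and look at the entry point of the 250 relayed messages: a large "external" group means the MTA accepted them from outside the trusted range, while a "submission:" group means they were created on the server itself by that local account, which points at the application rather than sendmail's relay rules.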