Stop spammers from relaying via sendmail? - linux

For the life of me I cannot figure out how spammers are sending mail through my server with relaying off. I'm running Sendmail 8.14.7 on Slackware Linux 14.1. The spammers have not figured out a user's password and are therefore logging in first via SASL with AUTH LOGIN or I would see that in the log.
Here's an example from my logs, a spammer/bot from 182.234.55.47. Off the top of someone's head, what would allow this? Any IP randomly in the world can do this, yet when I try it sendmail says "relaying denied...". I could not be more lost. I firewall them but it happens again an hour later from a different IP.
Feb 23 12:18:44 server sendmail[28315]: t1NHIIgY028315: <-- MAIL FROM: <re>
Feb 23 12:18:44 server sendmail[28315]: t1NHIIgY028315: --- 250 2.1.0 <re>... Sender ok
Feb 23 12:18:45 server sendmail[28315]: t1NHIIgY028315: <-- RCPT TO: <htucker566@gmail.com>
Feb 23 12:18:45 server sendmail[28315]: t1NHIIgY028315: --- 250 2.1.5 <htunhtunnaing.goldpot@gmail.com>... Recipient ok
Feb 23 12:18:47 server sendmail[28315]: t1NHIIgY028315: <-- DATA
Feb 23 12:18:47 server sendmail[28315]: t1NHIIgY028315: --- 354 Enter mail, end with "." on a line by itself
Feb 23 12:18:48 server sendmail[28315]: t1NHIIgY028315: from=<re>, size=496, class=0, nrcpts=5, msgid=<B3BE0AC12425C02A1FB8C9201EE5CB9E@jyvicegy>, proto=ESMTP, daemon=MTA, relay=host-47.55-234-182.cable.dynamic.kbtelecom.net [182.234.55.47]
Feb 23 12:18:48 central sendmail[28315]: t1NHIIgY028315: --- 250 2.0.0 t1NHIIgY028315 Message accepted for delivery
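One way to triage a log like the one above is to group sendmail lines by queue ID and flag messages that were accepted from a non-local client, carry a recipient outside the domains the host serves, and never got the "AUTH=server" line sendmail writes on a successful SASL login. This is an added example, not the poster's code; the sample log is constructed in the shape of the lines above and LOCAL_DOMAINS is an assumed value.

```python
import re
from ipaddress import ip_address

# Constructed sample in the shape of the sendmail log lines from the post (not the
# poster's real log). The "AUTH=server" line is what sendmail writes when a client
# authenticated via SASL; an unauthenticated relay never gets one.
SAMPLE_LOG = """\
Feb 23 12:18:45 server sendmail[28315]: t1NHIIgY028315: <-- RCPT TO: <htucker566@gmail.com>
Feb 23 12:18:48 server sendmail[28315]: t1NHIIgY028315: from=<re>, size=496, class=0, nrcpts=5, proto=ESMTP, daemon=MTA, relay=host-47.example.net [182.234.55.47]
Feb 23 12:18:48 server sendmail[28315]: t1NHIIgY028315: --- 250 2.0.0 t1NHIIgY028315 Message accepted for delivery
Feb 23 12:20:01 server sendmail[28400]: t1NHK1aa028400: AUTH=server, relay=[198.51.100.7], authid=alice, mech=LOGIN, bits=0
Feb 23 12:20:02 server sendmail[28400]: t1NHK1aa028400: <-- RCPT TO: <bob@gmail.com>
Feb 23 12:20:02 server sendmail[28400]: t1NHK1aa028400: from=<alice@example.com>, size=900, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]
Feb 23 12:20:02 server sendmail[28400]: t1NHK1aa028400: --- 250 2.0.0 t1NHK1aa028400 Message accepted for delivery
"""

LOCAL_DOMAINS = {"example.com"}  # assumption: domains this host accepts mail for
LINE_RE = re.compile(r"(?:sendmail|sm-mta)\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
RELAY_RE = re.compile(r"relay=\S*?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]")
RCPT_RE = re.compile(r"<-- RCPT TO:\s*<[^@>]+@(?P<domain>[^>]+)>", re.I)

def is_local_ip(ip):
    return ip_address(ip).is_loopback or ip_address(ip).is_private

def find_unauthenticated_relays(log_text, local_domains=LOCAL_DOMAINS):
    """Queue IDs of messages accepted from a non-local IP, with no SASL AUTH
    line, addressed to at least one domain this host does not serve."""
    msgs = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = msgs.setdefault(m["qid"], {"relay_ip": None, "auth": False,
                                         "external": [], "accepted": False})
        rest = m["rest"]
        if rest.startswith("AUTH=server"):
            rec["auth"] = True
        elif rest.startswith("from="):
            r = RELAY_RE.search(rest)
            rec["relay_ip"] = r["ip"] if r else None
        elif "Message accepted for delivery" in rest:
            rec["accepted"] = True
        else:
            r = RCPT_RE.search(rest)
            if r and r["domain"].lower() not in local_domains:
                rec["external"].append(r["domain"].lower())
    return [qid for qid, rec in msgs.items()
            if rec["accepted"] and rec["external"] and rec["relay_ip"]
            and not is_local_ip(rec["relay_ip"]) and not rec["auth"]]
```

The RCPT lines only appear at the LogLevel the poster is running; on a default LogLevel the `to=` delivery lines would be the place to read recipient domains from.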

Related

Remote port forwarding disconnected when run from cron

I have installed FreeBSD and need to regularly run a reverse shell to establish and keep alive an SSH connection to the client (no public IP). When running the ssh -R script from the terminal, it works as expected, but when I run it as a cron command, the connection is established and disconnected right after that.
Here is auth.log from the server:
Jan 26 08:50:00 sshd[9696]: Accepted publickey for XXXX from XXX.XXX.XXX.XXX port XXXXX ssh2: RSA SHA256: xxxxxxxxx
Jan 26 08:50:00 sshd[9696]: pam_unix(sshd:session): session opened for user XXXX by (uid=0)
Jan 26 08:50:00 systemd: pam_unix(systemd-user:session): session opened for user XXXX by (uid=0)
Jan 26 08:50:01 systemd-logind[458]: New session 107 of user XXXX.
Jan 26 08:50:01 sshd[9794]: Received disconnect from XXX.XXX.XXX.XXX port XXXXX:11: disconnected by user
Jan 26 08:50:01 sshd[9794]: Disconnected from user XXXX XXX.XXX.XXX.XXX port XXXXX
Jan 26 08:50:01 sshd[9696]: pam_unix(sshd:session): session closed for user XXXX
Jan 26 08:50:01 systemd-logind[458]: Session 107 logged out. Waiting for processes to exit.
Jan 26 08:50:01 systemd-logind[458]: Removed session 107.
Do you have an idea what causes this behavior and how to fix it?
Solved - see posts above. Thanks

Failed to authenticate w/ Google Authenticator when configuring OpenVPN on OpenWRT

I'm quite new to OpenWRT and I'm facing some problems here.
I set up the OpenVPN server on Ubuntu using the OpenVPN Access Server web GUI, and correspondingly I got the client profile client.ovpn. Also I enabled "Google Authenticator Multi-Factor Authentication". When I configured a client using client.ovpn, it worked perfectly on my phone and my other PC, but it just failed when I tried to start a client on OpenWRT on my router.
According to https://openvpn.net/vpn-server-resources/connecting-to-access-server-with-linux/, I used openvpn --config client.ovpn --auth-user-pass --auth-retry interact to start a connection, and I was prompted for a username and a password, which makes sense, but then I was never prompted for the authenticator code. Actually when I looked at the response, it did ask me for a code, but I never had a place to enter it. Instead, it asked me to enter the username again, thus dropping into a loop. See below (the fourth line from the bottom):
root@OpenWrt:/etc/openvpn# openvpn --config client_gui.ovpn --auth-retry interact
Mon Mar 9 19:01:18 2020 Unrecognized option or missing or extra parameter(s) in client_gui.ovpn:124: static-challenge (2.4.7)
Mon Mar 9 19:01:18 2020 OpenVPN 2.4.7 mipsel-openwrt-linux-gnu [SSL (mbed TLS)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Mar 9 19:01:18 2020 library versions: mbed TLS 2.16.3, LZO 2.10
Enter Auth Username:london
Enter Auth Password:
Mon Mar 9 19:01:24 2020 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Mon Mar 9 19:01:24 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Mar 9 19:01:24 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Mar 9 19:01:24 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Mar 9 19:01:24 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.8.222:1194
Mon Mar 9 19:01:24 2020 Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Mar 9 19:01:24 2020 UDP link local: (not bound)
Mon Mar 9 19:01:24 2020 UDP link remote: [AF_INET]192.168.8.222:1194
Mon Mar 9 19:01:24 2020 TLS: Initial packet from [AF_INET]192.168.8.222:1194, sid=fb509f08 f4ae8b1f
Mon Mar 9 19:01:24 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Mar 9 19:01:24 2020 VERIFY OK: depth=1, CN=OpenVPN CA
Mon Mar 9 19:01:24 2020 VERIFY OK: nsCertType=SERVER
Mon Mar 9 19:01:24 2020 VERIFY OK: depth=0, CN=OpenVPN Server
Mon Mar 9 19:01:24 2020 Control Channel: TLSv1.2, cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384, 2048 bit key
Mon Mar 9 19:01:24 2020 [OpenVPN Server] Peer Connection Initiated with [AF_INET]192.168.8.222:1194
Mon Mar 9 19:01:25 2020 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Mon Mar 9 19:01:25 2020 AUTH: Received control message: AUTH_FAILED,CRV1:R,E:PG_09HT0rZcjdFd6GnA:bG9uZG9u:Enter Authenticator Code
Mon Mar 9 19:01:25 2020 SIGUSR1[soft,auth-failure] received, process restarting
Mon Mar 9 19:01:25 2020 Restart pause, 5 second(s)
Enter Auth Username:
How can I solve this problem? Is there anything to be modified in client.ovpn? Thank you!
In 18.04, create a file userpass in the same directory as client.ovpn.
userpass should contain 2 lines:
username on the first line
password on the second line
Save the file, open a new terminal and execute the script:
openvpn --config client.ovpn --auth-user-pass userpass --auth-retry interact
In 16.04
Execute the following commands:
sudo -s
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add -
echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
apt-get update
apt-get dist-upgrade
Create a file userpass in the same directory as client.ovpn.
userpass should contain 2 lines:
username on the first line
password on the second line
Save the file, open a new terminal and execute the script:
openvpn --config client.ovpn --auth-user-pass userpass --auth-retry interact
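The AUTH_FAILED,CRV1:... line in the question's output is OpenVPN's dynamic challenge/response message: the server rejects the first password and sends back a state ID, the base64 username and the challenge text, and the client is expected to retry with the same username and a password of the form CRV1::<state_id>::<code>. As an added example (not the poster's or OpenVPN's code), this parses that message and builds the expected reply; the 123456 code in the test is a made-up value.

```python
import base64
from dataclasses import dataclass

# Message format: CRV1:<flags>:<state_id>:<base64(username)>:<challenge text>
#   flags: R = a response is required, E = echo the response while it is typed
CHALLENGE_PREFIX = "AUTH_FAILED,CRV1:"

# The exact control message from the question's log output.
LOG_MESSAGE = "AUTH_FAILED,CRV1:R,E:PG_09HT0rZcjdFd6GnA:bG9uZG9u:Enter Authenticator Code"

@dataclass(frozen=True)
class DynamicChallenge:
    flags: frozenset
    state_id: str
    username: str
    challenge_text: str

def parse_dynamic_challenge(control_msg: str):
    """Return the parsed challenge, or None if this is a plain AUTH_FAILED."""
    if not control_msg.startswith(CHALLENGE_PREFIX):
        return None
    body = control_msg[len(CHALLENGE_PREFIX):]
    # maxsplit=3 keeps any ':' inside the human-readable challenge text intact
    flags, state_id, user_b64, text = body.split(":", 3)
    user_b64 += "=" * (-len(user_b64) % 4)  # tolerate stripped base64 padding
    username = base64.b64decode(user_b64).decode("utf-8")
    return DynamicChallenge(frozenset(flags.split(",")), state_id, username, text)

def challenge_response_password(challenge: DynamicChallenge, code: str) -> str:
    """Value the client sends in the password field of its next auth attempt,
    together with the same username: CRV1::<state_id>::<response>."""
    if "R" in challenge.flags and not code:
        raise ValueError("server requires a response to this challenge")
    return f"CRV1::{challenge.state_id}::{code}"
```

A client that can only re-prompt for the username, as the OpenWRT build in the question does, never gets to send this second-round password, which is why the session loops.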

Email header: last 'received: from' header IP is 127.0.0.1

Have a question about the structure of email headers.
I've been analyzing spam sent through my Postfix MTA, and have noticed a small amount (< 5%) have the localhost address 127.0.0.1 in the final 'Received: from' header.
The 2nd-to-last header shows the IP of the spam mail server.
I'm assuming that the spammer is relaying through an MTA on his local box to a remote server, and that's why the last Received header (which represents the first in the sending chain) is showing the localhost IP.
I have an example below of an actual header with my server's info changed for privacy (the spammer's is real).
Just wanted confirmation that my assumption is correct on this.
Return-Path: <ProsventUltraBlend@operantish.com>
Delivered-To: acme2@mx.acme.net
Received: from localhost (localhost [127.0.0.1])
    by mx.acme.net (Postfix) with ESMTP id XXXXXXXXX
    for <me@acme.net>; Thu, 30 Mar 2017 16:08:16 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mydomain = acme.com
Received: from mx.acme.net ([127.0.0.1])
    by localhost (mx.acme.net [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id XXXXXXXX for <me@acme.net>;
    Thu, 30 Mar 2017 16:08:15 -0400 (EDT)
Received: from layrbc.operantish.com (layrbc.operantish.com [66.118.137.94])
    by mx.acme.net (Postfix) with ESMTP id 0A576D1FAE8
    for <me@acme.net>; Thu, 30 Mar 2017 16:08:14 -0400 (EDT)
Received: from 025a1bf3.layrbc.operantish.com ([127.0.0.1]:19719 helo=layrbc.operantish.com)
    by layrbc.operantish.com with ESMTP id 02DYCACOHN5A1BOPBVDGQKF3;
    for <me@acme.net>; Thu, 30 Mar 2017 13:08:13 -0700
Date: Thu, 30 Mar 2017 13:08:13 -0700
I know hardly any more than Jon Snow, but I do know that 127.0.0.1 can appear in mail headers, i.e. when a spam filter takes the mail, checks it and sends it on its way.

Setup linux server to use Exchange server as relay

It used to be working, but out of the blue, it stopped sending mail. I thought I set everything up in both linux and exchange to function correctly, but we're not receiving the emails - internally or externally.
I'm not that knowledgeable about linux, so I use webmin to get around.
So, we have our shopping cart and online forms on the linux server that will email users confirmations and such. It won't receive any mail, so I don't need to worry about that. It only sends mail out, both inside our network, and outside. Here is a recent addition to the mail log:
Dec 6 11:51:04 istalinux2 sendmail[1696]: rB6Gp4lr001696: from=www-data, size=246, class=0, nrcpts=1, msgid=, relay=www-data@localhost
Dec 6 11:51:05 istalinux2 sm-mta[1697]: rB6Gp4hY001697: from=, size=485, class=0, nrcpts=1, msgid=, proto=ESMTP, daemon=MTA-v4, relay=localhost [127.0.0.1]
Dec 6 11:51:05 istalinux2 sendmail[1696]: rB6Gp4lr001696: to="John Smith" jsmith@ista-in.org, ctladdr=www-data (33/33), delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30246, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (rB6Gp4hY001697 Message accepted for delivery)
Dec 6 11:51:05 istalinux2 sm-mta[1699]: rB6Gp4hY001697: to=jsmith@ista-in.org, delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=120485, relay=10.20.51.30, dsn=5.1.2, stat=Host unknown (Name server: 10.20.51.30: host not found)
Dec 6 11:51:05 istalinux2 sm-mta[1699]: rB6Gp4hY001697: to=www-data@istalinux2.ista-in.org, delay=00:00:01, mailer=local, pri=120485, dsn=5.1.1, stat=User unknown
Dec 6 11:51:05 istalinux2 sm-mta[1699]: rB6Gp4hY001697: rB6Gp5hY001699: postmaster notify: User unknown
Dec 6 11:51:05 istalinux2 sm-mta[1699]: rB6Gp5hY001699: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30000, dsn=2.0.0, stat=Sent
I have a receive connector set up in Exchange to receive incoming mail from our linux server and pass it through.
I am using sendmail in linux - but I honestly don't care how it's set up, as long as it works and doesn't break, lol. Please help me make sure all my settings in linux are correct ... and keep in mind that I am NOT a linux guy.
The problem seems to be this part:
relay=10.20.51.30, dsn=5.1.2, stat=Host unknown (Name server: 10.20.51.30: host not found)
I assume that 10.20.51.30 is the IP address of your Exchange server. Now, without seeing the actual configuration files, it's a bit hard to find out what you did wrong, but normally, when you specify a mail relay, you have to use either a) a real DNS name, not an IP, or b) enclose the IP in [] brackets, just like the line before that one, which says relay=[127.0.0.1].
Try enclosing the 10.20.51.30 in [] brackets, or, use the name of the exchange server instead of the IP, and make sure your DNS server can resolve that name.

Can't receive REMOTE host log messages with Chainsaw (localhost messages are OK)

I wrote a logger with a programmatically configured SocketAppender for Chainsaw. I successfully receive messages in the SimpleReceiver of Chainsaw from code running on localhost, but from a remote host I'm just getting something like
63 Fri Sep 23 14:44:08 MSD 2011 INFO org.apache.log4j.chainsaw.messages.MessageCenter Connection received from my.host.com:50299 Chainsaw-WorkerThread log chainsaw
68 Fri Sep 23 15:12:22 MSD 2011 INFO org.apache.log4j.chainsaw.messages.MessageCenter Connection lost! :: null Chainsaw-WorkerThread log chainsaw
69 Fri Sep 23 15:12:22 MSD 2011 DEBUG org.apache.log4j.net.SocketReceiver accepted socket Chainsaw-WorkerThread log chainsaw
70 Fri Sep 23 15:12:22 MSD 2011 DEBUG org.apache.log4j.net.SocketReceiver socket not null - creating and starting socketnode Chainsaw-WorkerThread log chainsaw
71 Fri Sep 23 15:12:22 MSD 2011 DEBUG org.apache.log4j.net.SocketReceiver waiting to accept socket Chainsaw-WorkerThread log chainsaw
but no tab with log messages from remote host. What's wrong? No firewall is running.
Tested with v2 and v2.1-trunk-today.
Solved yesterday. The log level in the big app's plugin wasn't set correctly.