
[LI] Now it is the turn of VSNL Bombay to be hit by spammers




Folks

See below - spammers have discovered India it appears - earlier, 
they were systematically scanning for and relay raping Malaysian / 
Indonesian / Japanese / Korean open relays - most of which have 
ended up in the MAPS RBL [*], cut off from over 40% of the 
Internet. 

[*] If your server has the misfortune of landing in the RBL, several 
hosts will bounce packets from these boxes at the router level - and 
your box will crash with all the bounces if the spammer has not 
crashed it already.  To see how you can get into (or leave) the RBL  
- visit http://maps.vix.com/rbl/candidacy.html

Additionally, all networks in the .my (Malaysia) domain were barred 
for several months from accessing all the IRC networks (Undernet, 
EFNet etc).  

Some of the larger Malaysian ISPs gave written undertakings that 
they would close open relays and crack down on spammers among 
their users and so got off the blacklist.  

Doc Tarique - could you please write an article on this and get PCQ 
to print it?  Or else, I have one which I sent to PCQ ages ago 
(before the problem really started).

And Atul (and others involved in planning Linux India's role in 
IT.COM), please devote at least some attention to this.  Linux won't 
become too popular in India if we get walled off from the Net and 
can't use most of what makes Linux a beautiful thing to use.

------- Forwarded message follows -------

From:         "Suresh " <suresh@xxxxxxxxxxxxxxx>
Organization: CAUCE India
To:           helpdesk@xxxxxxxxxxxxxxxxxxxx
Subject:      Your server is open to hacking ....

Dear Sir,

Your server bom4.vsnl.net.in which runs sendmail 5.65 has been 
misused by a spammer to relay spam mails.  Kindly upgrade to 
8.9.3 and update your sendmail.cf files to prevent this.

In fact, your version of sendmail is very insecure, and will allow 
remote attackers to execute any command they wish as the 
sendmail userID (usually root) and which may allow remote or local 
attackers to gain a root shell on the server.   

This happened to BARC when hackers attacked it after the Pokhran
blasts.  So, you see that the situation is very dangerous.

TIFR Bombay was also relayed thru recently as they were running 
sendmail smi/svr4.  I have sent a mail to their sysadmin (and to one
of my friends on the Linux India mailing list who works in the TIFR)
about the identity of the spammer (whom I was able to trace, by
checking up on the phone number mentioned in the spam).

The following may be of some use with regards to securing your 
server against spammers / hackers.

Sendmail admins: http://www.sendmail.org/tips/relaying.html has 
quite a few useful bits of information. 

Sun Admins: 
http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access
(url may wrap - please cut and paste into lynx)
for updates to sendmail 8.9.x. 

Sendmail 4.x, 5.x, 8.6, 8.7: These cannot be secured against 
unauthorised third party relaying without major work. Additionally, 
most versions have major vulnerabilities allowing remote attackers 
to execute arbitrary commands as the sendmail userID (usually 
root) and which may allow remote or local attackers to gain a root 
shell on the server.  

If you have one of these sendmail versions, disable or update it 
immediately and audit your machine's security. Sendmail Inc 
describe version 8.6 and earlier as "Not supported, not secure and 
should NOT be run on a network-connected computer." 

Sendmail 8.8: Additionally, all versions of sendmail prior to 8.8.9 are 
susceptible to a HELO buffer overflow attack - and most recently, 
several thousand sendmail 8.8 installations have been exploited by a 
spammer using RCPT TO:<"victim@target"> - with the "" in the envelope.  

Claus Assmann's check_rcpt Sendmail 8.8 antirelay hacks were 
updated to fix the "", %, ! and : vulnerabilities on 24 August 1998 
and his work can be viewed at 
http://www.sendmail.org/~ca/email/check.html  

More useful information is available at 
http://hexadecimal.uoregon.edu/antirelay/  

Sendmail 8.8 is effectively unsupported and there are probably 
more relaying holes lurking in it. Update to 8.9.3.  

Sendmail 8.9.0 and 8.9.1 are susceptible to relaying attacks using 
the : pathing control character in the RCPT TO:<> header. Update 
to 8.9.3.  

When upgrading sendmail to secure versions: Always generate a 
new sendmail.cf - continuing to use the sendmail.cf from a previous
version which had a relaying vulnerability will usually result in that
relaying vulnerability not being fixed. 

If you are uncomfortable with M4 scripting, WIDE in Japan have a .cf
generator which may be useful. It can be downloaded from
ftp://ftp.jpcert.or.jp/pub/security/tools/CF/ 

If you need sendmail on a machine so that processes can send out 
mail, but no inbound mail facilities are needed, all you need to do is 
change sendmail's startup settings by removing the "-bd" flag. It's 
the -bd flag (-bD if run in the foreground) which tells sendmail to 
listen on port 25 and if that is deleted, it will only deliver locally 
generated mail rather than acting as a full-blown mailserver.  

Please note: this will only secure a server for as long as the -bd
flag is disabled, so should be regarded as a temporary measure.
Eventually, someone is bound to accidentally re-enable the -bd flag.
Wherever possible, please update to sendmail 8.9.3 or later. 

Red Hat Linux users: ftp://admin.netus.com/sendmail/ has sendmail 
8.9.3 rpms you might like to try out. Last update 27 March 1999: 
"pop-before-smtp with a DUL map fallthrough from the poprelay ed 
map".  

Linuxconf users beware! - Linuxconf was found to be generating 
faulty (old) check_rcpt tables as recently as 20 July 1999. Make sure
your version is newer than this before using it to generate
sendmail.cf files. 

------- End of forwarded message -------



Smeagol Gollum | Smeagol@xxxxxxxxxxxx | (aka) Suresh R.
http://www.kcircle.com | http://www.angen.net/~pegasus/
Phone: +(91-40)3736553/3745398 | eFax: +(1-603)590-5437
    A government that robs Peter to pay Paul can always count
    on the support of Paul.
         -- George Bernard Shaw
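As an added example (not part of Suresh's mail or of the sendmail project), a small Python scanner that reads constructed sendmail-style syslog lines and reports, per relaying source host, which of the envelope-address tricks named in the forwarded mail (quoted local part, %, ! and :) were attempted against check_rcpt. The log line shape, the host names and the regular expressions are assumptions of this example, not sendmail's own rulesets.

```python
import re
from collections import Counter

# Heuristic patterns for the relay-bypass address forms the forwarded mail
# lists.  They are assumptions of this example, not sendmail's check_rcpt.
TRICKS = {
    "quoted-at":    re.compile(r'^"[^"]*@[^"]*"@'),   # <"victim@target"@relay>
    "percent-hack": re.compile(r'%[^@]*@'),           # victim%target@relay
    "bang-path":    re.compile(r'!'),                 # relay!victim (UUCP)
    "source-route": re.compile(r'^@[^:]+:'),          # <@relay:victim@target>
}

def relay_tricks(rcpt):
    """Return the names of relay-bypass tricks present in one envelope RCPT."""
    addr = rcpt.strip().strip("<>")
    return [name for name, rx in TRICKS.items() if rx.search(addr)]

# Constructed sample lines in the general shape of sendmail syslog output
# (the hosts, addresses and queue ids are made up for this example).
SAMPLE_LOG = """\
Jul 21 02:11:08 bom4 sendmail[1123]: CAA01123: ruleset=check_rcpt, arg1=<"victim@target.example"@bom4.vsnl.net.in>, relay=[192.0.2.10], reject=550 Relaying denied
Jul 21 02:11:09 bom4 sendmail[1124]: CAA01124: ruleset=check_rcpt, arg1=<victim%target.example@bom4.vsnl.net.in>, relay=[192.0.2.10], reject=550 Relaying denied
Jul 21 02:12:30 bom4 sendmail[1131]: CAA01131: from=<user@vsnl.net.in>, size=512, class=0, relay=[192.0.2.55]
Jul 21 02:13:01 bom4 sendmail[1140]: CAA01140: ruleset=check_rcpt, arg1=<@bom4.vsnl.net.in:victim@target.example>, relay=[198.51.100.7], reject=550 Relaying denied
"""

LINE_RX = re.compile(r"ruleset=check_rcpt, arg1=(?P<rcpt>\S+), relay=(?P<relay>\S+), reject=")

def scan_log(text):
    """Map each relaying source to a Counter of the tricks it tried.

    Only lines that check_rcpt rejected are counted; a rejected RCPT that
    uses none of the known tricks is tallied under 'plain'.
    """
    seen = {}
    for line in text.splitlines():
        m = LINE_RX.search(line)
        if not m:
            continue
        relay = m.group("relay").rstrip(",")
        tricks = relay_tricks(m.group("rcpt").rstrip(","))
        seen.setdefault(relay, Counter()).update(tricks or ["plain"])
    return seen

if __name__ == "__main__":
    for relay, counts in scan_log(SAMPLE_LOG).items():
        print(relay, dict(counts))
```

Hosts that show up with several distinct tricks in a short window are the ones to watch; the check only confirms that check_rcpt is rejecting, which is no help on a sendmail 5.x or 8.8 install that lacks the updated rules.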
