Full Version: how to stop outgoing mail
The Planet Forums > Security > General Security
z0diac
I recently received a msg from the ev1 Abuse Team saying they had complaints about one of my domains sending spam. I have sendmail COMPLETELY shut off on this server, I have NO perl directory, my CGI-BIN directory is EMPTY, and I have the perl and cgi-bin services set to STOPPED in my control panel, and if you try telnetting to port 25 it just says "Connection lost to host" because there's nothing there. I do NOT have formmail anywhere on the server (that's how they said it was happening, even though they didn't even check my logs).

With all I've done, is it still possible for my server/domain to send out spam mail?

I told them the msg headers were OBVIOUSLY forged, but they didn't believe me, and didn't seem to check my server to even see if it was possible for it to send spam; they just went by what SPAMCop.com said.

This is very frustrating, as I have NEVER sent spam in my life, nor would I, as I hate spam more than ANYONE.

I don't know much about linux (I'm a windows guy) but I had a friend who's a "linux god" completely firewall/block all traffic on port 25 for this domain, and that seems to have satisfied the ev1 Abuse team, and they've closed the trouble ticket. But I really feel that they've threatened to close down my entire server (all domains) due to this fact, when it doesn't even seem that they've investigated it to see if it was even possible for my domain to send mail. GRRR!
TMX
QUOTE
Originally posted by z0diac
With all I've done, is it still possible for my server/domain to send out spam mail?


It would be possible. Even if the sendmail daemon is shut down, the sendmail binary can still be accessed directly.

Try this to completely kill outbound port 25, if that's what you're after:

iptables -A OUTPUT -p tcp --dport 25 -j DROP

QUOTE
I told them the msg headers were OBVIOUSLY forged


Can you post them?

-B
TMX
Just saw a copy of the spam in question at the dnsbl.net.au site. Based on the headers in that particular message, it leaves little doubt that it did actually originate from your IP:

http://dnsbl.net.au/spam/samples/0/0/4/7/8.../8/00478441.txt

There's some stuff in news.admin.net-abuse.sightings from the same IP from April and May of this year as well.

-B
z0diac
Now, would that command affect JUST that one domain or the entire box? Because there's another domain I run from there (never had it spoofed for spam) that I need port 25 open for, for a Paypal script.

QUOTE
Originally posted by TMX
It would be possible. Even if the sendmail daemon is shut down, the sendmail binary can still be accessed directly.

Try this to completely kill outbound port 25, if that's what you're after:

iptables -A OUTPUT -p tcp --dport 25 -j DROP

Can you post them?

-B
Err0r
That would drop anything on port 25 outgoing...
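Since the single DROP rule quoted above blocks outbound port 25 for the whole box, here is an added example (not from anyone in this thread) of the narrower ruleset z0diac is asking for: allow outbound SMTP only from the address of the domain that needs it, log and drop everything else. It assumes that domain is bound to its own IP; 203.0.113.10 is a constructed placeholder. If both domains share one IP, the `-s` match can be swapped for `-m owner --uid-owner <site user>` to key on the account running the script instead.

```shell
#!/bin/sh
# Added example: restrict outbound SMTP (tcp/25) to one source address,
# log and drop every other attempt so an abused script shows up in syslog.
# Usage:  sh smtp_egress.sh print 203.0.113.10   (show the rules)
#         sh smtp_egress.sh apply 203.0.113.10   (apply them, as root)

# Emit the iptables commands, one per line, in the order they must be applied.
# iptables stops at the first matching rule, so ACCEPT must precede DROP.
smtp_egress_rules() {
    allowed_src="$1"
    # The one address that legitimately needs to reach remote SMTP servers.
    echo "iptables -A OUTPUT -p tcp --dport 25 -s $allowed_src -j ACCEPT"
    # Rate-limited log of everything else, then the DROP from the thread.
    echo "iptables -A OUTPUT -p tcp --dport 25 -m limit --limit 5/min -j LOG --log-prefix 'SMTP-OUT-BLOCKED: '"
    echo "iptables -A OUTPUT -p tcp --dport 25 -j DROP"
}

# Number of rules generated, for a sanity check before applying.
smtp_egress_rule_count() {
    smtp_egress_rules "$1" | wc -l | tr -d ' '
}

mode="${1:-print}"
src="${2:-203.0.113.10}"   # constructed placeholder, not an address from the thread
case "$mode" in
    print) smtp_egress_rules "$src" ;;
    apply) smtp_egress_rules "$src" | sh -e ;;
esac
```

Dropped attempts then appear in the kernel log with the SMTP-OUT-BLOCKED prefix, which is the evidence of an abused script that the abuse team never looked for.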