Firewall Wizards mailing list archives
Re: sendmail spamming
From: "Robert E. Martin" <rmartin () fishburne org>
Date: Thu, 29 May 2003 12:35:29 -0400
Behm, Jeffrey L. wrote:
> Morality? Is that old thing still around? ;-)
>
> If I understand your question correctly, the gain is that the real spammer is using your web server to generate SPAM and making it look as if your web server is the real spammer (the real spammer has little risk of being labeled a "SPAMMER" by the Internet-at-large). It's just a way for a real spammer to cover his/her tracks and cause your site grief, because *you* now are at risk of being labeled a "SPAM-generating" site. To the recipient of such spam, the "from" address is legitimately from your web server.
>
> However, the exploit isn't really your email server, it's the web server <I hope you're not gonna say you have a web server on the *same* system as your email gateway :-( >. The web server legitimately uses the email gateway to send emails out to the Internet, but the web server has been exploited to allow the intruder to send out emails which are tracked back to "coming from the web server."
>
> Hope this helps, and that I understood your question correctly.
>
> Jeff
>
> -----Original Message-----
> From: Robert E. Martin [mailto:rmartin () fishburne org]
> Sent: Thursday, May 29, 2003 8:31 AM
> To: firewall-wizards () honor icsalabs com
> Subject: [fw-wiz] sendmail spamming
>
> Just a morality question for you guys.
>
> I have just finished locking up an exploit in our email server. This spawned from a formmail script left on our web server I neglected to delete. I noticed CPU activity spikes on the email server and found that our web server was spamming our email server due to the classic formmail exploit. My question is this. What is the motivation behind such an exploit? What is there to gain from this other than job security for a person like me? This kind of action makes no sense to me.
>
> --
> Robert E Martin
> IT Manager
> Fishburne Military School
> rmartin () fishburne org
> 540.946.7726
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> <I hope you're not gonna say you have a web server on the *same* system as your email gateway :-( >. The web server legitimately uses the email gateway to send emails out to the Internet, but the web server has been exploited to allow the intruder to send out emails which are tracked back to "coming from the web server."

Oh NO!! The web server and email server are separate machines and different subnets. Lots of separation there, however, there were some strange entries in the root mailbox on the web server. Here:

Return-Path: <apache () fmsws fishburne org>
Received: from fmsws.fishburne.org (fmsws.fishburne.org [127.0.0.1])
    by fmsws.fishburne.org (8.12.5/8.12.5) with ESMTP id h4T6no4A001254;
    Thu, 29 May 2003 02:49:50 -0400
Received: (from apache@localhost)
    by fmsws.fishburne.org (8.12.5/8.12.5/Submit) id h4T6nn7Y001252;
    Thu, 29 May 2003 02:49:49 -0400
Date: Thu, 29 May 2003 02:49:49 -0400
Message-Id: <200305290649.h4T6nn7Y001252 () fmsws fishburne org>
To: none () fishburne org
From: none () fishburne org ()
Subject: Ignore

to: Spankyparade () o2 pl */BEGINABCDFORMMAILfishburne.org/cgi-bin/formmail.cgiTSTSendMailTSTENDABCD /*

--h4T6nq4A001256.1054190992/fmsws.fishburne.org--

From root () fmsws fishburne org Thu May 29 04:02:02 2003
Return-Path: <root () fmsws fishburne org>
Received: from fmsws.fishburne.org (fmsws.fishburne.org [127.0.0.1])
    by fmsws.fishburne.org (8.12.5/8.12.5) with ESMTP id h4T8224A001423
    for <root () fmsws fishburne org>; Thu, 29 May 2003 04:02:02 -0400

The highlighted portion tells me that the attacker used a command in the body of an e-mail to send mail from the web server via sendmail. I also found that in the sendmail.cf, our mailserver was listed as the "smarthost". That got changed pretty quick. The formmail has been deleted as well. Things have gotten much quieter on the mail server since.

--
Robert E Martin
IT Manager
Fishburne Military School
rmartin () fishburne org
540.946.7726
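The mailbox entries above show what a FormMail relay probe leaves behind on the web host: a message queued locally by the httpd user (the "(from apache@localhost)" Submit line) whose body wraps the URL of the script it exercised in a BEGIN...FORMMAIL...END marker and names the address the probe wants a copy sent to. The following is an added example, not code from the thread; it scans an mbox file for that pattern. The sample mbox, the host www.example.invalid, the collector address and the list of web-server user names are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed sample mbox modelled on the root-mailbox entries in the thread:
# a FormMail relay probe queued by the httpd user, then an ordinary cron mail.
SAMPLE_MBOX = """\
From apache@www.example.invalid Thu May 29 02:49:50 2003
Received: (from apache@localhost)
\tby www.example.invalid (8.12.5/8.12.5/Submit) id h4T6nn7Y001252;
\tThu, 29 May 2003 02:49:49 -0400
Message-Id: <200305290649.h4T6nn7Y001252@www.example.invalid>
To: none@example.invalid
From: none@example.invalid
Subject: Ignore

to: probe-collector@example.invalid */BEGINABCDFORMMAILwww.example.invalid/cgi-bin/formmail.cgiTSTSendMailTSTENDABCD /*

From root@www.example.invalid Thu May 29 04:02:02 2003
Received: (from root@localhost)
\tby www.example.invalid (8.12.5/8.12.5/Submit) id h4T8224A001423;
\tThu, 29 May 2003 04:02:02 -0400
Message-Id: <200305290802.h4T8224A001423@www.example.invalid>
Subject: Cron <root@www> run-parts /etc/cron.daily

/etc/cron.daily/logrotate: OK
"""

# Body marker the probe wraps around the URL of the script it just exercised.
PROBE_RE = re.compile(r"BEGIN\w*?FORMMAIL(\S+?)TST")
# sendmail's local "Submit" Received line for mail queued by the web server user
# (user names are assumptions; match whatever your httpd runs as).
WWW_SUBMIT_RE = re.compile(r"\(from (?:apache|www-data|httpd|nobody)@localhost\)")
# Address the probe asks the script to copy the message to.
COLLECTOR_RE = re.compile(r"^to:\s*(\S+@\S+)", re.IGNORECASE | re.MULTILINE)

def find_probes(mbox_text: str) -> list[dict]:
    """Return one finding per FormMail probe: where it came from and what it hit."""
    findings = []
    # mbox messages start at a "From " separator line (sample has no escaped bodies)
    for raw in filter(str.strip, re.split(r"^From .*\n", mbox_text, flags=re.MULTILINE)):
        msg = message_from_string(raw)
        received = " ".join(msg.get_all("Received", []))
        body = msg.get_payload() if not msg.is_multipart() else ""
        marker = PROBE_RE.search(body)
        if marker and WWW_SUBMIT_RE.search(received):
            collector = COLLECTOR_RE.search(body)
            findings.append({"message_id": msg.get("Message-Id", "").strip("<>"),
                             "probed_script": marker.group(1),
                             "collector": collector.group(1) if collector else None})
    return findings
```

A hit means the script named in `probed_script` answered the probe and is reachable for relaying; removing the script and dropping the mail relay's smarthost trust for the web host, as the thread describes, closes both halves.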
Current thread:
- sendmail spamming Robert E. Martin (May 29)
- Re: sendmail spamming R. DuFresne (May 29)
- Re: sendmail spamming Chuck Swiger (May 29)
- <Possible follow-ups>
- RE: sendmail spamming Behm, Jeffrey L. (May 29)
- Re: sendmail spamming Robert E. Martin (May 29)
- RE: sendmail spamming Jim Seymour (May 30)
- RE: sendmail spamming Behm, Jeffrey L. (May 29)
- Re: sendmail spamming Don Jones (May 30)