
Someone used my RAQ4 server to send spam
evertheory 05-07-2001, 11:17 PM Hello,
I have found out that someone accessed my server and sent adult spam.
I was told by my server host that people can access sendmail when formmail.pl is used or when an email is sent through the server but they offered no help in fixing this problem.
I have a RAQ4.
I host only my own sites on this server.
Does anyone know how I can prevent this from happening again?
You should install a firewall and block the SMTP port (usually 25). It's hard to block it for everyone except your customers.
Go to your CP, control panel, services, e-mail server parameters, then change relay
avara 05-08-2001, 05:39 AM I would recommend POP before SMTP. It can be downloaded as a .pkg file from the Cobalt web site, and it adds a check box to your email server control panel which allows you to enable it after installation.
eddy2099 05-08-2001, 08:05 AM It would be wise to install all the available patches for your Raq 4i. They are available for download under the Cobalt Support webpage. One of the patches is for SMTP Before POP.
I had that problem earlier with someone spamming through my server as it was acting as an open relay. Now with the patch, things are a lot faster. No more spamming through the server.
The entire server was actually hosting only my own sites.
Check out :-
http://www.cobalt.com/support/download/raq4.eng.html
Edwin
evertheory 05-08-2001, 06:53 PM I would recommend POP before SMTP.
============================
I had that installed at the time and was updated with many of the patches.
I installed all the patches up to 05-04-2001
I will see if it happens again.
I also reduced the open window time to 5 min.
I really don't know what else to do.
eddy2099 05-08-2001, 07:02 PM Well, if you have not done so, remove all entries under 'Relay for following host/domains' and make sure that the 'SMTP before POP' is selected.
This way, anyone who wants to send an email through your server would be challenged to authenticate their identity.
If you do leave something under 'relay for host', it would be like providing an 'open-port' for that particular user or domain name. This proves to be a risky venture for me.
Hope that helps.
Edwin
evertheory 05-08-2001, 09:51 PM eddy2099,
In fact, I have every IP on my server under there.
If I take them away, how will I be able to get my email?
It says,
"The following is a list of IP networks, host names, and Internet domain names that are allowed to use this server to relay mail. To allow a remote user to send and receive email, add their computer name, IP network, or Internet domain name to this list."
So basically if I took all them out, I would not be able to get my email?
eddy2099 05-08-2001, 10:04 PM Well, actually I have mine taken out and I am still using the full SMTP and POP3 services of my Raq 3.
Basically, the key would be to set the POP before SMTP on, and once that is done, all outgoing mails would need to be authenticated via POP3 before they can be sent out via SMTP.
Your ability to receive emails would not be affected. I believe you can set the Window time to be more than 5 minutes since if I am not wrong, they would validate your posting using your IP address or email address/login or something like that.
The Host to Relay, from what I understand, is the host you want to have Open Relay for. And Open Relay can be a real dangerous thing, from what we have experienced.
Remove those entries and try sending an email out to your other email addresses. It should work fine.
Edwin
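To make Edwin's description concrete, here is an added example (not Cobalt's code and not from the thread) that models the relay decision: a recipient in one of our own domains is always accepted, anything on the "Relay for following host/domains" list may relay unconditionally, and everyone else may relay only within the window after a successful POP3 login from the same IP. The login table, the event format and the sample addresses are constructed assumptions.

```python
# Added example (not Cobalt's code): a model of the RaQ relay decision as
# described in the thread, for checking the effect of the relay list and of the
# POP-before-SMTP window offline. Assumptions: the server remembers the client
# IP and time of each successful POP3 login, and relay-list entries are IP
# networks that may relay unconditionally.
from datetime import datetime, timedelta
import ipaddress

WINDOW = timedelta(minutes=5)   # the "open window time" mentioned in the thread


class RelayPolicy:
    def __init__(self, local_domains, relay_hosts=(), window=WINDOW):
        self.local_domains = {d.lower() for d in local_domains}
        # Entries from "Relay for following host/domains" (IP networks only here).
        self.relay_nets = [ipaddress.ip_network(n) for n in relay_hosts]
        self.window = window
        self.pop_logins = {}    # client IP -> time of last successful POP3 login

    def record_pop_login(self, client_ip, when):
        self.pop_logins[client_ip] = when

    def is_local(self, rcpt):
        return rcpt.rsplit("@", 1)[-1].lower() in self.local_domains

    def decide(self, client_ip, rcpt, now):
        """Return the decision for one RCPT TO from client_ip at time now."""
        if self.is_local(rcpt):
            return "accept-local"            # delivery to our own domains, not relaying
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in self.relay_nets):
            return "relay-allowlist"         # unconditional: an open relay for that host
        seen = self.pop_logins.get(client_ip)
        if seen is not None and timedelta(0) <= now - seen <= self.window:
            return "relay-pop-before-smtp"   # recent POP3 login from this IP
        return "reject-relaying-denied"


def replay(policy, events):
    """Feed constructed log events (kind, ip, payload, time) through the policy."""
    decisions = []
    for kind, ip, payload, when in events:
        if kind == "pop-login":
            policy.record_pop_login(ip, when)
        elif kind == "smtp-rcpt":
            decisions.append((ip, payload, policy.decide(ip, payload, when)))
    return decisions


# Constructed sample: an outside client sends before logging in, then within
# the window, then after it has expired; a local delivery comes last.
T0 = datetime(2001, 5, 8, 22, 0)
SAMPLE_EVENTS = [
    ("smtp-rcpt", "198.51.100.7", "someone@example.net", T0),
    ("pop-login", "198.51.100.7", None, T0 + timedelta(minutes=1)),
    ("smtp-rcpt", "198.51.100.7", "someone@example.net", T0 + timedelta(minutes=3)),
    ("smtp-rcpt", "198.51.100.7", "someone@example.net", T0 + timedelta(minutes=9)),
    ("smtp-rcpt", "203.0.113.5", "me@example.com", T0),
]


def demo(relay_hosts=()):
    """Decisions for SAMPLE_EVENTS under a given relay list."""
    policy = RelayPolicy(["example.com"], relay_hosts=relay_hosts)
    return [d for _, _, d in replay(policy, SAMPLE_EVENTS)]


if __name__ == "__main__":
    print("empty relay list:  ", demo())
    print("whole /24 on list: ", demo(["198.51.100.0/24"]))
```

Running `demo()` with an empty relay list shows the third message rejected because the window has expired, while `demo(["198.51.100.0/24"])` shows every message from that network relayed regardless of any login, which is exactly the "open port for that particular host" Edwin warns about.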
evertheory 05-08-2001, 11:15 PM Hey, that worked.
I am still able to send and receive, so maybe that will do the trick?
:)
Thanks
eriky 05-09-2001, 12:31 PM I don't understand this. You said that you are using formmail.pl.
So, you use a Perl script that is being abused. Change the Perl script and you're done. I always use my own (PHP) script, which can only send something to me and has no possibility to send stuff to other people.
evertheory 05-09-2001, 02:42 PM Eriky,
I'm not sure you understand what the problem was.
Maybe try reading more closely.
It was not formmail.pl that was causing the problem.
Chicken 05-11-2001, 09:56 AM I think eriky is confused only because you never stated whether you were, or were not, using formmail.pl on the server. Assuming you aren't, you should be OK now (in theory).
Just some Formmail Info
If formmail is on your server, then it can be exploited to send email. Many people install formmail because it is easy to use. Security scanners, e.g. Nessus, and others check for formmail exploits.
Formmail exploits...
Mail Relay
http://www.securiteam.com/securitynews/Formmail_pl_Can_Be_Used_As_An_Open_Mail_Relay.html
Environment Variables
http://www.securiteam.com/exploits/5NP0I0U1GG.html
Early versions even allowed arbitrary commands to be executed.
POP before SMTP
The POP before SMTP will stop direct spam through your mailserver. You can check for an open relay by using the utility at abuse.net:
http://www.abuse.net/relay.html
POP before SMTP and Formmail.pl
Implementing POP before SMTP will not stop exploitation of formmail. This is because formmail.pl runs as the web user or the cgi-bin owner (if using CGIwrap), thus making it a permitted user of the SMTP server. If you must use formmail, be sure to set the referers option and hardcode the To: address in either the form or the script. It is very easy to pass formmail variables and have it send email on your behalf if it is not secured. A few lines of Perl code would allow you to spam thousands.
Remember, formmail is about 4 years old now and was written in a time when there were not thousands of script kiddies on their cable modems trying to cause you problems. ;)
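The two mitigations Chicken names (a referers check and a hardcoded To: address) are easy to show in a small handler. The following is an added example, not formmail.pl and not eriky's PHP script: a form-to-mail handler in which the recipient is fixed in the code, posted fields that are not on a short allowlist (such as a `recipient` field) are ignored, the HTTP Referer must belong to one of our own sites, and any header field carrying CR or LF is refused so that a visitor cannot smuggle in extra headers such as `Bcc:`. The field names, the fixed address, the allowed hosts and the omission of the actual SMTP submission are all assumptions of the example.

```python
# Added example (not formmail.pl): a minimal form-to-mail handler hardened along
# the lines described in the thread. Assumptions: `form` is a dict of posted
# fields, `referer` is the raw Referer header string, and handing the finished
# message to the local mail server is left to the caller.
from email.message import EmailMessage
from urllib.parse import urlparse

FIXED_RECIPIENT = "webmaster@example.com"          # hardcoded; constructed address
ALLOWED_REFERER_HOSTS = {"www.example.com", "example.com"}   # our own sites
# Only these posted fields are used at all; "recipient", "bcc" etc. are ignored.
ALLOWED_FIELDS = {"email", "subject", "realname", "message"}


class FormMailRejected(Exception):
    """Raised for any submission the handler refuses to turn into a message."""


def _clean_header(value, limit=200):
    """Header values must be a single line; CR/LF is the header-injection vector."""
    if "\r" in value or "\n" in value:
        raise FormMailRejected("newline in header field")
    if len(value) > limit:
        raise FormMailRejected("header field too long")
    return value.strip()


def check_referer(referer):
    """Equivalent of formmail's referers option: the form must come from our sites."""
    host = urlparse(referer or "").hostname
    if host is None or host.lower() not in ALLOWED_REFERER_HOSTS:
        raise FormMailRejected("referer %r not permitted" % (referer,))


def build_message(form, referer):
    """Turn posted form fields into an EmailMessage addressed to FIXED_RECIPIENT."""
    check_referer(referer)
    fields = {k: v for k, v in form.items() if k in ALLOWED_FIELDS}
    sender = _clean_header(fields.get("email", ""))
    if "@" not in sender:
        raise FormMailRejected("missing or malformed sender address")
    msg = EmailMessage()
    msg["To"] = FIXED_RECIPIENT          # never taken from the form
    msg["From"] = FIXED_RECIPIENT        # our own address; the visitor goes in Reply-To
    msg["Reply-To"] = sender
    msg["Subject"] = _clean_header(fields.get("subject", "Web form"))
    body = "Name: %s\n\n%s\n" % (fields.get("realname", ""), fields.get("message", ""))
    msg.set_content(body)                # free text is fine in the body, not in headers
    return msg


def recipient_of(form, referer):
    """Convenience wrapper: the To: address the handler would actually use."""
    return str(build_message(form, referer)["To"])


if __name__ == "__main__":
    # Constructed submission that tries to override the recipient.
    posted = {"email": "visitor@example.org", "subject": "Hello",
              "realname": "A Visitor", "message": "Just saying hi.",
              "recipient": "someone-else@example.net"}
    print(build_message(posted, "http://www.example.com/contact.html"))
```

Compared with a script that reads the recipient from the form, the only address this handler will ever deliver to is the one compiled into it, so it offers nothing to a caller who merely knows its URL; the referer check is a weak second line of defence, since that header is client-supplied, which is why the fixed recipient carries the real weight.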
nudetravel 09-29-2001, 11:32 AM I know this is an old thread, but it came up in a search I did so I thought I would add an update.
formmail.pl is a great, easy to use script and the security holes have been fixed in an updated version. The new version also allows you to add in more environment variables, which is cool.
I have installed and tested the security and it worked well for me.
You can get info on the new version at http://worldwidemart.com/scripts/formmail.shtm .
Mark
Sun & Fun Nude Travel
nudetravel.tv
<<MOD NOTE:>>
Please set up a signature (see profile).
<</MOD NOTE>>