Koozali.org: home of the SME Server

Qmail E-Mail DOS Attack Spoofing localhost

Jay Dee

Qmail E-Mail DOS Attack Spoofing localhost
« on: June 05, 2003, 03:59:28 AM »
On release 5.1.2 I noticed my CPU was pegged a good deal of the time.  My mail logs showed qmail trying to forward a few 20MB files, which looked like:

smtp connection from UNKNOWN@localhost(127.0.0.1) MAIL FROM: <> RCPT TO: , allowed by line 22 of /etc/smtpd_check_rules

I disabled forwarding of localhost and that took care of it.

I found the same thing going on with 3 other e-smith boxes.  Time to upgrade to 5.5.

Jay
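Detection logic for the log line format quoted in the post, as an added example that is not part of Jay's post or of SME Server itself: it parses lines of that shape, counts loopback (127.0.0.1) connections with an empty envelope sender, and flags when they reach a threshold. The sample lines, the threshold, and the exact regex are constructed assumptions.

```python
import re
from collections import Counter

# Matches the smtpd log shape quoted in the post (assumed one connection per line).
LOG_RE = re.compile(
    r"smtp connection from (?P<user>\S+)@(?P<host>[^()]+)\((?P<ip>[\d.]+)\)\s+"
    r"MAIL FROM:\s*<(?P<sender>[^>]*)>\s+RCPT TO:\s*(?P<rcpt>[^,]*),\s*"
    r"allowed by line (?P<rule>\d+) of (?P<rules_file>\S+)"
)

# Constructed sample lines: three null-sender loopback relays, one normal
# external delivery, one loopback delivery with a real sender.
SAMPLE_LINES = [
    "smtp connection from UNKNOWN@localhost(127.0.0.1) MAIL FROM: <> RCPT TO: , allowed by line 22 of /etc/smtpd_check_rules",
    "smtp connection from UNKNOWN@localhost(127.0.0.1) MAIL FROM: <> RCPT TO: , allowed by line 22 of /etc/smtpd_check_rules",
    "smtp connection from UNKNOWN@mail.example.net(192.0.2.10) MAIL FROM: <alice@example.net> RCPT TO: <bob@example.com>, allowed by line 30 of /etc/smtpd_check_rules",
    "smtp connection from UNKNOWN@localhost(127.0.0.1) MAIL FROM: <root@localhost> RCPT TO: <admin@example.com>, allowed by line 22 of /etc/smtpd_check_rules",
    "smtp connection from UNKNOWN@localhost(127.0.0.1) MAIL FROM: <> RCPT TO: , allowed by line 22 of /etc/smtpd_check_rules",
]


def parse_line(line):
    """Return a dict of the connection fields, or None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["rcpt"] = rec["rcpt"].strip()
    return rec


def suspicious_localhost_relays(lines, threshold=3):
    """Count loopback connections with an empty (bounce-style) envelope sender.

    Returns (count, flagged, per_rule) where per_rule maps the smtpd_check_rules
    line number that allowed each such connection to how often it fired, so an
    admin can see which rule to tighten.
    """
    count = 0
    per_rule = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] != "127.0.0.1" or rec["sender"] != "":
            continue
        count += 1
        per_rule[rec["rule"]] += 1
    return count, count >= threshold, dict(per_rule)
```

Run against a real qmail/smtpd log, the per-rule map points at the smtpd_check_rules entry that is letting the traffic through.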

Nathan Fowler

Re: Qmail E-Mail DOS Attack Spoofing localhost
« Reply #1 on: June 05, 2003, 04:04:23 AM »
Are you using any kind of FormMail applications or CGI based mail applications?  Mail coming from localhost is often a good indicator of someone exploiting a web-based email/mailing application.  It's likely that an upgrade to 5.6 won't help you out if that is the case.

Jay Dee

Re: Qmail E-Mail DOS Attack Spoofing localhost
« Reply #2 on: June 05, 2003, 04:10:22 AM »
I am not running any CGI on these boxes.  They just have the default construction webpage.  All 4 boxes are at different companies and domains.  My 5.6 box didn't have the condition.

Jay

Nathan Fowler

Re: Qmail E-Mail DOS Attack Spoofing localhost
« Reply #3 on: June 05, 2003, 07:15:18 AM »
How lax, or not lax, have you been in applying updates to the system outside of the rather outdated (no offense intended) errata packages supplied by E-Smith/Mitel/SME?  I.e., using Redhat Errata for the 5.1.2 series, by using the RH Errata packages for RH 7.1, since 5.1.2 is based off Redhat 5.1.2?

http://rhn.redhat.com/errata

Don't use RH Errata packages for:
Kernel updates
xinetd updates
imapd updates
qmail updates

Everything else should work perfectly, including OpenSSL, Apache, PHP, MySQL, etc.

Nathan Fowler

Re: Qmail E-Mail DOS Attack Spoofing localhost
« Reply #4 on: June 05, 2003, 07:16:21 AM »
Sorry for the typo, SME/E-Smith 5.1.2 is based off RH 7.1.