Sorry to bother you, but I would like to show you some aspects
of how a Sendmail running on an OpenBSD 3.8 system can be involved in a
spam attack. I'm not quite sure that OpenBSD 3.8 or Sendmail is exploitable,
but I would like some help to clarify this problem.
More precisely, one day I noticed that /var/spool/mqueue was full with
30000 messages (in fact return messages, showing that some servers, including
Yahoo!, do not accept some mail from me). I noticed that the "mailstats"
command reports 130000 (!!!) messages sent (!) outside. My computer is a
small server running OpenBSD 3.8, with MySQL+PHP+Apache for the website; it's a
FRESH install, so I don't think it's a problem in the system. I have around
30 users who use POP3+Outlook Express to send and receive their mail messages.
The problem is that I have antispoofing on, "scrub in all"; some suspects
(probably Windows machines from the neighbouring department, which are supposed
to have some viruses) are blocked by PF. I also have NAT for my local
network (192.128.x.x) and IP forwarding for the global addresses.
Relaying is stopped, so this could not be the problem (Yahoo! asks me if I am
an open relay!).
My machine seems quite secure, but I cannot say why my machine sends so many
mail messages (day & night). Maybe some accounts are compromised, but I have no
way of determining this. How can I see how many mail messages a user sends?
I don't think this is an ordinary problem. I have some experience with
FreeBSD (2 years) and with OpenBSD; moreover, I have 2.5 years of experience
with GNU/Linux systems. Maybe this is a simple problem, but I can't solve
it all by myself, so I am now requesting help from our great OpenBSD community.
My OpenBSD 3.8 system was not patched and the kernel was not recompiled.
Thank you very much for your attention, and I hope someone can help me with
this (could it be a problem with Sendmail on OpenBSD 3.8? I really don't think
this could happen).
Respectfully yours,
George Popa
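One way to answer the question in the post above ("how can I see how many mail messages a user sends?") is to count sendmail's "from=" records in /var/log/maillog per envelope sender and per submitting client. The script below is an added example, not code from the original post or from the OpenBSD or Sendmail projects. It assumes the standard sendmail log line shape (queue ID, from=<...>, nrcpts=, relay=...); the hostnames, addresses, queue IDs and the 192.128.x.x client addresses in the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-sender and per-relay counts from a sendmail maillog.
# The log lines below are constructed sample data, not from the original post.
SAMPLE_LOG=$(cat <<'EOF'
Mar 12 03:14:07 mail sendmail[18421]: k2C3E7Xa018421: from=<alice@example.org>, size=2310, class=0, nrcpts=1, msgid=<1@example.org>, proto=ESMTP, daemon=MTA, relay=pc1.lan [192.128.1.10]
Mar 12 03:14:09 mail sendmail[18423]: k2C3E9Xb018423: from=<bob@example.org>, size=5120, class=0, nrcpts=40, msgid=<2@example.org>, proto=ESMTP, daemon=MTA, relay=pc2.lan [192.128.1.11]
Mar 12 03:14:10 mail sendmail[18423]: k2C3E9Xb018423: to=<x@yahoo.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=35120, relay=mx.yahoo.com. [1.2.3.4], dsn=5.0.0, stat=Service unavailable
Mar 12 03:14:12 mail sendmail[18425]: k2C3ECXc018425: from=<bob@example.org>, size=5120, class=0, nrcpts=40, msgid=<3@example.org>, proto=ESMTP, daemon=MTA, relay=pc2.lan [192.128.1.11]
Mar 12 03:15:01 mail sendmail[18430]: k2C3F1Xd018430: from=<bob@example.org>, size=5118, class=0, nrcpts=40, msgid=<4@example.org>, proto=ESMTP, daemon=MTA, relay=[10.0.0.7]
Mar 12 03:15:03 mail sendmail[18431]: k2C3F3Xe018431: from=<>, size=3000, class=0, nrcpts=1, msgid=<5@mail>, relay=localhost
EOF
)

# write_sample_log: put the constructed sample into a temp file and print its path,
# so the functions below can be run against it exactly as against /var/log/maillog.
write_sample_log() {
    f=$(mktemp /tmp/maillog.XXXXXX)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    echo "$f"
}

# messages_per_sender LOGFILE: envelope senders, most messages submitted first.
# Only the "from=" record is counted (one per message), not the "to=" delivery records.
messages_per_sender() {
    grep ': from=<' "$1" |
    sed 's/.*from=<\([^>]*\)>.*/\1/; s/^$/<>/' |
    sort | uniq -c | sort -rn
}

# messages_per_relay LOGFILE: which client handed the message to sendmail.
# This is what tells a compromised local account apart from a machine behind NAT.
messages_per_relay() {
    grep ': from=<' "$1" |
    sed -n 's/.*relay=\([^,]*\).*/\1/p' |
    sort | uniq -c | sort -rn
}

# recipients_per_sender LOGFILE: sum of nrcpts per sender; spam runs show large fan-out
# even when the raw message count looks modest.
recipients_per_sender() {
    grep ': from=<' "$1" |
    sed -n 's/.*from=<\([^>]*\)>.*nrcpts=\([0-9]*\).*/\1|\2/p' |
    awk -F'|' '{ s = ($1 == "" ? "<>" : $1); n[s] += $2 } END { for (s in n) print n[s], s }' |
    sort -rn
}

if [ "${1:-}" = "--demo" ]; then
    log=$(write_sample_log)
    echo "== messages per sender";    messages_per_sender "$log"
    echo "== messages per relay";     messages_per_relay "$log"
    echo "== recipients per sender";  recipients_per_sender "$log"
    rm -f "$log"
fi
```

Run the functions against the real file (`messages_per_sender /var/log/maillog`) and compare the top relay against the list of POP3 clients; a sender whose relay is a NATed workstation rather than the expected user's machine, or a very high nrcpts total, is the account or host to look at first. `mailq` shows what is still sitting in /var/spool/mqueue with the same queue IDs as the log.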