unsecured email server

Asked by Peter

I have discovered I have an unsecured email server that's being exploited by spammers and I need simple instructions on how to close it down, please. I run Dapper Drake and initially used Evolution but uninstalled it and now use Thunderbird. Any advice would be appreciated; please bear in mind I have rudimentary programming ability.

Peter

Question information

Language: English
Status: Solved
For: Ubuntu
Assignee: No assignee
Solved by: Matt Mossholder
cut (cut) said :
#1

I haven't used Dapper Drake in a while, but if you didn't set up one and use a desktop install, I don't think there is an email server running open to the outside. What did you discover exactly, if I may ask?

Peter (toobmany) said :
#2

Thanks for the response. Since installing Ubuntu my daily internet
traffic is about 25meg download and 5meg upload. We don't download
movies or music, don't have a website to maintain and only ever send
basic email so the traffic seems out of proportion. It was suggested I
check for relaying of third-party email through an open mailbox on the
PC. I went through www.abuse.net and the test came back positive for
relay. The text of the result is below. I installed Ubuntu from CD and
get the updates via auto update. I checked the information offered and
nothing was suitable for the Linux/Thunderbird config.
> This is a test of third-party mail relay, generated via the
> Network Abuse Clearinghouse at http://www.abuse.net.
>
> Target host = mail.bigpond.com [144.140.90.10]
> Test performed by <email address hidden> from 58.168.179.41
>
> A well-configured mail server should NOT relay third-party email.
> Otherwise, the server is subject to abuse by vandals and spammers,
> and probable blacklisting by recipients of the unwanted third-party
> e-mail.
>
> For information on how to secure a mail server against third-party
> relay, visit <URL: http://www.mail-abuse.com/support/an_sec3rdparty.html>.
Peter


Matt Mossholder (matt-mossholder) said :
#3

Peter,
   The following command will identify what process is listening for incoming mail:

netstat -avp | grep smtp

For example, on my email server, things look like this:

root@mail:~# netstat -avp | grep smtp
tcp 0 0 *:smtp *:* LISTEN 30613/master
netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.
unix 2 [ ACC ] STREAM LISTENING 665478 30613/master private/smtp
unix 2 [ ACC ] STREAM LISTENING 665534 30613/master private/bsmtp

The program listening on the mail port in this install is "master", running with PID 30613 (first line of output). It is the line that starts with "tcp".

If you could provide us with the output, we can tell you which specific commands to run to uninstall the mail server, or, if you plan on keeping it, where to look for instructions on how to prevent unauthorized users from using it as a mail relay.

   --Matt
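As an added illustration (not Matt's code or anything posted in the thread): a small POSIX shell script that parses netstat-style output like the sample above and tells an SMTP listener bound to all interfaces apart from one bound only to loopback, which is the distinction that decides whether a mail server can be reached from outside at all. The netstat lines embedded in it are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Classifies TCP listeners on the
# smtp port from "netstat -avp"-style output read on stdin. Prints one line
# per listener: "external PID/NAME" when bound to all interfaces or a
# non-loopback address (reachable from other hosts), "local PID/NAME" when
# bound only to loopback. Unix sockets and netstat's own warnings are ignored.
classify_smtp_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # Column 4 is the local address, e.g. "*:smtp", ":::25", "127.0.0.1:smtp"
            n = split($4, a, ":")
            port = a[n]
            if (port != "smtp" && port != "25") next
            host = substr($4, 1, length($4) - length(port) - 1)
            proc = $7
            if (host == "127.0.0.1" || host == "localhost" || host == "::1")
                print "local " proc
            else
                print "external " proc
        }'
}

# Exit status 0 if any SMTP listener is reachable from other hosts, 1 otherwise.
has_external_smtp() {
    classify_smtp_listeners | grep -q '^external '
}

# Constructed sample output: one MTA bound to all interfaces, one bound to
# loopback, a non-SMTP listener, plus the noise netstat prints alongside.
SAMPLE_NETSTAT='netstat: no support for AF IPX on this system.
tcp        0      0 *:smtp                  *:*                     LISTEN     30613/master
tcp        0      0 localhost:smtp          *:*                     LISTEN     4321/exim4
tcp        0      0 *:www                   *:*                     LISTEN     2222/apache2
unix  2      [ ACC ]     STREAM     LISTENING     665478 30613/master private/smtp'

# Stand-alone run: report each listener, then an overall verdict.
printf '%s\n' "$SAMPLE_NETSTAT" | classify_smtp_listeners
if printf '%s\n' "$SAMPLE_NETSTAT" | has_external_smtp; then
    echo "SMTP is reachable from other hosts: check the relay configuration or remove the MTA"
else
    echo "No externally reachable SMTP listener"
fi
```

On a desktop that was never meant to run an MTA, any "external" line is the finding; on a machine that should keep its mail server, it is the listener whose relay restrictions need checking.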

Peter (toobmany) said :
#4

Matt, thanks for the advice. Below is the output from that command
entered into the root terminal

root@toobmany:/home/toobmany# netstat -avp | grep smtp
netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.
root@toobmany:/home/toobmany#

Guess I should look somewhere else for the problem?

Peter


Best Matt Mossholder (matt-mossholder) said :
#5

Peter,
     I finally got around to expanding out your message above. Naughty me for not completely reading your message before responding.

     You gave abuse.net the IP of your ISP's mail relay, which is supposed to be a relay. No real issue there, and definitely not your problem. Given more thought, 25 MB down and 5 MB up isn't actually that high of a volume. An open mail relay would typically have those numbers reversed (because the spam would be going out, not in). 25 MB in downstream traffic is fairly normal for a day's worth of web surfing.

     If you want to investigate what your system is doing further, you might want to check out the "ntop" program. It isn't something that should be run all the time, but when you want to see what is coming and going from your machine, it provides a lot of detail (which systems you are talking to, with what services, how many bytes, etc.). It does install a minimal web server on your system, but it is bound to the loopback address, which means only the local computer can reach it.

    Let us know how you make out,
                 --Matt

Peter (toobmany) said :
#6

Matt, thanks for the reassurance. I'll try the ntop programme and see
what happens

Peter


Peter (toobmany) said :
#7

Thanks Matt Mossholder, that solved my question.

Peter (toobmany) said :
#8

Matt, thanks for your help. I've run ntop and to my (admittedly
untrained) eye there doesn't seem to be anything amiss. I've closed the
question in Launchpad.

Peter
