High CPU load with sendmail

[Demontager]

My problem is related to the Sendmail service which is running on FreeBSD 9.1. Found it consuming a lot of CPU power, sometimes load average peaks 5 - 7. Actually tried to disable it by placing

sendmail_enable="NONE"

in rc.conf, but it runs again.

The mail log is showing plenty of unauthorized attempts to send messages from my relay:

May  7 00:00:01 freebsd9 sendmail[32277]: r46LQ1fD032277: to=lynnette_sosa@corby.com, delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=31851, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
May  7 00:00:01 freebsd9 sendmail[32277]: r44GArKY050571: to=funkdat02882@yahoo.com, delay=2+05:49:08, xdelay=00:00:00, mailer=relay, pri=120453, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
May  7 00:00:01 freebsd9 sendmail[32277]: r44GArKY050571: r46LQ1fE032277: sender notify: Warning: could not send message for past 4 hours
May  7 00:00:02 freebsd9 sendmail[32277]: r46LQ1fE032277: to=erma_morris@corby.com, delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=31847, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
May  7 00:00:03 freebsd9 sendmail[32277]: r44Kg8Hv065035: to=robertpinto@yahoo.ca, delay=2+01:17:55, xdelay=00:00:00, mailer=relay, pri=120453, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
May  7 00:00:03 freebsd9 sendmail[32277]: r44Kg8Hv065035: r46LQ1fF032277: sender notify: Warning: could not send message for past 4 hours

Actually I don't need Sendmail at all as I stick to a PHP mailer on my websites.

 

[SirDice]

Why do you even allow access to port 25 from outside? How are you running sendmail? If you used

sendmail_enable="NO"

it will be running as a local-submit-only. If you still get these relay attempts there's something really screwed up and they found a hole in your site they're abusing.

 

[kpa]

The default setting when you don't have sendmail_enable in rc.conf(5) is to listen ONLY on localhost, you don't have touch the setting. Have you actually restarted the sendmail(8) service? What does sockstat -l report for sendmail(8)?

 

[Demontager]

After full mail log examination found that messages coming in and out from one my website. Suspect it been compromised. As to the sockstat -l it shows no info for Sendmail. To restart Sendmail I switched to /etc/mail and done

make stop
make start

For now I did small optimization in sendmail.cf

# load average at which we just queue messages
O QueueLA=1

# load average at which we refuse connections
O RefuseLA=2

No more LA 5 - 7 peaks, but still the Sendmail process is in top consuming CPU power http://simplest-image-hosting.net/png-0-scrot

@SirDice, currently have

sendmail_enable="NONE"

or is it better put "NO"?

 

[Demontager]

Now sure been uncovered, found doorways inside website directory. But how can I stop Sendmail from sending and receiving messages using this one domain? Plenty coming every second. http://pastebin.com/KrWnJJ7i

 

[SirDice]

I was afraid of something like that. Plug the hole in the website.

 

[Demontager]

Finally stopped SPAM! This http://pastebin.com/asg9LTeD malicious PHP script was sending mails originating from my domain. How I traced that - opened few mails in /var/spool/clientmqueue and found that messages generated by option.php file, so checked and indeed it was.

H??X-PHP-Originating-Script: 80:options.php

 

[SirDice]

Interesting script, thanks for sharing that. I'm always interested in things like that.

There's one new problem now though, you need to figure out how they got that script on the server. If you don't plug that hole it's likely they'll just upload something similar again.