My cobalt model Raq - 4 has lost the directory SBIN After it lost its directory. It doesn't reboot and on the display screen in lcd kernel loading. I copied S-BIN from another COBALt, but did not work. I also tried a ghost from another cobalt, but I could not sort the problem. If you have any idea, how to solve this! Please e-mail me. I will appreciate your help.
----- Original Message ----- From: <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, February 26, 2003 5:00 PM Subject: cobalt-security digest, Vol 1 #1101 - 3 msgs > Send cobalt-security mailing list submissions to > [EMAIL PROTECTED] > > To subscribe or unsubscribe via the World Wide Web, visit > http://list.cobalt.com/mailman/listinfo/cobalt-security > or, via email, send a message with subject or body 'help' to > [EMAIL PROTECTED] > > You can reach the person managing the list at > [EMAIL PROTECTED] > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of cobalt-security digest..." > > > Today's Topics: > > 1. spoofed spam slipping through pop before relay? (David Black) > 2. Re: spoofed spam slipping through pop before relay? (Rashid Abdullah) > 3. RE: spoofed spam slipping through pop before relay? (aljuhani) > > --__--__-- > > Message: 1 > From: "David Black" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Date: Tue, 25 Feb 2003 18:38:38 -0600 > Organization: SiteDesignAndHosting.com > Subject: [cobalt-security] spoofed spam slipping through pop before relay? > Reply-To: [EMAIL PROTECTED] > > I think someone is relaying spam through our servers, by spoofing > their originating IP, so the spam appears to come from one of my > legitimate hosting customers' home IP addresses. > > I've noticed a repeating pattern of short bursts, similar to the events > listed below... which seem to last from 2 - 5 minutes each. Since my > up-to-date RaQ4 includes pop-before-relay (with a 5 minute window), > I'm wondering if the spoofer is randomly catching my customer's > relay window, then exploiting it, by spoofing my customer's IP. (?) > > I'd be very grateful if anyone with relevant expertise or experience > would share some information with me (and the rest of the list). > Thank you all very much, for your valuable time and knowledge. > I'd be lost without you :�) > > Sincerely, > -- > David Black > Houston, TX > > suspicious maillog events follow... > > Feb 25 14:03:11 www sendmail[18401]: h1PK3Ab18401: > from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, > relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx] > > > ('size=0' repeats 77 times between 14:03:11 and 14:04:09) > > > Feb 25 14:04:09 www sendmail[18874]: h1PK48b18874: > from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, > relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx] > > Feb 25 14:04:14 www sendmail[18876]: h1PK4Db18876: > from=<>, size=2649, class=0, nrcpts=1, > msgid=<[EMAIL PROTECTED]>, > proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx] > > Feb 25 14:04:14 www sendmail[18879]: h1PK4Eb18879: > from=<>, size=2571, class=0, nrcpts=1, > msgid=<[EMAIL PROTECTED]>, > proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx] > > Feb 25 14:04:15 www sendmail[18882]: h1PK4Fb18882: > from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, > relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx] > > Feb 25 14:04:15 www sendmail[18883]: h1PK4Fb18883: > from=<>, size=2901, class=0, nrcpts=1, > msgid=<[EMAIL PROTECTED]>, > proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx] > > > (119 lines - snipped - similar pattern: 1 or 2 'size=0', then 1 or 2 > successful relays) > > > Feb 25 14:05:13 www sendmail[19525]: h1PK5Cb19525: > from=<>, size=2842, class=0, nrcpts=1, > msgid=<[EMAIL PROTECTED]>, > proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx] > > > (108 more successful relays - snipped - ) > > > Feb 25 14:06:47 www sendmail[20347]: h1PK6lb20347: > from=<>, size=2790, class=0, nrcpts=1, > msgid=<[EMAIL PROTECTED]>, > proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx] > > (this (above) was the last related event, for several hours) > > > --__--__-- > > Message: 2 > From: "Rashid Abdullah" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Subject: Re: [cobalt-security] spoofed spam slipping through pop before relay? > Date: Tue, 25 Feb 2003 14:52:42 -1000 > Reply-To: [EMAIL PROTECTED] > > David, > > Read this page (http://www.solarspeed.net/kb/659.php) and pay attention to > the mention of Formmail.pl. I think this may solve your problem, it did it > for me. > > -Rashid > ----- Original Message ----- > From: "David Black" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Tuesday, February 25, 2003 2:38 PM > Subject: [cobalt-security] spoofed spam slipping through pop before relay? > > > > I think someone is relaying spam through our servers, by spoofing > > their originating IP, so the spam appears to come from one of my > > legitimate hosting customers' home IP addresses. > > > > I've noticed a repeating pattern of short bursts, similar to the events > > listed below... which seem to last from 2 - 5 minutes each. Since my > > up-to-date RaQ4 includes pop-before-relay (with a 5 minute window), > > I'm wondering if the spoofer is randomly catching my customer's > > relay window, then exploiting it, by spoofing my customer's IP. (?) > > > > I'd be very grateful if anyone with relevant expertise or experience > > would share some information with me (and the rest of the list). > > Thank you all very much, for your valuable time and knowledge. > > I'd be lost without you :�) > > > > Sincerely, > > -- > > David Black > > Houston, TX > > > > suspicious maillog events follow... > > > > Feb 25 14:03:11 www sendmail[18401]: h1PK3Ab18401: > > from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, > > relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx] > > > > > > ('size=0' repeats 77 times between 14:03:11 and 14:04:09) > > > > > > Feb 25 14:04:09 www sendmail[18874]: h1PK48b18874: > > from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, > > relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx] > > > > Feb 25 14:04:14 www sendmail[18876]: h1PK4Db18876: > > from=<>, size=2649, class=0, nrcpts=1, > > msgid=<[EMAIL PROTECTED]>, > > proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net > [xx.xx.xxx.xxx] > > > > Feb 25 14:04:14 www sendmail[18879]: h1PK4Eb18879: > > from=<>, size=2571, class=0, nrcpts=1, > > msgid=<[EMAIL PROTECTED]>, > > proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net > [xx.xx.xxx.xxx] > > > > Feb 25 14:04:15 www sendmail[18882]: h1PK4Fb18882: > > from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, > > relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx] > > > > Feb 25 14:04:15 www sendmail[18883]: h1PK4Fb18883: > > from=<>, size=2901, class=0, nrcpts=1, > > msgid=<[EMAIL PROTECTED]>, > > proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net > [xx.xx.xxx.xxx] > > > > > > (119 lines - snipped - similar pattern: 1 or 2 'size=0', then 1 or 2 > > successful relays) > > > > > > Feb 25 14:05:13 www sendmail[19525]: h1PK5Cb19525: > > from=<>, size=2842, class=0, nrcpts=1, > > msgid=<[EMAIL PROTECTED]>, > > proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net > [xx.xx.xxx.xxx] > > > > > > (108 more successful relays - snipped - ) > > > > > > Feb 25 14:06:47 www sendmail[20347]: h1PK6lb20347: > > from=<>, size=2790, class=0, nrcpts=1, > > msgid=<[EMAIL PROTECTED]>, > > proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net > [xx.xx.xxx.xxx] > > > > (this (above) was the last related event, for several hours) > > > > _______________________________________________ > > cobalt-security mailing list > > [EMAIL PROTECTED] > > http://list.cobalt.com/mailman/listinfo/cobalt-security > > > > > --__--__-- > > Message: 3 > Date: Wed, 26 Feb 2003 10:21:39 +0300 > From: "aljuhani" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Subject: RE: [cobalt-security] spoofed spam slipping through pop before relay? > Reply-To: [EMAIL PROTECTED] > > Hello, > > Situation could be that as your Client having a DSL connection > with a static IP address, They: > > Have an Exchange Server for email that relay ougoing email > to the Internet through your SMTP service as thier domain is > hosted on your server. > > -What is happening- > > Thier Mail Exchanger or whatever mail server have an Open > Relay SMTP. If that is the case, then a spammer will only need > thier static IP and use it as SMTP gateway and therefore your > server is acceping these messages as your Client Server I think > is doing POP before SMTP (i.e checking email before sending any > outgoing message). > > -Solution- > > There is no solution for this from your side other than blocking > your client or individual emails. Your client has to apply > Pop before SMTP or SMTP Access Limitation to his mail server. > > In your message you masked the dsl IP of your client but > anyway just to verify you can test thier IP address if > open relay using telnet or from this website > http://www.abuse.net/relay.html . > > Regards, > Al-Juhani > [EMAIL PROTECTED]' > > ==Original Message== > > David Black [EMAIL PROTECTED] > Tue, 25 Feb 2003 18:38:38 -0600 > > I think someone is relaying spam through our servers, by spoofing > their originating IP, so the spam appears to come from one of my > legitimate hosting customers' home IP addresses. > > I've noticed a repeating pattern of short bursts, similar to the events > listed below... which seem to last from 2 - 5 minutes each. Since my > up-to-date RaQ4 includes pop-before-relay (with a 5 minute window), > I'm wondering if the spoofer is randomly catching my customer's > relay window, then exploiting it, by spoofing my customer's IP. (?) > > I'd be very grateful if anyone with relevant expertise or experience > would share some information with me (and the rest of the list). > Thank you all very much, for your valuable time and knowledge. > I'd be lost without you :�) > > Sincerely, > -- > David Black > Houston, TX > > suspicious maillog events follow... > > Feb 25 14:03:11 www sendmail[18401]: h1PK3Ab18401: > from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, > relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx] > > > ('size=0' repeats 77 times between 14:03:11 and 14:04:09) > > > Feb 25 14:04:09 www sendmail[18874]: h1PK48b18874: > from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, > relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx] > > Feb 25 14:04:14 www sendmail[18876]: h1PK4Db18876: > from=<>, size=2649, class=0, nrcpts=1, > msgid=<[EMAIL PROTECTED]>, > proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx] > > Feb 25 14:04:14 www sendmail[18879]: h1PK4Eb18879: > from=<>, size=2571, class=0, nrcpts=1, > msgid=<[EMAIL PROTECTED]>, > proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx] > > Feb 25 14:04:15 www sendmail[18882]: h1PK4Fb18882: > from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, > relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx] > > Feb 25 14:04:15 www sendmail[18883]: h1PK4Fb18883: > from=<>, size=2901, class=0, nrcpts=1, > msgid=<[EMAIL PROTECTED]>, > proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx] > > > (119 lines - snipped - similar pattern: 1 or 2 'size=0', then 1 or 2 > successful relays) > > > Feb 25 14:05:13 www sendmail[19525]: h1PK5Cb19525: > from=<>, size=2842, class=0, nrcpts=1, > msgid=<[EMAIL PROTECTED]>, > proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx] > > > (108 more successful relays - snipped - ) > > > Feb 25 14:06:47 www sendmail[20347]: h1PK6lb20347: > from=<>, size=2790, class=0, nrcpts=1, > msgid=<[EMAIL PROTECTED]>, > proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx] > > (this (above) was the last related event, for several hours) > > > > --__--__-- > > _______________________________________________ > cobalt-security mailing list > [EMAIL PROTECTED] > http://list.cobalt.com/mailman/listinfo/cobalt-security > > > End of cobalt-security Digest _______________________________________________ cobalt-security mailing list [EMAIL PROTECTED] http://list.cobalt.com/mailman/listinfo/cobalt-security
