OS Restore.

----- Original Message -----
From: "paulo.cabral" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, February 27, 2003 10:42 AM
Subject: [cobalt-security] Re: cobalt-security digest, Vol 1 #1101 - 3 msgs

> My cobalt model Raq - 4 has lost the directory SBIN
> After it lost its directory. It doesn't reboot and on the display screen in
> lcd kernel loading.
> I copied S-BIN from another Cobalt, but did not work. I also tried a ghost
> from another cobalt, but I could not sort the problem.
> If you have any idea, how to solve this!
> Please e-mail me.
> I will appreciate your help.
>
>
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, February 26, 2003 5:00 PM
> Subject: cobalt-security digest, Vol 1 #1101 - 3 msgs
>
>
> > Send cobalt-security mailing list submissions to
> > [EMAIL PROTECTED]
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> > http://list.cobalt.com/mailman/listinfo/cobalt-security
> > or, via email, send a message with subject or body 'help' to
> > [EMAIL PROTECTED]
> >
> > You can reach the person managing the list at
> > [EMAIL PROTECTED]
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of cobalt-security digest..."
> >
> >
> > Today's Topics:
> >
> > 1. spoofed spam slipping through pop before relay? (David Black)
> > 2. Re: spoofed spam slipping through pop before relay? (Rashid Abdullah)
> > 3. RE: spoofed spam slipping through pop before relay? (aljuhani)
> >
> > --__--__--
> >
> > Message: 1
> > From: "David Black" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Date: Tue, 25 Feb 2003 18:38:38 -0600
> > Organization: SiteDesignAndHosting.com
> > Subject: [cobalt-security] spoofed spam slipping through pop before relay?
> > Reply-To: [EMAIL PROTECTED]
> >
> > I think someone is relaying spam through our servers, by spoofing
> > their originating IP, so the spam appears to come from one of my
> > legitimate hosting customers' home IP addresses.
> >
> > I've noticed a repeating pattern of short bursts, similar to the events
> > listed below... which seem to last from 2 - 5 minutes each. Since my
> > up-to-date RaQ4 includes pop-before-relay (with a 5 minute window),
> > I'm wondering if the spoofer is randomly catching my customer's
> > relay window, then exploiting it, by spoofing my customer's IP. (?)
> >
> > I'd be very grateful if anyone with relevant expertise or experience
> > would share some information with me (and the rest of the list).
> > Thank you all very much, for your valuable time and knowledge.
> > I'd be lost without you :-)
> >
> > Sincerely,
> > --
> > David Black
> > Houston, TX
> >
> > suspicious maillog events follow...
> >
> > Feb 25 14:03:11 www sendmail[18401]: h1PK3Ab18401:
> > from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA,
> > relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
> >
> >
> > ('size=0' repeats 77 times between 14:03:11 and 14:04:09)
> >
> >
> > Feb 25 14:04:09 www sendmail[18874]: h1PK48b18874:
> > from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA,
> > relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
> >
> > Feb 25 14:04:14 www sendmail[18876]: h1PK4Db18876:
> > from=<>, size=2649, class=0, nrcpts=1,
> > msgid=<[EMAIL PROTECTED]>,
> > proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
> >
> > Feb 25 14:04:14 www sendmail[18879]: h1PK4Eb18879:
> > from=<>, size=2571, class=0, nrcpts=1,
> > msgid=<[EMAIL PROTECTED]>,
> > proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
> >
> > Feb 25 14:04:15 www sendmail[18882]: h1PK4Fb18882:
> > from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA,
> > relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
> >
> > Feb 25 14:04:15 www sendmail[18883]: h1PK4Fb18883:
> > from=<>, size=2901, class=0, nrcpts=1,
> > msgid=<[EMAIL PROTECTED]>,
> > proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
> >
> >
> > (119 lines - snipped - similar pattern: 1 or 2 'size=0', then 1 or 2
> > successful relays)
> >
> >
> > Feb 25 14:05:13 www sendmail[19525]: h1PK5Cb19525:
> > from=<>, size=2842, class=0, nrcpts=1,
> > msgid=<[EMAIL PROTECTED]>,
> > proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
> >
> >
> > (108 more successful relays - snipped - )
> >
> >
> > Feb 25 14:06:47 www sendmail[20347]: h1PK6lb20347:
> > from=<>, size=2790, class=0, nrcpts=1,
> > msgid=<[EMAIL PROTECTED]>,
> > proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
> >
> > (this (above) was the last related event, for several hours)
> >
> >
> > --__--__--
> >
> > Message: 2
> > From: "Rashid Abdullah" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Subject: Re: [cobalt-security] spoofed spam slipping through pop before relay?
> > Date: Tue, 25 Feb 2003 14:52:42 -1000
> > Reply-To: [EMAIL PROTECTED]
> >
> > David,
> >
> > Read this page (http://www.solarspeed.net/kb/659.php) and pay attention to
> > the mention of Formmail.pl. I think this may solve your problem, it did it
> > for me.
> >
> > -Rashid
> >
> > --__--__--
> >
> > Message: 3
> > Date: Wed, 26 Feb 2003 10:21:39 +0300
> > From: "aljuhani" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Subject: RE: [cobalt-security] spoofed spam slipping through pop before relay?
> > Reply-To: [EMAIL PROTECTED]
> >
> > Hello,
> >
> > Situation could be that as your Client having a DSL connection
> > with a static IP address, They:
> >
> > Have an Exchange Server for email that relay outgoing email
> > to the Internet through your SMTP service as their domain is
> > hosted on your server.
> >
> > -What is happening-
> >
> > Their Mail Exchanger or whatever mail server have an Open
> > Relay SMTP. If that is the case, then a spammer will only need
> > their static IP and use it as SMTP gateway and therefore your
> > server is accepting these messages as your Client Server I think
> > is doing POP before SMTP (i.e. checking email before sending any
> > outgoing message).
> >
> > -Solution-
> >
> > There is no solution for this from your side other than blocking
> > your client or individual emails. Your client has to apply
> > Pop before SMTP or SMTP Access Limitation to his mail server.
> >
> > In your message you masked the dsl IP of your client but
> > anyway just to verify you can test their IP address if
> > open relay using telnet or from this website
> > http://www.abuse.net/relay.html .
> >
> > Regards,
> > Al-Juhani
> > [EMAIL PROTECTED]
> >
> > --__--__--
> >
> > End of cobalt-security Digest

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
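
The burst pattern David Black describes (many `from=<>` records from one relay within a couple of minutes, mixing `size=0` entries with delivered messages) can be summarised per relay directly from the maillog. This is an added example, not part of the original thread; the sample lines, hostnames, addresses and thresholds are constructed assumptions, and each log entry is assumed to sit unwrapped on one line.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One sendmail "from=" record per line, as written to maillog (unwrapped).
FROM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssendmail\[\d+\]:\s\w+:\s"
    r"from=(?P<sender>[^,]*),\ssize=(?P<size>\d+),.*?relay=(?P<relay>.+)$"
)

def find_bursts(lines, year=2003, max_gap=timedelta(seconds=60), min_msgs=5):
    """Per relay, group from=<> records into runs with gaps <= max_gap; keep runs >= min_msgs."""
    per_relay = defaultdict(list)
    for line in lines:
        m = FROM_RE.match(line.strip())
        if not m or m["sender"] != "<>":
            continue  # not a from= record, or a normal envelope sender
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog has no year
        per_relay[m["relay"]].append((ts, int(m["size"])))
    bursts = []
    for relay, events in per_relay.items():
        events.sort()
        start = 0
        for i in range(1, len(events) + 1):
            # close the current run at end of data or when the gap is too long
            if i == len(events) or events[i][0] - events[i - 1][0] > max_gap:
                run = events[start:i]
                if len(run) >= min_msgs:
                    bursts.append({
                        "relay": relay, "start": run[0][0], "end": run[-1][0],
                        "empty": sum(1 for _, size in run if size == 0),
                        "with_body": sum(1 for _, size in run if size > 0),
                    })
                start = i
    return bursts

def sample_lines():
    """Constructed maillog lines; hostnames and addresses are placeholders."""
    relay = "customer-dsl.example.net [192.0.2.10]"
    rows = [("14:03:11", 0), ("14:03:30", 0), ("14:04:09", 0),
            ("14:04:14", 2649), ("14:04:15", 2901), ("14:05:13", 2842)]
    lines = [f"Feb 25 {t} www sendmail[{18401 + i}]: h1PK{i:02d}b{18401 + i}: from=<>, "
             f"size={s}, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay={relay}"
             for i, (t, s) in enumerate(rows)]
    lines.append("Feb 25 14:04:20 www sendmail[19000]: h1PK99b19000: from=<user@example.com>, "
                 "size=900, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=other.example.org [198.51.100.7]")
    return lines

if __name__ == "__main__":
    print(find_bursts(sample_lines()))
```

Each returned burst gives the relay, the time span, and how many null-sender records were empty versus carried a body, which is the ratio the thread's log excerpt hints at.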
