https://bugs.koozali.org/show_bug.cgi?id=11771

[email protected] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #13 from [email protected] ---
(In reply to John Crisp from comment #2)
> Ooooh that looks ugly. Need to close that off fast.
> 
> This is one for JP to look at.

It's been dire for me - the unwitting victim. Once it is fixed I will have to
get our IP off all the blacklists. And it is not at all straightforward doing
that with outlook/live/hotmail.

This is the 4th long day I've spent on chasing all this down. Open ports on a
new smeserver10 install and after a week some botnet finds it and off we go...

I installed fail2ban which seems to work but of course the open relay sidesteps
that entirely. It does seem to be detecting the various bots testing user names
and passwords and jailing them for a while so that will be a good thing.

It took 3 days for me to find the open relay because I was focusing on password
changing and all that entailed.

I'm going to suggest a contrib that watches for breaches like this. In this
present case of ours it wasn't an exposed password but if one were exposed the
same could happen again.

The emails the bot sent, over 40k of them before I managed to stop it, could
easily be identified by a monitor of some sort. Each email had around 100 "To"
addresses and there were multiple copies with the same content and "to" and
"reply to" quite unrelated to us.

Clearly there should be a default setting to ensure that a mass mailing (defined
in some simple way) is held for specific management approval, or rejection,
before qmail sends it on its way. If a mass mailing was needed it could perhaps
be identified and approved in advance by a one time token in the email.

A further major complication is that qmail/qpsmtpd insisted on trying to resend
the rejected ones and now, by some mysterious process (I cannot find what is
doing it), it is trying to notify the bounces to the target domains. I think I
might have switched those off with the devnull option.

I did have smeadmin on and it was diligently reporting to me that I had 1000+
outgoing emails every 5 minutes but I didn't see those as it started on Friday
night and I was out all day on Saturday. It had a clear run of 20+ hours.

So yes John - it's been a major problem and will continue thus for several more
days, perhaps weeks.

-- 
Mail for each SME Contribs bug report
Searchable archive at https://lists.contribs.org/mailman/public/contribteam/
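One way a monitor of the kind suggested in comment #13 could score outgoing mail, as an added example that is not part of the bug report, of SME Server or of qmail/qpsmtpd. It parses a small constructed queue of messages with Python's standard email library, flags the three indicators named in the comment (around 100 "To" addresses on one message, multiple copies with the same body, a "Reply-To" domain unrelated to the local domain), and implements the proposed hold-unless-pre-approved rule with a one-time token. The header name X-Mass-Mail-Token, the thresholds, the local domain and the sample messages are assumptions made for the example.

```python
"""Score outgoing messages for the relay-abuse pattern described in the bug
comment and decide whether a mass mailing should be held for approval.

Added example; not code from the bug report, SME Server or qpsmtpd.
All messages below are constructed; thresholds and names are assumptions.
"""
import email
import hashlib
from collections import Counter
from email import policy
from email.utils import getaddresses, parseaddr

LOCAL_DOMAINS = {"example.org"}      # assumption: domains this host legitimately mails for
MAX_RECIPIENTS = 50                  # assumption: more To/Cc/Bcc addresses than this is "mass"
DUP_THRESHOLD = 3                    # assumption: same body this many times in a batch is a burst
ONE_TIME_TOKENS = {"tok-8f3a1c"}     # assumption: tokens pre-approved out of band, single use
TOKEN_HEADER = "X-Mass-Mail-Token"   # assumption: header carrying the one-time token


def recipients(msg):
    """All addresses in To/Cc/Bcc; getaddresses splits comma-separated lists."""
    raw = [str(v) for name in ("To", "Cc", "Bcc") for v in msg.get_all(name, [])]
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def body_hash(msg):
    """Short hash of the decoded body so identical copies of a spam collide."""
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content() if part is not None else ""
    return hashlib.sha256(text.encode("utf-8", "replace")).hexdigest()[:16]


def reply_to_domain(msg):
    """Domain of Reply-To (falling back to From), lowercased; '' if unparsable."""
    addr = parseaddr(str(msg.get("Reply-To") or msg.get("From") or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def flag_message(msg):
    """Per-message indicators: recipient count and a foreign Reply-To domain."""
    reasons = []
    count = len(recipients(msg))
    if count > MAX_RECIPIENTS:
        reasons.append(f"{count} recipients")
    domain = reply_to_domain(msg)
    if domain and domain not in LOCAL_DOMAINS:
        reasons.append(f"reply-to domain {domain} not local")
    return reasons


def scan_queue(raw_messages):
    """Return {index: [reasons]} for messages that look like a relay-abuse burst.

    Duplicate-content detection needs the whole batch, so it is done here
    rather than per message.
    """
    msgs = [email.message_from_string(r, policy=policy.default) for r in raw_messages]
    hashes = [body_hash(m) for m in msgs]
    copies = Counter(hashes)
    flagged = {}
    for i, (m, h) in enumerate(zip(msgs, hashes)):
        reasons = flag_message(m)
        if copies[h] >= DUP_THRESHOLD:
            reasons.append(f"body seen {copies[h]} times in batch")
        if reasons:
            flagged[i] = reasons
    return flagged


def should_hold(raw_message, tokens):
    """Policy from the comment: hold a mass mailing for approval unless it
    carries a valid one-time token, which is consumed so it cannot be replayed."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    if len(recipients(msg)) <= MAX_RECIPIENTS:
        return False                      # ordinary mail, let it through
    token = str(msg.get(TOKEN_HEADER) or "").strip()
    if token in tokens:
        tokens.discard(token)             # single use: approved once, never again
        return False
    return True


def _spam(n):
    """Constructed message in the shape described: ~100 recipients, foreign Reply-To."""
    tos = ", ".join(f"victim{i}@elsewhere.test" for i in range(n))
    return ("From: noreply@example.org\r\n"
            f"To: {tos}\r\n"
            "Reply-To: win@lottery.test\r\n"
            "Subject: You won\r\n"
            "Content-Type: text/plain\r\n\r\n"
            "Claim your prize now\r\n")


SAMPLE_QUEUE = [_spam(100), _spam(100), _spam(100),
                "From: alice@example.org\r\nTo: bob@example.org\r\n"
                "Subject: lunch\r\nContent-Type: text/plain\r\n\r\nNoon?\r\n"]

if __name__ == "__main__":
    for idx, why in scan_queue(SAMPLE_QUEUE).items():
        print(f"message {idx}: " + "; ".join(why))
    print("hold first spam:", should_hold(SAMPLE_QUEUE[0], set(ONE_TIME_TOKENS)))
```

Run stand-alone it reports the three spam copies and lets Alice's one-recipient message through. The per-message checks could be applied at the qpsmtpd plugin stage, while the duplicate-body check needs a window of recent messages, so in practice the two halves live in different places.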