On 6/22/2010 5:02 PM, Eric Shubert wrote:
You need to track a message back to the smtp log, and see which user account was used to submit it. Then change that password.

If you're having trouble with that, show us some of the queue again, and we'll go from there.

Rafael Andrade wrote:
The problem continues :(

The queue is full of messages again


Rafael Andrade escreveu:
Now my new tcp.smtp  and qmailctl cdb done.
192.168.1.:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="120",CHKUSER_WRONGRCPTLIMIT="10",DKVERIFY="DEGIJKfh",QMAILQUEUE ="/var/qmail/bin/simscan",DKQUEUE="",DKSIGN="/var/qmail/control/domainkeys/%/private",NOP0FCHECK="1" 189.72.77.72:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="120",CHKUSER_WRONGRCPTLIMIT="10",DKVERIFY="DEGIJKfh",QMAILQUE UE="/var/qmail/bin/simscan",DKQUEUE="",DKSIGN="/var/qmail/control/domainkeys/%/private",NOP0FCHECK="1" :allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/simscan",DKSIG
N="/var/qmail/control/domainkeys/%/private",NOP0FCHECK="1"

I disable my roundcube ( yes, is up-to-date, and now disabled my users dont use webmail, but to access webmail page need htpasswd in apache ).

Thanks so much Eric




Eric Shubert escreveu:
Your 192.168.1. subnet is an open relay. I'd shut that down, at least for the time being. What's coming from there?

What's in your smtp log that corresponds to the messages in the queue? That should give an indication of where they're coming from.

Roundcube had some security issues at one point some time ago. Is your roundcube up to date?

This happened to my production machine several months back and it was my account that I used for Imap, which stayed up and connected at all times 24/7 so all it took was a traffic watch on my public network to see what the passwd was being used in the clear(bad idea). The server was at its knees and calls were coming in from all over the network. I could barely read a log file. isolate the address in your maillog files. I always do a tail -f /var/log/qmail/smtp/current |grep <the name of the most listed email address in que> this will tell you where its coming from and to. look at times and dates in the que when it was sent. If they are within seconds or minutes of each other then that would be a suspect. If it is suspect then by reviewing a snapshot of those logs the from <sen...@domain> should be revealed. This is what you are looking for. Then do what Eric is saying about the account. One more step I would take is to do a netstat -an |grep CONNECTED |grep :25 to see how many connections are made with the same ip to your machine. If more than 3 or 4 then it would be the suspect for triggering the attack. Do a lookup on the ip and see if it is listed on any RBLs. If so block it with an iptables drop rule.
--Dave



---------------------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
     If you need professional help with your setup, contact them today!
---------------------------------------------------------------------------------
    Please visit qmailtoaster.com for the latest news, updates, and packages.
To unsubscribe, e-mail: [email protected]
    For additional commands, e-mail: [email protected]


Reply via email to