On 6/22/2010 5:02 PM, Eric Shubert wrote:
You need to track a message back to the smtp log, and see which user
account was used to submit it. Then change that password.
If you're having trouble with that, show us some of the queue again,
and we'll go from there.
Rafael Andrade wrote:
The problem continues :(
The queue is full of messages again
Rafael Andrade escreveu:
Now my new tcp.smtp and qmailctl cdb done.
192.168.1.:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="120",CHKUSER_WRONGRCPTLIMIT="10",DKVERIFY="DEGIJKfh",QMAILQUEUE
="/var/qmail/bin/simscan",DKQUEUE="",DKSIGN="/var/qmail/control/domainkeys/%/private",NOP0FCHECK="1"
189.72.77.72:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="120",CHKUSER_WRONGRCPTLIMIT="10",DKVERIFY="DEGIJKfh",QMAILQUE
UE="/var/qmail/bin/simscan",DKQUEUE="",DKSIGN="/var/qmail/control/domainkeys/%/private",NOP0FCHECK="1"
:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/simscan",DKSIG
N="/var/qmail/control/domainkeys/%/private",NOP0FCHECK="1"
I disable my roundcube ( yes, is up-to-date, and now disabled my
users dont use webmail, but to access webmail page need htpasswd in
apache ).
Thanks so much Eric
Eric Shubert escreveu:
Your 192.168.1. subnet is an open relay. I'd shut that down, at
least for the time being. What's coming from there?
What's in your smtp log that corresponds to the messages in the
queue? That should give an indication of where they're coming from.
Roundcube had some security issues at one point some time ago. Is
your roundcube up to date?
This happened to my production machine several months back and it was my
account that I used for Imap, which stayed up and connected at all times
24/7 so all it took was a traffic watch on my public network to see what
the passwd was being used in the clear(bad idea). The server was at its
knees and calls were coming in from all over the network. I could barely
read a log file.
isolate the address in your maillog files. I always do a tail -f
/var/log/qmail/smtp/current |grep <the name of the most listed email
address in que> this will tell you where its coming from and to.
look at times and dates in the que when it was sent. If they are within
seconds or minutes of each other then that would be a suspect. If it is
suspect then by reviewing a snapshot of those logs the from
<sen...@domain> should be revealed. This is what you are looking for.
Then do what Eric is saying about the account.
One more step I would take is to do a netstat -an |grep CONNECTED
|grep :25 to see how many connections are made with the same ip to your
machine. If more than 3 or 4 then it would be the suspect for triggering
the attack. Do a lookup on the ip and see if it is listed on any RBLs.
If so block it with an iptables drop rule.
--Dave
---------------------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group
(www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
If you need professional help with your setup, contact them today!
---------------------------------------------------------------------------------
Please visit qmailtoaster.com for the latest news, updates, and packages.
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]