I don't think so. The hacker is trying to authenticate, and failing. Greylisting would prohibit mail from being received, but the problem occurs before an email is transmitted.
Thanks for the suggestion though.
--
-Eric 'shubes'

On 03/01/2011 06:38 PM, Carlos Herrera Polo wrote:
Does the greylisting process not work for this problem?


2011/3/1, Eric Shubert<e...@shubes.net>:
Sergio,

.) Be sure you're running the latest spamdyke (4.2.0). 4.1.x versions
had a bug where rejected sessions would not terminate immediately,
causing excessive idle smtp sessions (and ultimately TIMEOUTs). That may
not be affecting you, but you should check to be sure. Run
qtp-install-spamdyke to upgrade to the latest version.

.) I would recommend installing fail2ban. This will automatically ban IP
addresses which have several failed login attempts. There doesn't appear
to be a wiki page about this yet (ANY TAKERS??), but you should find
info about it in the list archives. Someone here should be able to help
if you run into difficulty with it. (Not me though, as I haven't
implemented it yet).

.) 25 smtp sessions is rather low. I've seen a Celeron 1GHz processor
handle twice that number. You might need to bump up the spamassassin
child processes to get there, but it should be doable. What are your HW
specs?

That's all that comes to my mind right now. Let us know how you make out.

--
-Eric 'shubes'

On 03/01/2011 05:25 PM, Sergio M wrote:
Hi there list,
I have been under heavy traffic since Sunday, and it's been using all my
inbound connections.
I have a QMT updated box, running the latest spamdyke:
# qtp-whatami
qtp-whatami v0.3.7 Tue Mar 1 21:14:03 ART 2011
DISTRO=CentOS
OSVER=5.5
QTARCH=x86_64
QTKERN=2.6.18-194.32.1.el5
BUILD_DIST=cnt5064
BUILD_DIR=/usr/src/redhat
This machine's OS is supported and has been tested


Even though spamdyke does not let the spammers relay the mail, I still
get all the connections used, making it very hard for authenticated
users to send mail.
For now I stopped smtpd, but I want to see if you guys have some other
thoughts on how to solve this.

If I look at the maillog, I see LOTS of entries like these:
Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 201.0.152.106 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:38 mail spamdyke[31071]: FILTER_RBL_MATCH ip: 201.43.79.201 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail spamdyke[31075]: FILTER_BLACKLIST_IP ip: 187.106.1.158 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:38 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:201.250.40.202
Feb 27 14:57:38 mail spamdyke[31080]: FILTER_RBL_MATCH ip: 201.81.74.149 rbl: zen.spamhaus.org
Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70
Feb 27 14:57:39 mail spamdyke[31084]: FILTER_RDNS_RESOLVE ip: 189.106.88.244 rdns: 189106088244.user.veloxzone.com.br
Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.43.79.201
Feb 27 14:57:40 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.106.88.244
Feb 27 14:57:41 mail spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 200.105.97.83 rdns: rev.97.83-telecablecr.com
Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:187.106.1.158
Feb 27 14:57:42 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.0.152.106
Feb 27 14:57:42 mail spamdyke[31094]: FILTER_RBL_MATCH ip: 93.39.224.8 rbl: zen.spamhaus.org
Feb 27 14:57:42 mail vpopmail[31098]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:200.45.73.226
Feb 27 14:57:43 mail spamdyke[31100]: FILTER_RBL_MATCH ip: 189.54.236.113 rbl: zen.spamhaus.org
Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip: 187.119.172.80 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.114.176.151
Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:44 mail vpopmail[31110]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:93.39.224.8

So I guess some botnet is trying to relay mail by guessing a specific
domain user's passwords. Most of the attempts are blocked by RBL
checking, but each one still creates a connection.

Looking at # cat /var/log/qmail/smtp/current | tai64nlocal
2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 189.6.164.77
2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.myhost.com.ar:11.22.33.44:25 :189.6.164.77::37629
2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 190.172.129.24
2011-03-01 20:54:02.157530500 tcpserver: ok 4881 mail.myhost.com.ar:11.22.33.44:25 :190.172.129.24::14782
2011-03-01 20:54:05.433208500 tcpserver: end 4857 status 0
2011-03-01 20:54:05.433211500 tcpserver: status: 24/25
2011-03-01 20:54:05.433212500 tcpserver: status: 25/25
2011-03-01 20:54:05.433213500 tcpserver: pid 4903 from 189.78.49.139
2011-03-01 20:54:05.433215500 tcpserver: ok 4903 mail.myhost.com.ar:11.22.33.44:25 :189.78.49.139::36877
2011-03-01 20:54:06.075161500 tcpserver: end 4800 status 0
2011-03-01 20:54:06.075164500 tcpserver: status: 24/25
2011-03-01 20:54:06.075165500 tcpserver: status: 25/25
2011-03-01 20:54:06.075166500 tcpserver: pid 4908 from 186.114.65.254
2011-03-01 20:54:06.075168500 tcpserver: ok 4908 mail.myhost.com.ar:11.22.33.44:25 :186.114.65.254::13026
2011-03-01 20:54:06.441699500 tcpserver: end 4821 status 0
2011-03-01 20:54:06.441702500 tcpserver: status: 24/25
2011-03-01 20:54:06.441735500 tcpserver: status: 25/25
You see how it got clogged with incoming connections.

So, any ideas or tips to help me solve this?
For now, smtpd is stopped.

thanks a lot!
-Sergio

---------------------------------------------------------------------------------

Qmailtoaster is sponsored by Vickers Consulting Group
(www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
If you need professional help with your setup, contact them today!



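The following script is an added example, not code from this thread or from the Qmailtoaster, spamdyke, vpopmail or fail2ban projects. It works through what Sergio's two log excerpts and Eric's fail2ban suggestion imply: it parses vpopmail "vchkpw-smtp: password fail" lines from the maillog, applies fail2ban's per-IP model (maxretry failures within findtime seconds; the `host` group of FAIL_RE is what a fail2ban failregex would capture as <HOST>), and then shows the caveat the maillog above already exhibits: the same account is tried from many different addresses, one attempt each, so a per-IP ban only catches sources that repeat, while a per-account view of distinct source IPs exposes the distributed guessing. It also summarises tcpserver "status: current/limit" reports from the tai64nlocal-decoded smtp/current log to quantify how saturated the connection limit is. The sample log lines are constructed to match the formats quoted above; every address, account and password in them is invented.

```python
"""Triage helpers for a distributed SMTP AUTH guessing run (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# vpopmail's vchkpw-smtp failure line.  The 'host' group is what a fail2ban
# failregex would capture as <HOST>.  vpopmail logs the attempted password
# in clear text, so the maillog itself must be treated as sensitive.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ vpopmail\[\d+\]: "
    r"vchkpw-smtp: password fail \(pass: '.*'\) "
    r"(?P<user>\S+):(?P<host>\d{1,3}(?:\.\d{1,3}){3})$"
)
# tcpserver's concurrency report after tai64nlocal: "status: current/limit".
STATUS_RE = re.compile(r"tcpserver: status: (\d+)/(\d+)$")

# Constructed sample input in the maillog format quoted in the thread
# (invented hosts, accounts and passwords; the spamdyke line is there to
# show that non-auth lines are skipped).
SAMPLE_MAILLOG = """\
Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 198.51.100.9 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'guess1') alice@example.com:203.0.113.10
Feb 27 14:57:40 mail vpopmail[31076]: vchkpw-smtp: password fail (pass: 'guess1') alice@example.com:203.0.113.11
Feb 27 14:57:42 mail vpopmail[31080]: vchkpw-smtp: password fail (pass: 'guess1') alice@example.com:203.0.113.12
Feb 27 14:57:44 mail vpopmail[31084]: vchkpw-smtp: password fail (pass: 'guess1') alice@example.com:203.0.113.13
Feb 27 14:58:01 mail vpopmail[31090]: vchkpw-smtp: password fail (pass: 'guess2') bob@example.com:198.51.100.7
Feb 27 14:58:03 mail vpopmail[31091]: vchkpw-smtp: password fail (pass: 'guess3') bob@example.com:198.51.100.7
Feb 27 14:58:05 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'guess4') bob@example.com:198.51.100.7
Feb 27 14:58:07 mail vpopmail[31093]: vchkpw-smtp: password fail (pass: 'guess5') bob@example.com:198.51.100.7
Feb 27 14:58:09 mail vpopmail[31094]: vchkpw-smtp: password fail (pass: 'guess6') bob@example.com:198.51.100.7
Feb 27 15:30:00 mail vpopmail[31200]: vchkpw-smtp: password fail (pass: 'typo') carol@example.com:192.0.2.50
"""

# Constructed sample input in the smtp/current format quoted in the thread.
SAMPLE_SMTP_CURRENT = """\
2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 203.0.113.20
2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.example.com:192.0.2.25:25 :203.0.113.20::37629
2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
2011-03-01 20:54:05.433208500 tcpserver: end 4857 status 0
2011-03-01 20:54:05.433211500 tcpserver: status: 24/25
2011-03-01 20:54:05.433212500 tcpserver: status: 25/25
"""


def parse_failures(lines):
    """Return (timestamp, account, source_ip) for every vchkpw-smtp failure."""
    out = []
    for line in lines:
        m = FAIL_RE.match(line.rstrip("\n"))
        if m:
            # syslog timestamps carry no year; strptime defaults to 1900, which
            # is fine for the relative windows used below.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            out.append((ts, m.group("user"), m.group("host")))
    return out


def ips_to_ban(failures, maxretry=5, findtime=600):
    """IPs with >= maxretry failures inside some findtime-second window (fail2ban's per-IP model)."""
    by_host = defaultdict(list)
    for ts, _user, host in failures:
        by_host[host].append(ts)
    banned = set()
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(host)
                break
    return banned


def targeted_accounts(failures, min_sources=3):
    """Accounts tried from >= min_sources distinct IPs: the distributed case a per-IP ban misses."""
    sources = defaultdict(set)
    for _ts, user, host in failures:
        sources[user].add(host)
    return {u: len(s) for u, s in sources.items() if len(s) >= min_sources}


def tcpserver_saturation(lines):
    """(limit, peak concurrency, share of status reports at the limit), or None if no reports."""
    seen, limit = [], None
    for line in lines:
        m = STATUS_RE.search(line)
        if m:
            seen.append(int(m.group(1)))
            limit = int(m.group(2))
    if not seen:
        return None
    return limit, max(seen), sum(1 for c in seen if c >= limit) / len(seen)


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_MAILLOG.splitlines())
    print("per-IP ban candidates:", sorted(ips_to_ban(fails)))
    print("accounts hit from many IPs:", targeted_accounts(fails))
    print("tcpserver (limit, peak, share at limit):",
          tcpserver_saturation(SAMPLE_SMTP_CURRENT.splitlines()))
```

On the constructed input the per-IP rule bans only the one address that repeats, while the account tried once from each of four addresses is reported by `targeted_accounts` and would pass a fail2ban jail untouched; in a real run the second list is the one to act on (lock or force a password change for the account, since the guessing is aimed at it rather than at the server). The second number in each tcpserver status report is the concurrency limit set with `tcpserver -c`; a log that alternates 24/25 and 25/25, as Sergio's does, means every freed slot is retaken immediately, which is what the saturation share measures.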