Re: How to stop SPAMMER??!

2002-11-11 Thread W. D.
At 09:00 11/11/2002, Joan Picanyol i Puig wrote:
> * W. D. [EMAIL PROTECTED] [20021110 14:00]:
> > lrwxr-xr-x  1 root  wheel  33 Dec 10  2001 sendmail -> /usr/local/psa/qmail/bin/sendmail
> >
> > Using qmail.  How to configure to avoid spam?  What is the name of
> > configuration file?
> You did _NOT_ install qmail following the instructions.

You are right.  I didn't install it at all!  It was installed as 
per Plesk Server Administrator:
http://www.Google.com/search?q=qmail+site%3APlesk.com
I'll check deeper into this.

> qmail is to be
> installed in /var/qmail. qmail's standard install instructions do not
> configure an open relay, you have done it yourself.
>
> Please:
>
> 1.- close port 25 while reconfiguring qmail

How?

> 2.- reinstall qmail. The Way To Go instructions are found at
> http://www.lifewithqmail.org. Follow these instructions _to the letter_

Thanks for this link!

> 3.- open port 25 for a safe and reliable email server
>
> qvb
> -- 
> pica

To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message

Start Here to Find It Fast!© - http://www.US-Webmasters.com/best-start-page/





Re: How to stop SPAMMER??!

2002-11-11 Thread Joan Picanyol i Puig
> > 1.- close port 25 while reconfiguring qmail
>
> How?

It depends. Find out who is listening in port 25 (lsof). Kill it. Make
sure it doesn't restart.

qvb
-- 
pica




Re: How to stop SPAMMER??!

2002-11-10 Thread Jack L. Stone
At 12:16 AM 11.10.2002 -0600, W. D. wrote:
At 21:17 11/9/2002, Jack L. Stone wrote:
At 03:04 AM 11.10.2002 +0100, Gustaf Sjoberg wrote:
On Sat, 09 Nov 2002 15:13:09 -0600
W. D. [EMAIL PROTECTED] wrote:

either block incoming port 25 connections or set the smtp server to require
authentication.

ipfw entry could look something like:

add rule# deny log tcp from any to yourip 25 in recv interface

This would completely block SMTP wouldn't it?  I do have clients
on this server using email.





Hi folks,

I've got some bozo from:

SpaWeb1.spaelegance.com..auth

doing all kinds of SMTP activity on my FreeBSD server.  Does anyone
know how to stop this?  What kind of entry would I add to ipfw?

Does anyone know what vulnerability this might be?  How to stop
permanently?


Get the IP of the spammer if possible. I've had to use a total block like
this:
# DENY INTRUDER through external interface
#${fwcmd} add deny all from 66.000.00.000 to any via ${oif}

Where is ${oif} defined?

When I run a command like this it doesn't understand 'fwcmd'.

usw2# {fwcmd} add deny log all from 168.93.100.59/16 to any in via ${oif}
oif: Undefined variable.

usw2# {fwcmd} add deny log all from 168.93.100.59/16 to any in via lo0
fwcmd: Command not found.



Sorry, that was a defined variable in my script:
# Firewall program
fwcmd=/sbin/ipfw

Best regards,
Jack L. Stone,
Administrator

SageOne Net
http://www.sage-one.net
[EMAIL PROTECTED]




Re: How to stop SPAMMER??!

2002-11-10 Thread Warren Block
On Sat, 9 Nov 2002, W. D. wrote:

> At 19:49 11/9/2002, Steve Wingate wrote:
>
> > 2. Are you the recipient of spam or is your box being used as a
> > relay?
>
> Relay.

If your system is an open relay, close it. I have no idea how to do
that with qmail--a web search will help.

In fact, if your system is an open relay, you should disconnect it from
the net until you have it closed.  There are two reasons for that.  The
first is to stop the abuse of your system.  The second is to keep your
system from being added to lists of open relays or spam sources.
 
-Warren Block * Rapid City, South Dakota USA





RE: How to stop SPAMMER??!

2002-11-10 Thread Derrick Ryalls


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:owner-freebsd-questions;FreeBSD.ORG] On Behalf Of Warren Block
 Sent: Sunday, November 10, 2002 10:50 AM
 To: W. D.
 Cc: [EMAIL PROTECTED]
 Subject: Re: How to stop SPAMMER??!
 
 
 On Sat, 9 Nov 2002, W. D. wrote:
 
  At 19:49 11/9/2002, Steve Wingate wrote:
 
   2. Are you the recipient of spam or is your box being used as a 
  relay?
  
  Relay.
 

http://logicsquad.net/freebsd/qmail-how-to.html

That is the site I used to get a basic qmail system up and running.  The
file which determines who can use qmail to relay is /etc/tcp.smtp

127.0.0.1:allow,RELAYCLIENT=""
192.168.1.:allow,RELAYCLIENT=""
:allow

The first two lines allow localhost and local network to relay using the
box, the third line I believe allows anyone to send mail to the box.  If
the people using your qmail have fairly static ip addys, then just add
them to this file with the relayclient option.  Ranges of ips are
enabled via dropping the last octet as shown in line two above.  After
modifying tcp.smtp, you need to run this line for tcpserver

/usr/local/bin/tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp


Hope this helps.

 
 In fact, if your system is an open relay, you should 
 disconnect it from the net until you have it closed.  There 
 are two reasons for that.  The first is to stop the abuse of 
 your system.  The second is to keep your system from being 
 added to lists of open relays or spam sources.
  
 -Warren Block * Rapid City, South Dakota USA
 
 
 



To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message
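Added example, not part of any message in this thread: a small Python audit of a tcp.smtp rule set like the one posted above, showing which clients end up with RELAYCLIENT set and which rules hand it to addresses outside loopback and private ranges. It handles IPv4 address rules only (no hostname, `info@` or range rules); the function names, the `OPEN` sample and the `INTERNAL` list are assumptions made for the illustration.

```python
import ipaddress

# The three rules from the message above.
POSTED = '127.0.0.1:allow,RELAYCLIENT=""\n192.168.1.:allow,RELAYCLIENT=""\n:allow\n'
# Constructed misconfiguration: the catch-all rule also sets RELAYCLIENT.
OPEN = '127.0.0.1:allow,RELAYCLIENT=""\n:allow,RELAYCLIENT=""\n'

# Assumption for this example: only these ranges count as "our own" clients.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_rules(text):
    """Map each address pattern to (action, {variable: value})."""
    rules = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("#"):
            continue
        pattern, _, instructions = line.partition(":")
        action, *assignments = instructions.split(",")
        rules[pattern] = (action, dict(a.split("=", 1) for a in assignments))
    return rules


def lookup(rules, ip):
    """Most specific pattern wins: full IP, shorter dotted prefixes, then ''."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # rejects malformed input
    tries = [".".join(octets)] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    return next((p for p in tries if p in rules), None)


def can_relay(rules, ip):
    """True when the matching rule allows the client and sets RELAYCLIENT."""
    action, env = rules.get(lookup(rules, ip), ("no-rule", {}))
    return action == "allow" and "RELAYCLIENT" in env


def pattern_network(pattern):
    """'192.168.1.' -> 192.168.1.0/24, '' -> 0.0.0.0/0, a full IP -> /32."""
    octets = [o for o in pattern.split(".") if o]
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")


def risky_relay_rules(rules):
    """Patterns granting RELAYCLIENT beyond loopback and RFC 1918 space."""
    return [p for p, (action, env) in rules.items()
            if action == "allow" and "RELAYCLIENT" in env
            and not any(pattern_network(p).subnet_of(n) for n in INTERNAL)]
```

With the posted rules only 127.0.0.1 and 192.168.1.x get RELAYCLIENT; the constructed `OPEN` set is reported because its catch-all rule gives it to every client.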



Re: How to stop SPAMMER??!

2002-11-10 Thread W. D.
Hi Stephen,

I hope you don't mind, I've CC'd the list as well:

Guys: I locked myself out of my server using the hosts.allow script
below.  I couldn't get in with SSH, FTP, and *ALL* email was blocked.
I changed back to the old hosts.allow and I can get back
in, but so are the slimy spammers.

It seems that hosts.allow is very powerful--perhaps the way to
go.  However, I can't shut off FTP and email for all the other users.
Does anyone have ready-to-go hosts.allow file?

At 08:39 11/10/2002, Stephen Hovey, wrote:

It's a tuffy - why do you have both a sendmail and a qmail entry?  you run
both?

Nope.  Nor EXIM.  I just wanted them there for the time being.  I was 
going to delete them once I was sure the script worked.


the only thing I can think of is that ALL: paranoid line if you tried to
connect from an ip with bad in-addr.arpa/ident - and I don't think this is
correct form:

 ALL  : 209.152.117.190192.0.2.35 : allow 

What would work?




On Sun, 10 Nov 2002, W. D. wrote:

 At 01:14 11/10/2002, Stephen Hovey, wrote:
 
 Put an entry in /etc/hosts.allow with that domain and DENY.. it will give
 them a 550 denied no matter what they try, and/or an entry in
 /etc/mail/access
 
 
 Hi Stephen,
 
 Well, I tried the 'hosts.allow' route.  It seems I've disallowed SSH
 & FTP for myself now!  Assuming I can get into the ISP tomorrow, which are 
 the offending lines below?  How can I get back into my own server

I had to go to the colo and switch back to the old hosts.allow

 
 
 #
 # hosts.allow access control file for tcp wrapped applications.
 # $FreeBSD: src/etc/hosts.allow,v 1.8.2.5 2001/08/30 16:02:37 dwmalone Exp $
 #
 # NOTE: The hosts.deny file is deprecated.
 #   Place both 'allow' and 'deny' rules in the hosts.allow file.
 #See hosts_options(5) for the format of this file.
 #hosts_access(5) no longer fully applies.
 
 # !!! This is an example! You will need to modify it for your specific
 # !!! requirements!
 
 
 # Start by allowing everything (this prevents the rest of the file
 # from working, so remove it when you need protection).
 # The rules here work on a First match wins basis.
 # Commented out 2002 Nov 10 - WD:
 # ALL : ALL : allow
 
 # Wrapping sshd(8) is not normally a good idea, but if you
 # need to do it, here's how
 #sshd : .evil.cracker.example.com : deny 
 
 # Protect against simple DNS spoofing attacks by checking that the
 # forward and reverse records for the remote host match. If a mismatch
 # occurs, access is denied, and any positive ident response within
 # 20 seconds is logged. No protection is afforded against DNS poisoning,
 # IP spoofing or more complicated attacks. Hosts with no reverse DNS
 # pass this rule.
 ALL : PARANOID : RFC931 20 : deny
 
 # Allow anything from localhost.  Note that an IP address (not a host
 # name) *MUST* be specified for portmap(8).
 ALL : localhost 127.0.0.1 : allow
 #ALL : my.machine.example.com 192.0.2.35 : allow
 # Added 2002 Nov. 10 - WD:
 ALL  : 209.152.117.190192.0.2.35 : allow
 
 
 # To use IPv6 addresses you must enclose them in []'s
 ALL : [fe80::%fxp0]/10 : allow
 ALL : [fe80::]/10 : deny
 ALL : [3ffe:fffe:2:1:2:3:4:3fe1] : deny
 ALL : [3ffe:fffe:2:1::]/64 : allow
 
 
 # Added 2002 Nov. 10 - WD:
 # Qmail
 qmail : localhost : allow
 #qmail : .nice.guy.example.com : allow
 #qmail : .evil.cracker.example.com : deny
 # Added 2002 Nov. 10 - WD
 qmail : .spaelegance.com : deny
 qmail : .SpaWeb1.spaelegance.com : deny
 qmail : .testargeted.com : deny
 qmail : .tesdaily.com : deny
 qmail : ALL : allow
 
 
 # Sendmail can help protect you against spammers and relay-rapers
 sendmail : localhost : allow
 sendmail : .nice.guy.example.com : allow
 sendmail : .evil.cracker.example.com : deny
 # Added 2002 Nov. 10 - WD
 sendmail : .spaelegance.com : deny
 sendmail : .SpaWeb1.spaelegance.com : deny
 sendmail : .testargeted.com : deny
 sendmail : .tesdaily.com : deny
 sendmail : ALL : allow
 
 
 # Exim is an alternative to sendmail, available in the ports tree
 exim : localhost : allow
 # exim : .nice.guy.example.com : allow
 # exim : .evil.cracker.example.com : deny
 # Added 2002 Nov. 10 - WD
 exim : .spaelegance.com : deny
 exim : .SpaWeb1.spaelegance.com : deny
 exim : .testargeted.com : deny
 exim : .tesdaily.com : deny
 exim : ALL : allow
 
 # Portmapper is used for all RPC services; protect your NFS!
 # (IP addresses rather than hostnames *MUST* be used here)
 portmap : 192.0.2.32/255.255.255.224 : allow
 portmap : 192.0.2.96/255.255.255.224 : 

Re: How to stop SPAMMER??!

2002-11-10 Thread Kevin D. Kinsey, DaleCo, S.P.
From: Kevin D. Kinsey, DaleCo, S.P. [EMAIL PROTECTED]

 From: W. D. [EMAIL PROTECTED]
 Subject: Re: How to stop SPAMMER??!
 
 
 Well, now we see why the file comments suggest that wrapping
 sshd is *not* such a good idea..
 
 Get the IP block of the system(s) from which you are remotely
 adminning the server into hosts.allow with something like this
 at the top:
 
 all:  192.168.0.0/255.255.255.0 : allow
 
 This is a sample netblock that makes sure hosts on my/the*
 LAN have access to the machine... figure out the netblock
 of your ISP at the home, office, or home office, and try,
 try, again.
 
 HTH,
 
 Kevin Kinsey
 DaleCo, S.P.
 
 *Your LAN may differ, of course.

And, FWIW, hosts.allow is pretty 'ready to go'
straight from 'the box.'  Lots of examples..

Also, if I remember the O.P., you're running
4.4 or 4.5... are you keeping up with patches?
Surely an upgrade would be in order to address
any issues that appeared over the summer...

My $.02

Kevin Kinsey
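Added example, not part of any message in this thread: a Python sketch of first-match-wins evaluation over a constructed excerpt of the hosts.allow file posted above, and over the same excerpt with the two fused addresses separated and the sample admin netblock from this reply placed on top. The closing `ALL : ALL : deny` line is an assumption standing in for whatever follows the truncated file; PARANOID and IPv6 rules are left out, and the function names are made up for the illustration.

```python
import ipaddress

# Constructed excerpt of the posted file (IPv6 and PARANOID lines left out);
# the final catch-all deny is an assumption, the posted file is cut off.
POSTED = """\
ALL : localhost 127.0.0.1 : allow
ALL : 209.152.117.190192.0.2.35 : allow
qmail : .spaelegance.com : deny
qmail : ALL : allow
ALL : ALL : deny
"""
# Same excerpt with the two addresses separated and an admin netblock on top.
FIXED = "ALL : 192.168.0.0/255.255.255.0 : allow\n" + POSTED.replace(
    "209.152.117.190192.0.2.35", "209.152.117.190 192.0.2.35")


def client_matches(token, ip, host):
    """Match one client pattern against the peer's address and host name."""
    if token == "ALL":
        return True
    if token.startswith("."):                      # domain suffix
        return host.lower().endswith(token.lower())
    if "/" in token:                               # net/mask
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(token)
        except ValueError:
            return False
    return token in (ip, host)                     # literal address or name


def decide(rules, daemon, ip, host=""):
    """Return (action, rule) for the first rule that matches the connection."""
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        daemons, clients, *options = [f.strip() for f in line.split(":")]
        if not ({"ALL", daemon} & set(daemons.split())):
            continue
        if any(client_matches(t, ip, host) for t in clients.split()):
            return options[-1], line
    return "allow", None        # tcp wrappers grants access when nothing matches
```

In the excerpt as posted, the fused token matches neither 209.152.117.190 nor 192.0.2.35, so an sshd connection from either address falls through to the last rule.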






Re: How to stop SPAMMER??!

2002-11-09 Thread Steve Wingate

You don't mention several important things someone would need to answer
this question fully.

1. Are you running a real mailserver that needs to send/receive mail to
the outside world?
If not then just block port 25 incoming.
If yes, then configure some UCE (unsolicited commercial email) rules on
sendmail (assuming this is what you have since you didn't say) and/or
consider using another mailserver with easier configured security (since
you're probably not a sendmail wizard). I suggest qmail or Postfix, which
I use.
 2. Are you the recipient of spam or is your box being used as a
relay?
This shouldn't happen in the default configuration any longer I believe.
Either check the Handbook online for sendmail configuration.
3. Dunno


+-+
|Steve Wingate  [EMAIL PROTECTED]
|MCSE, CCNA Sat Nov  9 16:59:00 PST 2002
+-+
|FreeBSD 4.7-RC
| 4:59PM  up 21 days, 17:31, 2 users, load averages: 0.00, 0.00, 0.00
+-+

On Sat, 9 Nov 2002, W. D. wrote:

 Hi folks,

 I've got some bozo from:

 SpaWeb1.spaelegance.com..auth

 doing all kinds of SMTP activity on my FreeBSD server.  Does anyone
 know how to stop this?  What kind of entry would I add to ipfw?

 Does anyone know what vulnerability this might be?  How to stop
 permanently?

 Here's what I am running:
 FreeBSD 4.4-RELEASE
 Apache/1.3.27 (Unix)
 mod_perl/1.26
 mod_throttle/3.1.2
 PHP/4.2.2
 FrontPage/4.0.4.3
 mod_ssl/2.8.11
 OpenSSL/0.9.6f





Re: How to stop SPAMMER??!

2002-11-09 Thread W. D.
Hey Steve, 

Thanks for the reply.

At 19:49 11/9/2002, Steve Wingate wrote:

You don't mention several important things someone would need to answer
this question fully.

1. Are you running a real mailserver that needs to send/receive mail to
the outside world?

Yep.

If not then just block port 25 incoming.
If yes, then configure some UCE (unsolicited commercial email) rules on
sendmail (assuming this is what you have since you didn't say) and/or
consider using another mailserver with easier configured security (since
you're probably not a sendmail wizard). I suggest qmail 

lrwxr-xr-x  1 root  wheel  33 Dec 10  2001 sendmail -> /usr/local/psa/qmail/bin/sendmail

Using qmail.  How to configure to avoid spam?  What is the name of
configuration file?

or Postfix, which
I use.
 2. Are you the recipient of spam or is your box being used as a
relay?

Relay.

This shouldn't happen in the default configuration any longer I believe.
Either check the Handbook online for sendmail configuration.
3. Dunno

I tried to block using IPFW but no luck using this line:

add deny log all from 168.93.100.0/24 to any in via fxp0


(http://www.SamSpade.org/t/lookat?a=SpaWeb1.spaelegance.com -
SpaWeb1.spaelegance.com resolves to 168.93.100.59)




+-+
|Steve Wingate [EMAIL PROTECTED]
|MCSE, CCNASat Nov  9 16:59:00 PST 2002
+-+
|FreeBSD 4.7-RC
| 4:59PM  up 21 days, 17:31, 2 users, load averages: 0.00, 0.00, 0.00
+-+

On Sat, 9 Nov 2002, W. D. wrote:

 Hi folks,

 I've got some bozo from:

 SpaWeb1.spaelegance.com..auth

 doing all kinds of SMTP activity on my FreeBSD server.  Does anyone
 know how to stop this?  What kind of entry would I add to ipfw?

 Does anyone know what vulnerability this might be?  How to stop
 permanently?

 Here's what I am running:
 FreeBSD 4.4-RELEASE
 Apache/1.3.27 (Unix)
 mod_perl/1.26
 mod_throttle/3.1.2
 PHP/4.2.2
 FrontPage/4.0.4.3
 mod_ssl/2.8.11
 OpenSSL/0.9.6f





Re: How to stop SPAMMER??!

2002-11-09 Thread W. D.
At 20:04 11/9/2002, Gustaf Sjoberg, wrote:
On Sat, 09 Nov 2002 15:13:09 -0600
W. D. [EMAIL PROTECTED] wrote:

either block incoming port 25 connections or set the smtp server to require 
authentication.

How to do this?


ipfw entry could look something like:

add rule# deny log tcp from any to yourip 25 in recv interface

Hi folks,

I've got some bozo from:

SpaWeb1.spaelegance.com..auth

doing all kinds of SMTP activity on my FreeBSD server.  Does anyone
know how to stop this?  What kind of entry would I add to ipfw?

Does anyone know what vulnerability this might be?  How to stop
permanently?

Here's what I am running:
FreeBSD 4.4-RELEASE
Apache/1.3.27 (Unix)
mod_perl/1.26
mod_throttle/3.1.2
PHP/4.2.2
FrontPage/4.0.4.3
mod_ssl/2.8.11
OpenSSL/0.9.6f 

