Re: qmail security or email virus?

2001-07-31 Thread Henning Brauer

On Tue, Jul 31, 2001 at 01:39:15PM -0700, s. ryu wrote:
> i had my reasons why i had to delete the file as described on the previous
> message, if you read it. i think, you should read the message posted more
> carefully before responding.

You should simply read the f*** docs before polluting the internet with just
one more misconfigured open relay.


-- 
* Henning Brauer, [EMAIL PROTECTED], http://www.bsws.de *
* Roedingsmarkt 14, 20459 Hamburg, Germany   *
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



Re: qmail security or email virus?

2001-07-31 Thread Ahmad Ridha

s. ryu writes: 

> That is not true. i would not say i had no idea. i had some idea. 
> yes! i was confused about the intent of that file. by the way, i am NOT HE! 
> i had my reasons why i had to delete the file as described on the previous
> message, if you read it. i think, you should read the message posted more
> carefully before responding. 
> 

Sorry to say this but your previous post did show that you didn't have the 
right idea about what rcpthosts is for. You only need to add domains that 
your machine serves to rcpthosts. 

> i feel that this message board group is a bit hostile. ok. we need to read
> the documentation to install it correctly.  
> 

Please read Life With qmail (LWQ). It really 
helps even for newbies like myself. This list may look a bit 'scary' but 
there's a lot of help here as long as we have given enough effort to 'help 
ourselves' and provided sufficient information on the problem. Searching 
the archives before posting is also highly expected. 

Now onto your problem. Here I use examples from our server. 

1. Add your domain(s) to rcpthosts
2. Create /etc/tcp.smtp containing the host(s) that you want to allow 
relaying through the server, e.g: 

127.:allow,RELAYCLIENT=""
192.168.3.:allow,RELAYCLIENT="" 

3. 'Compile the file' 

tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
chmod 644 /etc/tcp.smtp.cdb 

4. Add -x option to tcpserver in your run script (use of inetd or xinetd is 
unfamiliar in this list since tcpserver is preferred) 

exec /usr/local/bin/softlimit -m 200 \
/usr/local/bin/tcpserver -R -H -l student -v -p -x /etc/tcp.smtp.cdb \
 -c 20 -u 502 -g 501 0 smtp /var/qmail/bin/qmail-smtpd 2>&1 

The above steps are well explained in the mentioned LWQ. 

Hope it helps. 

Regards, 

Ahmad Ridha 
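As an added example (not qmail's code, nor anything posted in this thread), here is a Python model of the two checks that steps 2 to 4 above configure: tcpserver -x matching the client address against tcp.smtp to set RELAYCLIENT, and qmail-smtpd consulting control/rcpthosts for each RCPT TO. It also answers the question raised later in the thread about what rcpthosts is for. The tcprules matching is simplified (exact IP, then shorter dotted prefixes, then the default rule), morercpthosts is ignored, and the client IPs and recipient addresses are constructed; igoods.com and the tcp.smtp lines come from the thread.

```python
# Added example, not qmail's code or anything posted in this thread: a simplified
# model of how tcpserver -x (tcp.smtp) and qmail-smtpd (control/rcpthosts) decide
# whether a RCPT TO is accepted. igoods.com and the tcp.smtp lines come from the
# thread; client IPs and recipient addresses are constructed.
REJECT = "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"

def parse_tcp_rules(text):
    """Parse tcp.smtp lines of the form  prefix:allow|deny[,VAR="value",...]."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(":")
        verdict, _, envpart = rest.partition(",")
        env = {}
        for item in filter(None, envpart.split(",")):
            name, _, value = item.partition("=")
            env[name] = value.strip('"')
        rules[key] = (verdict, env)
    return rules

def tcp_lookup(rules, client_ip):
    """tcpserver tries the exact IP, then shorter dotted prefixes, then the default ''."""
    octets = client_ip.split(".")
    keys = [client_ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for key in keys:
        if key in rules:
            return rules[key]
    return ("allow", {})  # no rule matched: connection allowed, RELAYCLIENT not set

def rcpt_allowed(recipient, rcpthosts, relayclient):
    """qmail-smtpd's check: RELAYCLIENT overrides; a missing rcpthosts allows everything."""
    if relayclient is not None:
        return True  # trusted client (tcp.smtp set RELAYCLIENT): may relay anywhere
    if rcpthosts is None:
        return True  # control/rcpthosts deleted: every recipient accepted, open relay
    _, _, domain = recipient.rpartition("@")
    if not domain:
        return True  # unqualified local recipient
    domain = domain.lower()
    hosts = {h.strip().lower() for h in rcpthosts.splitlines() if h.strip()}
    if domain in hosts:
        return True
    # a ".igoods.com" entry matches every subdomain of igoods.com, not igoods.com itself
    return any(domain[i:] in hosts for i, c in enumerate(domain) if c == ".")

def smtpd_decision(client_ip, recipient, tcp_rules="", rcpthosts=None):
    verdict, env = tcp_lookup(parse_tcp_rules(tcp_rules), client_ip)
    if verdict == "deny":
        return "connection refused"
    ok = rcpt_allowed(recipient, rcpthosts, env.get("RELAYCLIENT"))
    return "250 ok" if ok else REJECT

# the /etc/tcp.smtp from step 2: loopback and the 192.168.3.0/24 LAN may relay
TCP_SMTP = '127.:allow,RELAYCLIENT=""\n192.168.3.:allow,RELAYCLIENT=""\n'
```

With the showctl output quoted further down the thread (rcpthosts absent, qmail-smtpd started from xinetd without RELAYCLIENT) the "rcpthosts is None" branch applies to every client, which is exactly what the list means by an open relay; with rcpthosts present but no tcp.smtp, LAN users can no longer send to outside domains, which is the symptom the original poster described.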



Re: qmail security or email virus?

2001-07-31 Thread s. ryu

--- Henning Brauer <[EMAIL PROTECTED]> wrote:
> On Tue, Jul 31, 2001 at 01:37:29PM -0600, Stephen Bosch wrote:
> > Henning Brauer wrote:
> > > On Tue, Jul 31, 2001 at 10:30:45AM -0700, s. ryu wrote:
> > > > rcpthosts: (Default.) SMTP clients may send messages to any recipient.
> > > You really want to read some documentation. You are an open relay. Start
> > > with http://www.lifewithqmail.org/.
> > qmail doesn't relay by default.
> 
> Never said that.
> The original poster has no idea about the file rcpthosts as he said himself.
> That proves his need to read docs.
> 
That is not true. i would not say i had no idea. i had some idea. 
yes! i was confused about the intent of that file. by the way, i am NOT HE! 

i had my reasons why i had to delete the file as described on the previous
message, if you read it. i think, you should read the message posted more
carefully before responding.

i feel that this message board group is a bit hostile. ok. we need to read
the documentation to install it correctly. i installed the system more than
one year ago and recently reinstalled due to the os upgrade a couple of months ago.
since the system was working ok without any problem till now, i asked for
help. 

i am grateful for people trying to help me. i know most of the problems people
have can be solved by reading through the documents. if it is not, then 
we don't have good documentation. 

> > Henning, don't be so German =)
> 
> I don't think I am.
> 
> -- 
> * Henning Brauer, [EMAIL PROTECTED], http://www.bsws.de *
> * Roedingsmarkt 14, 20459 Hamburg, Germany   *
> Unix is very simple, but it takes a genius to understand the simplicity.
> (Dennis Ritchie)


__
Do You Yahoo!?
Make international calls for as low as $.04/minute with Yahoo! Messenger
http://phonecard.yahoo.com/



Re: qmail security or email virus?

2001-07-31 Thread Henning Brauer

On Tue, Jul 31, 2001 at 01:37:29PM -0600, Stephen Bosch wrote:
> Henning Brauer wrote:
> > On Tue, Jul 31, 2001 at 10:30:45AM -0700, s. ryu wrote:
> > > rcpthosts: (Default.) SMTP clients may send messages to any recipient.
> > You really want to read some documentation. You are an open relay. Start
> > with http://www.lifewithqmail.org/.
> qmail doesn't relay by default.

Never said that.
The original poster has no idea about the file rcpthosts as he said himself.
That proves his need to read docs.

> Henning, don't be so German =)

I don't think I am.

-- 
* Henning Brauer, [EMAIL PROTECTED], http://www.bsws.de *
* Roedingsmarkt 14, 20459 Hamburg, Germany   *
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



Re: qmail security or email virus?

2001-07-31 Thread Stephen Bosch

Henning Brauer wrote:
> 
> On Tue, Jul 31, 2001 at 10:30:45AM -0700, s. ryu wrote:
> > rcpthosts: (Default.) SMTP clients may send messages to any recipient.
> 
> You really want to read some documentation. You are an open relay. Start
> with http://www.lifewithqmail.org/.

qmail doesn't relay by default.

Henning, don't be so German =)

-Stephen-



Re: qmail security or email virus?

2001-07-31 Thread Charles Cazabon

s. ryu <[EMAIL PROTECTED]> wrote:

> rcpthosts: (Default.) SMTP clients may send messages to any recipient.

You're an open relay.  Shut down qmail-smtpd and re-read all the
documentation.  Then fix the problem before starting qmail-smtpd again.

Charles
-- 
---
Charles Cazabon<[EMAIL PROTECTED]>
GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
---



Re: qmail security or email virus?

2001-07-31 Thread s. ryu

Thanks for replying.
I just installed the tcpserver. since our server does not use
the inetd.conf file anymore and instead uses xinetd.d files,
i converted the inetd.conf file (with the line
tcpserver -v -u 502 -g 500 0 smtp /var/qmail/bin/qmail-smtpd \
 2>&1 | /var/qmail/bin/splogger smtpd 3 &
)
for the tcpserver, but i don't think it converted the file correctly. 
the converted file for tcpserver is as follows:

# Converted by inetdconvert
service tcpserver
{
socket_type = -v
protocol= -u
wait= yes
user= -g
server  = 500
server_args = 0 smtp /var/qmail/bin/qmail-smtpd \
disable = no
}

the above does not seem right.

shouldn't it be:
service tcpserver
{
socket_type = stream
protocol= tcp
wait= no
user= qmaild
server  = tcpserver
server_args = -v -u 502 -g 500 0 smtp /var/qmail/bin/qmail-smtpd \
   2>&1 | /var/qmail/bin/splogger smtpd 3 &
disable = no
}
i am not sure, if i have the server info correct.

--- Jeff Palmer <[EMAIL PROTECTED]> wrote:
> >
> > rcpthosts: (Default.) SMTP clients may send messages to any recipient.
> >
> 
> 

> If you read some of the documentation,  you'll probably find you are
> missing a /var/qmail/control/rcpthosts file  (change the path, flavor to
> taste)
> 
> This file tells qmail what domains it acts as relay for.
> 
> At the minimum,  you'll want to create an empty rcpthosts file.
> 
> 
as far as this file is concerned, when i use this, i could not send emails to any
domain that was not included in this file. if this file was used to allow the
users from those domains to send email, it is ok. i just tried the empty file,
it is the same. yes! the rcpthosts file came with the default installation, i
deleted it because i could not add a new host name whenever i needed to send an email
to a new domain host. the rcpthosts file does not seem to solve any security issue, since it
will still allow someone to send emails to those in that domain. is this because
i did not configure the qmail correctly? i think, i am not sure what the
rcpthosts is for. is the file (rcpthosts) used to allow only the users from 
the domains listed in
rcpthosts to send out email, or are qmail users allowed to send out email to
only those listed in the rcpthosts file? my qmail works like the latter case.

> 
> Regards,
> 
> Jeff Palmer
> [EMAIL PROTECTED]
> 
> 
thanks!

sue ryu




Re: qmail security or email virus?

2001-07-31 Thread Chris Johnson

On Tue, Jul 31, 2001 at 02:04:24PM -0400, Jeff Palmer wrote:
> Or make relaying DENIED by default?

It is denied by default, if you follow the installation instructions. You have
to delete the rcpthosts file intentionally to make your server an open relay.

Chris



Re: qmail security or email virus?

2001-07-31 Thread Jeff Palmer

>
> rcpthosts: (Default.) SMTP clients may send messages to any recipient.
>


If you read some of the documentation,  you'll probably find you are
missing a /var/qmail/control/rcpthosts file  (change the path, flavor to
taste)

This file tells qmail what domains it acts as relay for.

At the minimum,  you'll want to create an empty rcpthosts file.



Regards,

Jeff Palmer
[EMAIL PROTECTED]





Re: qmail security or email virus?

2001-07-31 Thread Jeff Palmer

Or make relaying DENIED by default?

Jeff Palmer
[EMAIL PROTECTED]



> Dan, if you ever will release qmail 1.04: please change the above line to:
>
> rcpthosts: (Default.) YOU ARE AN OPEN RELAY!




Re: qmail security or email virus?

2001-07-31 Thread Henning Brauer

On Tue, Jul 31, 2001 at 10:30:45AM -0700, s. ryu wrote:
> rcpthosts: (Default.) SMTP clients may send messages to any recipient.

You really want to read some documentation. You are an open relay. Start
with http://www.lifewithqmail.org/.

Dan, if you ever will release qmail 1.04: please change the above line to:

rcpthosts: (Default.) YOU ARE AN OPEN RELAY!



-- 
* Henning Brauer, [EMAIL PROTECTED], http://www.bsws.de *
* Roedingsmarkt 14, 20459 Hamburg, Germany   *
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



Re: qmail security or email virus?

2001-07-31 Thread s. ryu


> The security problem is in your setup, not in qmail (just to be clear).
> It's not the result of an email virus.
>  
I thought so.

> Sounds like you've made your system an open relay, or one of the users
> which is "trusted" to relay through your system has abused your trust.
> 
Where do I set this up? I am running the qmail-1.3 using RedHat 7.x which 
is running linux 2.2.16-22

> Show us the output of qmail-showctl (unedited), any tcpcontrol files
> (/etc/tcp.smtp, etc) which you are using, the script you use to start
> qmail-smtpd (through tcpserver), and a snippet of the qmail-send log
> showing the spam message being injected into your system.
> 
The output of qmail-showctl is as follows:

me: My name is igoods.com.

percenthack: (Default.) The percent hack is not allowed.

plusdomain: Plus domain name is cnc.net.

qmqpservers: (Default.) No QMQP servers.

queuelifetime: (Default.) Message lifetime in the queue is 604800 seconds.

rcpthosts: (Default.) SMTP clients may send messages to any recipient.

morercpthosts: (Default.) No rcpthosts; morercpthosts is irrelevant.

morercpthosts.cdb: (Default.) No effect.

smtpgreeting: (Default.) SMTP greeting: 220 igoods.com.

smtproutes: (Default.) No artificial SMTP routes.

timeoutconnect: (Default.) SMTP client connection timeout is 60 seconds.

timeoutremote: (Default.) SMTP client data timeout is 1200 seconds.

timeoutsmtpd: (Default.) SMTP server data timeout is 1200 seconds.

virtualdomains: (Default.) No virtual domains.

bkup: I have no idea what this file does.

--- end of the output 


as far as the tcp control files are concerned, i don't find any file starting with
tcp* in the /etc directory. i have to convert the /etc/inetd.conf file for the
current linux os - RedHat 7.x. the smtp control file is under the xinetd.d directory,
and they are as follows:

the content of /etc/xinetd.d/pop-3 
# Converted by inetdconvert
service pop-3
{
socket_type = stream
protocol= tcp
wait= no
user= root
server  = /var/qmail/bin/qmail-popup
server_args = redolive.com /bin/checkpassword
/var/qmail/bin/qmail-pop3d Maildir 
disable = no
}

the content of  /etc/xinetd.d/smtp
# Converted by inetdconvert
service smtp
{
socket_type = stream
protocol= tcp
wait= no
user= qmaild
server  = /var/qmail/bin/qmail-smtpd
disable = no
}

> > > how can i clean up the queue directories since there are more
> > > messages waiting to send out? should i just remove the files from
> > > todo directory?
> 
> If qmail is stopped, you could do this.  It won't help with messages
> that are already preprocessed.
> 
That is fine. do i just remove the files under todo to stop the further 
deliveries?
> > > we have reported the issue to [EMAIL PROTECTED], since our mail server was
> > > hacked.
> 
> What do you mean by this?  Someone obtained an illegitimate shell
> account on your mailserver?  If so, they can send as much mail as they
> like; no MTA will protect you against that.
> 
I do not think anybody got our shell account. but, somebody used our mail server
to send out bogus bulk emails to more than 1000 people. 
i had to send the email to them, since someone accused us of sending out
spam emails.

Thanks for your help.
> -- 
> ---
> Charles Cazabon<[EMAIL PROTECTED]>
> GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
> ---





Re: qmail security or email virus?

2001-07-30 Thread Charles Cazabon

s. ryu <[EMAIL PROTECTED]> wrote:
> 
> > We need your help to track down possible security problem with qmail
> > system. It maybe an email virus. But, I am not sure.

The security problem is in your setup, not in qmail (just to be clear).
It's not the result of an email virus.
 
> > The problem: our qmail server was sending out emails to people. the
> > email was not originated from our servers within our network.  the
> > mail was a spam email with the title - We owe you ... and the
> > content of the email seems to be related to the health issue.
> > 
> > I got an email from John B last Friday saying that we are sending
> > out spam emails. So, we looked into our system and our file system
> > which holds the mail log was full. so, i looked at the mail server,
> > it was sending out emails to the whole list of people.  i stopped
> > the qmail servers and it still has more emails to send out.

Sounds like you've made your system an open relay, or one of the users
which is "trusted" to relay through your system has abused your trust.

> > Help Request: what should i look at to track down the problem? 

Show us the output of qmail-showctl (unedited), any tcpcontrol files
(/etc/tcp.smtp, etc) which you are using, the script you use to start
qmail-smtpd (through tcpserver), and a snippet of the qmail-send log
showing the spam message being injected into your system.

> > how can i clean up the queue directories since there are more
> > messages waiting to send out? should i just remove the files from
> > todo directory?

If qmail is stopped, you could do this.  It won't help with messages
that are already preprocessed.

> > is this part of relay problem? if that is the case, what should i do
> > to secure our mail server?

We can't tell you this without more information.
 
> > we have reported the issue to [EMAIL PROTECTED], since our mail server was
> > hacked.

What do you mean by this?  Someone obtained an illegitimate shell
account on your mailserver?  If so, they can send as much mail as they
like; no MTA will protect you against that.

Charles
-- 
---
Charles Cazabon<[EMAIL PROTECTED]>
GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
---



qmail security or email virus?

2001-07-30 Thread s. ryu


> 
> Dear Qmail community,
> 
> We need your help to track down possible security problem with qmail
> system. It maybe an email virus. But, I am not sure.
> 
> The problem: our qmail server was sending out emails to people. the email
>  was not originated from our servers within our network.
>  the mail was a spam email with the title - We owe you ... and
>  the content of the email seems to be related to the health issue.
> 
> I got an email from John B last Friday saying that we are sending out spam 
> emails. So, we looked into our system and our file system which holds the
> mail log was full. so, i looked at the mail server, it was sending out emails to
> the whole list of people. 
> i stopped the qmail servers and it still has more emails to send out.
> 
> Help Request: what should i look at to track down the problem? 
>   I saved the maillog and /var/qmail/queue directory to track 
>   down the problem. 
>   I have some guess. I think I narrowed it to
>   someone named [EMAIL PROTECTED] but, i am not 100% sure.
> 
>   how can i clean up the queue directories since there are more 
>   messages waiting to send out? should i just remove the files from
>   todo directory?
> 
>   is this part of relay problem? if that is the case, what should
>   i do to secure our mail server?
> 
>   we have qmail-1.3, fastforward, checkpasswd installed. we also
>   used the pop3 server.
> 
> once i clean up the qmail, can i restart the qmail server?
> 
>   how can we prevent this happening again?
> 
>   has anyone experienced the similar problem?
> 
> we have reported the issue to [EMAIL PROTECTED], since our mail server was
>   hacked. is there any other authority we should report to?
> 
> Your help will be greatly appreciated.
> 
> Sue Ryu
> www.RedOlive.com
> 
> 

