RE: [qmailtoaster] ClamAV Unofficial Virus
Even normal mails are now getting bounced. Please find below mail error:

Your message did not reach some or all of the intended recipients.

Subject: RE: [qmailtoaster] ClamAV Unofficial Virus
Sent: 3/4/2011 3:49 PM

The following recipient(s) cannot be reached:

'qmailtoaster-list@qmailtoaster.com' on 3/4/2011 3:49 PM
554 Your email was rejected because it contains the MBL_144360.UNOFFICIAL virus

Amit Dalia
Join Us:
http://www.facebook.com/IKFPune
http://in.linkedin.com/in/ikfpune
http://twitter.com/ikfpune
http://maps.google.co.in/maps?oe=utf-8client=firefox-aie=UTF8q=ikf+punefb=1gl=inhq=ikfhnear=Pune,+Maharashtrahl=enview=mapcid=14479258856253150229iwloc=Aved=0CBoQpQYsa=Xei=jOwVTe_gJqngyQTAssjeCg
http://ikf-pune.blogspot.com/

From: Pak Ogah [mailto:pako...@pala.bo-tak.info]
Sent: Friday, March 04, 2011 3:18 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] ClamAV Unofficial Virus

On 04-Mar-11 15:11, Amit wrote:
> Hi Everyone,
>
> Don't know whether anyone got error or not but today suddenly many of the attachment mails started getting bounced with below error:
>
> Technical details of permanent failure:
> Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 554 554 Your email was rejected because it contains the MBL_144360.UNOFFICIAL virus (state 18).
>
> General attachments for which users are getting mail bounce are like .doc, .xls, .dat, .ppt.
> Mails are getting bounced for both incoming and outgoing mails.
>
> Amit Dalia

are you adding SaneSecurity unofficial clamav definition ?
if so the message could be generated by SaneSecurity definition
[qmailtoaster] Re: ClamAV Unofficial Virus
This has been discussed on the sanesecurity list:
http://search.gmane.org/?query=MBL_144360.UNOFFICIALauthor=group=gmane.comp.security.virus.clamav.sanesecuritysort=relevanceDEFAULTOP=andxP=mbl_144360xFILTERS=Gcomp.security.virus.clamav.sanesecurity---A

This post in particular describes how to disable it:
http://article.gmane.org/gmane.comp.security.virus.clamav.sanesecurity/3091/match=mbl_144360+unofficial

I expect that Bill Landry (author of the scripts we're using) will be taking measures to fix this automatically, and keep it from happening in the future. Stay tuned.
--
-Eric 'shubes'

On 03/05/2011 03:21 AM, Amit wrote:
> Even normal mails are now getting bounced. Please find below mail error:
>
> Your message did not reach some or all of the intended recipients.
>
> Subject: RE: [qmailtoaster] ClamAV Unofficial Virus
> Sent: 3/4/2011 3:49 PM
>
> The following recipient(s) cannot be reached:
>
> 'qmailtoaster-list@qmailtoaster.com' on 3/4/2011 3:49 PM
> 554 Your email was rejected because it contains the MBL_144360.UNOFFICIAL virus
>
> Amit Dalia
>
> From: Pak Ogah [mailto:pako...@pala.bo-tak.info]
> Sent: Friday, March 04, 2011 3:18 PM
> To: qmailtoaster-list@qmailtoaster.com
> Subject: Re: [qmailtoaster] ClamAV Unofficial Virus
>
> On 04-Mar-11 15:11, Amit wrote:
> > Hi Everyone,
> >
> > Don't know whether anyone got error or not but today suddenly many of the attachment mails started getting bounced with below error:
> >
> > Technical details of permanent failure:
> > Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 554 554 Your email was rejected because it contains the MBL_144360.UNOFFICIAL virus (state 18).
> >
> > General attachments for which users are getting mail bounce are like .doc, .xls, .dat, .ppt.
> > Mails are getting bounced for both incoming and outgoing mails.
> >
> > Amit Dalia
>
> are you adding SaneSecurity unofficial clamav definition ?
> if so the message could be generated by SaneSecurity definition

-
Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
Re: [qmailtoaster] Re: SMTP attack
Eric Shubert wrote:
> Timing is good on this. :)
> http://wiki.qmailtoaster.com/index.php?title=Fail2Banaction=
> Have at it. I've added a link to this page under the Configuration- Security section.
> It's a start (albeit not much of one).

Hey guys, I created a basic article, but have trouble with formatting. Can anyone take a look at it?

this is how I meant it to look ;-)

== '''Basic fail2ban installation and setup''' ==

fail2ban homepage: http://www.fail2ban.org. Please check [0] and [1] for more details.

== 1. Installation. ==

Enable the EPEL repos [1] and then 'yum install fail2ban'

== 2. Setup: ==

To work with Qmail/vpopmail, a filter and jail should be defined.

'''a.''' # mcedit /etc/fail2ban/filter.d/vpopmail-fail.conf

 [Definition]
 #Looks for failed password logins to SMTP
 failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
 ignoreregex =

'''b.''' # mcedit /etc/fail2ban/jail.conf (add this)

 [vpopmail-fail]
 enabled = true
 filter = vpopmail-fail
 action = iptables[name=SMTP, port=smtp, protocol=tcp]
 logpath = /var/log/maillog
 maxretry = 1
 bantime = 604800
 findtime = 3600

'''c. Test the filter file:'''

 # fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/vpopmail-fail.conf

Returns something like this, with n matches for the regex or 0 if no matches:

 Failregex
 |- Regular expressions:
 |  [1] vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
 |
 `- Number of matches:
    [1] 123 match(es)

'''d. Reload config:'''

 # fail2ban-client stop/start

'''e. Check the status of a jail:'''

 # fail2ban-client status vpopmail-fail
 Status for the jail: vpopmail-fail
 |- filter
 |  |- File list: /var/log/maillog
 |  |- Currently failed: 7
 |  `- Total failed: 225
 `- action
    |- Currently banned: 109
    |  `- IP list: 200.207.49.13 84.79.73.123 187.35.209.243 (...) 187.6.106.201 187.63.80.134 187.52.195.234 187.4.200.17
    `- Total banned: 109

'''NOTE:''' Once it starts running and the logs have matching strings, it will create iptables rules dropping that IP. But... when fail2ban reloads and/or iptables restarts and/or rebooting and/or the weekly logrotate, those rules are gone. bye bye! So... what to do?

- Before changes, do a '# service iptables save' and it will write them to a file, and after any change do '# service iptables restart' to make it load the saved set of rules;
- Tune fail2ban to write IPs to /etc/fail2ban/ip.deny [3].

== 3. A little basic admin stuff ==

'''a. Check banned IPs:'''

- by fail2ban: # fail2ban-client status vpopmail-fail
- current iptables rules: # iptables -L -nv
- To see IPs that fail2ban is saving for the next reload: # cat /etc/fail2ban/ip.deny

'''b. How to unblock an IP:'''

1) Delete it from the current iptables rules: # iptables -D fail2ban-SMTP -s 11.22.33.44 -j DROP
2) remove it from /etc/fail2ban/ip.deny (maybe listed several times).
3) remove it from /etc/sysconfig/iptables (maybe listed several times).

== 4. References: ==

[0] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30514.html
[1] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30551.html
[2] http://fedoraproject.org/wiki/EPEL/FAQ#howtouse
[3] http://n8wood.wordpress.com/2009/06/22/fail2ban-permanent-ssh-bans/
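
The following is an added example, not part of the original post or of fail2ban itself: it replays the jail settings from the post (maxretry = 1, findtime = 3600, bantime = 604800) over maillog lines to show which addresses would be banned and until when. The IPv4-only stand-in for `<HOST>`, the `simulate` function and the sample log lines (including their exact vchkpw wording) are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# failregex and jail values as given in the post
FAILREGEX = r"vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>"
MAXRETRY, FINDTIME, BANTIME = 1, 3600, 604800
# Assumption: simplified IPv4-only replacement for fail2ban's <HOST> tag
HOST_IPV4 = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed maillog lines (documentation addresses, made-up accounts)
SAMPLE_LOG = """\
Mar  5 10:00:01 mail vpopmail[2211]: vchkpw-smtp: password fail (pass: 'abc123') info@example.com:203.0.113.7
Mar  5 10:00:09 mail vpopmail[2214]: vchkpw-smtp: (PLAIN) login success bob@example.com:198.51.100.20
Mar  5 10:20:30 mail vpopmail[2290]: vchkpw-smtp: password fail (pass: 'letmein') sales@example.com:203.0.113.7
Mar  5 11:30:00 mail vpopmail[2301]: vchkpw-smtp: password fail (pass: 'typo') bob@example.com:198.51.100.20
"""

def simulate(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME, year=2011):
    """Return {ip: (ban_start, ban_end)} for the given jail settings."""
    rx = re.compile(FAILREGEX.replace("<HOST>", HOST_IPV4))
    recent, bans = {}, {}
    for line in log_text.splitlines():
        m = rx.search(line)
        if not m:
            continue  # not a failed login
        # syslog timestamps carry no year, so one is supplied
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        ip = m.group("host")
        if ip in bans and ts < bans[ip][1]:
            continue  # still banned; ignore further hits from this address
        # keep only failures that fall inside the findtime window
        window = [t for t in recent.get(ip, [])
                  if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            bans[ip] = (ts, ts + timedelta(seconds=bantime))
            recent[ip] = []
    return bans

if __name__ == "__main__":
    for ip, (start, end) in simulate(SAMPLE_LOG).items():
        print(f"{ip}: banned {start} until {end}")
```

With the post's maxretry = 1, the single failed login from 198.51.100.20 is enough for a week-long ban, so a legitimate user's mistyped password is treated the same as a guessing attempt; calling `simulate(SAMPLE_LOG, maxretry=3)` shows the effect of a more tolerant threshold on the same lines.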
[qmailtoaster] spam
I have set Spamd=no in /var/qmail/control/simscan
Or if it was spam=no
But I still see spamd up when I do qmailctl stat

http://mjw.se
[qmailtoaster] Re: spam
On 03/05/2011 03:34 PM, mattias wrote:
> I have set Spamd=no in /var/qmail/control/simscan
> Or if it was spam=no
> But I still see spamd up when I do qmailctl stat

# qmailctl cdb
# touch /var/qmail/supervise/spamd/down
# qmail-spam stop
--
-Eric 'shubes'
RE: [qmailtoaster] Re: spam
Oh thanks! Qmail-spam stop does it!

-Original Message-
From: Eric Shubert [mailto:e...@shubes.net]
Sent: Saturday, March 05, 2011 11:52 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Re: spam

On 03/05/2011 03:34 PM, mattias wrote:
> I have set Spamd=no in /var/qmail/control/simscan
> Or if it was spam=no
> But I still see spamd up when I do qmailctl stat

# qmailctl cdb
# touch /var/qmail/supervise/spamd/down
# qmail-spam stop
--
-Eric 'shubes'