[qmailtoaster] How to restrict mail sending limit to particular user
Hi,

Please refer to my subject line and guide me.

Regards,
Vivek Patil
System admin
Re: [qmailtoaster] How to restrict mail sending limit to particular user
Assuming you require SMTP AUTH to send, you could use vmoduser -s. According to the documentation, this disables SMTP AUTH -- which, if that is the only way to send, would disable sending.

NOTE: in a stock QMT install, this would NOT block sending with the WEB interfaces, as they use SMTP directly but are allowed by tcprules.

Dan McAllister

On 4/3/2014 2:45 AM, Linux wrote:
> Hi, Please refer to my subject line and guide me.
> Regards, Vivek Patil, system admin

--
IT4SOHO, LLC
33 - 4th Street N, Suite 211
St. Petersburg, FL 33701-3806
CALL TOLL FREE: 877-IT4SOHO
877-484-7646 Phone
727-647-7646 Local
727-490-4394 Fax
We have support plans for QMail!
[qmailtoaster] fail2ban - now more than ever
If you haven't implemented fail2ban on your qmail toasters, think seriously about doing so.

There are at least two botnet-based password-guessing campaigns currently ongoing. One is trying SMTP authentication against role accounts (e.g. 'admin@', 'info@') at known domains. It was this one that prompted initial recent discussion of fail2ban on this list.

The other, which I think just started today, is trying to do POP3 authentication, using email addresses taken from mailing lists used by spammers. Because these lists are mostly nonsense, this will result in hundreds or thousands of attempts to authenticate against non-existent users, but I suppose they might eventually start hitting some existing addresses.

Because of the stupidity of these attempts, I would think that they're very unlikely to succeed at most hosts. However, if left to run unchecked they will probably start to soak up noticeable amounts of resources. The spammers appear to be deploying increasingly large botnets, and each host will keep trying until banned.

The instructions at http://wiki.qmailtoaster.com/index.php/Fail2Ban for setting up fail2ban seem pretty good.

This has been a public service announcement.

Angus
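The following is an added illustration, not code from this thread or from fail2ban itself. It models the counting rule a fail2ban jail applies (maxretry failures within findtime seconds earns a ban of bantime seconds) and replays a constructed stream of authentication events through it: a bot hammering a role account every two seconds like the SMTP AUTH campaign described above, a legitimate user who mistypes a password twice, and a slow guesser. All IPs, logins and timings are constructed; the jail parameters are fail2ban's stock defaults.

```python
from collections import defaultdict, deque


class AuthFailJail:
    """Minimal model of the counting rule fail2ban applies to a jail: a client
    IP that produces maxretry failures within a findtime-second window is
    banned for bantime seconds. The defaults mirror fail2ban's stock values
    (5 failures in 10 minutes, 10-minute ban)."""

    def __init__(self, maxretry=5, findtime=600, bantime=600):
        self.maxretry = maxretry
        self.findtime = findtime
        self.bantime = bantime
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned_until = {}               # ip -> time the ban expires

    def is_banned(self, ip, now):
        """True while a ban is active; an expired ban is forgotten on the way out."""
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[ip]
            return False
        return True

    def record_failure(self, ip, now):
        """Register one failed login at time `now`. Returns True if this
        failure is the one that trips the ban."""
        if self.is_banned(ip, now):
            return False
        window = self.failures[ip]
        window.append(now)
        # Forget failures that have slid out of the findtime window.
        while window and window[0] <= now - self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned_until[ip] = now + self.bantime
            window.clear()
            return True
        return False


# CONSTRUCTED event stream: (seconds, client IP, login tried, outcome).
# 198.51.100.7 hammers a role account every 2 s; 203.0.113.5 is a user who
# mistypes a password twice and then gets in; 198.51.100.8 guesses slowly,
# one try every 200 s.
EVENTS = sorted(
    [(t, "198.51.100.7", "admin@example.org", "fail") for t in range(0, 16, 2)]
    + [(0, "203.0.113.5", "alice@example.org", "fail"),
       (100, "203.0.113.5", "alice@example.org", "fail"),
       (130, "203.0.113.5", "alice@example.org", "ok")]
    + [(t, "198.51.100.8", "info@example.org", "fail") for t in range(0, 1001, 200)],
    key=lambda e: e[0],
)


def replay(events, jail):
    """Feed auth events through the jail. Returns the list of (ip, time) bans
    and the number of attempts that arrived while their source was banned."""
    bans, refused = [], 0
    for t, ip, _user, outcome in events:
        if jail.is_banned(ip, t):
            refused += 1
            continue
        if outcome == "fail" and jail.record_failure(ip, t):
            bans.append((ip, t))
    return bans, refused


if __name__ == "__main__":
    jail = AuthFailJail()
    bans, refused = replay(EVENTS, jail)
    print("bans:", bans)                                    # [('198.51.100.7', 8)]
    print("attempts refused while banned:", refused)       # 3
    print("slow guesser banned?", jail.is_banned("198.51.100.8", 1001))  # False
```

The fast bot is banned on its fifth failure and its next three tries never reach the auth code, while the clumsy user is untouched. The slow guesser never accumulates five failures inside one 600-second window, which is the point to keep in mind when tuning the SMTP and POP3 jails: a longer findtime or lower maxretry catches that pattern, at the cost of banning a legitimate but forgetful user sooner.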
[qmailtoaster] Help, I'm an open relay!!
I don't understand what's going on here, but somehow all of a sudden I am on the spamcop RBL. If I tail /var/log/qmail/smtp/current, I'm seeing a TON of emails getting relayed that are all .ru hosts and addresses. I've run every open relay test I could find and all of them say I'm good to go, but spamdyke says I'm accepting over 75000 emails a day and they're not hitting any of my inboxes. Can y'all help me diagnose and solve this?

Here's a snippet of the current file:

@4000533d52101655376c CHKUSER relaying rcpt: from fe...@782782.ru:kcob...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt 1dawmydgeaa...@prosoft-m.ru : client allowed to relay
@4000533d521016554324 policy_check: local kcob...@vipercrazy.com - remote 1dawmydgeaa...@prosoft-m.ru (AUTHENTICATED SENDER)
@4000533d52101655470c policy_check: policy allows transmission
@4000533d52101703edfc CHKUSER accepted sender: from i...@3vlodke.ru:bi...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt : sender accepted
@4000533d521108b8a88c CHKUSER relaying rcpt: from i...@3vlodke.ru:bi...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt inf...@dvugadn.kht.ru : client allowed to relay
@4000533d521108b8b444 policy_check: local bi...@vipercrazy.com - remote inf...@dvugadn.kht.ru (AUTHENTICATED SENDER)
@4000533d521108b8b444 policy_check: policy allows transmission
@4000533d52112c20499c simscan:[13710]:RELAYCLIENT:1.1458s:-:91.235.7.37:fe...@782782.ru:1dawmydgeaa...@prosoft-m.ru
@4000533d52112cba283c spamdyke[13709]: ALLOWED from: fe...@782782.ru to: 1dawmydgeaa...@prosoft-m.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: kcob...@vipercrazy.com encryption: (none) reason: 250_ok_1396527623_qp_13732
@4000533d521139ada1f4 tcpserver: end 13709 status 0
@4000533d521139ada5dc tcpserver: status: 1/100
@4000533d5212129d193c simscan:[13718]:RELAYCLIENT:0.9592s:-:91.235.7.37:i...@3vlodke.ru:inf...@dvugadn.kht.ru
@4000533d52121316601c spamdyke[13717]: ALLOWED from: i...@3vlodke.ru to: inf...@dvugadn.kht.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: bi...@vipercrazy.com encryption: (none) reason: 250_ok_1396527624_qp_13752
@4000533d52121a62824c tcpserver: status: 2/100
@4000533d52121a628634 tcpserver: pid 13764 from 91.235.7.37
@4000533d52121a628634 tcpserver: ok 13764 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::64980
@4000533d5212201bdb34 tcpserver: end 13717 status 0
@4000533d5212201bdf1c tcpserver: status: 1/100
@4000533d521302016b8c tcpserver: status: 2/100
@4000533d521302017744 tcpserver: pid 13766 from 91.235.7.37
@4000533d521302017744 tcpserver: ok 13766 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::64990
@4000533d52132c0ba474 CHKUSER accepted sender: from pa...@143904.ru:kcob...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt : sender accepted
@4000533d52133ae2b6f4 CHKUSER relaying rcpt: from pa...@143904.ru:kcob...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt 4-1696808-19797-20060901154637-v...@subscribe.ru : client allowed to relay
@4000533d52133ae2c2ac policy_check: local kcob...@vipercrazy.com - remote 4-1696808-19797-20060901154637-v...@subscribe.ru (AUTHENTICATED SENDER)
@4000533d52133ae2ca7c policy_check: policy allows transmission
@4000533d521413dbfdf4 CHKUSER accepted sender: from o...@7-design.ru:bi...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt : sender accepted
@4000533d52142423c32c simscan:[13765]:RELAYCLIENT:0.4157s:-:91.235.7.37:pa...@143904.ru:4-1696808-19797-20060901154637-v...@subscribe.ru
@4000533d521424f524bc spamdyke[13764]: ALLOWED from: pa...@143904.ru to: 4-1696808-19797-20060901154637-v...@subscribe.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: kcob...@vipercrazy.com encryption: (none) reason: 250_ok_1396527626_qp_13785
@4000533d5214285cb1ec CHKUSER relaying rcpt: from o...@7-design.ru:bi...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt pavel_ma...@tut.by : client allowed to relay
@4000533d5214285cb9bc policy_check: local bi...@vipercrazy.com - remote pavel_ma...@tut.by (AUTHENTICATED SENDER)
@4000533d5214285cbda4 policy_check: policy allows transmission
@4000533d5214317e9204 tcpserver: end 13764 status 0
@4000533d5214317e95ec tcpserver: status: 1/100
@4000533d521513228964 tcpserver: status: 2/100
@4000533d521513228d4c tcpserver: pid 13811 from 91.235.7.37
@4000533d521513229134 tcpserver: ok 13811 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::65030
@4000533d52152188a204 simscan:[13767]:RELAYCLIENT:0.5571s:-:91.235.7.37:o...@7-design.ru:pavel_ma...@tut.by
@4000533d5215223220a4 spamdyke[13766]: ALLOWED from: o...@7-design.ru to: pavel_ma...@tut.by origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: bi...@vipercrazy.com encryption: (none) reason: 250_ok_1396527627_qp_13803
@4000533d52152ef946b4 tcpserver: end 13766 status 0
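The triage the replies below perform by eye (every relayed message carries "AUTHENTICATED SENDER", the same origin_ip and one of two local accounts, while the envelope sender is a foreign .ru address) can be scripted against the spamdyke ALLOWED lines. The following is an added example, not code from this thread or from spamdyke/QMT: it parses ALLOWED lines in the format seen in the snippet above (four lines taken from it, plus two constructed lines showing a normal authenticated submission and an unauthenticated inbound delivery) and reports, per authenticated account, how many messages were relayed for senders outside the account's own domain and from which client IPs. The thresholds min_msgs and foreign_ratio are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Sample input: four "spamdyke ... ALLOWED" lines from the log snippet in this
# thread, plus two CONSTRUCTED lines (192.0.2.10, a normal submission by a user
# sending as themselves; 198.51.100.20, an unauthenticated inbound delivery).
SAMPLE_LOG = """\
@4000533d52112cba283c spamdyke[13709]: ALLOWED from: fe...@782782.ru to: 1dawmydgeaa...@prosoft-m.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: kcob...@vipercrazy.com encryption: (none) reason: 250_ok_1396527623_qp_13732
@4000533d52121316601c spamdyke[13717]: ALLOWED from: i...@3vlodke.ru to: inf...@dvugadn.kht.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: bi...@vipercrazy.com encryption: (none) reason: 250_ok_1396527624_qp_13752
@4000533d521424f524bc spamdyke[13764]: ALLOWED from: pa...@143904.ru to: 4-1696808-19797-20060901154637-v...@subscribe.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: kcob...@vipercrazy.com encryption: (none) reason: 250_ok_1396527626_qp_13785
@4000533d5215223220a4 spamdyke[13766]: ALLOWED from: o...@7-design.ru to: pavel_ma...@tut.by origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: bi...@vipercrazy.com encryption: (none) reason: 250_ok_1396527627_qp_13803
@4000533d5215300000aa spamdyke[13790]: ALLOWED from: alice@example.org to: bob@example.net origin_ip: 192.0.2.10 origin_rdns: client.example.org auth: alice@example.org encryption: TLS reason: 250_ok_1396527630_qp_13820
@4000533d5215400000bb spamdyke[13801]: ALLOWED from: news@example.com to: kcob...@vipercrazy.com origin_ip: 198.51.100.20 origin_rdns: mx.example.com auth: (unknown) encryption: (none) reason: 250_ok_1396527640_qp_13830
"""

# One ALLOWED line carries everything this triage needs: envelope sender,
# recipient, client IP and the account that passed SMTP AUTH.  The pattern is
# written against the field order seen in the snippet.
ALLOWED_RE = re.compile(
    r"spamdyke\[\d+\]: ALLOWED from: (?P<sender>\S+) to: (?P<rcpt>\S+) "
    r"origin_ip: (?P<ip>\S+) origin_rdns: \S+ auth: (?P<auth>\S+)"
)


def domain_of(addr):
    """Lower-cased domain part of an address; '(unknown)' is returned as-is."""
    return addr.rsplit("@", 1)[-1].lower()


def parse_allowed(lines):
    """Extract sender/rcpt/ip/auth records from spamdyke ALLOWED lines."""
    records = []
    for line in lines:
        m = ALLOWED_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def summarize(records):
    """Per authenticated account: message count, client IPs, recipient
    domains, and how many messages used an envelope sender outside the
    account's own domain. Unauthenticated (inbound) deliveries are skipped."""
    stats = defaultdict(lambda: {"total": 0, "ips": set(),
                                 "foreign_sender": 0, "rcpt_domains": set()})
    for r in records:
        acct = r["auth"]
        if acct == "(unknown)":
            continue
        s = stats[acct]
        s["total"] += 1
        s["ips"].add(r["ip"])
        s["rcpt_domains"].add(domain_of(r["rcpt"]))
        if domain_of(r["sender"]) != domain_of(acct):
            s["foreign_sender"] += 1
    return dict(stats)


def suspicious_accounts(records, min_msgs=2, foreign_ratio=0.5):
    """Accounts that, over at least min_msgs messages, mostly relay mail for
    senders outside their own domain: the usual signature of a stolen login.
    Returns (account, stats) pairs, busiest first."""
    flagged = []
    for acct, s in summarize(records).items():
        if s["total"] >= min_msgs and s["foreign_sender"] / s["total"] >= foreign_ratio:
            flagged.append((acct, s))
    flagged.sort(key=lambda item: item[1]["total"], reverse=True)
    return flagged


if __name__ == "__main__":
    recs = parse_allowed(SAMPLE_LOG.splitlines())
    for acct, s in suspicious_accounts(recs):
        print(f"{acct}: {s['total']} msgs, {s['foreign_sender']} with a foreign "
              f"sender, from {sorted(s['ips'])}, to {sorted(s['rcpt_domains'])}")
```

Run against the live file with `parse_allowed(open("/var/log/qmail/smtp/current"))`; the two vipercrazy.com accounts come out flagged with a single client IP between them, and the constructed alice@example.org line does not, because she sends as herself. A forced password change on the flagged accounts and a block on the client IP are the two actions the rest of this thread arrives at.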
Re: [qmailtoaster] Help, I'm an open relay!!
Have you checked for hijacked accounts? Looks like all mails are sent from a single account and IP. Most likely a guessed/leaked password.

Cheers,
Sebastian

On 03.04.2014, at 14:30, Kelly Cobean kcob...@vipercrazy.com wrote:
> I don't understand what's going on here, but somehow all of a sudden I am on the spamcop RBL. If I tail /var/log/qmail/smtp/current, I'm seeing a TON of emails getting relayed that are all .ru hosts and addresses. I've run every open relay test I could find and all of them say I'm good to go, but spamdyke says I'm accepting over 75000 emails a day and they're not hitting any of my inboxes. Can y'all help me diagnose and solve this?
>
> Here's a snippet of the current file:
> [...]
RE: [qmailtoaster] Help, I'm an open relay!!
I would shut down bi...@vipercrazy.com for now and see if the relaying stops. Do you know if that was an easily hacked password?

From: Sebastian Grewe [mailto:sebast...@grewe.ca]
Sent: Thursday, April 03, 2014 8:42 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Help, I'm an open relay!!

> Have you checked for hijacked accounts? Looks like all mails are sent from a single account and IP. Most likely a guessed/leaked password.
>
> Cheers,
> Sebastian
>
> On 03.04.2014, at 14:30, Kelly Cobean kcob...@vipercrazy.com wrote:
> > [...]
[qmailtoaster] Re: fail2ban - now more than ever
On 04/03/2014 08:18 AM, Angus McIntyre wrote:
> If you haven't implemented fail2ban on your qmail toasters, think seriously about doing so.
> [...]

Indeed. :)

I hope to incorporate f2b in the stock QMT at some point, probably sooner than later. The qt-firewall script needs a little work, and I may tackle them both together. The only drawback to doing f2b sooner is that logging is also going to change soon in a major way, so f2b will need to be tweaked a bit at that time. There probably won't be much to it. We'll see.

Thanks Angus, and those who worked on the wiki page. It's very helpful.

--
-Eric 'shubes'

-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
Re: [qmailtoaster] Help, I'm an open relay!!
Auth line is: kcob...@vipercrazy.com
I'd guess that's the account?

Cheers,
Sebastian

On 03.04.2014, at 18:46, Helmut Fritz hel...@fritz.us.com wrote:
> I would shut down bi...@vipercrazy.com for now and see if the relaying stops. Do you know if that was an easily hacked password?
>
> From: Sebastian Grewe [mailto:sebast...@grewe.ca]
> Sent: Thursday, April 03, 2014 8:42 AM
> To: qmailtoaster-list@qmailtoaster.com
> Subject: Re: [qmailtoaster] Help, I'm an open relay!!
>
> > Have you checked for hijacked accounts? Looks like all mails are sent from a single account and IP. Most likely a guessed/leaked password.
> >
> > On 03.04.2014, at 14:30, Kelly Cobean kcob...@vipercrazy.com wrote:
> > > [...]
Re: [qmailtoaster] Re: fail2ban - now more than ever
Hi Eric.

FYI - latest fail2ban release 0.9 is slightly different from the previous releases - the way it is set up has changed.

Regards,
Finn

On 03-04-2014 19:03, Eric Shubert wrote:
> On 04/03/2014 08:18 AM, Angus McIntyre wrote:
> > If you haven't implemented fail2ban on your qmail toasters, think seriously about doing so.
> > [...]
>
> Indeed. :)
>
> I hope to incorporate f2b in the stock QMT at some point, probably sooner than later. The qt-firewall script needs a little work, and I may tackle them both together. The only drawback to doing f2b sooner is that logging is also going to change soon in a major way, so f2b will need to be tweaked a bit at that time. There probably won't be much to it. We'll see.
>
> Thanks Angus, and those who worked on the wiki page. It's very helpful.
[qmailtoaster] Re: How to restrict mail sending limit to particular user
Vivek,

You need to describe the manner in which you'd like to limit sending.

eMPF might suit your purpose as well: http://www.qmailwiki.org/index.php/EMPF
eMPF is built into QMT, so you simply need to create your policy file.

--
-Eric 'shubes'

On 04/03/2014 07:21 AM, Dan McAllister wrote:
> Assuming you require SMTP AUTH to send, you could use vmoduser -s. According to the documentation, this disables SMTP AUTH -- which, if that is the only way to send, would disable sending.
>
> NOTE: in a stock QMT install, this would NOT block sending with the WEB interfaces, as they use SMTP directly but are allowed by tcprules.
>
> Dan McAllister
>
> On 4/3/2014 2:45 AM, Linux wrote:
> > [...]
[qmailtoaster] Re: Help, I'm an open relay!!
Looks to me like both accounts are being used, from the same IP address.

You could also add the IP address to the /etc/spamdyke/blacklist_ip file (provided you've installed spamdyke, which you should do if you haven't).

On 04/03/2014 10:09 AM, Sebastian Grewe wrote:

Auth line is: kcob...@vipercrazy.com

I'd guess that's the account?

Cheers, Sebastian

On 03.04.2014, at 18:46, Helmut Fritz hel...@fritz.us.com wrote:

I would shut down bi...@vipercrazy.com for now and see if the relaying stops. Do you know if that was an easily hacked password?

From: Sebastian Grewe [mailto:sebast...@grewe.ca]
Sent: Thursday, April 03, 2014 8:42 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Help, I'm an open relay!!

Have you checked for hijacked accounts? Looks like all mails are sent from a single account and IP. Most likely a guessed/leaked password.

Cheers, Sebastian

On 03.04.2014, at 14:30, Kelly Cobean kcob...@vipercrazy.com wrote:

I don't understand what's going on here, but somehow all of a sudden I am on the spamcop RBL. If I tail /var/log/qmail/smtp/current, I'm seeing a TON of emails getting relayed that are all .ru hosts and addresses. I've run every open relay test I could find and all of them say I'm good to go, but spamdyke says I'm accepting over 75000 emails a day and they're not hitting any of my inboxes. Can y'all help me diagnose and solve this?

Here's a snippet of the current file:

@4000533d52101655376c CHKUSER relaying rcpt: from fe...@782782.ru:kcob...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt 1dawmydgeaa...@prosoft-m.ru : client allowed to relay
@4000533d521016554324 policy_check: local kcob...@vipercrazy.com - remote 1dawmydgeaa...@prosoft-m.ru (AUTHENTICATED SENDER)
@4000533d52101655470c policy_check: policy allows transmission
@4000533d52101703edfc CHKUSER accepted sender: from i...@3vlodke.ru:bi...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt : sender accepted
@4000533d521108b8a88c CHKUSER relaying rcpt: from i...@3vlodke.ru:bi...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt inf...@dvugadn.kht.ru : client allowed to relay
@4000533d521108b8b444 policy_check: local bi...@vipercrazy.com - remote inf...@dvugadn.kht.ru (AUTHENTICATED SENDER)
@4000533d521108b8b444 policy_check: policy allows transmission
@4000533d52112c20499c simscan:[13710]:RELAYCLIENT:1.1458s:-:91.235.7.37:fe...@782782.ru:1dawmydgeaa...@prosoft-m.ru
@4000533d52112cba283c spamdyke[13709]: ALLOWED from: fe...@782782.ru to: 1dawmydgeaa...@prosoft-m.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: kcob...@vipercrazy.com encryption: (none) reason: 250_ok_1396527623_qp_13732
@4000533d521139ada1f4 tcpserver: end 13709 status 0
@4000533d521139ada5dc tcpserver: status: 1/100
@4000533d5212129d193c simscan:[13718]:RELAYCLIENT:0.9592s:-:91.235.7.37:i...@3vlodke.ru:inf...@dvugadn.kht.ru
@4000533d52121316601c spamdyke[13717]: ALLOWED from: i...@3vlodke.ru to: inf...@dvugadn.kht.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: bi...@vipercrazy.com encryption: (none) reason: 250_ok_1396527624_qp_13752
@4000533d52121a62824c tcpserver: status: 2/100
@4000533d52121a628634 tcpserver: pid 13764 from 91.235.7.37
@4000533d52121a628634 tcpserver: ok 13764 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::64980
@4000533d5212201bdb34 tcpserver: end 13717 status 0
@4000533d5212201bdf1c tcpserver: status: 1/100
@4000533d521302016b8c tcpserver: status: 2/100
@4000533d521302017744 tcpserver: pid 13766 from 91.235.7.37
@4000533d521302017744 tcpserver: ok 13766 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::64990
@4000533d52132c0ba474 CHKUSER accepted sender: from pa...@143904.ru:kcob...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt : sender accepted
@4000533d52133ae2b6f4 CHKUSER relaying rcpt: from
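The pattern Eric points at (every relayed message carries "AUTHENTICATED SENDER", only two auth accounts, one origin IP, envelope senders from domains the server does not host) can be pulled out of spamdyke's ALLOWED lines mechanically instead of by eye. The script below is an added example, not code from the list, from spamdyke or from QMT. It assumes the ALLOWED line layout shown in the snippet above; the sample log lines, the addresses and the IPs in it are constructed (documentation ranges), and the function names are the example's own. It reports accounts whose envelope-sender domain does not match the account's own domain repeatedly, and IPs that authenticate as more than one account, then lists the IPs as candidates to review before anything is appended to /etc/spamdyke/blacklist_ip (one address per line).

```python
import re
from collections import defaultdict

# Constructed sample modelled on the spamdyke ALLOWED lines in the post above
# (documentation addresses and IPs, not real traffic).
SAMPLE_LOG = """\
@4000533d52112cba283c spamdyke[13709]: ALLOWED from: promo@mailer1.example to: a@remote1.example origin_ip: 203.0.113.5 origin_rdns: (unknown) auth: alice@example.org encryption: (none) reason: 250_ok_1396527623_qp_13732
@4000533d52121316601c spamdyke[13717]: ALLOWED from: news@mailer2.example to: b@remote2.example origin_ip: 203.0.113.5 origin_rdns: (unknown) auth: bob@example.org encryption: (none) reason: 250_ok_1396527624_qp_13752
@4000533d521424f524bc spamdyke[13764]: ALLOWED from: offer@mailer3.example to: c@remote3.example origin_ip: 203.0.113.5 origin_rdns: (unknown) auth: alice@example.org encryption: (none) reason: 250_ok_1396527626_qp_13785
@4000533d52150000000c spamdyke[13790]: ALLOWED from: carol@example.org to: d@remote4.example origin_ip: 198.51.100.7 origin_rdns: home.isp.example auth: carol@example.org encryption: TLS reason: 250_ok_1396527630_qp_13801
@4000533d52160000000c spamdyke[13802]: ALLOWED from: someone@remote5.example to: carol@example.org origin_ip: 192.0.2.9 origin_rdns: mx.remote5.example auth: (unknown) encryption: (none) reason: 250_ok_1396527633_qp_13810
@4000533d521139ada1f4 tcpserver: end 13709 status 0
"""

# Field layout of a spamdyke ALLOWED line as it appears in the snippet above.
ALLOWED_RE = re.compile(
    r"spamdyke\[(?P<pid>\d+)\]: ALLOWED from: (?P<mail_from>\S+) to: (?P<rcpt>\S+) "
    r"origin_ip: (?P<ip>\S+) origin_rdns: (?P<rdns>\S+) auth: (?P<auth>\S+) "
    r"encryption: (?P<enc>\S+)"
)


def parse_allowed(line):
    """Return the fields of one ALLOWED line, or None for any other log line."""
    m = ALLOWED_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # "(unknown)" means the client did not authenticate (ordinary inbound mail).
    rec["auth"] = None if rec["auth"] == "(unknown)" else rec["auth"].lower()
    return rec


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def summarize(lines):
    """Per authenticated account: message count, origin IPs, envelope-from domains."""
    acct = defaultdict(lambda: {"count": 0, "ips": set(), "from_domains": set()})
    for line in lines:
        rec = parse_allowed(line)
        if rec is None or rec["auth"] is None:
            continue  # only authenticated relays matter for this question
        s = acct[rec["auth"]]
        s["count"] += 1
        s["ips"].add(rec["ip"])
        s["from_domains"].add(domain_of(rec["mail_from"]))
    return acct


def find_suspicious(lines, min_foreign=2):
    """Flag (account, IP) pairs that relay >= min_foreign messages whose envelope
    sender is in a different domain than the account, and IPs that authenticate
    as more than one account (the two signs visible in Kelly's log)."""
    foreign = defaultdict(int)
    accts_per_ip = defaultdict(set)
    for line in lines:
        rec = parse_allowed(line)
        if rec is None or rec["auth"] is None:
            continue
        accts_per_ip[rec["ip"]].add(rec["auth"])
        if domain_of(rec["mail_from"]) != domain_of(rec["auth"]):
            foreign[(rec["auth"], rec["ip"])] += 1
    findings = []
    for (auth, ip), n in sorted(foreign.items()):
        if n >= min_foreign:
            findings.append({"kind": "foreign_sender", "auth": auth, "ip": ip, "count": n})
    for ip, accts in sorted(accts_per_ip.items()):
        if len(accts) > 1:
            findings.append({"kind": "multi_account_ip", "ip": ip, "accounts": sorted(accts)})
    return findings


def blacklist_candidates(findings):
    """IPs worth reviewing for /etc/spamdyke/blacklist_ip (one address per line)."""
    return sorted({f["ip"] for f in findings})


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG.splitlines())
    for f in found:
        print(f)
    print("candidates:", blacklist_candidates(found))
```

On a live toaster the same functions can be fed `/var/log/qmail/smtp/current` (and the rotated `@*.s` files) through `open(...)`; the envelope-domain test is deliberately coarse, since legitimate users do sometimes send with a foreign From, which is why the output is a review list and not an automatic block.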
[qmailtoaster] Re: fail2ban - now more than ever
Thanks for the heads up, Finn.

0.8.7.1 appears to be the latest version for COS6 in epel repo. I'd be inclined to stick with that for the time being, or at least wait for 0.9.1. ;)

Anything new that's cool in 0.9?

--
-Eric 'shubes'

On 04/03/2014 10:29 AM, Finn Buhelt wrote:

Hi Eric.

FYI - latest fail2ban release 0.9 is slightly different from the previous releases - the way it is setup has changed.

Regards, Finn

On 03-04-2014 19:03, Eric Shubert wrote:

On 04/03/2014 08:18 AM, Angus McIntyre wrote:

If you haven't implemented fail2ban on your qmail toasters, think seriously about doing so.

There are at least two botnet-based password-guessing campaigns currently ongoing. One is trying SMTP authentication against role accounts (e.g. 'admin@', 'info@') at known domains. It was this one that prompted initial recent discussion of fail2ban on this list.

The other, which I think just started today, is trying to do POP3 authentication, using email addresses taken from mailing lists used by spammers. Because these lists are mostly nonsense, this will result in hundreds or thousands of attempts to authenticate against non-existent users, but I suppose they might eventually start hitting some existing addresses.

Because of the stupidity of these attempts, I would think that they're very unlikely to succeed at most hosts. However, if left to run unchecked they will probably start to soak up noticeable amounts of resources. The spammers appear to be deploying increasingly large botnets, and each host will keep trying until banned.

The instructions at: http://wiki.qmailtoaster.com/index.php/Fail2Ban for setting up fail2ban seem pretty good.

This has been a public service announcement.

Angus

Indeed. :)

I hope to incorporate f2b in the stock QMT at some point, probably sooner than later. The qt-firewall script needs a little work, and I may tackle them both together.

The only drawback to doing f2b sooner is that logging is also going to change soon in a major way, so f2b will need to be tweaked a bit at that time. There probably won't be much to it. We'll see.

Thanks Angus, and those who worked on the wiki page. It's very helpful.
Re: [qmailtoaster] Re: fail2ban - now more than ever
Haven't had the time to test it yet - but it is changed that much I think You'd better wait for rel. 0.9.x before including in stock QMT;-) (I know that may very well be the target keeping in mind all the other things You're tied up with.)

Cheers, Finn

On 03-04-2014 19:39, Eric Shubert wrote:

Thanks for the heads up, Finn.

0.8.7.1 appears to be the latest version for COS6 in epel repo. I'd be inclined to stick with that for the time being, or at least wait for 0.9.1. ;)

Anything new that's cool in 0.9?
Re: [qmailtoaster] fail2ban - now more than ever
On 4/3/2014 9:18 AM, Angus McIntyre wrote:

If you haven't implemented fail2ban on your qmail toasters, think seriously about doing so.

There are at least two botnet-based password-guessing campaigns currently ongoing. One is trying SMTP authentication against role accounts (e.g. 'admin@', 'info@') at known domains. It was this one that prompted initial recent discussion of fail2ban on this list.

The other, which I think just started today, is trying to do POP3 authentication, using email addresses taken from mailing lists used by spammers. Because these lists are mostly nonsense, this will result in hundreds or thousands of attempts to authenticate against non-existent users, but I suppose they might eventually start hitting some existing addresses.

Because of the stupidity of these attempts, I would think that they're very unlikely to succeed at most hosts. However, if left to run unchecked they will probably start to soak up noticeable amounts of resources. The spammers appear to be deploying increasingly large botnets, and each host will keep trying until banned.

The instructions at: http://wiki.qmailtoaster.com/index.php/Fail2Ban for setting up fail2ban seem pretty good.

This has been a public service announcement.

Angus

Angus,

I've installed f2b on my home and a client's email server. One problem that manifested itself was the inability to use FTP, from anywhere outside my network firewall. Before turning on f2b and the QTP firewall script (firewall.sh) those 'outside' could access my ftp site. After iptables is turned on, no such luck. I think the problem is with iptables and not f2b. I worked for about 6 hours on this to get it resolved after one from the QTP community could not download my DSPAM project. Finally, I simply turned off iptables and everything works. I'd sure like to get f2b with iptables working again.

(Stumped in the west)
EricB
Re: [qmailtoaster] Help, I'm an open relay!!
Hey Sebastian,

I thought leaked password as well at first, but there are at least two accounts I see under auth: mine and one other. I suppose it's possible that they were guessed/leaked, but it's awfully coincidental that it's two accounts in the same domain on a server running at least 6 domains. I only saw two IP addresses doing all this spamming, so I put those in iptables and things seem quiet for now. I'll change the passwords on those two accounts as well. I'm really glad spamcop has an easy way to delist a server once an issue is fixed.

Thanks.
Kelly

On 04/03/2014 11:42, Sebastian Grewe wrote:

Have you checked for hijacked accounts? Looks like all mails are sent from a single account and IP. Most likely a guessed/leaked password.

Cheers, Sebastian

On 03.04.2014, at 14:30, Kelly Cobean kcob...@vipercrazy.com wrote:

I don't understand what's going on here, but somehow all of a sudden I am on the spamcop RBL. If I tail /var/log/qmail/smtp/current, I'm seeing a TON of emails getting relayed that are all .ru hosts and addresses. I've run every open relay test I could find and all of them say I'm good to go, but spamdyke says I'm accepting over 75000 emails a day and they're not hitting any of my inboxes. Can y'all help me diagnose and solve this?

Here's a snippet of the current file:

@4000533d52101655376c CHKUSER relaying rcpt: from fe...@782782.ru:kcob...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt 1dawmydgeaa...@prosoft-m.ru : client allowed to relay
@4000533d521016554324 policy_check: local kcob...@vipercrazy.com - remote 1dawmydgeaa...@prosoft-m.ru (AUTHENTICATED SENDER)
@4000533d52101655470c policy_check: policy allows transmission
@4000533d52101703edfc CHKUSER accepted sender: from i...@3vlodke.ru:bi...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt : sender accepted
@4000533d521108b8a88c CHKUSER relaying rcpt: from i...@3vlodke.ru:bi...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt inf...@dvugadn.kht.ru : client allowed to relay
@4000533d521108b8b444 policy_check: local bi...@vipercrazy.com - remote inf...@dvugadn.kht.ru (AUTHENTICATED SENDER)
@4000533d521108b8b444 policy_check: policy allows transmission
@4000533d52112c20499c simscan:[13710]:RELAYCLIENT:1.1458s:-:91.235.7.37:fe...@782782.ru:1dawmydgeaa...@prosoft-m.ru
@4000533d52112cba283c spamdyke[13709]: ALLOWED from: fe...@782782.ru to: 1dawmydgeaa...@prosoft-m.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: kcob...@vipercrazy.com encryption: (none) reason: 250_ok_1396527623_qp_13732
@4000533d521139ada1f4 tcpserver: end 13709 status 0
@4000533d521139ada5dc tcpserver: status: 1/100
@4000533d5212129d193c simscan:[13718]:RELAYCLIENT:0.9592s:-:91.235.7.37:i...@3vlodke.ru:inf...@dvugadn.kht.ru
@4000533d52121316601c spamdyke[13717]: ALLOWED from: i...@3vlodke.ru to: inf...@dvugadn.kht.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: bi...@vipercrazy.com encryption: (none) reason: 250_ok_1396527624_qp_13752
@4000533d52121a62824c tcpserver: status: 2/100
@4000533d52121a628634 tcpserver: pid 13764 from 91.235.7.37
@4000533d52121a628634 tcpserver: ok 13764 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::64980
@4000533d5212201bdb34 tcpserver: end 13717 status 0
@4000533d5212201bdf1c tcpserver: status: 1/100
@4000533d521302016b8c tcpserver: status: 2/100
@4000533d521302017744 tcpserver: pid 13766 from 91.235.7.37
@4000533d521302017744 tcpserver: ok 13766 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::64990
@4000533d52132c0ba474 CHKUSER accepted sender: from pa...@143904.ru:kcob...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt : sender accepted
@4000533d52133ae2b6f4 CHKUSER relaying rcpt: from pa...@143904.ru:kcob...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt 4-1696808-19797-20060901154637-v...@subscribe.ru : client allowed to relay
@4000533d52133ae2c2ac policy_check: local kcob...@vipercrazy.com - remote 4-1696808-19797-20060901154637-v...@subscribe.ru (AUTHENTICATED SENDER)
@4000533d52133ae2ca7c policy_check: policy allows transmission
@4000533d521413dbfdf4 CHKUSER accepted sender: from o...@7-design.ru:bi...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt : sender accepted
@4000533d52142423c32c simscan:[13765]:RELAYCLIENT:0.4157s:-:91.235.7.37:pa...@143904.ru:4-1696808-19797-20060901154637-v...@subscribe.ru
@4000533d521424f524bc spamdyke[13764]: ALLOWED from: pa...@143904.ru to: 4-1696808-19797-20060901154637-v...@subscribe.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: kcob...@vipercrazy.com encryption: (none) reason: 250_ok_1396527626_qp_13785
@4000533d5214285cb1ec CHKUSER relaying rcpt: from o...@7-design.ru:bi...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt pavel_ma...@tut.by : client allowed to relay
Re: [qmailtoaster] Help, I'm an open relay!!
Ok, I'm gonna ask a real dumb question. When I ran squirrel mail and the old QmailRocks distro (yep, LONG time ago), I had a squirrelmail plugin to allow people to change passwords via the squirrel. Now I'm running QTP and Roundcube. I still have squirrelmail running, but the password change results in a connection refused error. How the heck do users change their passwords in QTP? Do I have to do it for them using qmailadmin?

Thanks.
Kelly

On 04/03/2014 11:42, Sebastian Grewe wrote:

Have you checked for hijacked accounts? Looks like all mails are sent from a single account and IP. Most likely a guessed/leaked password.

Cheers, Sebastian

On 03.04.2014, at 14:30, Kelly Cobean kcob...@vipercrazy.com wrote:

I don't understand what's going on here, but somehow all of a sudden I am on the spamcop RBL. If I tail /var/log/qmail/smtp/current, I'm seeing a TON of emails getting relayed that are all .ru hosts and addresses. I've run every open relay test I could find and all of them say I'm good to go, but spamdyke says I'm accepting over 75000 emails a day and they're not hitting any of my inboxes. Can y'all help me diagnose and solve this?

Here's a snippet of the current file:

@4000533d52101655376c CHKUSER relaying rcpt: from fe...@782782.ru:kcob...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt 1dawmydgeaa...@prosoft-m.ru : client allowed to relay
@4000533d521016554324 policy_check: local kcob...@vipercrazy.com - remote 1dawmydgeaa...@prosoft-m.ru (AUTHENTICATED SENDER)
@4000533d52101655470c policy_check: policy allows transmission
@4000533d52101703edfc CHKUSER accepted sender: from i...@3vlodke.ru:bi...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt : sender accepted
@4000533d521108b8a88c CHKUSER relaying rcpt: from i...@3vlodke.ru:bi...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt inf...@dvugadn.kht.ru : client allowed to relay
@4000533d521108b8b444 policy_check: local bi...@vipercrazy.com - remote inf...@dvugadn.kht.ru (AUTHENTICATED SENDER)
@4000533d521108b8b444 policy_check: policy allows transmission
@4000533d52112c20499c simscan:[13710]:RELAYCLIENT:1.1458s:-:91.235.7.37:fe...@782782.ru:1dawmydgeaa...@prosoft-m.ru
@4000533d52112cba283c spamdyke[13709]: ALLOWED from: fe...@782782.ru to: 1dawmydgeaa...@prosoft-m.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: kcob...@vipercrazy.com encryption: (none) reason: 250_ok_1396527623_qp_13732
@4000533d521139ada1f4 tcpserver: end 13709 status 0
@4000533d521139ada5dc tcpserver: status: 1/100
@4000533d5212129d193c simscan:[13718]:RELAYCLIENT:0.9592s:-:91.235.7.37:i...@3vlodke.ru:inf...@dvugadn.kht.ru
@4000533d52121316601c spamdyke[13717]: ALLOWED from: i...@3vlodke.ru to: inf...@dvugadn.kht.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: bi...@vipercrazy.com encryption: (none) reason: 250_ok_1396527624_qp_13752
@4000533d52121a62824c tcpserver: status: 2/100
@4000533d52121a628634 tcpserver: pid 13764 from 91.235.7.37
@4000533d52121a628634 tcpserver: ok 13764 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::64980
@4000533d5212201bdb34 tcpserver: end 13717 status 0
@4000533d5212201bdf1c tcpserver: status: 1/100
@4000533d521302016b8c tcpserver: status: 2/100
@4000533d521302017744 tcpserver: pid 13766 from 91.235.7.37
@4000533d521302017744 tcpserver: ok 13766 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::64990
@4000533d52132c0ba474 CHKUSER accepted sender: from pa...@143904.ru:kcob...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt : sender accepted
@4000533d52133ae2b6f4 CHKUSER relaying rcpt: from pa...@143904.ru:kcob...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt 4-1696808-19797-20060901154637-v...@subscribe.ru : client allowed to relay
@4000533d52133ae2c2ac policy_check: local kcob...@vipercrazy.com - remote 4-1696808-19797-20060901154637-v...@subscribe.ru (AUTHENTICATED SENDER)
@4000533d52133ae2ca7c policy_check: policy allows transmission
@4000533d521413dbfdf4 CHKUSER accepted sender: from o...@7-design.ru:bi...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt : sender accepted
@4000533d52142423c32c simscan:[13765]:RELAYCLIENT:0.4157s:-:91.235.7.37:pa...@143904.ru:4-1696808-19797-20060901154637-v...@subscribe.ru
@4000533d521424f524bc spamdyke[13764]: ALLOWED from: pa...@143904.ru to: 4-1696808-19797-20060901154637-v...@subscribe.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: kcob...@vipercrazy.com encryption: (none) reason: 250_ok_1396527626_qp_13785
@4000533d5214285cb1ec CHKUSER relaying rcpt: from o...@7-design.ru:bi...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt pavel_ma...@tut.by : client allowed to relay
@4000533d5214285cb9bc policy_check: local bi...@vipercrazy.com - remote pavel_ma...@tut.by (AUTHENTICATED SENDER)
[qmailtoaster] Re: fail2ban - now more than ever
10-4. If someone would let me know when 0.9.x is available on epel that'd be appreciated. In the meantime, I can keep 0.9 in mind as I get into logging (which will entail Logstash, ElasticSearch and Kibana, in case anyone's interested and wants in on the fun!).

Thanks Finn.

On 04/03/2014 11:27 AM, Finn Buhelt wrote:

Haven't had the time to test it yet - but it is changed that much I think You'd better wait for rel. 0.9.x before including in stock QMT;-) (I know that may very well be the target keeping in mind all the other things You're tied up with.)

Cheers, Finn

On 03-04-2014 19:39, Eric Shubert wrote:

Thanks for the heads up, Finn.

0.8.7.1 appears to be the latest version for COS6 in epel repo. I'd be inclined to stick with that for the time being, or at least wait for 0.9.1. ;)

Anything new that's cool in 0.9?

--
-Eric 'shubes'
RE: [qmailtoaster] Help, I'm an open relay!!
Yes, very easily hacked. I'm glad vqadmin will show clear text passwords. I've changed the password and notified the user.

Thanks.
Kelly

On 04/03/2014 12:46, Helmut Fritz wrote:

I would shut down bi...@vipercrazy.com for now and see if the relaying stops. Do you know if that was an easily hacked password?

From: Sebastian Grewe [mailto:sebast...@grewe.ca]
Sent: Thursday, April 03, 2014 8:42 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Help, I'm an open relay!!

Have you checked for hijacked accounts? Looks like all mails are sent from a single account and IP. Most likely a guessed/leaked password.

Cheers, Sebastian

On 03.04.2014, at 14:30, Kelly Cobean kcob...@vipercrazy.com wrote:

I don't understand what's going on here, but somehow all of a sudden I am on the spamcop RBL. If I tail /var/log/qmail/smtp/current, I'm seeing a TON of emails getting relayed that are all .ru hosts and addresses. I've run every open relay test I could find and all of them say I'm good to go, but spamdyke says I'm accepting over 75000 emails a day and they're not hitting any of my inboxes. Can y'all help me diagnose and solve this?

Here's a snippet of the current file:

@4000533d52101655376c CHKUSER relaying rcpt: from fe...@782782.ru:kcob...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt 1dawmydgeaa...@prosoft-m.ru : client allowed to relay
@4000533d521016554324 policy_check: local kcob...@vipercrazy.com - remote 1dawmydgeaa...@prosoft-m.ru (AUTHENTICATED SENDER)
@4000533d52101655470c policy_check: policy allows transmission
@4000533d52101703edfc CHKUSER accepted sender: from i...@3vlodke.ru:bi...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt : sender accepted
@4000533d521108b8a88c CHKUSER relaying rcpt: from i...@3vlodke.ru:bi...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt inf...@dvugadn.kht.ru : client allowed to relay
@4000533d521108b8b444 policy_check: local bi...@vipercrazy.com - remote inf...@dvugadn.kht.ru (AUTHENTICATED SENDER)
@4000533d521108b8b444 policy_check: policy allows transmission
@4000533d52112c20499c simscan:[13710]:RELAYCLIENT:1.1458s:-:91.235.7.37:fe...@782782.ru:1dawmydgeaa...@prosoft-m.ru
@4000533d52112cba283c spamdyke[13709]: ALLOWED from: fe...@782782.ru to: 1dawmydgeaa...@prosoft-m.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: kcob...@vipercrazy.com encryption: (none) reason: 250_ok_1396527623_qp_13732
@4000533d521139ada1f4 tcpserver: end 13709 status 0
@4000533d521139ada5dc tcpserver: status: 1/100
@4000533d5212129d193c simscan:[13718]:RELAYCLIENT:0.9592s:-:91.235.7.37:i...@3vlodke.ru:inf...@dvugadn.kht.ru
@4000533d52121316601c spamdyke[13717]: ALLOWED from: i...@3vlodke.ru to: inf...@dvugadn.kht.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: bi...@vipercrazy.com encryption: (none) reason: 250_ok_1396527624_qp_13752
@4000533d52121a62824c tcpserver: status: 2/100
@4000533d52121a628634 tcpserver: pid 13764 from 91.235.7.37
@4000533d52121a628634 tcpserver: ok 13764 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::64980
@4000533d5212201bdb34 tcpserver: end 13717 status 0
@4000533d5212201bdf1c tcpserver: status: 1/100
@4000533d521302016b8c tcpserver: status: 2/100
@4000533d521302017744 tcpserver: pid 13766 from 91.235.7.37
@4000533d521302017744 tcpserver: ok 13766 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::64990
@4000533d52132c0ba474 CHKUSER accepted sender: from pa...@143904.ru:kcob...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt : sender accepted
@4000533d52133ae2b6f4 CHKUSER relaying rcpt: from pa...@143904.ru:kcob...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt 4-1696808-19797-20060901154637-v...@subscribe.ru : client allowed to relay
@4000533d52133ae2c2ac policy_check: local kcob...@vipercrazy.com - remote 4-1696808-19797-20060901154637-v...@subscribe.ru (AUTHENTICATED SENDER)
@4000533d52133ae2ca7c policy_check: policy allows transmission
@4000533d521413dbfdf4 CHKUSER accepted sender: from o...@7-design.ru:bi...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt : sender accepted
@4000533d52142423c32c simscan:[13765]:RELAYCLIENT:0.4157s:-:91.235.7.37:pa...@143904.ru:4-1696808-19797-20060901154637-v...@subscribe.ru
@4000533d521424f524bc spamdyke[13764]: ALLOWED from: pa...@143904.ru to: 4-1696808-19797-20060901154637-v...@subscribe.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: kcob...@vipercrazy.com encryption: (none) reason: 250_ok_1396527626_qp_13785
@4000533d5214285cb1ec CHKUSER relaying rcpt: from o...@7-design.ru:bi...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt pavel_ma...@tut.by : client allowed to relay
@4000533d5214285cb9bc policy_check: local bi...@vipercrazy.com - remote pavel_ma...@tut.by (AUTHENTICATED
[qmailtoaster] Re: fail2ban - now more than ever
ftp uses a variety of ports in pasv mode. What works for me is to limit the ports used for data in the ftp configuration, and open those ports in the firewall. If you use vsftpd, the pasv_min_port and pasv_max_port lets you define this range of ports. If you only have one user, you can use the same port for min and max.

You probably should also change the listen_port so you're not using standard ports at all. Same rationale as not using ssh on port 22. I generally don't believe in security by obscurity, but at least it keeps the script kiddies at bay.

(Wild in the West)

--
-Eric 'shubes'

On 04/03/2014 11:43 AM, Eric Broch wrote:

On 4/3/2014 9:18 AM, Angus McIntyre wrote:

If you haven't implemented fail2ban on your qmail toasters, think seriously about doing so.

There are at least two botnet-based password-guessing campaigns currently ongoing. One is trying SMTP authentication against role accounts (e.g. 'admin@', 'info@') at known domains. It was this one that prompted initial recent discussion of fail2ban on this list.

The other, which I think just started today, is trying to do POP3 authentication, using email addresses taken from mailing lists used by spammers. Because these lists are mostly nonsense, this will result in hundreds or thousands of attempts to authenticate against non-existent users, but I suppose they might eventually start hitting some existing addresses.

Because of the stupidity of these attempts, I would think that they're very unlikely to succeed at most hosts. However, if left to run unchecked they will probably start to soak up noticeable amounts of resources. The spammers appear to be deploying increasingly large botnets, and each host will keep trying until banned.

The instructions at: http://wiki.qmailtoaster.com/index.php/Fail2Ban for setting up fail2ban seem pretty good.

This has been a public service announcement.

Angus

Angus,

I've installed f2b on my home and a client's email server. One problem that manifested itself was the inability to use FTP, from anywhere outside my network firewall. Before turning on f2b and the QTP firewall script (firewall.sh) those 'outside' could access my ftp site. After iptables is turned on, no such luck. I think the problem is with iptables and not f2b. I worked for about 6 hours on this to get it resolved after one from the QTP community could not download my DSPAM project. Finally, I simply turned off iptables and everything works. I'd sure like to get f2b with iptables working again.

(Stumped in the west)
EricB
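The fix Eric describes has two halves that must agree: vsftpd's passive data range and the firewall's accept rules. A default-deny INPUT chain (which is what a firewall script like the one EricB enabled imposes) silently breaks passive FTP the moment the data port is outside whatever the rules admit. The script below is an added example, not from the list, from vsftpd or from the QTP firewall script: it reads the relevant keys out of a vsftpd.conf (the sample fragment is constructed; listen_port, pasv_enable, pasv_min_port and pasv_max_port are real vsftpd options), refuses a range that is unset or inverted, and produces the matching iptables commands as strings for review rather than executing them. Function names are the example's own.

```python
# Constructed vsftpd.conf fragment for the example (not taken from the post).
SAMPLE_VSFTPD_CONF = """\
# minimal passive-mode settings
listen=YES
listen_port=2121
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50010
"""


def parse_vsftpd_conf(text):
    """Return the key=value settings of a vsftpd.conf, skipping comments and blanks."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def ftp_ports(conf):
    """Control port and passive data range (lo, hi) the firewall must admit.

    vsftpd's defaults are listen_port=21 and pasv_min_port=pasv_max_port=0, where
    0 means "any free high port", which a static firewall rule cannot cover; that
    case and an inverted range are rejected rather than turned into a rule."""
    control = int(conf.get("listen_port", 21))
    if conf.get("pasv_enable", "YES").upper() != "YES":
        return control, None
    lo = int(conf.get("pasv_min_port", 0))
    hi = int(conf.get("pasv_max_port", 0))
    if lo == 0 or hi == 0:
        raise ValueError("pasv_min_port/pasv_max_port are unset: vsftpd would use any high port")
    if lo > hi:
        raise ValueError("pasv_min_port is greater than pasv_max_port")
    return control, (lo, hi)


def on_standard_port(conf):
    """True when the control channel still listens on tcp/21."""
    return ftp_ports(conf)[0] == 21


def iptables_rules(conf):
    """iptables commands (as strings, for review) admitting the control port and
    the passive range. Assumes a default-deny INPUT chain, as a firewall script
    would set up; with an ACCEPT policy these rules are redundant."""
    control, pasv = ftp_ports(conf)
    rules = [f"iptables -A INPUT -p tcp --dport {control} -m state --state NEW -j ACCEPT"]
    if pasv:
        lo, hi = pasv
        rules.append(f"iptables -A INPUT -p tcp --dport {lo}:{hi} -m state --state NEW -j ACCEPT")
    return rules


if __name__ == "__main__":
    cfg = parse_vsftpd_conf(SAMPLE_VSFTPD_CONF)
    print("standard port:", on_standard_port(cfg))
    for rule in iptables_rules(cfg):
        print(rule)
```

Keep the passive range small (Eric's one-user case collapses it to a single port) so the accept rule opens as little as possible. The kernel's FTP connection-tracking helper (nf_conntrack_ftp) is the other way to make passive FTP work behind a default-deny chain, but it only works when it can read the PASV reply, so it is no help once the control channel is TLS-protected, which is the case for pinning and opening the range explicitly.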
[qmailtoaster] Re: Help, I'm an open relay!!
qmailadmin allows users to change minimal settings for their account, such as password and vacation messages.

Not a dumb question. It was a few years before I realized that accounts other than postmaster could use qmailadmin. (Ok, so maybe it's still dumb ;) )

--
-Eric 'shubes'

On 04/03/2014 09:47 AM, Kelly Cobean wrote:

Ok, I'm gonna ask a real dumb question. When I ran squirrel mail and the old QmailRocks distro (yep, LONG time ago), I had a squirrelmail plugin to allow people to change passwords via the squirrel. Now I'm running QTP and Roundcube. I still have squirrelmail running, but the password change results in a connection refused error. How the heck do users change their passwords in QTP? Do I have to do it for them using qmailadmin?

Thanks.
Kelly

On 04/03/2014 11:42, Sebastian Grewe wrote:

Have you checked for hijacked accounts? Looks like all mails are sent from a single account and IP. Most likely a guessed/leaked password.

Cheers, Sebastian

On 03.04.2014, at 14:30, Kelly Cobean kcob...@vipercrazy.com wrote:

I don't understand what's going on here, but somehow all of a sudden I am on the spamcop RBL. If I tail /var/log/qmail/smtp/current, I'm seeing a TON of emails getting relayed that are all .ru hosts and addresses. I've run every open relay test I could find and all of them say I'm good to go, but spamdyke says I'm accepting over 75000 emails a day and they're not hitting any of my inboxes. Can y'all help me diagnose and solve this?

Here's a snippet of the current file:

@4000533d52101655376c CHKUSER relaying rcpt: from fe...@782782.ru:kcob...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt 1dawmydgeaa...@prosoft-m.ru : client allowed to relay
@4000533d521016554324 policy_check: local kcob...@vipercrazy.com - remote 1dawmydgeaa...@prosoft-m.ru (AUTHENTICATED SENDER)
@4000533d52101655470c policy_check: policy allows transmission
@4000533d52101703edfc CHKUSER accepted sender: from i...@3vlodke.ru:bi...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt : sender accepted
@4000533d521108b8a88c CHKUSER relaying rcpt: from i...@3vlodke.ru:bi...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt inf...@dvugadn.kht.ru : client allowed to relay
@4000533d521108b8b444 policy_check: local bi...@vipercrazy.com - remote inf...@dvugadn.kht.ru (AUTHENTICATED SENDER)
@4000533d521108b8b444 policy_check: policy allows transmission
@4000533d52112c20499c simscan:[13710]:RELAYCLIENT:1.1458s:-:91.235.7.37:fe...@782782.ru:1dawmydgeaa...@prosoft-m.ru
@4000533d52112cba283c spamdyke[13709]: ALLOWED from: fe...@782782.ru to: 1dawmydgeaa...@prosoft-m.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: kcob...@vipercrazy.com encryption: (none) reason: 250_ok_1396527623_qp_13732
@4000533d521139ada1f4 tcpserver: end 13709 status 0
@4000533d521139ada5dc tcpserver: status: 1/100
@4000533d5212129d193c simscan:[13718]:RELAYCLIENT:0.9592s:-:91.235.7.37:i...@3vlodke.ru:inf...@dvugadn.kht.ru
@4000533d52121316601c spamdyke[13717]: ALLOWED from: i...@3vlodke.ru to: inf...@dvugadn.kht.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: bi...@vipercrazy.com encryption: (none) reason: 250_ok_1396527624_qp_13752
@4000533d52121a62824c tcpserver: status: 2/100
@4000533d52121a628634 tcpserver: pid 13764 from 91.235.7.37
@4000533d52121a628634 tcpserver: ok 13764 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::64980
@4000533d5212201bdb34 tcpserver: end 13717 status 0
@4000533d5212201bdf1c tcpserver: status: 1/100
@4000533d521302016b8c tcpserver: status: 2/100
@4000533d521302017744 tcpserver: pid 13766 from 91.235.7.37
@4000533d521302017744 tcpserver: ok 13766 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::64990
@4000533d52132c0ba474 CHKUSER accepted sender: from pa...@143904.ru:kcob...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt : sender accepted
@4000533d52133ae2b6f4 CHKUSER relaying rcpt: from pa...@143904.ru:kcob...@vipercrazy.com: remote 91.235.7.37:unknown:91.235.7.37 rcpt 4-1696808-19797-20060901154637-v...@subscribe.ru : client allowed to relay
@4000533d52133ae2c2ac policy_check: local kcob...@vipercrazy.com - remote
Re: [qmailtoaster] Help, I'm an open relay!!
Hi Kelly. Are you using the password plugin in Roundcube that allows users to change their password?

Regards,
Finn

On 03-04-2014 18:47, Kelly Cobean wrote:
Ok, I'm gonna ask a real dumb question. When I ran squirrel mail and the old QmailRocks distro (yep, LONG time ago), I had a squirrelmail plugin to allow people to change passwords via the squirrel. Now I'm running QTP and Roundcube. I still have squirrelmail running, but the password change results in a connection refused error. How the heck do users change their passwords in QTP? Do I have to do it for them using qmailadmin? Thanks.
Kelly

On 04/03/2014 11:42, Sebastian Grewe wrote:
Have you checked for hijacked accounts? Looks like all mails are sent from a single account and IP. Most likely a guessed/leaked password.
Cheers, Sebastian

On 03.04.2014, at 14:30, Kelly Cobean kcob...@vipercrazy.com wrote:
I don't understand what's going on here, but somehow all of a sudden I am on the spamcop RBL. If I tail /var/log/qmail/smtp/current, I'm seeing a TON of emails getting relayed that are all .ru hosts and addresses. I've run every open relay test I could find and all of them say I'm good to go, but spamdyke says I'm accepting over 75000 emails a day and they're not hitting any of my inboxes. Can y'all help me diagnose and solve this?

Here's a snippet of the current file:

@40000000533d52101655376c CHKUSER relaying rcpt: from <fe...@782782.ru:kcob...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <1dawmydgeaa...@prosoft-m.ru> : client allowed to relay
@40000000533d521016554324 policy_check: local kcob...@vipercrazy.com - remote 1dawmydgeaa...@prosoft-m.ru (AUTHENTICATED SENDER)
@40000000533d52101655470c policy_check: policy allows transmission
@40000000533d52101703edfc CHKUSER accepted sender: from <i...@3vlodke.ru:bi...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <> : sender accepted
@40000000533d521108b8a88c CHKUSER relaying rcpt: from <i...@3vlodke.ru:bi...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <inf...@dvugadn.kht.ru> : client allowed to relay
@40000000533d521108b8b444 policy_check: local bi...@vipercrazy.com - remote inf...@dvugadn.kht.ru (AUTHENTICATED SENDER)
@40000000533d521108b8b444 policy_check: policy allows transmission
@40000000533d52112c20499c simscan:[13710]:RELAYCLIENT:1.1458s:-:91.235.7.37:fe...@782782.ru:1dawmydgeaa...@prosoft-m.ru
@40000000533d52112cba283c spamdyke[13709]: ALLOWED from: fe...@782782.ru to: 1dawmydgeaa...@prosoft-m.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: kcob...@vipercrazy.com encryption: (none) reason: 250_ok_1396527623_qp_13732
@40000000533d521139ada1f4 tcpserver: end 13709 status 0
@40000000533d521139ada5dc tcpserver: status: 1/100
@40000000533d5212129d193c simscan:[13718]:RELAYCLIENT:0.9592s:-:91.235.7.37:i...@3vlodke.ru:inf...@dvugadn.kht.ru
@40000000533d52121316601c spamdyke[13717]: ALLOWED from: i...@3vlodke.ru to: inf...@dvugadn.kht.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: bi...@vipercrazy.com encryption: (none) reason: 250_ok_1396527624_qp_13752
@40000000533d52121a62824c tcpserver: status: 2/100
@40000000533d52121a628634 tcpserver: pid 13764 from 91.235.7.37
@40000000533d52121a628634 tcpserver: ok 13764 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::64980
@40000000533d5212201bdb34 tcpserver: end 13717 status 0
@40000000533d5212201bdf1c tcpserver: status: 1/100
@40000000533d521302016b8c tcpserver: status: 2/100
@40000000533d521302017744 tcpserver: pid 13766 from 91.235.7.37
@40000000533d521302017744 tcpserver: ok 13766 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::64990
@40000000533d52132c0ba474 CHKUSER accepted sender: from <pa...@143904.ru:kcob...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <> : sender accepted
@40000000533d52133ae2b6f4 CHKUSER relaying rcpt: from <pa...@143904.ru:kcob...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <4-1696808-19797-20060901154637-v...@subscribe.ru> : client allowed to relay
@40000000533d52133ae2c2ac policy_check: local kcob...@vipercrazy.com - remote 4-1696808-19797-20060901154637-v...@subscribe.ru
Re: [qmailtoaster] fail2ban - now more than ever
Eric Broch wrote:
I've installed f2b on my home and a client's email server. One problem that manifested itself was the inability to use FTP from anywhere outside my network firewall. Before turning on f2b and the QTP firewall script (firewall.sh) those 'outside' could access my ftp site. After iptables is turned on, no such luck. I think the problem is with iptables and not f2b. I worked for about 6 hours on this to get it resolved after one from the QTP community could not download my DSPAM project. Finally, I simply turned off iptables and everything works. I'd sure like to get f2b with iptables working again.

Odd. fail2ban would only affect your FTP if you have a jail set up to deny failed FTP connections. It looks to me as if the only jail for FTP in the default configuration is disabled by default.

FTP could be affected if your iptables configuration doesn't allow routing to the ports used by FTP. I periodically have issues when I set up a new web server on some non-standard port and wonder why I can't connect to it, then remember that I have to do something like:

/sbin/iptables -I INPUT -p tcp --dport 8080 -j ACCEPT

to make it work.

FTP uses ports 20 and 21, but it quickly gets weird, because it also uses randomly-chosen high-numbered ports for data transfer. This article:

http://www.techrepublic.com/article/how-ftp-port-requests-challenge-firewall-security/

discusses the implications. If you Google 'iptables ftp ports' there are quite a few articles that claim to tell you how to do it, but you may already have tried everything they suggest.

In your position, I might choose to enable iptables again and just serve my projects to the world over HTTP rather than FTP. If you don't want the overhead of Apache running on your box, something like nginx or lighttpd might give you everything you need with a much smaller footprint.

Angus

- To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
Re: [qmailtoaster] Help, I'm an open relay!!
Make sure you clear your qmail queue after you shut the account(s) down. Been bitten by that one more than once.

From: Kelly Cobean kcob...@vipercrazy.com
To: qmailtoaster-list@qmailtoaster.com
Sent: Thursday, April 3, 2014 11:13 AM
Subject: Re: [qmailtoaster] Help, I'm an open relay!!

Hey Sebastian, I thought leaked password as well at first, but there are at least two accounts I see under auth: mine and one other. I suppose it's possible that they were guessed/leaked, but it's awfully coincidental that it's two accounts in the same domain on a server running at least 6 domains. I only saw two IP addresses doing all this spamming, so I put those in iptables and things seem quiet for now. I'll change the passwords on those two accounts as well. I'm really glad spamcop has an easy way to delist a server once an issue is fixed. Thanks.
Kelly

On 04/03/2014 11:42, Sebastian Grewe wrote:
Have you checked for hijacked accounts? Looks like all mails are sent from a single account and IP. Most likely a guessed/leaked password.
Cheers, Sebastian

On 03.04.2014, at 14:30, Kelly Cobean kcob...@vipercrazy.com wrote:
I don't understand what's going on here, but somehow all of a sudden I am on the spamcop RBL. If I tail /var/log/qmail/smtp/current, I'm seeing a TON of emails getting relayed that are all .ru hosts and addresses. I've run every open relay test I could find and all of them say I'm good to go, but spamdyke says I'm accepting over 75000 emails a day and they're not hitting any of my inboxes. Can y'all help me diagnose and solve this?

Here's a snippet of the current file:

@40000000533d52101655376c CHKUSER relaying rcpt: from <fe...@782782.ru:kcob...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <1dawmydgeaa...@prosoft-m.ru> : client allowed to relay
@40000000533d521016554324 policy_check: local kcob...@vipercrazy.com - remote 1dawmydgeaa...@prosoft-m.ru (AUTHENTICATED SENDER)
@40000000533d52101655470c policy_check: policy allows transmission
@40000000533d52101703edfc CHKUSER accepted sender: from <i...@3vlodke.ru:bi...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <> : sender accepted
@40000000533d521108b8a88c CHKUSER relaying rcpt: from <i...@3vlodke.ru:bi...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <inf...@dvugadn.kht.ru> : client allowed to relay
@40000000533d521108b8b444 policy_check: local bi...@vipercrazy.com - remote inf...@dvugadn.kht.ru (AUTHENTICATED SENDER)
@40000000533d521108b8b444 policy_check: policy allows transmission
@40000000533d52112c20499c simscan:[13710]:RELAYCLIENT:1.1458s:-:91.235.7.37:fe...@782782.ru:1dawmydgeaa...@prosoft-m.ru
@40000000533d52112cba283c spamdyke[13709]: ALLOWED from: fe...@782782.ru to: 1dawmydgeaa...@prosoft-m.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: kcob...@vipercrazy.com encryption: (none) reason: 250_ok_1396527623_qp_13732
@40000000533d521139ada1f4 tcpserver: end 13709 status 0
@40000000533d521139ada5dc tcpserver: status: 1/100
@40000000533d5212129d193c simscan:[13718]:RELAYCLIENT:0.9592s:-:91.235.7.37:i...@3vlodke.ru:inf...@dvugadn.kht.ru
@40000000533d52121316601c spamdyke[13717]: ALLOWED from: i...@3vlodke.ru to: inf...@dvugadn.kht.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: bi...@vipercrazy.com encryption: (none) reason: 250_ok_1396527624_qp_13752
@40000000533d52121a62824c tcpserver: status: 2/100
@40000000533d52121a628634 tcpserver: pid 13764 from 91.235.7.37
@40000000533d52121a628634 tcpserver: ok 13764 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::64980
@40000000533d5212201bdb34 tcpserver: end 13717 status 0
@40000000533d5212201bdf1c tcpserver: status: 1/100
@40000000533d521302016b8c tcpserver: status: 2/100
@40000000533d521302017744 tcpserver: pid 13766 from 91.235.7.37
@40000000533d521302017744 tcpserver: ok 13766 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::64990
@40000000533d52132c0ba474 CHKUSER accepted sender: from <pa...@143904.ru:kcob...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <> : sender accepted
@40000000533d52133ae2b6f4 CHKUSER relaying rcpt: from <pa...@143904.ru:kcob...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <4-1696808-19797-20060901154637-v...@subscribe.ru> : client allowed to relay
@40000000533d52133ae2c2ac policy_check: local kcob...@vipercrazy.com - remote 4-1696808-19797-20060901154637-v...@subscribe.ru (AUTHENTICATED SENDER)
@40000000533d52133ae2ca7c policy_check: policy allows transmission
@40000000533d521413dbfdf4 CHKUSER accepted sender: from <o...@7-design.ru:bi...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <> : sender accepted
@40000000533d52142423c32c simscan:[13765]:RELAYCLIENT:0.4157s:-:91.235.7.37:pa...@143904.ru:4-1696808-19797-20060901154637-v...@subscribe.ru
@40000000533d521424f524bc spamdyke[13764]: ALLOWED from: pa...@143904.ru to: 4-1696808-19797-20060901154637-v...@subscribe.ru origin_ip:
Re: [qmailtoaster] Re: fail2ban - now more than ever
Eric Shubert wrote:
You probably should also change the listen_port so you're not using standard ports at all. Same rationale as not using ssh on port 22. I generally don't believe in security by obscurity, but at least it keeps the script kiddies at bay.

Sadly, not for long. I get periodic attempts to ssh into my box on the alternative port I chose for it. Of course, for every one I see on [otherport], there are probably a million script kiddies failing to connect on 22 and going away.

One of the reasons I like fail2ban is that it implements security by obscenity -- they try something and it tells them to f*ck off. ;-)

Angus
Re: [qmailtoaster] Help, I'm an open relay!!
Wow...good call! That sucker was FULL. Thanks!
Kelly

On 04/03/2014 15:10, LHTek wrote:
Make sure you clear your qmail queue after you shut the account(s) down. Been bitten by that one more than once.

From: Kelly Cobean kcob...@vipercrazy.com
To: qmailtoaster-list@qmailtoaster.com
Sent: Thursday, April 3, 2014 11:13 AM
Subject: Re: [qmailtoaster] Help, I'm an open relay!!

Hey Sebastian, I thought leaked password as well at first, but there are at least two accounts I see under auth: mine and one other. I suppose it's possible that they were guessed/leaked, but it's awfully coincidental that it's two accounts in the same domain on a server running at least 6 domains. I only saw two IP addresses doing all this spamming, so I put those in iptables and things seem quiet for now. I'll change the passwords on those two accounts as well. I'm really glad spamcop has an easy way to delist a server once an issue is fixed. Thanks.
Kelly

On 04/03/2014 11:42, Sebastian Grewe wrote:
Have you checked for hijacked accounts? Looks like all mails are sent from a single account and IP. Most likely a guessed/leaked password.
Cheers, Sebastian

On 03.04.2014, at 14:30, Kelly Cobean kcob...@vipercrazy.com wrote:
I don't understand what's going on here, but somehow all of a sudden I am on the spamcop RBL. If I tail /var/log/qmail/smtp/current, I'm seeing a TON of emails getting relayed that are all .ru hosts and addresses. I've run every open relay test I could find and all of them say I'm good to go, but spamdyke says I'm accepting over 75000 emails a day and they're not hitting any of my inboxes. Can y'all help me diagnose and solve this?

Here's a snippet of the current file:

@40000000533d52101655376c CHKUSER relaying rcpt: from <fe...@782782.ru:kcob...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <1dawmydgeaa...@prosoft-m.ru> : client allowed to relay
@40000000533d521016554324 policy_check: local kcob...@vipercrazy.com - remote 1dawmydgeaa...@prosoft-m.ru (AUTHENTICATED SENDER)
@40000000533d52101655470c policy_check: policy allows transmission
@40000000533d52101703edfc CHKUSER accepted sender: from <i...@3vlodke.ru:bi...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <> : sender accepted
@40000000533d521108b8a88c CHKUSER relaying rcpt: from <i...@3vlodke.ru:bi...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <inf...@dvugadn.kht.ru> : client allowed to relay
@40000000533d521108b8b444 policy_check: local bi...@vipercrazy.com - remote inf...@dvugadn.kht.ru (AUTHENTICATED SENDER)
@40000000533d521108b8b444 policy_check: policy allows transmission
@40000000533d52112c20499c simscan:[13710]:RELAYCLIENT:1.1458s:-:91.235.7.37:fe...@782782.ru:1dawmydgeaa...@prosoft-m.ru
@40000000533d52112cba283c spamdyke[13709]: ALLOWED from: fe...@782782.ru to: 1dawmydgeaa...@prosoft-m.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: kcob...@vipercrazy.com encryption: (none) reason: 250_ok_1396527623_qp_13732
@40000000533d521139ada1f4 tcpserver: end 13709 status 0
@40000000533d521139ada5dc tcpserver: status: 1/100
@40000000533d5212129d193c simscan:[13718]:RELAYCLIENT:0.9592s:-:91.235.7.37:i...@3vlodke.ru:inf...@dvugadn.kht.ru
@40000000533d52121316601c spamdyke[13717]: ALLOWED from: i...@3vlodke.ru to: inf...@dvugadn.kht.ru origin_ip: 91.235.7.37 origin_rdns: (unknown) auth: bi...@vipercrazy.com encryption: (none) reason: 250_ok_1396527624_qp_13752
@40000000533d52121a62824c tcpserver: status: 2/100
@40000000533d52121a628634 tcpserver: pid 13764 from 91.235.7.37
@40000000533d52121a628634 tcpserver: ok 13764 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::64980
@40000000533d5212201bdb34 tcpserver: end 13717 status 0
@40000000533d5212201bdf1c tcpserver: status: 1/100
@40000000533d521302016b8c tcpserver: status: 2/100
@40000000533d521302017744 tcpserver: pid 13766 from 91.235.7.37
@40000000533d521302017744 tcpserver: ok 13766 www.novagunrunners.com:66.151.32.133:25 :91.235.7.37::64990
@40000000533d52132c0ba474 CHKUSER accepted sender: from <pa...@143904.ru:kcob...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <> : sender accepted
@40000000533d52133ae2b6f4 CHKUSER relaying rcpt: from <pa...@143904.ru:kcob...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <4-1696808-19797-20060901154637-v...@subscribe.ru> : client allowed to relay
@40000000533d52133ae2c2ac policy_check: local kcob...@vipercrazy.com - remote 4-1696808-19797-20060901154637-v...@subscribe.ru (AUTHENTICATED SENDER)
@40000000533d52133ae2ca7c policy_check: policy allows transmission
@40000000533d521413dbfdf4 CHKUSER accepted sender: from <o...@7-design.ru:bi...@vipercrazy.com:> remote <91.235.7.37:unknown:91.235.7.37> rcpt <> : sender accepted
@40000000533d52142423c32c simscan:[13765]:RELAYCLIENT:0.4157s:-:91.235.7.37:pa...@143904.ru:4-1696808-19797-20060901154637-v...@subscribe.ru
[qmailtoaster] Re: fail2ban - now more than ever
On 04/03/2014 12:09 PM, Angus McIntyre wrote:
If you don't want the overhead of Apache running on your box, something like nginx or lighttpd might give you everything you need with a much smaller footprint.

Speaking of which, I intend to replace apache2 with nginx on QMT at some point. Just FYI. If anyone objects, we can discuss (on the devel list, please).

--
-Eric 'shubes'
RE: [qmailtoaster] Re: How to restrict mail sending limit to perticular user
I want to restrict mail sending to x...@example.com. xyz can send only 10 mails daily.

-Original Message-
From: Eric Shubert [mailto:e...@shubes.net]
Sent: Thursday, April 03, 2014 11:01 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Re: How to restrict mail sending limit to perticular user

Vivek,
You need to describe the manner in which you'd like to limit sending. eMPF might suit your purpose as well. http://www.qmailwiki.org/index.php/EMPF eMPF is built into QMT, so you simply need to create your policy file.

--
-Eric 'shubes'

On 04/03/2014 07:21 AM, Dan McAllister wrote:
Assuming you require SMTP AUTH to send, you could use vmoduser -s According to documentation, this disables SMTP AUTH -- which, if that is the only way to send, would disable sending. NOTE: in a stock QMT install, this would NOT block sending with the WEB interfaces, as they use SMTP directly, but are allowed by tcprules.

Dan McAllister

On 4/3/2014 2:45 AM, Linux wrote:
Hi, Please refer my subject line and guide me. Regards, Vivek Patil system admin

--
IT4SOHO, LLC
33 - 4th Street N, Suite 211
St. Petersburg, FL 33701-3806
CALL TOLL FREE: 877-IT4SOHO 877-484-7646
Phone 727-647-7646 Local
727-490-4394 Fax
We have support plans for QMail!
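Sebastian's diagnosis in the open-relay thread (every relayed message carries the same AUTH user and the same origin IP, so a password leaked) and Vivek's question about a per-user daily sending limit both come down to one check over /var/log/qmail/smtp/current: group spamdyke's ALLOWED lines by their auth: field. The script below is an added example, not code from the list, QMT or spamdyke. It parses lines in the layout pasted in the thread, decodes multilog's tai64n labels (libtai stamps 2^62 + UNIX seconds + 10), and reports accounts whose relaying looks hijacked (envelope senders never in the account's own domain, every connection from an IP with no rDNS, a burst of relays inside one minute) as well as accounts that exceed a daily count. The thresholds, the documentation IPs and the .example domains in the sample log are assumptions; the daily count is for alerting, after which the account can be disabled (for instance with the vmoduser -s Dan mentions), not an enforcement mechanism.

```python
"""Group spamdyke ALLOWED relays by SMTP AUTH user (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# spamdyke's ALLOWED line as pasted in the thread, after multilog's
# tai64n label (@ followed by 24 hex digits).
ALLOWED_RE = re.compile(
    r"^@(?P<tai>[0-9a-f]{24}) spamdyke\[\d+\]: ALLOWED "
    r"from: (?P<sender>\S+) to: (?P<rcpt>\S+) "
    r"origin_ip: (?P<ip>\S+) origin_rdns: (?P<rdns>\S+) "
    r"auth: (?P<auth>\S+) encryption: \S+ reason: \S+$"
)

# libtai stamps 2^62 + (UNIX seconds + 10); the last 8 hex digits are ns.
TAI64_OFFSET = (1 << 62) + 10


def tai64n_to_datetime(label):
    """Decode a '@40000000533d4d4a1655376c' style label to an aware UTC time."""
    digits = label.lstrip("@")
    if len(digits) != 24:
        raise ValueError("not a tai64n label: %r" % label)
    secs = int(digits[:16], 16) - TAI64_OFFSET
    micros = int(digits[16:], 16) // 1000
    return datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=micros)


def parse_allowed(lines):
    """One dict per spamdyke ALLOWED line; CHKUSER, simscan, tcpserver lines are skipped."""
    records = []
    for line in lines:
        m = ALLOWED_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["when"] = tai64n_to_datetime(rec.pop("tai"))
            rec["auth"], rec["sender"] = rec["auth"].lower(), rec["sender"].lower()
            records.append(rec)
    return records


def summarize_by_auth(records):
    """Per AUTH user: relay count, time span, origin IPs, rDNS-less count, sender domains."""
    out = {}
    for r in records:
        s = out.setdefault(r["auth"], {"count": 0, "first": r["when"], "last": r["when"],
                                       "ips": set(), "rdns_unknown": 0, "sender_domains": set()})
        s["count"] += 1
        s["first"], s["last"] = min(s["first"], r["when"]), max(s["last"], r["when"])
        s["ips"].add(r["ip"])
        s["rdns_unknown"] += int(r["rdns"] == "(unknown)")
        s["sender_domains"].add(r["sender"].rsplit("@", 1)[-1])
    return out


def hijack_indicators(auth, s, burst=5, window=timedelta(minutes=1)):
    """Signs that the AUTH password is in someone else's hands (thresholds are assumptions)."""
    reasons = []
    if auth.rsplit("@", 1)[-1] not in s["sender_domains"]:
        reasons.append("envelope senders never use the AUTH user's own domain")
    if s["count"] > 1 and s["rdns_unknown"] == s["count"]:
        reasons.append("every connection came from an IP with no rDNS")
    if s["count"] >= burst and s["last"] - s["first"] <= window:
        reasons.append("%d relays within %s" % (s["count"], s["last"] - s["first"]))
    return reasons


def over_daily_limit(records, limit):
    """{(auth user, UTC date): count} for the days a user relayed more than `limit` messages."""
    per_day = defaultdict(int)
    for r in records:
        per_day[(r["auth"], r["when"].date())] += 1
    return {k: n for k, n in per_day.items() if n > limit}


def triage(log_text, daily_limit=10):
    records = parse_allowed(log_text.splitlines())
    summary = summarize_by_auth(records)
    suspects = {a: hijack_indicators(a, s) for a, s in summary.items()}
    return summary, {a: r for a, r in suspects.items() if r}, over_daily_limit(records, daily_limit)


# Constructed sample in the layout of /var/log/qmail/smtp/current (documentation
# IPs, .example domains, 2014-04-03 12:00 UTC onwards); not real traffic.
SAMPLE_LOG = """\
@40000000533d4d4a1655376c spamdyke[13709]: ALLOWED from: alice@example.com to: bob@customer.example origin_ip: 203.0.113.20 origin_rdns: cpe-203-0-113-20.isp.example auth: alice@example.com encryption: TLS reason: 250_ok_1396526400_qp_13732
@40000000533d51fa0a1b2c3d CHKUSER accepted sender: from <info@spam-a.example:bill@example.com:> remote <198.51.100.7:unknown:198.51.100.7> rcpt <> : sender accepted
@40000000533d51fa2c20499c spamdyke[13801]: ALLOWED from: info@spam-a.example to: 1dawmy@victim-a.example origin_ip: 198.51.100.7 origin_rdns: (unknown) auth: bill@example.com encryption: (none) reason: 250_ok_1396527600_qp_13810
@40000000533d51fb31c4a6e0 spamdyke[13803]: ALLOWED from: pavel@spam-b.example to: office@victim-b.example origin_ip: 198.51.100.7 origin_rdns: (unknown) auth: bill@example.com encryption: (none) reason: 250_ok_1396527601_qp_13812
@40000000533d51fd0f0e0d0c spamdyke[13805]: ALLOWED from: fe@spam-c.example to: list-4-1696808@victim-c.example origin_ip: 198.51.100.7 origin_rdns: (unknown) auth: bill@example.com encryption: (none) reason: 250_ok_1396527603_qp_13814
@40000000533d51fe1e2d3c4b spamdyke[13807]: ALLOWED from: office@spam-d.example to: info@victim-d.example origin_ip: 198.51.100.7 origin_rdns: (unknown) auth: bill@example.com encryption: (none) reason: 250_ok_1396527604_qp_13816
@40000000533d5200205a5b5c spamdyke[13809]: ALLOWED from: info@spam-a.example to: sales@victim-e.example origin_ip: 198.51.100.7 origin_rdns: (unknown) auth: bill@example.com encryption: (none) reason: 250_ok_1396527606_qp_13818
@40000000533d52001a628634 tcpserver: pid 13820 from 198.51.100.7
@40000000533d54521f5e6d7c spamdyke[13822]: ALLOWED from: alice@example.com to: carol@partner.example origin_ip: 203.0.113.20 origin_rdns: cpe-203-0-113-20.isp.example auth: alice@example.com encryption: TLS reason: 250_ok_1396528200_qp_13830
@40000000533e749a0b0c0d0e spamdyke[14001]: ALLOWED from: alice@example.com to: dave@customer.example origin_ip: 203.0.113.20 origin_rdns: cpe-203-0-113-20.isp.example auth: alice@example.com encryption: TLS reason: 250_ok_1396602000_qp_14010
"""

if __name__ == "__main__":
    summary, suspects, over = triage(SAMPLE_LOG, daily_limit=4)
    for auth, s in sorted(summary.items()):
        print("%-18s %d relays from %s, %d sender domain(s)"
              % (auth, s["count"], ", ".join(sorted(s["ips"])), len(s["sender_domains"])))
    for auth, reasons in suspects.items():
        print("SUSPECT %s: %s" % (auth, "; ".join(reasons)))
    for (auth, day), n in sorted(over.items()):
        print("OVER LIMIT %s on %s: %d messages" % (auth, day, n))
```

On the sample, bill@example.com trips all three hijack indicators (four unrelated sender domains, no rDNS, five relays in six seconds) while alice@example.com, sending her own mail over TLS from one address, trips none; with daily_limit=4 only bill's day is reported, with the 10 Vivek asked about nobody is. For the live log, call triage(open("/var/log/qmail/smtp/current").read()) instead of SAMPLE_LOG; the spamdyke ALLOWED line is the one record that ties the envelope sender, origin IP and AUTH user together, which is why it is parsed rather than the CHKUSER or simscan lines.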