Re: [qmailtoaster] Virus problem
On 29.07.2009 22:01, Natalio Gatti wrote:
> Maybe I didn't explain myself. The infected user sends spam using my mail server.

Maybe your server is hacked. :( You should check logs, directories with write permission for all. There are many dictionary attacks on ports ssh and pop3. Check ssh daemon (if you're hacked you probably have sshd2), try to find strange directories or binaries. There is a possibility that someone has a weak password and it was guessed by an attacker. OSSEC can help you to protect your server, tripwire is a good solution to protect your files.

--
Regards, Aleksander Podsiadły
Re: [qmailtoaster] Virus problem
Natalio Gatti wrote:
> Hi List. I'm having an intermittent virus problem. From time to time a user gets infected with a virus/worm that sends tons of spam through the server. All users are behind a NAT, so I can't know exactly which user/PC is the source of the problem. How can I minimize this problem?
> Natalio

In my case, I am blocking .zip attachments. You can add it in your /var/qmail/control/simcontrol

:clam=yes,spam=yes,spam_hits=12,attach=.3gp:.zip

If my users and other parties want to exchange .zip files, they should use online file transfer (megaupload/rapidshare).

-
Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
Re: [qmailtoaster] Virus problem
>> Maybe I didn't explain myself. The infected user sends spam using my mail server.
>
> Maybe your server is hacked. :( You should check logs, directories with write permission for all. There are many dictionary attacks on ports ssh and pop3. Check ssh daemon (if you're hacked you probably have sshd2), try to find strange directories or binaries. There is a possibility that someone has a weak password and it was guessed by an attacker. OSSEC can help you to protect your server, tripwire is a good solution to protect your files.

It has happened before (on another server), but this is not the case. Ssh is restricted only to a group of IPs. Smtp connections come from the natted IP.
[qmailtoaster] Virus problem
Hi List.

I'm having an intermittent virus problem. From time to time a user gets infected with a virus/worm that sends tons of spam through the server. All users are behind a NAT, so I can't know exactly which user/PC is the source of the problem. How can I minimize this problem?

Natalio
Re: [qmailtoaster] Virus problem
On 29.07.2009 19:46, Natalio Gatti wrote:
> Hi List. I'm having an intermittent virus problem. From time to time a user gets infected with a virus/worm that sends tons of spam through the server. All users are behind a NAT, so I can't know exactly which user/PC is the source of the problem. How can I minimize this problem?
> Natalio

Look at the topic "how to control infected users" and my post: http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg23261.html

--
Regards, Aleksander Podsiadły
Re: [qmailtoaster] Virus problem
On Wed, Jul 29, 2009 at 3:28 PM, Aleksander Podsiadly a...@westside.kielce.pl wrote:
> On 29.07.2009 19:46, Natalio Gatti wrote:
>> Hi List. I'm having an intermittent virus problem. From time to time a user gets infected with a virus/worm that sends tons of spam through the server. All users are behind a NAT, so I can't know exactly which user/PC is the source of the problem. How can I minimize this problem?
>> Natalio
>
> Look at the topic "how to control infected users" and my post: http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg23261.html
>
> --
> Regards, Aleksander Podsiadły

I saw your post, but using a proxy does not seem to be a solution for me. I already scan mails with clamav and spamassassin. I don't see what other benefits using that proxy brings. The spam sent by the infected machine does not contain a virus.
Re: [qmailtoaster] Virus problem
Block and log with iptables.

Ricardo Barros
Manaus - AM - Brazil

2009/7/29 Aleksander Podsiadly a...@westside.kielce.pl
> On 29.07.2009 19:46, Natalio Gatti wrote:
>> Hi List. I'm having an intermittent virus problem. From time to time a user gets infected with a virus/worm that sends tons of spam through the server. All users are behind a NAT, so I can't know exactly which user/PC is the source of the problem. How can I minimize this problem?
>> Natalio
>
> Look at the topic "how to control infected users" and my post: http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg23261.html
>
> --
> Regards, Aleksander Podsiadły
RE: [qmailtoaster] Virus problem
Require authentication for your clients to send messages and apply spam protection to messages coming from inside your network as if they were coming from the internet. Your spam protection will not filter your authenticated sessions but will filter the messages sent by the virus (if the virus does not have access to the credentials to authenticate).

VD

From: Natalio Gatti [mailto:nga...@gmail.com]
Sent: Wednesday, July 29, 2009 1:46 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Virus problem

> Hi List. I'm having an intermittent virus problem. From time to time a user gets infected with a virus/worm that sends tons of spam through the server. All users are behind a NAT, so I can't know exactly which user/PC is the source of the problem. How can I minimize this problem?
> Natalio
Re: [qmailtoaster] Virus problem
2009/7/29 RICARDO BARROS ricardo.barros...@gmail.com
> Block and log with iptables.

From my server's point of view, I see a single IP address (remember that the clients are behind NAT), so I cannot control the number of simultaneous connections.
Re: [qmailtoaster] Virus problem
On Wed, Jul 29, 2009 at 4:16 PM, Vincent Deschênes vdesche...@stelvio.com wrote:
> Require authentication for your clients to send messages and apply spam protection to messages coming from inside your network as if they were coming from the internet. Your spam protection will not filter your authenticated sessions but will filter the messages sent by the virus (if the virus does not have access to the credentials to authenticate).

Mmm, that's a nice idea. I hope that the virus does not use authentication to send the spam.

> VD
>
> From: Natalio Gatti [mailto:nga...@gmail.com]
> Sent: Wednesday, July 29, 2009 1:46 PM
> To: qmailtoaster-list@qmailtoaster.com
> Subject: [qmailtoaster] Virus problem
>
>> Hi List. I'm having an intermittent virus problem. From time to time a user gets infected with a virus/worm that sends tons of spam through the server. All users are behind a NAT, so I can't know exactly which user/PC is the source of the problem. How can I minimize this problem?
>> Natalio
Re: [qmailtoaster] Virus problem
On 29.07.2009 20:39, Natalio Gatti wrote:
> I saw your post, but using a proxy does not seem to be a solution for me. I already scan mails with clamav and spamassassin. I don't see what other benefits using that proxy brings. The spam sent by the infected machine does not contain a virus.

You scan only emails sent via your mail server. You don't scan emails sent directly to random IPs or via external mail servers, and that is the problem. SMTP-proxy and proper port 25 redirection can help you. For example:

iptables -t nat -A PREROUTING -i $I_DEV -p tcp --dport 25 -s $MY_INTRANET --dst ! $E_IP -j DNAT --to $I_IP:9199

I_DEV - intranet eth device
E_IP - external server IP
I_IP - internal (intranet) server IP
MY_INTRANET - IP/mask of intranet

--
Regards, Aleksander Podsiadły
mail: a...@westside.kielce.pl
jid: a...@jabber.westside.kielce.pl
ICQ: 201121279
gg: 9150578
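An added example, not part of the original post: if the gateway that carries the redirect above also logs each intranet connection to port 25 before NAT, the log still holds the real source address, and hosts that contact many different mail servers stand out. The `SMTP-OUT: ` prefix, the LOG rule in the comment, the threshold and the sample lines are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Assumed LOG rule on the gateway, inserted ahead of the DNAT rule:
#   iptables -t nat -I PREROUTING -i $I_DEV -p tcp --dport 25 \
#            -j LOG --log-prefix "SMTP-OUT: "
# The nat table sees only the first packet, so this logs once per connection.
PREFIX = "SMTP-OUT: "          # hypothetical label chosen for this example
MAIL_SERVER = "203.0.113.10"   # constructed stand-in for $E_IP
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def _line(src, dst):
    """Build one constructed log line in the kernel's netfilter LOG layout."""
    return (f"Jul 29 20:01:05 gw kernel: {PREFIX}IN=eth1 OUT= SRC={src} "
            f"DST={dst} LEN=60 TTL=63 PROTO=TCP SPT=40001 DPT=25 SYN")

# Constructed sample: .23 talks to five outside servers, .40 mostly to ours.
SAMPLE = ([_line("192.168.1.23", f"198.51.100.{n}") for n in range(1, 6)]
          + [_line("192.168.1.40", MAIL_SERVER)] * 2
          + [_line("192.168.1.40", "198.51.100.9"),
             "Jul 29 20:01:06 gw kernel: unrelated message"])

def parse_line(line):
    """Return (src, dst, dport) for a prefixed LOG line, else None."""
    _, found, rest = line.partition(PREFIX)
    if not found:
        return None
    fields = dict(FIELD.findall(rest))
    try:
        return fields["SRC"], fields["DST"], int(fields["DPT"])
    except (KeyError, ValueError):
        return None  # truncated or malformed line

def smtp_fanout(lines, mail_server=None):
    """Map each intranet source to the set of port 25 destinations it used."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        src, dst, dport = rec
        if dport == 25 and dst != mail_server:  # own server is expected
            seen[src].add(dst)
    return seen

def suspects(lines, mail_server=None, max_destinations=3):
    """Sources contacting more than max_destinations distinct servers."""
    fan = smtp_fanout(lines, mail_server)
    hits = [(s, len(d)) for s, d in fan.items() if len(d) > max_destinations]
    return sorted(hits, key=lambda h: (-h[1], h[0]))

if __name__ == "__main__":
    for src, count in suspects(SAMPLE, MAIL_SERVER):
        print(f"{src} contacted {count} distinct mail servers directly")
```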
Re: [qmailtoaster] Virus problem
On Wed, Jul 29, 2009 at 4:50 PM, Aleksander Podsiadly a...@westside.kielce.pl wrote:
> On 29.07.2009 20:39, Natalio Gatti wrote:
>> I saw your post, but using a proxy does not seem to be a solution for me. I already scan mails with clamav and spamassassin. I don't see what other benefits using that proxy brings. The spam sent by the infected machine does not contain a virus.
>
> You scan only emails sent via your mail server. You don't scan emails sent directly to random IPs or via external mail servers, and that is the problem. SMTP-proxy and proper port 25 redirection can help you. For example:
>
> iptables -t nat -A PREROUTING -i $I_DEV -p tcp --dport 25 -s $MY_INTRANET --dst ! $E_IP -j DNAT --to $I_IP:9199
>
> I_DEV - intranet eth device
> E_IP - external server IP
> I_IP - internal (intranet) server IP
> MY_INTRANET - IP/mask of intranet

Maybe I didn't explain myself. The infected user sends spam using my mail server.
Re: [qmailtoaster] Virus problem
I highly recommend forcing the users to use Submission-Port 587 instead of SMTP, which forces senders to authenticate against the server. Most spam-senders do not have credentials for sending. In case they have, you can simply locate the spam originators (and block them).

Johannes

On 29.07.2009 22:01, Natalio Gatti wrote:
> On Wed, Jul 29, 2009 at 4:50 PM, Aleksander Podsiadly a...@westside.kielce.pl wrote:
>> On 29.07.2009 20:39, Natalio Gatti wrote:
>>> I saw your post, but using a proxy does not seem to be a solution for me. I already scan mails with clamav and spamassassin. I don't see what other benefits using that proxy brings. The spam sent by the infected machine does not contain a virus.
>>
>> You scan only emails sent via your mail server. You don't scan emails sent directly to random IPs or via external mail servers, and that is the problem. SMTP-proxy and proper port 25 redirection can help you. For example:
>>
>> iptables -t nat -A PREROUTING -i $I_DEV -p tcp --dport 25 -s $MY_INTRANET --dst ! $E_IP -j DNAT --to $I_IP:9199
>>
>> I_DEV - intranet eth device
>> E_IP - external server IP
>> I_IP - internal (intranet) server IP
>> MY_INTRANET - IP/mask of intranet
>
> Maybe I didn't explain myself. The infected user sends spam using my mail server.

--
|-
| weberhofer GmbH
| Johannes Weberhofer
| information technologies
| Austria, 1080 Wien, Blindengasse 52/3
|---
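An added example, not from the original thread: once every client authenticates, the login name tells apart senders that share one NATed address, and a sliding-window count per login picks out the account that is sending in bursts. The log line layout, field names, addresses and thresholds are assumptions constructed for this illustration and are not qmailtoaster's own log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2009, 7, 29, 20, 0, 0)
NAT_IP = "203.0.113.10"  # constructed: every client appears with this address

def _rec(when, login):
    """One constructed log line: '<ISO time> auth=<login> ip=<addr>'."""
    return f"{when.isoformat()} auth={login} ip={NAT_IP}"

# Constructed sample: bob sends 20 messages in 40 s, alice 3 in 10 minutes.
SAMPLE = ([_rec(T0 + timedelta(seconds=2 * i), "bob@example.com")
           for i in range(20)]
          + [_rec(T0 + timedelta(minutes=5 * i), "alice@example.com")
             for i in range(3)]
          + ["garbage line"])

def parse(line):
    """Return (datetime, login, ip) for a well-formed line, else None."""
    parts = line.split()
    if len(parts) != 3:
        return None
    kv = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    try:
        return datetime.fromisoformat(parts[0]), kv["auth"], kv["ip"]
    except (ValueError, KeyError):
        return None

def bursty_senders(lines, limit=5, window=timedelta(minutes=1)):
    """Return {login: peak messages inside any window} for logins over limit."""
    recent = defaultdict(deque)   # per-login timestamps still inside the window
    peak = defaultdict(int)
    for when, login, _ip in sorted(filter(None, map(parse, lines))):
        stamps = recent[login]
        stamps.append(when)
        while when - stamps[0] >= window:  # drop entries older than the window
            stamps.popleft()
        peak[login] = max(peak[login], len(stamps))
    return {login: n for login, n in peak.items() if n > limit}

if __name__ == "__main__":
    for login, n in bursty_senders(SAMPLE).items():
        print(f"{login}: {n} messages within one minute from {NAT_IP}")
```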