Re: [qmailtoaster] Attack?
On Mon, Jun 28, 2010 at 7:52 AM, Rafael Andrade raf...@riosulense.com.br wrote:

Thank you for the reply. My problem continues... take a look.

[r...@net ~]# qmailctl queue | head
messages in queue: 6182
messages in queue but not yet preprocessed: 0

[r...@net ~]# qmHandle -m2465807
-- MESSAGE NUMBER 2465807 --
Received: (qmail 21700 invoked by uid 48); 28 Jun 2010 04:32:52 -
Date: 28 Jun 2010 04:32:52 -
Message-ID: 20100628043252.21698.qm...@mail.metalservice.ind.br
To: bireli...@yahoo.com.br
Subject: Atualização do seu aparelho Itoken versão Final sem erros (Portuguese: "Update for your Itoken device, final version with no errors")
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
From: Itau Informa Todos erros corrigidos comunicacaodigi...@itau-unibanco.com.br (Portuguese: "Itau informs: all errors fixed")

Hmm, it seems that a process is sending mails. In the headers there is no information about an SMTP connection. Maybe a PHP application with bugs running on the same server? Can you check user ID 48 in your /etc/passwd?
Re: [qmailtoaster] Attack?
[r...@net ~]# cat /etc/passwd | grep -i 48
apache:x:48:48:Apache:/var/www:/sbin/nologin

-
Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
RE: [qmailtoaster] Attack?
Most of the time, there will not be any details of the SMTP connections in the header if a valid account is compromised or hacked. In my case one of the accounts was compromised, which might be different from your issue. You can check for an account (valid domain account) in your SMTP logs or SEND logs for repeated logins. Also use the netstat -an command to check from which IP the mails are being fired, and look up the same IP in the SMTP/SEND mail logs. In the logs, check for repeated events from this IP; it should also give you some clue about the account that is being used for sending emails. Either disable that login or block that IP. If the mails are sent from your web application, then make sure you use SMTP authentication, so that you can identify the correct user.

I had the same problem and it took a good amount of time for me to arrest this. I was getting 28-30K mails per hour, which almost froze my mail server.

I hope the above solution helps.

Regards,
Atul Paralikar

-Original Message-
From: Rafael Andrade [mailto:raf...@riosulense.com.br]
Sent: Monday, June 28, 2010 6:18 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Attack?
Re: [qmailtoaster] Attack?
On Mon, Jun 28, 2010 at 9:48 AM, Rafael Andrade raf...@riosulense.com.br wrote:
[r...@net ~]# cat /etc/passwd | grep -i 48
apache:x:48:48:Apache:/var/www:/sbin/nologin

The UserID indicates that apache is sending those mails. Check your PHP applications.
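The diagnosis above rests on one header: qmail writes "Received: (qmail N invoked by uid UID)" when a message is handed in locally through qmail-inject or the sendmail wrapper, and "Received: (qmail N invoked from network)" when qmail-smtpd accepted it over SMTP. The script below is an added example, not code posted in the thread or shipped with qmailtoaster: it classifies a batch of queued messages by that first Received: line, resolves the uid through passwd-format text, and counts the origins, so a queue of thousands of messages collapses to a few lines such as "local apache". The passwd snippet, the three sample messages and the IP 203.0.113.7 are constructed for the demo; the layout of the second Received: line ("from unknown (HELO ...) (ip) by ... with SMTP") follows qmail's standard form but the values are invented.

```python
"""Classify how queued qmail messages entered the queue, from their top Received: header.

Added example, not from the thread. The sample passwd text and messages are constructed.
"""
import re
from collections import Counter

# Constructed stand-in for /etc/passwd (not the poster's file).
PASSWD = """root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
vpopmail:x:89:89::/home/vpopmail:/sbin/nologin
"""

# Constructed queue messages: two injected locally by uid 48, one received over SMTP.
SAMPLE_MESSAGES = [
    "Received: (qmail 21700 invoked by uid 48); 28 Jun 2010 04:32:52 -0000\n"
    "Date: 28 Jun 2010 04:32:52 -0000\n"
    "To: victim@example.com\n"
    "Subject: Itoken update\n"
    "From: Itau Informa <spoofed@example.com>\n\n"
    "body\n",
    "Received: (qmail 8950 invoked from network); 22 Jun 2010 12:37:27 -0000\n"
    "Received: from unknown (HELO server.example.org) (203.0.113.7)\n"
    "  by net with SMTP; 22 Jun 2010 12:37:27 -0000\n"
    "To: someone@example.com\n\n"
    "body\n",
    "Received: (qmail 21811 invoked by uid 48); 28 Jun 2010 04:33:10 -0000\n"
    "To: victim2@example.com\n\n"
    "body\n",
]

LOCAL_RE = re.compile(r"^Received: \(qmail \d+ invoked by uid (\d+)\)")
NETWORK_RE = re.compile(r"^Received: \(qmail \d+ invoked from network\)")
PEER_IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def uid_map(passwd_text):
    """Map numeric uid -> username from passwd-format text."""
    out = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3:
            out[int(parts[2])] = parts[0]
    return out


def classify(message, uids):
    """Return ('local', username), ('network', peer_ip) or ('unknown', None).

    Only the top Received: line is trusted: qmail wrote it itself, while lower
    Received: lines can be forged by whoever submitted the message.
    """
    headers = message.split("\n\n", 1)[0]
    first = headers.split("\n", 1)[0]
    m = LOCAL_RE.match(first)
    if m:
        uid = int(m.group(1))
        return ("local", uids.get(uid, f"uid {uid}"))
    if NETWORK_RE.match(first):
        ip = PEER_IP_RE.search(headers)
        return ("network", ip.group(1) if ip else None)
    return ("unknown", None)


def summarize(messages, passwd_text=PASSWD):
    """Count messages by origin, e.g. {('local', 'apache'): 2, ('network', '203.0.113.7'): 1}."""
    uids = uid_map(passwd_text)
    return Counter(classify(m, uids) for m in messages)


def scan_queue(root="/var/qmail/queue/mess"):
    """Run summarize() over a live qmail queue (needs root; not used by the demo)."""
    from pathlib import Path
    msgs = [p.read_text(errors="replace") for p in Path(root).glob("*/*") if p.is_file()]
    with open("/etc/passwd") as fh:
        return summarize(msgs, fh.read())


if __name__ == "__main__":
    for origin, n in summarize(SAMPLE_MESSAGES).most_common():
        print(f"{n:6d}  {origin[0]:8s} {origin[1]}")
```

On a qmailtoaster box the queued messages sit under /var/qmail/queue/mess/NN/inode with the Received: header as their first line, which is what scan_queue() reads; a result dominated by ("local", "apache") points at a script run by the web server rather than at a stolen mailbox password, and the next step is the web server's access log around the Received: timestamps.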
Re: [qmailtoaster] Attack?
Dear Rafael,

If your queue still has this kind of mails, you can check the mail header in the queue. That is, in /var/qmail/queue there are respective folders to keep incoming and outgoing mails. You have to check some files in the mess folder. Before delivery, mails are kept in the respective folders. You can use the cat command to see the header of those mails, but you should not delete those files there. I hope you will get the header as well as which mail id the spammer used to send mails outside.

Kindly correct me if I am wrong.

Regards,
Ganesh Payelkar

On Tue, Jun 22, 2010 at 4:29 PM, Rafael Andrade raf...@riosulense.com.br wrote:

Hello list,

I have a production server with qmailtoaster on CentOS that has been running perfectly for 2 years. Recently the server got stuck with many messages in the queue; I need to stop qmail, clean the queue and start qmail again, but I need a solution to fix this problem. Does anyone know, or can help?

Thanks so much

Examples in queue (Client = client domain hidden):

[r...@net ~]# qmailctl queue | head
messages in queue: 14691
messages in queue but not yet preprocessed: 2
21 Jun 2010 22:45:02 GMT #3087267 1435 anonym...@client.ind.br remote prittyg...@yahoo.com.br
21 Jun 2010 22:34:44 GMT #3069258 1430 anonym...@client.ind.br remote prisci...@terra.com.br
21 Jun 2010 22:44:39 GMT #3079585 1439 anonym...@client.ind.br remote priscillame...@yahoo.com.br
22 Jun 2010 00:02:57 GMT #2443198 1438 anonym...@client.ind.br remote qeezajtze...@stargate5.com

Thanks so much
Re: [qmailtoaster] Attack?
Seems someone is spamming. One of your mail accounts might be compromised. Is the server using port 587 to accept mails from local users? /var/log/qmail/submission or /var/log/qmail/smtp will tell the truth. Say, for example, search for qeezajtze...@stargate5.com in the above mentioned logs, so that we can get the origin of this mail. If it is using a local mail id for authentication, reset the password of that mailbox. Also remove the mails in the queue using qmail-remove.

--Senthilvel.
RE: [qmailtoaster] Attack?
This could happen if the client machine of a valid user is infected with some virus or Trojan which sends mail using the Outlook settings.

From: senthil vel [mailto:senthilv...@gmail.com]
Sent: 22 June 2010 17:07
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Attack?
Re: [qmailtoaster] Attack?
Look in /var/log/maillog:

Jun 22 09:02:10 net spamdyke[5028]: DENIED_RDNS_MISSING from: (unknown) to: anonym...@client.ind.br origin_ip: 189.2.134.108 origin_rdns: (unknown) auth: (unknown)
Jun 22 09:02:11 net spamdyke[5024]: DENIED_RDNS_MISSING from: affectionatevb...@semagroup.sema.se to: r...@metalservice.ind.br origin_ip: 79.189.227.34 origin_rdns: (unknown) auth: (unknown)
Jun 22 09:02:14 net spamdyke[5025]: DENIED_RDNS_MISSING from: il...@neofiber.com.br to: il...@client.com.br origin_ip: 80.184.67.122 origin_rdns: (unknown) auth: (unknown)
Jun 22 09:02:14 net spamdyke[5026]: DENIED_RDNS_RESOLVE from: (unknown) to: anonym...@client.ind.br origin_ip: 209.113.141.35 origin_rdns: mlsvr01.mindleaf.com auth: (unknown)
Jun 22 09:02:44 net spamdyke[5033]: DENIED_RDNS_MISSING from: (unknown) to: anonym...@client.ind.br origin_ip: 200.143.203.70 origin_rdns: (unknown) auth: (unknown)
Jun 22 09:02:50 net spamdyke[5032]: DENIED_OTHER from: rgper...@fibria.com.br to: anonym...@client.ind.br origin_ip: 200.185.80.78 origin_rdns: smtp4.votorantim.com.br auth: (unknown)
Jun 22 09:03:09 net spamdyke[5043]: DENIED_RDNS_MISSING from: (unknown) to: anonym...@client.ind.br origin_ip: 202.181.238.101 origin_rdns: (unknown) auth: (unknown)
Jun 22 09:03:26 net spamdyke[5046]: DENIED_RDNS_MISSING from: (unknown) to: anonym...@client.ind.br origin_ip: 200.14.68.55 origin_rdns: (unknown) auth: (unknown)
Jun 22 09:03:30 net spamdyke[5050]: DENIED_RDNS_MISSING from: (unknown) to: anonym...@client.ind.br origin_ip: 200.228.168.2 origin_rdns: (unknown) auth: (unknown)
Jun 22 09:03:42 net spamdyke[5106]: DENIED_RDNS_MISSING from: (unknown) to: anonym...@client.ind.br origin_ip: 200.228.168.2 origin_rdns: (unknown) auth: (unknown)
Jun 22 09:03:53 net spamdyke[5108]: DENIED_RBL_MATCH from: (unknown) to: anonym...@client.ind.br origin_ip: 201.76.223.15 origin_rdns: send.wnetrj.com.br auth: (unknown)

Are the IPs spoofed? Actually I'm not using port 587; I'm using vpopmail to authenticate my users.

Thanks so much!!
Re: [qmailtoaster] Attack?
Honestly, I am not using spamdyke. Does spamdyke append all of its log to /var/log/maillog? Also, it seems spamdyke is rejecting these mails. Is this the current log? If so, somebody is still sending mails. Can't you get any information from /var/log/qmail/smtp/current regarding this?
Re: [qmailtoaster] Attack?
At the same time, /var/log/qmail/smtp/current shows this log:

@40004c20ae8b0e33b054 CHKUSER accepted null sender: from :: remote eslovenia.intralesc.sc.gov.br:unknown:200.192.66.25 rcpt : accepted null sender always
@40004c20ae8c09af4944 tcpserver: status: 14/100
@40004c20ae8c09af5114 tcpserver: pid 8948 from 123.127.247.104
@40004c20ae8c09af54fc tcpserver: ok 8948 net:10.1.1.254:25 :123.127.247.104::55903
@40004c20ae90008f12f4 CHKUSER accepted null sender: from :: remote exchange.lvcgroup.com:unknown:123.127.247.104 rcpt : accepted null sender always
@40004c20ae920602eae4 tcpserver: status: 15/100
@40004c20ae920602f2b4 tcpserver: pid 8950 from 200.228.168.2
@40004c20ae920602f69c tcpserver: ok 8950 net:10.1.1.254:25 :200.228.168.2::52084
@40004c20ae92225def7c tcpserver: end 8948 status 0
@40004c20ae92225df74c tcpserver: status: 14/100
@40004c20ae931ac30d24 CHKUSER accepted null sender: from :: remote server.aceam.unb.org.br:unknown:200.228.168.2 rcpt : accepted null sender always

And in /var/log/maillog:

Jun 22 09:37:27 net spamdyke[8948]: DENIED_RDNS_MISSING from: (unknown) to: anonym...@client.ind.br origin_ip: 123.127.247.104 origin_rdns: (unknown) auth: (unknown)
Jun 22 09:37:29 net spamdyke[8950]: DENIED_RDNS_MISSING from: (unknown) to: anonym...@client.ind.br origin_ip: 200.228.168.2 origin_rdns: (unknown) auth: (unknown)
Jun 22 09:37:44 net spamdyke[8952]: DENIED_RDNS_MISSING from: (unknown) to: anonym...@client.ind.br origin_ip: 200.228.168.2 origin_rdns: (unknown) auth: (unknown)
Jun 22 09:38:03 net spamdyke[8954]: DENIED_RDNS_MISSING from: (unknown) to: anonym...@client.ind.br origin_ip: 195.235.66.91 origin_rdns: (unknown) auth: (unknown)

Rafael Andrade
http://www.riosulense.com.br
Systems Administrator . 47 3531-4152
Before printing, think about your responsibility and commitment to the environment!
Re: [qmailtoaster] Attack?
The log you posted from /var/log/qmail/smtp/current does not have any information regarding this issue.

Step 1. #qmailctl queue
It will show the mails in the queue. Say, for example, I am pasting the output you posted in your first mail:

21 Jun 2010 22:45:02 GMT #3087267 1435 anonym...@client.ind.br remote prittyg...@yahoo.com.br
21 Jun 2010 22:34:44 GMT #3069258 1430 anonym...@client.ind.br remote prisci...@terra.com.br
21 Jun 2010 22:44:39 GMT #3079585 1439 anonym...@client.ind.br remote priscillame...@yahoo.com.br
22 Jun 2010 00:02:57 GMT #2443198 1438 anonym...@client.ind.br remote qeezajtze...@stargate5.com

Select a mail id which is in the 'remote' field. For example, let us take prittyg...@yahoo.com.br.

Step 2. Use the grep command to search for the mail id we collected in the first step:

grep -i 'prittyg...@yahoo.com.br' /var/log/qmail/smtp/current

If no results are found, check the time of the mail in the queue (21 Jun 2010 22:45:02) and look at the log file which has this time stamp. To do this, go to /var/log/qmail/smtp/:

#cd /var/log/qmail/smtp/
#ll   or   # ls -l

Check the log file for the appropriate date and time. If nothing works, use:

grep -i 'prittyg...@yahoo.com.br' /var/log/qmail/smtp/*
grep -i 'prittyg...@yahoo.com.br' /var/log/qmail/submission/*

This may take a long time and server resources. It will show the log for the origin of the mail.

--Senthilvel.
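Matching a queue entry's time against the multilog files, as Senthilvel's second step asks, means turning the @4000... stamps into wall-clock time. The script below is an added example, not something posted in the thread or part of qmailtoaster: it decodes TAI64N labels the way daemontools' tai64nlocal does, parses the "DD Mon YYYY HH:MM:SS GMT" form that qmailctl queue prints, and returns the log lines that fall within a window of that time. Assumptions, also marked in the code: the host clock is UTC, so tai64n added a fixed 10 seconds (tai64nlocal subtracts the same constant and, without a leap-second table, ignores later leap seconds); the sample log lines are the thread's own /var/log/qmail/smtp/current excerpt re-typed with the full 24-hex stamp multilog writes (the pasted copies above are missing four zeros after the @4000); the queue time 22 Jun 2010 12:37:25 GMT is constructed so that it lands inside that excerpt.

```python
"""Decode multilog TAI64N stamps and pull the /var/log/qmail/smtp lines around a
queue entry's timestamp.

Added example, not from the thread. Assumes a UTC host clock (tai64n adds exactly
10 s, the constant tai64nlocal subtracts) and ignores leap seconds beyond that,
as tai64nlocal does without a leap-second table.
"""
import re
from datetime import datetime, timedelta, timezone

TAI64N_RE = re.compile(r"^@([0-9a-f]{16})([0-9a-f]{8})")
TAI_BASE = 1 << 62          # TAI64 label of the 1970 epoch
TAI_UTC_OFFSET = 10         # seconds tai64n adds on a UTC-clock host (assumption)


def decode_tai64n(label):
    """'@400000004c20ae8b0e33b054' -> aware UTC datetime (microsecond precision)."""
    m = TAI64N_RE.match(label)
    if not m:
        raise ValueError(f"not a TAI64N label: {label[:26]!r}")
    secs = int(m.group(1), 16) - TAI_BASE - TAI_UTC_OFFSET
    nanos = int(m.group(2), 16)
    return datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(microseconds=nanos // 1000)


def parse_queue_time(text):
    """'21 Jun 2010 22:45:02 GMT' (as printed by qmailctl queue) -> aware UTC datetime."""
    return datetime.strptime(text, "%d %b %Y %H:%M:%S GMT").replace(tzinfo=timezone.utc)


def lines_near(log_lines, when, window_seconds=30):
    """Return (timestamp, line) pairs whose stamp lies within +/- window_seconds of `when`."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for line in log_lines:
        try:
            ts = decode_tai64n(line)
        except ValueError:
            continue            # lines without a stamp, or truncated ones
        if abs(ts - when) <= window:
            hits.append((ts, line))
    return hits


# The thread's smtp/current excerpt, re-typed with the full 24-hex stamps multilog writes.
SAMPLE_LOG = """@400000004c20ae8b0e33b054 CHKUSER accepted null sender: from :: remote eslovenia.intralesc.sc.gov.br:unknown:200.192.66.25 rcpt : accepted null sender always
@400000004c20ae8c09af4944 tcpserver: status: 14/100
@400000004c20ae8c09af5114 tcpserver: pid 8948 from 123.127.247.104
@400000004c20ae8c09af54fc tcpserver: ok 8948 net:10.1.1.254:25 :123.127.247.104::55903
@400000004c20ae920602f2b4 tcpserver: pid 8950 from 200.228.168.2
@400000004c20ae92225def7c tcpserver: end 8948 status 0
""".splitlines()

# Constructed queue timestamp that falls inside the excerpt (the thread's real
# queue entries are from 21 Jun, outside this log window).
QUEUE_TIME = "22 Jun 2010 12:37:25 GMT"


if __name__ == "__main__":
    when = parse_queue_time(QUEUE_TIME)
    for ts, line in lines_near(SAMPLE_LOG, when):
        print(ts.strftime("%Y-%m-%d %H:%M:%S.%f"), line.split(" ", 1)[1])
```

Decoded, the "tcpserver: pid 8948" line is 12:37:22 UTC; if the box kept Brazil time (UTC-3, an assumption from the .br domain) that is 09:37:22 local, five seconds before the "spamdyke[8948]: DENIED_RDNS_MISSING" line in the maillog, so the two logs can be joined on pid plus time. For a search over the whole directory, feed every file under /var/log/qmail/smtp/ (current and the rotated @*.s files) to lines_near() with the queue entry's time. A message injected locally, as in the "invoked by uid 48" header shown near the top of the thread, never passes through qmail-smtpd, so an empty grep in both the smtp and submission logs is itself a pointer toward a local process.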
Re: [qmailtoaster] Attack?
cat /var/log/qmail/smtp/* | grep -i prittyg...@yahoo.com.br
(empty)

cat /var/log/qmail/submission/* | grep -i prittyg...@yahoo.com.br
(empty)

:(

Still showing in maillog:

Jun 22 10:59:33 net spamdyke[16032]: DENIED_RDNS_MISSING from: (unknown) to: anonym...@metalservice.ind.br origin_ip: 200.228.168.2 origin_rdns: (unknown) auth: (unknown)
Jun 22 10:59:43 net spamdyke[16034]: DENIED_RDNS_MISSING from: (unknown) to: anonym...@metalservice.ind.br origin_ip: 200.228.168.2 origin_rdns: (unknown) auth: (unknown)
Jun 22 11:00:15 net spamdyke[16038]: DENIED_OTHER from: (unknown) to: anonym...@metalservice.ind.br origin_ip: 64.20.61.10 origin_rdns: ip10.njs0.srv.infoex.com auth: (unknown)
Jun 22 11:00:30 net spamdyke[16042]: DENIED_RDNS_MISSING from: (unknown) to: anonym...@metalservice.ind.br origin_ip: 200.14.68.55 origin_rdns: (unknown) auth: (unknown)
Jun 22 11:01:07 net spamdyke[16046]: DENIED_OTHER from: (unknown) to: anonym...@metalservice.ind.br origin_ip: 200.174.214.66 origin_rdns: ns.usinamoreno.com.br auth: (unknown)

[r...@net metalservice.ind.br]# cat /var/log/qmail/smtp/current | grep -i ns.usinamoreno.com.br
@40004c20b8c62a1ca99c CHKUSER rejected rcpt: from :: remote ns.usinamoreno.com.br:unknown:200.174.214.66 rcpt anonym...@metalservice.ind.br : not existing recipient
@40004c20bd792b6ff8e4 CHKUSER accepted null sender: from :: remote ns.usinamoreno.com.br:unknown:200.174.214.66 rcpt : accepted null sender always
@40004c20bd793057445c CHKUSER rejected rcpt: from :: remote ns.usinamoreno.com.br:unknown:200.174.214.66 rcpt anonym...@metalservice.ind.br : not existing recipient
@40004c20c22b376a2e1c CHKUSER accepted null sender: from :: remote ns.usinamoreno.com.br:unknown:200.174.214.66 rcpt : accepted null sender always
@40004c20c22c00a04934 CHKUSER rejected rcpt: from :: remote ns.usinamoreno.com.br:unknown:200.174.214.66 rcpt anonym...@metalservice.ind.br : not existing recipient

senthil vel wrote:

The message posted from /var/log/qmail/smtp/current does not have any information regarding this issue.

Step 1. Run qmailctl queue; it will show the mails in the queue. For example, I am pasting the output you posted in your first mail:

21 Jun 2010 22:45:02 GMT #3087267 1435 anonym...@client.ind.br remote prittyg...@yahoo.com.br
21 Jun 2010 22:34:44 GMT #3069258 1430 anonym...@client.ind.br remote prisci...@terra.com.br
21 Jun 2010 22:44:39 GMT #3079585 1439 anonym...@client.ind.br remote priscillame...@yahoo.com.br
22 Jun 2010 00:02:57 GMT #2443198 1438 anonym...@client.ind.br remote qeezajtze...@stargate5.com

Select a mail id which is in the 'remote' field. For example, let us take prittyg...@yahoo.com.br.

Step 2. Use the grep command to search for the mail id we collected in the first step:

grep -i 'prittyg...@yahoo.com.br' /var/log/qmail/smtp/current

If no results are found, check the time of the mail in the queue (21 Jun 2010 22:45:02) for this mail, and then check the log file which has this time stamp. To do this, go to /var/log/qmail/smtp/:

# cd /var/log/qmail/smtp/
# ll   (or: # ls -l)

Check the log file for the appropriate date and time. If nothing works, use:

grep -i 'prittyg...@yahoo.com.br' /var/log/qmail/smtp/*
grep -i 'prittyg...@yahoo.com.br' /var/log/qmail/submission/*

This may take a long time and server resources. It will show the log for the origin of the mail.

--Senthilvel.

On Tue, Jun 22, 2010 at 6:16 PM, Rafael Andrade raf...@riosulense.com.br wrote:

At the same time, /var/log/qmail/smtp/current shows this log:

@40004c20ae8b0e33b054 CHKUSER accepted null sender: from :: remote eslovenia.intralesc.sc.gov.br:unknown:200.192.66.25 rcpt : accepted null sender always
@40004c20ae8c09af4944 tcpserver: status: 14/100
@40004c20ae8c09af5114 tcpserver: pid 8948 from 123.127.247.104
@40004c20ae8c09af54fc tcpserver: ok 8948 net:10.1.1.254:25 :123.127.247.104::55903
@40004c20ae90008f12f4 CHKUSER accepted null sender: from :: remote exchange.lvcgroup.com:unknown:123.127.247.104 rcpt : accepted null sender always
@40004c20ae920602eae4 tcpserver: status: 15/100
@40004c20ae920602f2b4 tcpserver: pid 8950 from 200.228.168.2
@40004c20ae920602f69c tcpserver: ok 8950 net:10.1.1.254:25 :200.228.168.2::52084
@40004c20ae92225def7c tcpserver: end 8948 status 0
@40004c20ae92225df74c tcpserver: status: 14/100
@40004c20ae931ac30d24 CHKUSER
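The triage procedure quoted above (list the queue, pick a recipient, grep the smtp and submission logs) is worth scripting, and it is worth adding the check the thread is missing: when the greps come back empty, look at how the queued message entered qmail. The topmost Received: header of a queued message tells you. qmail-inject (and the sendmail wrapper) writes "Received: (qmail N invoked by uid U)", while qmail-smtpd writes "Received: (qmail N invoked from network)" followed by a "from host (ip) by ... with SMTP" line. A message with "invoked by uid" never went through the smtp or submission service, so no amount of grepping those logs will find it; map the uid back with getent passwd and look at what that account runs. The spamdyke DENIED lines are inbound connections spamdyke refused before qmail-smtpd queued anything, so they cannot be the source of a 40,000-message outbound queue. The script below is an added example, not code from the thread or from qmailtoaster: it parses qmailctl queue output and spamdyke log lines copied from the messages above, groups queued mail by envelope sender, counts rejections per origin IP, and classifies two constructed message heads (pid and uid values hypothetical) by their Received: header.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input. The queue lines and the spamdyke lines are copied
# from the messages in this thread; the two message heads are made up to show
# the two Received: shapes qmail writes (pid and uid values are hypothetical).
QUEUE_LISTING = """\
messages in queue: 40591
messages in queue but not yet preprocessed: 15
22 Jun 2010 15:46:19 GMT #2467164 1456 anonym...@metalservice.ind.br remote mat...@mikrus.com.br
22 Jun 2010 15:09:18 GMT #3087267 1459 anonym...@metalservice.ind.br remote robertajard...@yahoo.com.br
22 Jun 2010 15:38:28 GMT #2462288 2835 #...@[] remote postmas...@net
22 Jun 2010 15:53:22 GMT #2450535 1465 anonym...@metalservice.ind.br local metalservice.ind.br-audito...@metalservice.ind.br remote matilhaproduc...@terra.com.br
"""

MAILLOG = """\
Jun 22 10:59:33 net spamdyke[16032]: DENIED_RDNS_MISSING from: (unknown) to: anonym...@metalservice.ind.br origin_ip: 200.228.168.2 origin_rdns: (unknown) auth: (unknown)
Jun 22 10:59:43 net spamdyke[16034]: DENIED_RDNS_MISSING from: (unknown) to: anonym...@metalservice.ind.br origin_ip: 200.228.168.2 origin_rdns: (unknown) auth: (unknown)
Jun 22 11:00:15 net spamdyke[16038]: DENIED_OTHER from: (unknown) to: anonym...@metalservice.ind.br origin_ip: 64.20.61.10 origin_rdns: ip10.njs0.srv.infoex.com auth: (unknown)
"""

# Mail handed to qmail-inject (or the sendmail wrapper) by a local process:
LOCAL_MESSAGE = """\
Received: (qmail 21700 invoked by uid 48); 22 Jun 2010 15:46:19 -0000
From: anonym...@metalservice.ind.br
To: mat...@mikrus.com.br
Subject: sample
"""

# Mail accepted by qmail-smtpd over the network:
NETWORK_MESSAGE = """\
Received: (qmail 8950 invoked from network); 22 Jun 2010 12:37:29 -0000
Received: from unknown (HELO server.aceam.unb.org.br) (200.228.168.2)
  by net with SMTP; 22 Jun 2010 12:37:29 -0000
From: someone@example.org
Subject: sample
"""

QUEUE_LINE = re.compile(
    r"^(?P<date>\d{1,2} \w{3} \d{4} \d\d:\d\d:\d\d GMT) "
    r"#(?P<msgid>\d+) (?P<size>\d+) (?P<sender>\S+)"
    r"(?P<rcpts>(?: (?:local|remote) \S+)+)$")

SPAMDYKE_LINE = re.compile(
    r"spamdyke\[\d+\]: (?P<verdict>\S+) from: (?P<from>\S+) to: (?P<to>\S+) "
    r"origin_ip: (?P<ip>\S+) origin_rdns: (?P<rdns>\S+) auth: (?P<auth>\S+)")

INVOKED_BY_UID = re.compile(r"^Received: \(qmail \d+ invoked by uid (\d+)\)")
INVOKED_FROM_NET = re.compile(r"^Received: \(qmail \d+ invoked from network\)")


def parse_queue(listing):
    """Turn `qmailctl queue` lines into dicts; the two summary lines are skipped."""
    records = []
    for line in listing.splitlines():
        m = QUEUE_LINE.match(line.strip())
        if not m:
            continue
        parts = m.group("rcpts").split()
        records.append({
            "msgid": int(m.group("msgid")),
            "size": int(m.group("size")),
            "sender": m.group("sender"),
            "recipients": list(zip(parts[0::2], parts[1::2])),  # (local|remote, addr)
        })
    return records


def queued_by_sender(records):
    """Envelope sender -> sorted queue ids. One sender owning most of the queue
    is the thing to chase, not the individual remote recipients."""
    by_sender = defaultdict(list)
    for r in records:
        by_sender[r["sender"]].append(r["msgid"])
    return {s: sorted(ids) for s, ids in by_sender.items()}


def spamdyke_rejections(maillog):
    """Count DENIED_* verdicts per origin IP. spamdyke refused these inbound
    connections before qmail-smtpd queued anything, so they are noise as far as
    the outbound queue is concerned."""
    counts = Counter()
    for line in maillog.splitlines():
        m = SPAMDYKE_LINE.search(line)
        if m and m.group("verdict").startswith("DENIED"):
            counts[m.group("ip")] += 1
    return dict(counts)


def injection_path(message):
    """Classify a queued message by its topmost Received: header, the one this
    host added last: ('local', uid) if qmail-inject wrote it, ('network', None)
    if qmail-smtpd did, ('unknown', None) otherwise."""
    for line in message.splitlines():
        if not line.startswith("Received:"):
            continue
        m = INVOKED_BY_UID.match(line)
        if m:
            return ("local", int(m.group(1)))
        if INVOKED_FROM_NET.match(line):
            return ("network", None)
        return ("unknown", None)
    return ("unknown", None)


if __name__ == "__main__":
    for sender, ids in queued_by_sender(parse_queue(QUEUE_LISTING)).items():
        print(f"{len(ids):5d} queued from {sender}")
    print("spamdyke rejections by origin IP:", spamdyke_rejections(MAILLOG))
    for label, head in (("local", LOCAL_MESSAGE), ("network", NETWORK_MESSAGE)):
        print(f"{label} sample entered via {injection_path(head)}")
```

On a live box, feed the script the real listing (qmailctl queue) and the head of a queued message (qmHandle -m<id>); if the verdict is ('local', uid), the next command is getent passwd on that uid, and if that is the web server's account the search moves from the mail logs to the web root and the PHP scripts that can call mail().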
Re: [qmailtoaster] Attack?
[r...@net metalservice.ind.br]# qmailctl queue | wc -l
86325

:(

[r...@net metalservice.ind.br]# qmailctl queue | head -n 50
messages in queue: 40591
messages in queue but not yet preprocessed: 15
22 Jun 2010 15:46:19 GMT #2467164 1456 anonym...@metalservice.ind.br remote mat...@mikrus.com.br
22 Jun 2010 15:09:18 GMT #3087267 1459 anonym...@metalservice.ind.br remote robertajard...@yahoo.com.br
22 Jun 2010 15:37:38 GMT #2461644 1463 anonym...@metalservice.ind.br remote mate...@cetesbnet.sp.gov.br
22 Jun 2010 15:45:28 GMT #2447016 1457 anonym...@metalservice.ind.br remote mati...@joinet.com.br
22 Jun 2010 15:49:08 GMT #3069258 1461 anonym...@metalservice.ind.br remote mattaro...@psibo.unibo.it
22 Jun 2010 15:38:28 GMT #2462288 2835 #...@[] remote postmas...@net
22 Jun 2010 15:44:16 GMT #2465807 1455 anonym...@metalservice.ind.br remote mati...@is-koeln.de
22 Jun 2010 15:28:35 GMT #2455112 1451 anonym...@metalservice.ind.br remote rodolfo...@uol.com.br
22 Jun 2010 15:46:45 GMT #2467555 1454 anonym...@metalservice.ind.br remote matildene...@msn.com
22 Jun 2010 15:02:44 GMT #3069603 1454 anonym...@metalservice.ind.br remote roberto.come...@bol.com.br
22 Jun 2010 15:42:13 GMT #2464565 1460 anonym...@metalservice.ind.br remote matoso.sona...@gmail.com
22 Jun 2010 15:34:11 GMT #2443198 2872 #...@[] remote postmas...@net
22 Jun 2010 15:50:15 GMT #2470591 1459 anonym...@metalservice.ind.br remote mat...@sum.desktop.com.br
22 Jun 2010 15:53:22 GMT #2450535 1465 anonym...@metalservice.ind.br local metalservice.ind.br-audito...@metalservice.ind.br remote matilhaproduc...@terra.com.br
22 Jun 2010 15:56:32 GMT #2506264 1452 anonym...@metalservice.ind.br local metalservice.ind.br-audito...@metalservice.ind.br remote matr...@uol.com.br
22 Jun 2010 15:53:25 GMT #2448971 1457 anonym...@metalservice.ind.br local metalservice.ind.br-audito...@metalservice.ind.br remote matle...@terra.com.br
22 Jun 2010 15:43:26 GMT #2465278 1458 anonym...@metalservice.ind.br remote mat...@infraero.gov.br
22 Jun 2010 15:38:51 GMT #2462702 1459 anonym...@metalservice.ind.br remote mat...@dequi.eel.usp.br

How can I delete all msgs to anonym...@metalservice.ind.br using qmail-remove (syntax?)

Thanks so much again

senthil vel wrote:

Not sure what is going on... Some other spamdyke gurus may help. How many mails are there in the queue now? If the mail queue is still large, use qmail-remove to remove the mails in the queue. If qmail-remove is not installed, please follow this.

*Install qmail-remove*

First you need to download the latest version from here: http://www.linuxmagic.com/opensource/qmail/qmail-remove/ The current version is qmail-remove 0.95. Download it using the following command:

# wget http://www.linuxmagic.com/opensource/qmail/qmail-remove/qmail-remove-0.95.tar.gz

Now you have the qmail-remove-0.95.tar.gz file and you need to extract it using the following command:

# tar -zxvf qmail-remove-0.95.tar.gz

Now you should have a qmail-remove-0.95 folder. Go into the directory and run the following commands:

# make
# make install

This completes the installation. Now you need to create a directory named "yanked" in the qmail queue directory you intend to use before using this program:

# mkdir /var/qmail/queue/yanked

*Using qmail-remove*

*Syntax:* qmail-remove [options]

*Available options:*
-e             use extended POSIX regular expressions
-h, -?         this help message
-i             search case insensitively [default: case sensitive]
-n <bytes>     limit our search to the first <bytes> bytes of each file
-p <pattern>   specify the pattern to search for
-q <queuedir>  specify the base qmail queue dir [default: /var/qmail/queue]
-r             actually remove files, without this we'll only print them
-s <split>     specify your conf-split value if non-standard [default: 23]
-v             increase verbosity (can be used more than once)
-y <yankdir>   directory to put files yanked from the queue [default: <queuedir>/yanked]
-X <seconds>   modify timestamp on matching files, to make qmail expire mail. <seconds> is the number of seconds we want to move the file into the past. Specifying a value of 0 causes this to default to (604800).
-x <time>      modify timestamp on matching files, to make qmail expire mail. <time> is a date/time string in the format of the output of the "date" program.

*Examples for qmail-remove*

To delete mails from the queue:

# qmail-remove -r -p gtre.ac.net
324001: yes
moved mess/0/324001 to yanked/324001.mess
moved remote/0/324001 to yanked/324001.remote
moved info/0/324001 to yanked/324001.info
324024: yes
moved mess/0/324024 to yanked/324024.mess
moved remote/0/324024 to yanked/324024.remote
moved info/0/324024 to yanked/324024.info

This will remove all emails in the queue with "gtre.ac.net" in them and place them in
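The qmail-remove walkthrough quoted above is clearer once you see the queue layout it operates on. qmail-send keeps each message as several files named after the message id: mess/<split>/<id> (the message), info/<split>/<id> (the envelope sender), remote/<split>/<id> and local/<split>/<id> (the recipients), where <split> is id modulo conf-split (23 by default), which is why the sample output shows 324001 and 324024 both under split 0. qmail-remove scans the first bytes of each mess file for the pattern and, only with -r, moves the message's files into yanked/. The script below is an added example, not qmail-remove's code and not from the thread: it builds a throwaway queue in a temporary directory using that layout, does a dry run, then the real yank, and returns what was matched, moved and left behind. Message ids, addresses and header contents are constructed. Three caveats a practitioner would want: stop qmail-send (qmailctl stop) before touching /var/qmail/queue directly, because qmail-send caches the queue state and will not expect files to disappear; messages "not yet preprocessed" live under todo/ and intd/, which neither this example nor the walkthrough covers; and a bare domain as the pattern also matches innocent mail that merely mentions it, so prefer a string specific to the envelope, such as the forged sender address, and keep the yanked copies for forensics since their Received: headers show how the mail got in.

```python
import os
import re
import shutil
import tempfile

CONF_SPLIT = 23                                # qmail's compiled-in conf-split default
SUBDIRS = ("mess", "info", "remote", "local")  # per-message files kept by qmail-send

# Constructed sample queue: ids, addresses and headers are hypothetical. 324001
# and 324024 fall in split directory 0 (324001 % 23 == 0), 324002 in split 1.
SAMPLE = [
    (324001, "anonymous@example.com", "alice@gtre.ac.net",
     "Received: (qmail 100 invoked by uid 48); 22 Jun 2010 15:46:19 -0000\n"
     "From: anonymous@example.com\nTo: alice@gtre.ac.net\nSubject: x\n\nbody\n"),
    (324024, "anonymous@example.com", "bob@gtre.ac.net",
     "Received: (qmail 101 invoked by uid 48); 22 Jun 2010 15:46:20 -0000\n"
     "From: anonymous@example.com\nTo: bob@gtre.ac.net\nSubject: x\n\nbody\n"),
    (324002, "admin@example.com", "boss@example.org",
     "Received: (qmail 102 invoked from network); 22 Jun 2010 15:46:21 -0000\n"
     "From: admin@example.com\nTo: boss@example.org\nSubject: report\n\nbody\n"),
]


def split_of(msgid, conf_split=CONF_SPLIT):
    """qmail stores message <id> as <subdir>/<id % conf-split>/<id>."""
    return str(msgid % conf_split)


def build_sample_queue(root, messages, conf_split=CONF_SPLIT):
    """Create a throwaway queue under root in the layout qmail-send uses."""
    os.makedirs(os.path.join(root, "yanked"), exist_ok=True)  # qmail-remove needs it
    for msgid, sender, rcpt, mess in messages:
        split = split_of(msgid, conf_split)
        for sub in ("mess", "info", "remote"):
            os.makedirs(os.path.join(root, sub, split), exist_ok=True)
        with open(os.path.join(root, "mess", split, str(msgid)), "wb") as f:
            f.write(mess.encode())
        # info/<id> is 'F' + envelope sender + NUL, remote/<id> is 'T' + rcpt + NUL
        with open(os.path.join(root, "info", split, str(msgid)), "wb") as f:
            f.write(b"F" + sender.encode() + b"\0")
        with open(os.path.join(root, "remote", split, str(msgid)), "wb") as f:
            f.write(b"T" + rcpt.encode() + b"\0")


def list_queue(root, conf_split=CONF_SPLIT):
    """Message ids still present under mess/."""
    ids = []
    for split in range(conf_split):
        d = os.path.join(root, "mess", str(split))
        if os.path.isdir(d):
            ids.extend(int(n) for n in os.listdir(d) if n.isdigit())
    return sorted(ids)


def yank_matching(root, pattern, remove=False, max_bytes=4096, conf_split=CONF_SPLIT):
    """What `qmail-remove -p <pattern> [-n <bytes>] [-r]` does: scan the first
    max_bytes of every mess/<split>/<id> for the regex, report the matches and,
    only with remove=True, move the message's files to yanked/<id>.<subdir>."""
    rx = re.compile(pattern.encode())
    matched = []
    for split in range(conf_split):
        d = os.path.join(root, "mess", str(split))
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.isdigit():
                continue
            with open(os.path.join(d, name), "rb") as f:
                if not rx.search(f.read(max_bytes)):
                    continue
            matched.append(int(name))
            if remove:
                for sub in SUBDIRS:
                    src = os.path.join(root, sub, str(split), name)
                    if os.path.exists(src):
                        shutil.move(src, os.path.join(root, "yanked", f"{name}.{sub}"))
    return sorted(matched)


def demo(pattern=r"gtre\.ac\.net"):
    """Dry run first (nothing moves), then the real removal; returns the results."""
    root = tempfile.mkdtemp(prefix="qmail-queue-")
    try:
        build_sample_queue(root, SAMPLE)
        result = {"dry_run": yank_matching(root, pattern)}
        result["untouched"] = list_queue(root)
        result["yanked"] = yank_matching(root, pattern, remove=True)
        result["left"] = list_queue(root)
        result["saved"] = sorted(os.listdir(os.path.join(root, "yanked")))
        return result
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:10s} {value}")
```

The dry run is the important habit: run the pattern without -r first, read the list of ids, spot-check one or two with qmHandle -m<id>, and only then run it again with -r.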