Re: [vchkpw] How can I identify a spammer?
On Oct 23, 2004, at 4:16 PM, Erwin Hoffmann wrote:

> This is a very old story. Pls. visit: http://www.fehcom.de/qmail/smtpauth.html
>
> Essentially, with all the disturbed discussion, I'd like to conclude:
>
> - Putting the hostname in the call of qmail-smtpd for SMTP Authentication conforms to the use of qmail-popup/qmail-pop3f, however
> - forgetting the hostname in there leaves the SMTP server "open", whereas
> - dropping the requirement for the hostname yields (in worst condition) an error message to the client.
>
> Thus, my implementation of the SMTP Authentication for Qmail (apart from the many bug-fixes) is fail-safe.
>
> As outlined, technically there is *NO* need to include a hostname in the call of the PAM; not even for qmail-popup - it's simply historic.
>
> regards.
> --eh.

Hello,

Just to let you know, I was just pointing the person to a patch that would do what they wanted without the hostname. I have visited your site before, and have read its entire contents, and I know that you don't need the hostname. Also, the patch I described is part of the vpopmail distribution, and I was just presenting it in an alternate form.

I am sorry if your message was directed at someone else on the mailing list, but I am rather offended by the thought that you meant me, and thus thought that I did not have the knowledge that it is historic and not needed.

J-W
Re: [vchkpw] How can I identify a spammer?
Hi,

At 11:50 23.10.04 -0400, you wrote:
>
> On Oct 23, 2004, at 11:22 AM, Jeremy Kitchen wrote:
>
>> On Fri, 2004-10-22 at 18:57 -0300, Walter Souto R. Junior wrote:
>>> Thanks Tom and Jeremy,
>>>
>>> I did fix my run file for smtp, but now I have a "501 malformed auth
>>> input (#5.5.4)" using telnet. I'm also trying with Opera with plain, auth
>>> and cram-md5 without success. My run file looks like:
>>>
>>> #!/bin/sh
>>>
>>> LOCAL=`head -1 /var/qmail/control/me`
>>>
>>> QMAILDUID=`id -u qmaild`
>>> NOFILESGID=`id -g qmaild`
>>
>> Can the qmaild user read your vpopmail information? I certainly hope
>> not. This is why you are unable to authenticate. Now, go fix this
>> and disable your open relay.
>>
>> -Jeremy
>
> I agree with Jeremy. I took the patch that vpopmail provides in its
> contrib dir, and made it one big rolled-in-one patch file, instead of
> separate files. This patch requires no hostname in the qmail-smtpd run
> file;
>
> in your qmail source dir just do the following:
>
> wget http://www.bsdguides.org/downloads/freebsd/qmail-smtpd-auth.patch
> (It is used in a guide of mine, but it is for stock qmail)
> patch < qmail-smtpd-auth.patch

This is a very old story. Pls. visit: http://www.fehcom.de/qmail/smtpauth.html

Essentially, with all the disturbed discussion, I'd like to conclude:

- Putting the hostname in the call of qmail-smtpd for SMTP Authentication conforms to the use of qmail-popup/qmail-pop3f, however
- forgetting the hostname in there leaves the SMTP server "open", whereas
- dropping the requirement for the hostname yields (in worst condition) an error message to the client.

Thus, my implementation of the SMTP Authentication for Qmail (apart from the many bug-fixes) is fail-safe.

As outlined, technically there is *NO* need to include a hostname in the call of the PAM; not even for qmail-popup - it's simply historic.

regards.
--eh.

Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/
Wiener Weg 8, 50858 Cologne | T: +49 221 484 4923 | F: ...24
Re: [vchkpw] How can I identify a spammer?
On Oct 23, 2004, at 11:22 AM, Jeremy Kitchen wrote:

> On Fri, 2004-10-22 at 18:57 -0300, Walter Souto R. Junior wrote:
>> Thanks Tom and Jeremy,
>>
>> I did fix my run file for smtp, but now I have a "501 malformed auth input (#5.5.4)" using telnet. I'm also trying with Opera with plain, auth and cram-md5 without success. My run file looks like:
>>
>> #!/bin/sh
>>
>> LOCAL=`head -1 /var/qmail/control/me`
>>
>> QMAILDUID=`id -u qmaild`
>> NOFILESGID=`id -g qmaild`
>
> Can the qmaild user read your vpopmail information? I certainly hope not. This is why you are unable to authenticate. Now, go fix this and disable your open relay.
>
> -Jeremy

I agree with Jeremy. I took the patch that vpopmail provides in its contrib dir, and made it one big rolled-in-one patch file, instead of separate files. This patch requires no hostname in the qmail-smtpd run file; in your qmail source dir just do the following:

wget http://www.bsdguides.org/downloads/freebsd/qmail-smtpd-auth.patch
(It is used in a guide of mine, but it is for stock qmail)
patch < qmail-smtpd-auth.patch

Then edit your qmail-smtpd run file to run it as A) root, or B) vpopmail (I personally do root, stops all the permissions crap from sneaking in), and then add ~vpopmail/bin/vchkpw /bin/true right after the call to qmail-smtpd. Don't add a hostname anywhere at all, and you are set.

X-Istence
Re: [vchkpw] How can I identify a spammer?
On Sat, 23 Oct 2004 10:22:19 -0500, Jeremy Kitchen <[EMAIL PROTECTED]> wrote:

> On Fri, 2004-10-22 at 18:57 -0300, Walter Souto R. Junior wrote:
>> Thanks Tom and Jeremy,
>>
>> I did fix my run file for smtp, but now I have a "501 malformed auth input (#5.5.4)" using telnet. I'm also trying with Opera with plain, auth and cram-md5 without success. My run file looks like:
>>
>> #!/bin/sh
>>
>> LOCAL=`head -1 /var/qmail/control/me`
>>
>> QMAILDUID=`id -u qmaild`
>> NOFILESGID=`id -g qmaild`
>
> Can the qmaild user read your vpopmail information? I certainly hope not. This is why you are unable to authenticate. Now, go fix this and disable your open relay.
>
> -Jeremy

OK. I already fixed that. I answered you a few minutes ago... The message didn't arrive. I'm thinking I will have some trouble with my IP in RBLs.

Regards
--
Walter.
Re: [vchkpw] How can I identify a spammer?
Jeremy,

> It's a REALLY BAD IDEA to leave your system as an open relay. Please, for the sake of yourself, and the rest of the internet, shut your open relay down.
>
> -Jeremy

Yes! I shut my open relay off. Now I relay only for myself and my clients. I figured out the problem with my run file for qmail-smtpd (with your help of course) and now everything is OK. You can see for yourself!

Thank you and Tom for the help, and sorry for the time that I "contributed" with the spammer that used my server to disturb everybody; you must know that it will never happen again.

Regards,
--
Walter.
Re: [vchkpw] How can I identify a spammer?
On Fri, 2004-10-22 at 18:57 -0300, Walter Souto R. Junior wrote:
> Thanks Tom and Jeremy,
>
> I did fix my run file for smtp, but now I have a "501 malformed auth input
> (#5.5.4)" using telnet. I'm also trying with Opera with plain, auth and
> cram-md5 without success. My run file looks like:
>
> #!/bin/sh
>
> LOCAL=`head -1 /var/qmail/control/me`
>
> QMAILDUID=`id -u qmaild`
> NOFILESGID=`id -g qmaild`

Can the qmaild user read your vpopmail information? I certainly hope not. This is why you are unable to authenticate. Now, go fix this and disable your open relay.

-Jeremy

--
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
[EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 815.776.9465 int'l
kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail
GnuPG Key ID: 481BF7E2 ++ scriptkitchen.com/kitchen.asc
Re: [vchkpw] How can I identify a spammer?
On Sat, 2004-10-23 at 02:35 -0300, Walter Souto R. Junior wrote:
> Currently I'm keeping my server "open", without the hostname as a
> parameter to qmail-smtpd. That's the reason that it worked. If I put the
> hostname, nobody can successfully log in and send e-mail, regardless of the
> method used. I think the solution is to upgrade vpopmail and use the
> more recent smtp-auth patch.
>
> To be short: if I put the hostname as a parameter, nobody logs in; if I
> don't, everybody logs in, so I'm missing something, maybe trivial, but at
> the moment I can't see it... So, is there something that I can do now without
> upgrading my entire system?

It's a REALLY BAD IDEA to leave your system as an open relay. Please, for the sake of yourself, and the rest of the internet, shut your open relay down.

-Jeremy

--
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
[EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 815.776.9465 int'l
kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail
GnuPG Key ID: 481BF7E2 ++ scriptkitchen.com/kitchen.asc
Re: [vchkpw] How can I identify a spammer?
Hi Tom,

> On Oct 22, 2004, at 2:57 PM, Walter Souto R. Junior wrote:
>> I did fix my run file for smtp, but now I have a "501 malformed auth input (#5.5.4)" using telnet. I'm also trying with Opera with plain, auth and cram-md5 without success. My run file looks like:
>
> Well, you need to enter a properly formatted request. Jeremy's example used bogus input. I just tried your server with 'AUTH PLAIN MTIzADEyMwAxMjM=' and it worked.
>
> When you set up Opera, you need to set the complete email address as the username -- perhaps that's your problem?

Yes, I always use the complete e-mail address as the username.

I'm a reader - until now I've just read - of this list for about 3 years, and I can say that this is my first thread.

Currently I'm keeping my server "open", without the hostname as a parameter to qmail-smtpd. That's the reason that it worked. If I put the hostname, nobody can successfully log in and send e-mail, regardless of the method used. I think the solution is to upgrade vpopmail and use the more recent smtp-auth patch.

To be short: if I put the hostname as a parameter, nobody logs in; if I don't, everybody logs in, so I'm missing something, maybe trivial, but at the moment I can't see it... So, is there something that I can do now without upgrading my entire system?

Thanks,
--
Walter.
Re: [vchkpw] How can I identify a spammer?
On Oct 22, 2004, at 2:57 PM, Walter Souto R. Junior wrote:
> I did fix my run file for smtp, but now I have a "501 malformed auth input (#5.5.4)" using telnet. I'm also trying with Opera with plain, auth and cram-md5 without success. My run file looks like:

Well, you need to enter a properly formatted request. Jeremy's example used bogus input. I just tried your server with 'AUTH PLAIN MTIzADEyMwAxMjM=' and it worked.

When you set up Opera, you need to set the complete email address as the username -- perhaps that's your problem?

--
Tom Collins - [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/
Re: [vchkpw] How can I identify a spammer?
Thanks Tom and Jeremy,

I did fix my run file for smtp, but now I have a "501 malformed auth input (#5.5.4)" using telnet. I'm also trying with Opera with plain, auth and cram-md5 without success. My run file looks like:

#!/bin/sh

LOCAL=`head -1 /var/qmail/control/me`

QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`/bin/cat /var/qmail/control/concurrencyincoming`

exec /usr/local/bin/softlimit -m 1500 \
    /usr/local/bin/tcpserver \
    -H -l $LOCAL \
    -v -x /etc/tcp.smtp.cdb \
    -c $MAXSMTPD -R -u $QMAILDUID -g $NOFILESGID 0 smtp \
    /var/qmail/bin/qmail-smtpd $LOCAL /home/vpopmail/bin/vchkpw /bin/true 2>&1

On Fri, 22 Oct 2004 12:04:04 -0500, Jeremy Kitchen <[EMAIL PROTECTED]> wrote:

> On Friday 22 October 2004 10:33 am, Walter Souto R. Junior wrote:
>> Received: (qmail 5098 invoked by uid 1010); 22 Oct 2004 11:46:22 -0200
>> Received: from [EMAIL PROTECTED] by alonso.bayweb.biz by uid 0
>> with qmail-scanner-1.22
>> (clamdscan: 0.74. spamassassin: 2.63.
>
> as Tom pointed out, you are an open relay:
>
> [EMAIL PROTECTED] ~ $ telnet alonso.bayweb.biz 25
> Trying 69.0.231.11...
> Connected to ns1.bayweb.biz.
> Escape character is '^]'.
> 220 alonso.bayweb.biz ESMTP
> ehlo bob
> 250-alonso.bayweb.biz
> 250-AUTH LOGIN CRAM-MD5 PLAIN
> 250-AUTH=LOGIN CRAM-MD5 PLAIN
> 250-STARTTLS
> 250-PIPELINING
> 250 8BITMIME
> auth login
> 334 VXNlcm5hbWU6
> jkflds
> 334 UGFzc3dvcmQ6
> jlfds
> 235 ok, go ahead (#2.0.0)
> quit
> 221 alonso.bayweb.biz
> Connection closed by foreign host.
>
> http://homepages.tesco.net/~J.deBoynePollard/FGA/qmail-promiscuous-smtp-auth-misconfiguration.html
>
> -Jeremy

Thanks,
--
Walter.
Re: [vchkpw] How can I identify a spammer?
On Friday 22 October 2004 10:33 am, Walter Souto R. Junior wrote:
> Received: (qmail 5098 invoked by uid 1010); 22 Oct 2004 11:46:22 -0200
> Received: from [EMAIL PROTECTED] by alonso.bayweb.biz by uid 0
> with qmail-scanner-1.22
> (clamdscan: 0.74. spamassassin: 2.63.

as Tom pointed out, you are an open relay:

[EMAIL PROTECTED] ~ $ telnet alonso.bayweb.biz 25
Trying 69.0.231.11...
Connected to ns1.bayweb.biz.
Escape character is '^]'.
220 alonso.bayweb.biz ESMTP
ehlo bob
250-alonso.bayweb.biz
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME
auth login
334 VXNlcm5hbWU6
jkflds
334 UGFzc3dvcmQ6
jlfds
235 ok, go ahead (#2.0.0)
quit
221 alonso.bayweb.biz
Connection closed by foreign host.

http://homepages.tesco.net/~J.deBoynePollard/FGA/qmail-promiscuous-smtp-auth-misconfiguration.html

-Jeremy

--
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
[EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 815.776.9465 int'l
kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail
GnuPG Key ID: 481BF7E2 ++ scriptkitchen.com/kitchen.asc
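The hand-typed session above is the whole test: garbage credentials, a 235. The script below is that same check automated, added here as an example; it is not code from the thread, from qmail or from vpopmail. It EHLOs, offers random credentials that cannot belong to any account over AUTH PLAIN or AUTH LOGIN (one fresh connection per mechanism, so a 235 on the first cannot mask the second), and reports a 235 as the promiscuous-AUTH misconfiguration. The EHLO name probe.invalid, the ScriptedConn fake socket (a constructed transcript that replays the dialogue quoted above) and its 535 refusal text are assumptions; probe_host opens real TCP connections.

```python
"""Probe an SMTP server for the promiscuous-AUTH misconfiguration (added example)."""
# Not code from qmail, vpopmail or any poster in the thread; see the lead-in for assumptions.
import base64
import secrets
import socket

def auth_plain_token(authzid, authcid, password):
    """SASL PLAIN initial response: authzid NUL authcid NUL password, base64."""
    raw = f"{authzid}\0{authcid}\0{password}".encode()
    return base64.b64encode(raw).decode("ascii")

def advertised_mechanisms(ehlo_lines):
    """Mechanisms from '250-AUTH ...' and the legacy '250-AUTH=...' form."""
    mechs = set()
    for text in (line[4:].upper() for line in ehlo_lines[1:]):
        if text.startswith(("AUTH ", "AUTH=")):
            mechs.update(text[5:].split())
    return mechs

class SmtpDialog:
    """Minimal line-oriented SMTP client over anything with sendall()/recv()."""
    def __init__(self, conn):
        self.conn, self.buf = conn, b""

    def read_reply(self):
        """Read one reply: 'NNN-' lines continue it, 'NNN ' ends it."""
        lines = []
        while True:
            while b"\n" not in self.buf:
                chunk = self.conn.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed the connection")
                self.buf += chunk
            line, self.buf = self.buf.split(b"\n", 1)
            lines.append(line.decode("ascii", "replace").rstrip("\r"))
            if len(lines[-1]) < 4 or lines[-1][3] != "-":
                return int(lines[-1][:3]), lines

    def cmd(self, text):
        self.conn.sendall((text + "\r\n").encode("ascii"))
        return self.read_reply()

def probe_auth(conn, mechanism, helo_name="probe.invalid"):
    """True if random credentials are accepted (235) via PLAIN or LOGIN."""
    d = SmtpDialog(conn)
    code, _ = d.read_reply()
    if code != 220:
        raise RuntimeError(f"unexpected banner: {code}")
    code, ehlo = d.cmd(f"EHLO {helo_name}")
    offered = advertised_mechanisms(ehlo)
    if mechanism not in offered:
        raise RuntimeError(f"{mechanism} not offered; server advertises {sorted(offered)}")
    # Credentials no real account could have; only a broken server answers 235.
    user, password = "nobody-" + secrets.token_hex(4), secrets.token_hex(8)
    if mechanism == "PLAIN":
        code, _ = d.cmd("AUTH PLAIN " + auth_plain_token("", user, password))
    else:
        code, _ = d.cmd("AUTH LOGIN")
        for answer in (user, password):  # server prompts Username: then Password:
            if code == 334:
                code, _ = d.cmd(base64.b64encode(answer.encode()).decode("ascii"))
    d.cmd("QUIT")
    return code == 235

def probe_host(host, port=25):
    """Check PLAIN and LOGIN on a live server, one connection per mechanism."""
    result = {}
    for mech in ("PLAIN", "LOGIN"):
        with socket.create_connection((host, port), timeout=15) as sock:
            result[mech] = probe_auth(sock, mech)
    return result

class ScriptedConn:
    """Fake socket replaying the quoted dialogue (constructed); the 535 text is assumed."""
    BANNER = b"220 alonso.bayweb.biz ESMTP\r\n"
    EHLO = (b"250-alonso.bayweb.biz\r\n250-AUTH LOGIN CRAM-MD5 PLAIN\r\n250-AUTH=LOGIN "
            b"CRAM-MD5 PLAIN\r\n250-STARTTLS\r\n250-PIPELINING\r\n250 8BITMIME\r\n")
    ACCEPT, REJECT = b"235 ok, go ahead (#2.0.0)\r\n", b"535 authorization failed (#5.7.0)\r\n"

    def __init__(self, promiscuous=True):
        self.promiscuous, self.out, self.state = promiscuous, self.BANNER, None

    def sendall(self, data):
        cmd = data.decode("ascii").strip().upper()
        if cmd.startswith("EHLO"):
            reply = self.EHLO
        elif cmd == "AUTH LOGIN":
            reply, self.state = b"334 VXNlcm5hbWU6\r\n", "user"  # "Username:"
        elif self.state == "user":
            reply, self.state = b"334 UGFzc3dvcmQ6\r\n", "pass"  # "Password:"
        elif self.state == "pass" or cmd.startswith("AUTH PLAIN "):
            reply, self.state = (self.ACCEPT if self.promiscuous else self.REJECT), None
        else:
            reply = b"221 alonso.bayweb.biz\r\n" if cmd == "QUIT" else b"500 unrecognized command\r\n"
        self.out += reply

    def recv(self, n):
        chunk, self.out = self.out[:n], self.out[n:]
        return chunk
```

probe_auth(ScriptedConn(), "LOGIN") returns True for the replay of the session above and False with ScriptedConn(promiscuous=False); probe_host("mail.example.net") runs the same two checks against a real server, and anything other than False for both mechanisms means the server relays for anyone who bothers to send AUTH. CRAM-MD5 is deliberately left out: PLAIN and LOGIN are enough to show the fault described in this thread, and the check is done over cleartext port 25 because, as the session shows, the server accepts AUTH without STARTTLS.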
Re: [vchkpw] How can I identify a spammer?
On Oct 22, 2004, at 8:33 AM, Walter Souto R. Junior wrote:
> Received: from unknown (HELO meals) ([EMAIL PROTECTED]) by xxx.yyy.zzz with SMTP; 22 Oct 2004 11:46:16 -0200

It looks like he's coming from IP 218.61.42.211, and authenticating as '123'. Do you have a user 123 in your default domain, or as a system user? Is user 123's password easy to guess?

Actually, it looks like your AUTH installation is broken -- you can auth as any user on your system. Take a look at the run file for qmail-smtpd. There are two types of patch, and yours is the one that requires a hostname after qmail-smtpd and before vchkpw. Fix the run script and then restart qmail-smtpd and you'll be fine.

--
Tom Collins - [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/
Re: [vchkpw] How can I identify a spammer?
Hi Jeremy,

> the smtp auth patch you use should be putting a header in the email saying who sent it.. check for that header, and shut the guy off.

This is the first thing that I tried. My server was set up 2 years ago and the vpopmail version is 5.3.20. I use the toaster guide from Bill Shup and his large patch. I never had a problem like that. This version of the smtp-auth patch does not put the information into the headers.

The message below is what the spammer sends out. The IP listed always changes. I tested my server just now and it isn't an open relay. So when I identify the vpopmail user that was used to do that I can take the proper action, but how?

-- MESSAGE NUMBER 32964920 --
Received: (qmail 5098 invoked by uid 1010); 22 Oct 2004 11:46:22 -0200
Received: from [EMAIL PROTECTED] by alonso.bayweb.biz by uid 0
 with qmail-scanner-1.22
 (clamdscan: 0.74. spamassassin: 2.63. Clear:RC:0(218.61.42.211):SA:1(7.4/4.0):.
 Processed in 5.793772 secs); 22 Oct 2004 13:46:22 -
Received: from unknown (HELO meals) ([EMAIL PROTECTED]) by alonso.bayweb.biz with SMTP; 22 Oct 2004 11:46:16 -0200
From: "Michael Sapanna"<[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [SPAM] ARE YOU HAPP1lIY?
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Qmail-Scanner-Message-ID: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on alonso.bayweb.biz
X-Spam-Report:
 * 1.9 DATE_MISSING Missing Date: header
 * 5.4 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
 *      [score: 1.]
 * 0.1 RCVD_IN_RFCI RBL: Sent via a relay in ipwhois.rfc-ignorant.org
 *      [218.61.42.211 has inaccurate or missing WHOIS] [data at the RIR]
 * 0.0 UPPERCASE_25_50 message body is 25-50% uppercase
X-Spam-Status: Yes, hits=7.4 required=4.0 tests=BAYES_99,DATE_MISSING,
 RCVD_IN_RFCI,UPPERCASE_25_50 autolearn=no version=2.63
X-Spam-Level: ***

http://VI1aggar_C000O0delne_Xana|x_Va||um_...and___mO000Ore
http://VI1aggar_C0O000delne_Xana|x_Va||um_CIa1lis_...and___mO0O00re
http://C1aI|is_Vl|aggar_...and___m0O0O0re
V|SIT 0UR S1TE AND 0RDER HERE
http://sear.cndbvsa.com/as#boathouse

Thanks in advance,
--
Walter.
Re: [vchkpw] How can I identify a spammer?
On Friday 22 October 2004 06:17 am, Walter Souto R. Junior wrote:
> Hi,
>
> I have one of my users using my server to send spam (I think). The
> messages came from 200.78.38.103. When I figured that out, I just blocked him
> and brought my server back... So how can I see what account on vpopmail was
> used to do this kind of thing? I only have smtp-auth, and just accept
> messages from one of my domains, which are about six and nothing more. I'm
> afraid that I don't have vpopmail logs; perhaps I installed vpopmail
> without them, so...

the smtp auth patch you use should be putting a header in the email saying who sent it.. check for that header, and shut the guy off.

-Jeremy

--
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
[EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 815.776.9465 int'l
kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail
GnuPG Key ID: 481BF7E2 ++ scriptkitchen.com/kitchen.asc
Re: [vchkpw] How can I identify a spammer?
> Install this http://www.enderunix.org/isoqlog/
>
> Don't forget the cron job to update its webpages. It reads from qmail logs, so hopefully qmail is logging properly on your box. =)
>
> Best Regards,
> Jeremy Eder
> Hi-Tek Data, Corp.
> V: 516-797-8800 F: 516-797-8892

Thanks Jeremy, but the spammer changes his IP every time I block it. So, how can I effectively block this guy since his IP always changes? I can't figure out how they get access to my server.

Thanks,
--
Walter.
RE: [vchkpw] How can I identify a spammer?
> -----Original Message-----
> From: Walter Souto R. Junior [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 22, 2004 7:18 AM
> To: [EMAIL PROTECTED]
> Subject: [vchkpw] How can I identify a spammer?
>
> Hi,
>
> I have one of my users using my server to send spam (I think). The messages came from 200.78.38.103. When I figured that out, I just blocked him and brought my server back... So how can I see what account on vpopmail was used to do this kind of thing? I only have smtp-auth, and just accept messages from one of my domains, which are about six and nothing more. I'm afraid that I don't have vpopmail logs; perhaps I installed vpopmail without them, so...
>
> Thanks for any help,
> --
> Walter.

Install this http://www.enderunix.org/isoqlog/

Don't forget the cron job to update its webpages. It reads from qmail logs, so hopefully qmail is logging properly on your box. =)

Best Regards,
Jeremy Eder
Hi-Tek Data, Corp.
V: 516-797-8800 F: 516-797-8892