Re: [qmailtoaster] qmail and spf and gategay

2011-03-01 Thread Gustavo De Poli
Thank you very much.
Then:
1) I'll change 3 to 1 in the file /var/qmail/control/spfbehavior

This means no SPF reject. Is that correct?

2) change spammer with: (but where??? /var/??)

# add score to pass SPF
header spf_pass Received-SPF =~ /\bpass\b/
describe spf_pass SPF Test Pass
score spf_pass -2.0

# add score to softfail SPF
header spf_softfail Received-SPF =~ /\bsoftfail\b/
describe spf_softfail SPF Test Softfail
score spf_softfail 3.0

# add score to fail SPF
header spf_fail Received-SPF =~ /\bfail\b/
describe spf_fail SPF Test Fail
score spf_fail 6.0


I'm still thinking that there would be another way, because in this way every
SPF comes in to my server. Is the problem in the header? I suppose qmail
receives mail with IP address 10.0.0.190 in the header and this is the reason
to reject.
Can I change to the original mail header?

thanks.




2011/3/1 Pak Ogah pako...@pala.bo-tak.info

 On 01-Mar-11 9:37, Gustavo De Poli wrote:

 Hi.
 Sorry, my English is not too good. I need your help.

 Recently I installed qmail toaster on a CentOS 5 (IP address 10.0.0.5).

 My connection to the internet is through a local PC that has 10.0.0.190 (firewall).
 This machine does NAT, so when this machine receives on port 25 it does NAT to
 10.0.0.5, where qmail is.

 But some mails are rejected and I don't receive them.

 When I check /var/log/qmail/smtp/current I see SPF-REJECT.

 I do not know what can be done to resolve this and receive all mails ...
 thanks
 Gustavo


  no problem, I am native English also but I can understand you.
 By default the file /var/qmail/control/spfbehavior contains 3; what you can
 do is change it to 1.
 For details on the spfbehavior option see:
 http://wiki.qmailtoaster.com/index.php/Spfbehavior

 Then you can add custom SA rules like this one:
 # add score to pass SPF
 header spf_pass Received-SPF =~ /\bpass\b/
 describe spf_pass SPF Test Pass
 score spf_pass -2.0

 # add score to softfail SPF
 header spf_softfail Received-SPF =~ /\bsoftfail\b/
 describe spf_softfail SPF Test Softfail
 score spf_softfail 3.0

 # add score to fail SPF
 header spf_fail Received-SPF =~ /\bfail\b/
 describe spf_fail SPF Test Fail
 score spf_fail 6.0



 -
 Qmailtoaster is sponsored by Vickers Consulting Group (
 www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
 If you need professional help with your setup, contact them today!

 -
Please visit qmailtoaster.com for the latest news, updates, and
 packages.
 To unsubscribe, e-mail:
 qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail:
 qmailtoaster-list-h...@qmailtoaster.com





Re: [qmailtoaster] qmail and spf and gategay

2011-03-01 Thread PakOgah
1. Correct. qmt will not reject email if it doesn't have a valid SPF.
2. Sorry, I forgot to tell you. Create the file
/etc/mail/spamassassin/70_custom_rule.cf
then restart qmail.

Details here:
http://www.am3n.co.cc/2011/03/01/spamassasin-custom-rules-to-check-spf-b/


Re: [qmailtoaster] qmail and spf and gategay

2011-03-01 Thread Gustavo De Poli
You're great! thanks YO!!!
Gustavo

2011/3/1 PakOgah pako...@pala.bo-tak.info

 1. Correct. qmt will not reject email if it doesn't have a valid SPF.
 2. Sorry, I forgot to tell you. Create the file
 /etc/mail/spamassassin/70_custom_rule.cf
 then restart qmail.

 Details here:
 http://www.am3n.co.cc/2011/03/01/spamassasin-custom-rules-to-check-spf-b/


Re: [qmailtoaster] qtp-newmodel upgrade fail dependencies on CentOS 5.3

2011-03-01 Thread Jake Vickers

On 02/28/2011 11:03 PM, Sue Jones wrote:

Hello,

I am trying to update some of my qmailtoaster files using 
qtp-newmodel, but am running into a problem because we are running it 
on CentOS 5.3 and getting an error when installing the dependencies 
(see output below).



http://mirror.nic.uoregon.edu/centos/5.3/os/i386/repodata/repomd.xml: 
[Errno 14] HTTP Error 404: Not Found

Trying other mirror.
http://mirror.raystedman.net/centos/5.3/os/i386/repodata/repomd.xml: 
[Errno 14] HTTP Error 404: Not Found

Trying other mirror.
http://mirror.stanford.edu/yum/pub/centos/5.3/os/i386/repodata/repomd.xml: 
[Errno 14] HTTP Error 404: Not Found

Trying other mirror.
http://mirrors.bluehost.com/centos/5.3/os/i386/repodata/repomd.xml: 
[Errno 14] HTTP Error 404: Not Found

Trying other mirror.
http://mirrors.gigenet.com/centos/5.3/os/i386/repodata/repomd.xml: 
[Errno 14] HTTP Error 404: Not Found

Trying other mirror.
http://mirrors.xmission.com/centos/5.3/os/i386/repodata/repomd.xml: 
[Errno 14] HTTP Error 404: Not Found

Trying other mirror.
http://www.cyberuse.com/centos/5.3/os/i386/repodata/repomd.xml: [Errno 
14] HTTP Error 404: Not Found

Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for 
repository: base. Please verify its path and try again

qtp-newmodel - installation of dependent packages failed, exiting





Basically your CentOS version is deprecated and the packages you are 
asking for are no longer available. Browsing to one of the paths you 
were trying to get to:

 http://mirror.raystedman.net/centos/5.3/
You are provided this readme:

--start--

This directory (and version of CentOS) is depreciated.  For normal users,
you should use /5/ and not /5.3/ in your path. Please see this FAQ
concerning the CentOS release scheme:

http://www.centos.org/modules/smartfaq/faq.php?faqid=34

If you know what you are doing, and absolutely want to remain at the 5.3
level, go to http://vault.centos.org/ for packages.

--end--

You could try manually rebuilding the packages, or wait until you do the full 
OS upgrade.

Not sure how old the versions of your packages are, but I imagine if you update 
clamav, squirrelmail, and
qmailadmin you will be fine.




[qmailtoaster] .mailfilter rules

2011-03-01 Thread PakOgah
I tried to create .mailfilter rules based on slamp slamp's example
http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg15443.html

which will deliver email with a subject containing qmailtoaster to the folder
qmailtoaster,
email with a subject containing SPAM or BULK to the folder Spam,
and other email goes to the inbox,
but somehow the file didn't work.

Can someone tell me what's wrong with it?

Thanks b4

[root@svr-m1 ~]# cat /home/vpopmail/domains/pala.bo-tak.info/pakogah/.mailfilter
# Subject contains "qmailtoaster": deliver to the qmailtoaster folder.
# ".*" makes the match "contains"; "Subject: *qmailtoaster*" would only
# match a subject that starts with "qmailtoaste" right after the colon.
if (/^Subject:.*qmailtoaster/)
{
exception {
to $VHOME/Maildir/.qmailtoaster/
}
}

# Subject contains "SPAM" or "BULK": deliver to the Spam folder.
if (/^Subject:.*SPAM/ || /^Subject:.*BULK/)
{
exception {
to $VHOME/Maildir/.Spam/
}
}

# Everything else goes to the inbox. The trailing slash tells maildrop
# this is a maildir; without it maildrop treats the path as an mbox file.
to $VHOME/Maildir/







[qmailtoaster] Re: qtp-newmodel upgrade fail dependencies on CentOS 5.3

2011-03-01 Thread Eric Shubert

On 03/01/2011 07:46 AM, Jake Vickers wrote:


You really should consider upgrading your OS version, especially if you 
have nothing else running on the QMT host.


That being said, you'll probably be ok bypassing the qtp-dependencies 
processing given that you're at 5.3 already. To use qtp-newmodel w/out 
doing the dependencies (they're mostly for SpamAssassin), you can 
comment out the a4_check_dependencies line near (~24 lines from) the end 
of the script like such:

# a4_check_dependencies

This will bypass the dependencies, and everything else should run just fine.

--
-Eric 'shubes'






[qmailtoaster] Re: QTP NewModel and CentOS

2011-03-01 Thread Eric Shubert

On 02/27/2011 09:22 PM, Dan McAllister wrote:

Greetings all...

I've been using QTP almost since its inception -- I love most of the
scripts and find most to be refreshingly robust.

I say most, because I did another QMT install this weekend and decided
to spend a little time trying to debug an error I've had from the
beginning:
On a CentOS 5 x86_64 install that is upgraded from an older version to
CentOS 5.5, the qtp-newmodel script consistently fails to mount a
unioned sandbox.

I know there are issues with CentOS 5 due to the merging of FUSE in
general into the mainline kernel during the CentOS 5 lifetime.
Furthermore, I am aware that the dkms-fuse package has been removed from
the rpmforge repository entirely. But I can get around those. The issue
seems to be with the script mounting /opt/qtp-overlay and it not showing
up in /etc/mtab.

Quite honestly, since I wrote my own update/install script BEFORE I used
QTP, I have in the past just used my script to do the install, then use
the QTP scripts to manage it after that. But I'd sure like to get to the
bottom of this -- even if CentOS 6 comes out in a month or two, I don't
intend to upgrade to it before 2012... so any help would be GREATLY
appreciated.

I can provide traces and logs to anyone familiar with the qtp-sandbox
for union-fs and how it's supposed to work.

Thanks in advance.

Dan McAllister
IT4SOHO

-


Hey Dan.

I'll be working on QMT this week and will look into this (now that I 
have a 64-bit host to test with, thanks to Scott at SouthComputers). 
Stay tuned.


--
-Eric 'shubes'






Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Edwin Casimero

Ban the bad guy IP at the firewall level.

Best wishes,
Edwin

On 03/02/2011 08:25 AM, Sergio M wrote:

Hi there list,
I have been under heavy traffic since Sunday, and it's been using all 
my inbound connections.

I have a QMT updated box, running the latest spamdyke:
# qtp-whatami
qtp-whatami v0.3.7 Tue Mar  1 21:14:03 ART 2011
DISTRO=CentOS
OSVER=5.5
QTARCH=x86_64
QTKERN=2.6.18-194.32.1.el5
BUILD_DIST=cnt5064
BUILD_DIR=/usr/src/redhat
This machine's OS is supported and has been tested


Even though spamdyke does not let the spammers relay the mail, I still 
get all the connections used, making it very hard for authenticated 
users to send mail.
For now I stopped smtpd, but I wanna see if you guys have some other 
thoughts to solve this.


If I look at the maillog, I see LOTS of entries like these:
Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 201.0.152.106 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:38 mail spamdyke[31071]: FILTER_RBL_MATCH ip: 201.43.79.201 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail spamdyke[31075]: FILTER_BLACKLIST_IP ip: 187.106.1.158 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:38 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:201.250.40.202
Feb 27 14:57:38 mail spamdyke[31080]: FILTER_RBL_MATCH ip: 201.81.74.149 rbl: zen.spamhaus.org
Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70
Feb 27 14:57:39 mail spamdyke[31084]: FILTER_RDNS_RESOLVE ip: 189.106.88.244 rdns: 189106088244.user.veloxzone.com.br
Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.43.79.201
Feb 27 14:57:40 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.106.88.244
Feb 27 14:57:41 mail spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 200.105.97.83 rdns: rev.97.83-telecablecr.com
Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:187.106.1.158
Feb 27 14:57:42 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.0.152.106
Feb 27 14:57:42 mail spamdyke[31094]: FILTER_RBL_MATCH ip: 93.39.224.8 rbl: zen.spamhaus.org
Feb 27 14:57:42 mail vpopmail[31098]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:200.45.73.226
Feb 27 14:57:43 mail spamdyke[31100]: FILTER_RBL_MATCH ip: 189.54.236.113 rbl: zen.spamhaus.org
Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip: 187.119.172.80 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.114.176.151
Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:44 mail vpopmail[31110]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:93.39.224.8


So I guess some botnet is trying to relay mail by guessing a specific 
domain user's passwords. Most of the attempts are blocked by RBL 
checking, but that still creates a connection.


Looking at # cat /var/log/qmail/smtp/current | tai64nlocal
2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 189.6.164.77
2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.myhost.com.ar:11.22.33.44:25 :189.6.164.77::37629
2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 190.172.129.24
2011-03-01 20:54:02.157530500 tcpserver: ok 4881 mail.myhost.com.ar:11.22.33.44:25 :190.172.129.24::14782
2011-03-01 20:54:05.433208500 tcpserver: end 4857 status 0
2011-03-01 20:54:05.433211500 tcpserver: status: 24/25
2011-03-01 20:54:05.433212500 tcpserver: status: 25/25
2011-03-01 20:54:05.433213500 tcpserver: pid 4903 from 189.78.49.139
2011-03-01 20:54:05.433215500 tcpserver: ok 4903 mail.myhost.com.ar:11.22.33.44:25 :189.78.49.139::36877
2011-03-01 20:54:06.075161500 tcpserver: end 4800 status 0
2011-03-01 20:54:06.075164500 tcpserver: status: 24/25
2011-03-01 20:54:06.075165500 

[qmailtoaster] Re: SMTP attack

2011-03-01 Thread Eric Shubert

Sergio,

.) Be sure you're running the latest spamdyke (4.2.0). 4.1.x versions 
had a bug where rejected sessions would not terminate immediately, 
causing excessive idle smtp sessions (and ultimately TIMEOUTs). That may 
not be affecting you, but you should check to be sure. Run 
qtp-install-spamdyke to upgrade to the latest version.


.) I would recommend installing fail2ban. This will automatically ban IP 
addresses which have several failed login attempts. There doesn't appear 
to be a wiki page about this yet (ANY TAKERS??), but you should find 
info about it in the list archives. Someone here should be able to help 
if you run into difficulty with it. (Not me though, as I haven't 
implemented it yet).


.) 25 smtp sessions is rather low. I've seen a Celeron 1GHz processor 
handle twice that number. You might need to bump up the spamassassin 
child processes to get there, but it should be doable. What are your HW 
specs?


That's all that comes to my mind right now. Let us know how you make out.

--
-Eric 'shubes'

On 03/01/2011 05:25 PM, Sergio M wrote:

Hi there list,
i have been under heavy traffic since sunday, and its been using all my
inbound connections.
I have a QMT updated box, running the latest spamdyke:
# qtp-whatami
/qtp-whatami v0.3.7 Tue Mar 1 21:14:03 ART 2011
DISTRO=CentOS
OSVER=5.5
QTARCH=x86_64
QTKERN=2.6.18-194.32.1.el5
BUILD_DIST=cnt5064
BUILD_DIR=/usr/src/redhat
This machine's OS is supported and has been tested/


Even though spamdyke does not let the spammers relay the mail, i still
get all the connections used, making it very hard for authenticated
users to send mail.
For now I stopped smtpd, but i wanna see if you guys have some other
thoughts to solve this.

If I see the maillog, i see LOTS of entries like these:
/Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip:
201.0.152.106 rbl: zen.spamhaus.org Feb 27 14:57:38 mail
vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi')
lucianos...@domain.com:190.158.93.231 Feb 27 14:57:38 mail
spamdyke[31071]: FILTER_RBL_MATCH ip: 201.43.79.201 rbl:
zen.spamhaus.org Feb 27 14:57:38 mail spamdyke[31075]:
FILTER_BLACKLIST_IP ip: 187.106.1.158 file:
/var/qmail/control/ip-blacklist(75) Feb 27 14:57:38 mail
vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253')
jorgerodrig...@domain.com:201.250.40.202 Feb 27 14:57:38 mail
spamdyke[31080]: FILTER_RBL_MATCH ip: 201.81.74.149 rbl:
zen.spamhaus.org Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp:
password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70 Feb
27 14:57:39 mail spamdyke[31084]: FILTER_RDNS_RESOLVE ip: 189.106.88.244
rdns: 189106088244.user.veloxzone.com.br Feb 27 14:57:40 mail
vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi')
lucianos...@domain.com:201.43.79.201 Feb 27 14:57:40 mail
vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi')
lucianos...@domain.com:189.106.88.244 Feb 27 14:57:41 mail
spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 200.105.97.83 rdns:
rev.97.83-telecablecr.com Feb 27 14:57:42 mail vpopmail[31092]:
vchkpw-smtp: password fail (pass: 'jdorm253')
jorgerodrig...@domain.com:187.106.1.158 Feb 27 14:57:42 mail
vpopmail[31095]: vchkpw-smtp: password fail (pass: 'luckymi')
lucianos...@domain.com:201.0.152.106 Feb 27 14:57:42 mail
spamdyke[31094]: FILTER_RBL_MATCH ip: 93.39.224.8 rbl: zen.spamhaus.org
Feb 27 14:57:42 mail vpopmail[31098]: vchkpw-smtp: password fail (pass:
'luckymi') lucianos...@domain.com:200.45.73.226 Feb 27 14:57:43 mail
spamdyke[31100]: FILTER_RBL_MATCH ip: 189.54.236.113 rbl: zen.spamhaus.org
Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip:
187.119.172.80 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail (pass:
'luckymi') lucianos...@domain.com:189.114.176.151
Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass:
'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:44 mail vpopmail[31110]: vchkpw-smtp: password fail (pass:
'edos1kd9') eduardos...@domain.com:93.39.224.8/

So i guess some botnet is trying to relay mail guessing a specific
domain user's passwords. Most of the attempts are blocked by RBL
checking, but that still create a connection.

Looking at # cat /var/log/qmail/smtp/current | tai64nlocal
/2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 189.6.164.77
2011-03-01 20:54:01.906030500 tcpserver: ok 4879
mail.myhost.com.ar:11.22.33.44:25 :189.6.164.77::37629 2011-03-01
20:54:02.157286500 tcpserver: end 4797 status 0
2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 190.172.129.24
2011-03-01 20:54:02.157530500 tcpserver: ok 4881
mail.myhost.com.ar:11.22.33.44:25 :190.172.129.24::14782 2011-03-01
20:54:05.433208500 tcpserver: end 4857 status 0
2011-03-01 20:54:05.433211500 tcpserver: status: 24/25
2011-03-01 20:54:05.433212500 tcpserver: status: 25/25
2011-03-01 
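Added here as an example (not code from the thread, from qmailtoaster or from fail2ban), a Python script that applies the rule Eric describes fail2ban enforcing to the two log formats Sergio posted: it counts failed vchkpw-smtp logins per source address inside a time window, lists which mailboxes each address tried, tallies spamdyke filter hits, and flags tcpserver status lines at the concurrency limit. The sample lines, addresses, accounts, year and thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the two formats from the thread: syslog lines from
# spamdyke/vpopmail, and tcpserver lines from /var/log/qmail/smtp/current after
# tai64nlocal. Addresses are documentation-range placeholders, accounts are made
# up, and the attempted passwords vpopmail logs in clear are masked.
SAMPLE_MAILLOG = """\
Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 198.51.100.10 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'xxxx') user1@example.com:203.0.113.5
Feb 27 14:57:38 mail spamdyke[31075]: FILTER_BLACKLIST_IP ip: 198.51.100.11 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:39 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'xxxx') user2@example.com:203.0.113.5
Feb 27 14:57:40 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'xxxx') user1@example.com:203.0.113.5
Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'xxxx') user1@example.com:203.0.113.77
Feb 27 14:57:41 mail spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 198.51.100.12 rdns: host.example.net
Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'xxxx') user1@example.com:203.0.113.5
"""

SAMPLE_SMTPLOG = """\
2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 203.0.113.5
2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.example.com:192.0.2.25:25 :203.0.113.5::37629
2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ vpopmail\[\d+\]: "
    r"vchkpw-smtp: password fail \(pass: '[^']*'\) "
    r"(?P<account>[^:\s]+):(?P<ip>" + IPV4 + r")\s*$"
)
SPAMDYKE_RE = re.compile(r"spamdyke\[\d+\]: (?P<filter>FILTER_[A-Z_]+) ip: (?P<ip>" + IPV4 + ")")
STATUS_RE = re.compile(r"tcpserver: status: (?P<cur>\d+)/(?P<max>\d+)")


def _parse_syslog_ts(ts, year=2011):
    # syslog timestamps carry no year; 2011 is assumed to match the sample.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def auth_failures(lines):
    """Map each source IP to the (timestamp, account) of every failed SMTP AUTH."""
    failures = defaultdict(list)
    for line in lines:
        m = AUTH_FAIL_RE.search(line)
        if m:
            failures[m.group("ip")].append((_parse_syslog_ts(m.group("ts")), m.group("account")))
    return failures


def candidate_bans(lines, maxretry=3, findtime=600):
    """IPs with at least `maxretry` failures inside some `findtime`-second window,
    the same test fail2ban applies with its maxretry/findtime settings."""
    banned = []
    for ip, events in auth_failures(lines).items():
        times = sorted(t for t, _ in events)
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.append(ip)
                break
    return sorted(banned)


def targeted_accounts(lines):
    """Which mailboxes each source IP tried, to see how widely guesses are spread."""
    return {ip: sorted({acct for _, acct in ev}) for ip, ev in auth_failures(lines).items()}


def spamdyke_filter_counts(lines):
    """How many connections each spamdyke filter rejected before AUTH was reached."""
    return Counter(m.group("filter") for m in map(SPAMDYKE_RE.search, lines) if m)


def saturation_events(lines):
    """Count tcpserver status lines that sit at the concurrency limit; return (count, limit)."""
    limit, hits = None, 0
    for line in lines:
        m = STATUS_RE.search(line)
        if m:
            limit = int(m.group("max"))
            if int(m.group("cur")) == limit:
                hits += 1
    return hits, limit


def drop_rules(ips):
    """One firewall rule per offending source, in the form suggested in the thread."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    maillog = SAMPLE_MAILLOG.splitlines()
    print("ban candidates:", candidate_bans(maillog))
    print("targeted accounts:", targeted_accounts(maillog))
    print("spamdyke filters:", dict(spamdyke_filter_counts(maillog)))
    print("sessions at limit:", saturation_events(SAMPLE_SMTPLOG.splitlines()))
```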

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Tony White

Try this at the command line and as root!

iptables -I INPUT -s 11.22.33.44 -j DROP

This will stop him dead in his tracks.
You can use this command for any ip address that gives
you a problem.


On 02/03/2011 11:25 AM, Sergio M wrote:

Hi there list,
i have been under heavy traffic since sunday, and its been using all my inbound 
connections.
I have a QMT updated box, running the latest spamdyke:
# qtp-whatami
/qtp-whatami v0.3.7 Tue Mar  1 21:14:03 ART 2011
DISTRO=CentOS
OSVER=5.5
QTARCH=x86_64
QTKERN=2.6.18-194.32.1.el5
BUILD_DIST=cnt5064
BUILD_DIR=/usr/src/redhat
This machine's OS is supported and has been tested/


Even though spamdyke does not let the spammers relay the mail, i still get all the connections used, making it very hard 
for authenticated users to send mail.

For now I stopped smtpd, but i wanna see if you guys have some other thoughts 
to solve this.

If I see the maillog, i see LOTS of entries like these:
/Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 201.0.152.106 rbl: 
zen.spamhaus.org   Feb 27 14:57:38 mail vpopmail[31072]: 
vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231   Feb 27 14:57:38 
mail spamdyke[31071]: FILTER_RBL_MATCH ip: 201.43.79.201 rbl: 
zen.spamhaus.org   Feb 27 14:57:38 mail spamdyke[31075]: 
FILTER_BLACKLIST_IP ip: 187.106.1.158 file: /var/qmail/control/ip-blacklist(75)Feb 27 
14:57:38 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') 
jorgerodrig...@domain.com:201.250.40.202   Feb 27 14:57:38 mail spamdyke[31080]: FILTER_RBL_MATCH ip: 
201.81.74.149 rbl: zen.spamhaus.org   Feb 27 14:57:39 mail 
vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70
Feb 27 14:57:39 mail spamdyke[31084]: FILTER_RDNS_RESOLVE ip: 189.106.88.244 rdns: 
189106088244.user.veloxzone.com.brFeb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: 
password fail (pass: 'luckymi') lucianos...@domain.com:201.43.79.201Feb 27 14:57:40 mail 
vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.106.88.244   
Feb 27 14:57:41 mail spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 200.105.97.83 rdns: 
rev.97.83-telecablecr.com  Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: 
password fail (pass: 'jdorm253') jorgerodrig...@domain.com:187.106.1.158Feb 27 14:57:42 mail 
vpopmail[31095]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.0.152.106
Feb 27 14:57:42 mail spamdyke[31094]: FILTER_RBL_MATCH ip: 93.39.224.8 rbl: zen.spamhaus.org
Feb 27 14:57:42 mail vpopmail[31098]: vchkpw-smtp: password fail (pass: 'luckymi') 
lucianos...@domain.com:200.45.73.226Feb 27 14:57:43 mail spamdyke[31100]: FILTER_RBL_MATCH ip: 
189.54.236.113 rbl: zen.spamhaus.org

Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip: 187.119.172.80 
file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail (pass: 
'luckymi') lucianos...@domain.com:189.114.176.151
Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass: 
'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:44 mail vpopmail[31110]: vchkpw-smtp: password fail (pass: 
'edos1kd9') eduardos...@domain.com:93.39.224.8/

So i guess some botnet is trying to relay mail guessing a specific domain user's passwords. Most of the attempts are 
blocked by RBL checking, but that still create a connection.


Looking at # cat /var/log/qmail/smtp/current | tai64nlocal
/2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 189.6.164.77
2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.myhost.com.ar:11.22.33.44:25 
:189.6.164.77::37629 2011-03-01 20:54:02.157286500 tcpserver: end 4797 
status 0

2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 190.172.129.24
2011-03-01 20:54:02.157530500 tcpserver: ok 4881 mail.myhost.com.ar:11.22.33.44:25 
:190.172.129.24::14782   2011-03-01 20:54:05.433208500 tcpserver: end 4857 
status 0

2011-03-01 20:54:05.433211500 tcpserver: status: 24/25
2011-03-01 20:54:05.433212500 tcpserver: status: 25/25
2011-03-01 20:54:05.433213500 tcpserver: pid 4903 from 189.78.49.139
2011-03-01 20:54:05.433215500 tcpserver: ok 4903 mail.myhost.com.ar:11.22.33.44:25 
:189.78.49.139::368772011-03-01 20:54:06.075161500 tcpserver: end 

[qmailtoaster] Re: SMTP attack

2011-03-01 Thread Eric Shubert
Yes, but the attacks appear to be coming from a variety of addresses. 
fail2ban will do essentially this automatically and for whatever 
addresses attacks may come from. fail2ban is a much better solution imo.

--
-Eric 'shubes'

On 03/01/2011 06:14 PM, Tony White wrote:

Try this at the command line and as root!

iptables -I INPUT -s 11.22.33.44 -j DROP

This will stop him dead in his tracks.
You can use this command for any ip address that gives
you a problem.


On 02/03/2011 11:25 AM, Sergio M wrote:

Hi there list,
I have been under heavy traffic since Sunday, and it's been using all
my inbound connections.
I have a QMT updated box, running the latest spamdyke:
# qtp-whatami
qtp-whatami v0.3.7 Tue Mar 1 21:14:03 ART 2011
DISTRO=CentOS
OSVER=5.5
QTARCH=x86_64
QTKERN=2.6.18-194.32.1.el5
BUILD_DIST=cnt5064
BUILD_DIR=/usr/src/redhat
This machine's OS is supported and has been tested


Even though spamdyke does not let the spammers relay the mail, I still
get all the connections used, making it very hard for authenticated
users to send mail.
For now I stopped smtpd, but I want to see if you guys have some other
thoughts to solve this.

If I look at the maillog, I see LOTS of entries like these:
Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 201.0.152.106 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:38 mail spamdyke[31071]: FILTER_RBL_MATCH ip: 201.43.79.201 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail spamdyke[31075]: FILTER_BLACKLIST_IP ip: 187.106.1.158 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:38 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:201.250.40.202
Feb 27 14:57:38 mail spamdyke[31080]: FILTER_RBL_MATCH ip: 201.81.74.149 rbl: zen.spamhaus.org
Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70
Feb 27 14:57:39 mail spamdyke[31084]: FILTER_RDNS_RESOLVE ip: 189.106.88.244 rdns: 189106088244.user.veloxzone.com.br
Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.43.79.201
Feb 27 14:57:40 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.106.88.244
Feb 27 14:57:41 mail spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 200.105.97.83 rdns: rev.97.83-telecablecr.com
Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:187.106.1.158
Feb 27 14:57:42 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.0.152.106
Feb 27 14:57:42 mail spamdyke[31094]: FILTER_RBL_MATCH ip: 93.39.224.8 rbl: zen.spamhaus.org
Feb 27 14:57:42 mail vpopmail[31098]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:200.45.73.226
Feb 27 14:57:43 mail spamdyke[31100]: FILTER_RBL_MATCH ip: 189.54.236.113 rbl: zen.spamhaus.org
Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip: 187.119.172.80 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.114.176.151
Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:44 mail vpopmail[31110]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:93.39.224.8

So I guess some botnet is trying to relay mail by guessing a specific
domain's user passwords. Most of the attempts are blocked by RBL
checking, but they still create a connection.

Looking at # cat /var/log/qmail/smtp/current | tai64nlocal
2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 189.6.164.77
2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.myhost.com.ar:11.22.33.44:25 :189.6.164.77::37629
2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 190.172.129.24
2011-03-01 20:54:02.157530500 tcpserver: ok 4881 mail.myhost.com.ar:11.22.33.44:25 :190.172.129.24::14782
2011-03-01 20:54:05.433208500 tcpserver: end 4857 status 0
2011-03-01 20:54:05.433211500 tcpserver: status: 24/25
2011-03-01 20:54:05.433212500 tcpserver: status: 25/25
2011-03-01 20:54:05.433213500 tcpserver: pid 4903 from 189.78.49.139
2011-03-01 20:54:05.433215500 tcpserver: ok 4903 mail.myhost.com.ar:11.22.33.44:25 :189.78.49.139::36877
2011-03-01 20:54:06.075161500 tcpserver: end 4800 status 0
2011-03-01 20:54:06.075164500 tcpserver: status: 24/25
2011-03-01 20:54:06.075165500 tcpserver: status: 25/25
2011-03-01 20:54:06.075166500 tcpserver: pid 4908 from 186.114.65.254
2011-03-01 20:54:06.075168500 tcpserver: ok 4908 mail.myhost.com.ar:11.22.33.44:25 :186.114.65.254::13026
2011-03-01 20:54:06.441699500 tcpserver: end 4821 status 0
2011-03-01 

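Tony's one-liner and Eric's fail2ban suggestion come down to the same thing: count failed SMTP-AUTH attempts per source address and drop the addresses that keep coming back. The script below is an added example, not code from the thread or from qmailtoaster. It reads maillog lines on stdin, tallies the vpopmail "vchkpw-smtp: password fail" entries per IP, and prints Tony's iptables DROP rule for every IP over a threshold; it only executes the rules when run as root with APPLY=1. The embedded sample is copied from the log excerpt above (mailbox names and domain masked as in the archive); the function names, the APPLY variable and the default threshold are this example's own choices.

```shell
#!/bin/sh
# Added example: the manual version of what fail2ban automates for this
# thread's attack. Counts vpopmail "vchkpw-smtp: password fail" lines per
# source IP and emits Tony White's "iptables -I INPUT -s IP -j DROP" for
# each IP over a threshold. Not code from the qmailtoaster project.

# Sample input, copied from the log excerpt posted in the thread (the
# archive masks the mailbox names and the domain).
SAMPLE_LOG=$(cat <<'EOF'
Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 201.0.152.106 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:38 mail spamdyke[31075]: FILTER_BLACKLIST_IP ip: 187.106.1.158 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:38 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:201.250.40.202
Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70
Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.43.79.201
Feb 27 14:57:40 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.106.88.244
Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:187.106.1.158
Feb 27 14:57:42 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.0.152.106
Feb 27 14:57:42 mail vpopmail[31098]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:200.45.73.226
Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.114.176.151
Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:44 mail vpopmail[31110]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:93.39.224.8
EOF
)

# Extract the source IP from every vchkpw-smtp password failure on stdin.
# vpopmail logs it as the last token, after "user@domain:". spamdyke's own
# FILTER_* lines are not authentication attempts and do not match.
failed_auth_ips() {
    sed -n "s/.*vchkpw-smtp: password fail (pass: '[^']*') [^ ]*:\([0-9.]*\).*/\1/p"
}

# Print "count ip" for each IP with at least $1 failures (default 5),
# busiest first.
auth_failures_by_ip() {
    min="${1:-5}"
    failed_auth_ips | sort | uniq -c | sort -rn \
        | awk -v min="$min" '$1 >= min { print $1, $2 }'
}

# Print one DROP rule per offending IP; with APPLY=1 (as root) run it instead.
ban_rules() {
    auth_failures_by_ip "$1" | while read -r count ip; do
        if [ "${APPLY:-0}" = 1 ]; then
            iptables -I INPUT -s "$ip" -j DROP
        else
            printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
        fi
    done
}

# Demo on the embedded sample: sh ban-auth-failures.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | ban_rules 2
fi
```

On a live box the input is the real log, e.g. `auth_failures_by_ip 5 < /var/log/maillog`, and the threshold matters: in the excerpt every source address shows up only once or twice, so a high threshold bans nothing, which is the reason per-IP blocking (manual or fail2ban) only blunts this kind of distributed attack rather than stopping it.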
Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Carlos Herrera Polo
Does the greylisting process not work for this problem?


2011/3/1, Eric Shubert e...@shubes.net:
 Sergio,

 .) Be sure you're running the latest spamdyke (4.2.0). 4.1.x versions
 had a bug where rejected sessions would not terminate immediately,
 causing excessive idle smtp sessions (and ultimately TIMEOUTs). That may
 not be affecting you, but you should check to be sure. Run
 qtp-install-spamdyke to upgrade to the latest version.

 .) I would recommend installing fail2ban. This will automatically ban IP
 addresses which have several failed login attempts. There doesn't appear
 to be a wiki page about this yet (ANY TAKERS??), but you should find
 info about it in the list archives. Someone here should be able to help
 if you run into difficulty with it. (Not me though, as I haven't
 implemented it yet).

 .) 25 smtp sessions is rather low. I've seen a Celeron 1GHz processor
 handle twice that number. You might need to bump up the spamassassin
 child processes to get there, but it should be doable. What are your HW
 specs?

 That's all that comes to my mind right now. Let us know how you make out.

 --
 -Eric 'shubes'

 On 03/01/2011 05:25 PM, Sergio M wrote:
 [...]

Re: [qmailtoaster] Re: SMTP attack

2011-03-01 Thread Tony White

Agreed Eric, but this is a VERY quick simple fix when the thing starts!


On 02/03/2011 12:24 PM, Eric Shubert wrote:
Yes, but the attacks appear to be coming from a variety of addresses. fail2ban will do essentially this automatically and 
for whatever addresses attacks may come from. fail2ban is a much better solution imo.


--
best wishes
  Tony White



-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
 If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.

 To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com

For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




Re: [qmailtoaster] Re: SMTP attack

2011-03-01 Thread Sergio M

Eric Shubert escribió:

Sergio,

.) Be sure you're running the latest spamdyke (4.2.0). 4.1.x versions 
had a bug where rejected sessions would not terminate immediately, 
causing excessive idle smtp sessions (and ultimately TIMEOUTs). That 
may not be affecting you, but you should check to be sure. Run 
qtp-install-spamdyke to upgrade to the latest version.


.) I would recommend installing fail2ban. This will automatically ban 
IP addresses which have several failed login attempts. There doesn't 
appear to be a wiki page about this yet (ANY TAKERS??), but you should 
find info about it in the list archives. Someone here should be able 
to help if you run into difficulty with it. (Not me though, as I 
haven't implemented it yet).


.) 25 smtp sessions is rather low. I've seen a Celeron 1GHz processor 
handle twice that number. You might need to bump up the spamassassin 
child processes to get there, but it should be doable. What are your 
HW specs?


That's all that comes to my mind right now. Let us know how you make out.


Thanks Eric!
I updated spamdyke this morning.

I have a Quad-Core AMD Opteron(tm) Processor 1354 (cpu MHz: 
1100.000) with 1GB RAM.
Using 25 sessions, on a normal day it never gets past 20 of 25. I 
thought about raising them, but they will all get used by spammers. What 
about those child processes you mentioned?


I am also looking at fail2ban.

@Carlos: Greylisting is not working because mail is not accepted, but 
the sessions are used anyway.


Thanks guys!







Re: [qmailtoaster] Re: SMTP attack

2011-03-01 Thread Tony White

Eric,
  Do you have Fail2Ban working with the
qmail logs?


On 02/03/2011 12:24 PM, Eric Shubert wrote:
Yes, but the attacks appear to be coming from a variety of addresses. fail2ban will do essentially this automatically and 
for whatever addresses attacks may come from. fail2ban is a much better solution imo.


--
best wishes
  Tony White







Re: [qmailtoaster] Re: SMTP attack

2011-03-01 Thread Sergio M

I think he said he is not a user yet, but I am looking at:
http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg23951.html

Tony White escribió:

Eric,
  Do you have Fail2Ban working with the
qmail logs?


On 02/03/2011 12:24 PM, Eric Shubert wrote:
Yes, but the attacks appear to be coming from a variety of addresses. 
fail2ban will do essentially this automatically and for whatever 
addresses attacks may come from. fail2ban is a much better solution imo.








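Tony's question (fail2ban on the qmail logs) and Eric's recommendation both reduce to one failregex for the vchkpw-smtp line format in Sergio's excerpt. What follows is an added example of such a filter and jail, with an offline check of the pattern; it is not the configuration from the archive message Sergio links to, nor anything from the qmailtoaster wiki. Assumptions: fail2ban 0.8.x as packaged for CentOS 5, vpopmail logging to /var/log/maillog (the "maillog" Sergio refers to), SMTP-AUTH offered on ports 25, 465 and 587, and a jail name, thresholds and function names of this example's own choosing.

```shell
#!/bin/sh
# Added example (not from the qmailtoaster thread or wiki): a fail2ban filter
# and jail for vpopmail's "vchkpw-smtp: password fail" lines, plus an offline
# check that the pattern picks the source IP out of real log lines.
# Assumes fail2ban 0.8.x, /var/log/maillog, and SMTP-AUTH on 25/465/587.

# Contents for /etc/fail2ban/filter.d/qmail-vpopmail.conf. fail2ban strips
# the syslog timestamp before matching; <HOST> is its placeholder for the
# address to ban, which vpopmail logs after "user@domain:".
FILTER_CONF=$(cat <<'EOF'
[Definition]
failregex = vchkpw-smtp: password fail \(pass: '[^']*'\) \S+:<HOST>\s*$
ignoreregex =
EOF
)

# Jail stanza for /etc/fail2ban/jail.local. maxretry is deliberately low:
# in the thread's excerpt most source addresses make only one or two
# attempts each, so the default of 5 would ban almost none of them.
JAIL_CONF=$(cat <<'EOF'
[qmail-vpopmail]
enabled  = true
filter   = qmail-vpopmail
action   = iptables-multiport[name=qmail-vpopmail, port="25,465,587", protocol=tcp]
logpath  = /var/log/maillog
maxretry = 2
findtime = 600
bantime  = 3600
EOF
)

# Write both pieces under a root directory ("/etc/fail2ban" on a real box).
write_fail2ban_config() {
    root="$1"
    mkdir -p "$root/filter.d"
    printf '%s\n' "$FILTER_CONF" > "$root/filter.d/qmail-vpopmail.conf"
    printf '%s\n' "$JAIL_CONF" >> "$root/jail.local"
}

# Offline check of the failregex: the same pattern as a sed BRE, with <HOST>
# replaced by an IPv4 capture. Prints the host for every line that would
# count as a failure. On the server itself the real check is:
#   fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/qmail-vpopmail.conf
vchkpw_hosts() {
    sed -n "s/.*vchkpw-smtp: password fail (pass: '[^']*') [^ ][^ ]*:\([0-9.]*\)[[:space:]]*\$/\1/p"
}

# Lines copied from the thread's log excerpt (mailbox names masked by the
# archive). The spamdyke line must NOT match: it is a rejected connection,
# not a login attempt.
SAMPLE_LOG=$(cat <<'EOF'
Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 201.0.152.106 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:38 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:201.250.40.202
EOF
)

# Demo: sh qmail-vpopmail-jail.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | vchkpw_hosts
fi
```

After writing the files, `fail2ban-regex` against the live maillog is the check that the filter matches what vpopmail actually writes on that box, and `fail2ban-client status qmail-vpopmail` shows what the jail has banned once it is reloaded. The jail only limits how many connections each source can burn; the accounts whose passwords are being tried by name are the real exposure and need their passwords changed regardless.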


Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Cecil Yother, Jr.
Tony,

Does this append the offending IP to the existing iptables rules?

I use fail2ban and it works great.  OSSEC HIDS is a good tool too.  I
use them both actually.

CJ

On 03/01/2011 05:14 PM, Tony White wrote:
 Try this at the command line and as root!

 iptables -I INPUT -s 11.22.33.44 -j DROP

 This will stop him dead in his tracks.
 You can use this command for any ip address that gives
 you a problem.


 On 02/03/2011 11:25 AM, Sergio M wrote:
 [...]

[qmailtoaster] Re: SMTP attack

2011-03-01 Thread Eric Shubert
I don't think so. The hacker is trying to authenticate, and failing. 
Greylisting would prohibit mail from being received, but the problem 
occurs before an email is transmitted.

Thanks for the suggestion though.
--
-Eric 'shubes'

On 03/01/2011 06:38 PM, Carlos Herrera Polo wrote:

Greylisting process not work in this problem ?


2011/3/1, Eric Shubert e...@shubes.net:

 [...]

RE: [qmailtoaster] SMTP attack

2011-03-01 Thread Michael Colvin
Are all of the username portions of the e-mail addresses legitimate e-mails?
IE, it looks like you cleansed the domain portion, but, in the log, are
all, or most, of the e-mails legitimate?

I've seen this with random attempts at guessing e-mails and passwords, but
not with all legit e-mails.

If they are all legit, is the domain yours?  Or is it theirs?  (IE, do you
host it as an ISP, or is this the only domain and you control it?)

 
Michael J. Colvin
NorCal Internet Services
www.norcalisp.com
 


 -Original Message-
 From: Sergio M [mailto:sergio...@gmail.com]
 Sent: Tuesday, March 01, 2011 4:25 PM
 To: QmailToaster List
 Subject: [qmailtoaster] SMTP attack
 
 [...]

[qmailtoaster] Re: SMTP attack

2011-03-01 Thread Eric Shubert

True enough. Can be a quick and dirty (temporary) fix.
--
-Eric 'shubes'

On 03/01/2011 06:44 PM, Tony White wrote:

Agreed Eric, but this is a VERY quick simple fix when the thing starts!


On 02/03/2011 12:24 PM, Eric Shubert wrote:

Yes, but the attacks appear to be coming from a variety of addresses.
fail2ban will do essentially this automatically and for whatever
addresses attacks may come from. fail2ban is a much better solution imo.










Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Sergio M

Michael Colvin wrote:

Are all of the username portions of the e-mail addresses legitimate e-mails?
IE, it looks like you cleansed the domain portion, but, in the log, are the
all, or most, of the e-mails legitimate?

I've seen this with random attempts at guessing e-mails and passwords, but
not with all legit e-mails.

If they are all legit, is the domain yours?  Or is it theirs?  (IE do you
host it as an ISP, or is this the only domain and you control it?)

 
Michael J. Colvin

NorCal Internet Services
www.norcalisp.com
 
  

Hi Michael,
they are all legitimate email addresses, for one domain only though.
We host it as an ISP.
Thanks!

-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
 If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.

 To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com

For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




[qmailtoaster] Re: SMTP attack

2011-03-01 Thread Eric Shubert

If CJ got it working, then I expect that just about anyone can do it. ;)

JK CJ. Would you care to create a page on the wiki for this?

--
-Eric 'shubes'


On 03/01/2011 06:58 PM, Cecil Yother, Jr. wrote:

Tony,

Does this append the existing iptable with the offending IP?

I use fail2ban and it works great.  OSSEC HIDS is a good tool too.  I
use them both actually.

CJ

On 03/01/2011 05:14 PM, Tony White wrote:

Try this at the command line and as root!

iptables -I INPUT -s 11.22.33.44 -j DROP

This will stop him dead in his tracks.
You can use this command for any ip address that gives
you a problem.





-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
 If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.

 To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com

For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




[qmailtoaster] Re: SMTP attack

2011-03-01 Thread Eric Shubert
I haven't implemented Fail2Ban yet. Been meaning to, but haven't had the 
need. I believe others on this list have though.

--
-Eric 'shubes'

On 03/01/2011 06:52 PM, Tony White wrote:

Eric,
Do you have Fail2Ban working with the
qmail logs?


On 02/03/2011 12:24 PM, Eric Shubert wrote:

Yes, but the attacks appear to be coming from a variety of addresses.
fail2ban will do essentially this automatically and for whatever
addresses attacks may come from. fail2ban is a much better solution imo.






-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
 If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.

 To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com

For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




RE: [qmailtoaster] SMTP attack

2011-03-01 Thread Michael Colvin
Well...  My first thought would be to isolate this domain from my mail
server, so that it isn't affecting my other customers.

Perhaps changing DNS (Change the IP for the server to something non-existent
for now, like 192.168.0.1 or something.)  Likely won't stop it immediately
but might prevent new Bots from finding the server after you block
existing ones.  

Also, block the domain in spamdyke.  I think that will drop the connection
at the SMTP level almost immediately, and prevent them from possibly finding
a good username/password combo. 

This might free up enough resources to allow your other customers to start
being able to send.

Then maybe go through the logs, add IP's to IPTABLES, and hope the DNS
changes prevent new bots from finding the server.

 
Michael J. Colvin
NorCal Internet Services
www.norcalisp.com
 



 -Original Message-
 From: Sergio M [mailto:sergio...@gmail.com]
 Sent: Tuesday, March 01, 2011 6:45 PM
 To: qmailtoaster-list@qmailtoaster.com
 Subject: Re: [qmailtoaster] SMTP attack
 
 Michael Colvin wrote:
  Are all of the username portions of the e-mail addresses legitimate e-
 mails?
  IE, it looks like you cleansed the domain portion, but, in the log, are
 the
  all, or most, of the e-mails legitimate?
 
  I've seen this with random attempts at guessing e-mails and passwords,
 but
  not with all legit e-mails.
 
  If they are all legit, is the domain yours?  Or is it theirs?  (IE do
 you
  host it as an ISP, or is this the only domain and you control it?)
 
 
  Michael J. Colvin
  NorCal Internet Services
  www.norcalisp.com
 
 
 Hi Michael,
 they are all legitimate email addresses, for one domain only though.
  We host it as an ISP.
 Thanks!
 
 



-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
  If you need professional help with your setup, contact them today!
-
 Please visit qmailtoaster.com for the latest news, updates, and packages.

  To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
 For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




Re: [qmailtoaster] SMTP attack

2011-03-01 Thread South Computers
Sounds like they may have gotten hit with a virus or pissed someone off. 
I would block the domain from relaying & inform the customer, possibly 
make them change their email account passwords if it's not a large 
organization. Ask them to relay through their provider if possible for 
the time being. Fail2ban would be the best solution for the time being 
as previously mentioned.


Sergio M wrote:

Michael Colvin wrote:
Are all of the username portions of the e-mail addresses legitimate 
e-mails?
IE, it looks like you cleansed the domain portion, but, in the log, 
are the

all, or most, of the e-mails legitimate?

I've seen this with random attempts at guessing e-mails and 
passwords, but

not with all legit e-mails.

If they are all legit, is the domain yours?  Or is it theirs?  (IE do 
you

host it as an ISP, or is this the only domain and you control it?)


Michael J. Colvin
NorCal Internet Services
www.norcalisp.com


Hi Michael,
they are all legitimate email addresses, for one domain only though.
We host it as an ISP.
Thanks!









-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
 If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.

 To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com

For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




RE: [qmailtoaster] SMTP attack

2011-03-01 Thread Michael Colvin
I agree about Fail2Ban.  That's your ultimate goal, but for me, getting the
other users of the mail server back online is first...  (Assuming you can
w/o using Fail2ban)

I've found once attacks like this get effectively blocked, they go away,
unless, as South says, they pissed someone off and are a specific target...

 
Michael J. Colvin
NorCal Internet Services
www.norcalisp.com
 



 -Original Message-
 From: South Computers [mailto:i...@southcomputers.com]
 Sent: Tuesday, March 01, 2011 7:07 PM
 To: qmailtoaster-list@qmailtoaster.com
 Subject: Re: [qmailtoaster] SMTP attack
 
 Sounds like they may have gotten hit with a virus or pissed someone off.
 I would block the domain from relaying & inform the customer, possibly
 make them change their email account passwords if it's not a large
 organization. Ask them to relay through their provider if possible for
 the time being. Fail2ban would be the best solution for the time being
 as previously mentioned.
 
 Sergio M wrote:
  Michael Colvin wrote:
  Are all of the username portions of the e-mail addresses legitimate
  e-mails?
  IE, it looks like you cleansed the domain portion, but, in the log,
  are the
  all, or most, of the e-mails legitimate?
 
  I've seen this with random attempts at guessing e-mails and
  passwords, but
  not with all legit e-mails.
 
  If they are all legit, is the domain yours?  Or is it theirs?  (IE do
  you
  host it as an ISP, or is this the only domain and you control it?)
 
 
  Michael J. Colvin
  NorCal Internet Services
  www.norcalisp.com
 
  Hi Michael,
  they are all legitimate email addresses, for one domain only though.
  We host it as an ISP.
  Thanks!
 
  
 -
 
  Qmailtoaster is sponsored by Vickers Consulting Group
  (www.vickersconsulting.com)
 Vickers Consulting Group offers Qmailtoaster support and
  installations.
   If you need professional help with your setup, contact them today!
  
 -
 
  Please visit qmailtoaster.com for the latest news, updates, and
  packages.
   To unsubscribe, e-mail:
  qmailtoaster-list-unsubscr...@qmailtoaster.com
  For additional commands, e-mail:
  qmailtoaster-list-h...@qmailtoaster.com
 
 
 
 
 
 
 



-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
  If you need professional help with your setup, contact them today!
-
 Please visit qmailtoaster.com for the latest news, updates, and packages.

  To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
 For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Sergio M

South Computers wrote:
Sounds like they may have gotten hit with a virus or pissed someone 
off. I would block the domain from relaying & inform the customer, 
possibly make them change their email account passwords if it's not a 
large organization. Ask them to relay through their provider if 
possible for the time being. Fail2ban would be the best solution for 
the time being as previously mentioned.



The passwords are all wrong. They are all like:
mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') 
eduardos...@domain.com:201.82.74.70


The domain is blocked in spamdyke, unless they authenticate and bypass 
the filters, so that is covered. But the smtp sessions are used 
nevertheless.


I installed fail2ban (from the repos mentioned in fail2ban.org) but 
cannot make it work with the smtpd. I tried with 
http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg23951.html 
but I think it has a conf file missing and the vpopmail is for pop3.
I also tried with 
http://notes.benv.junerules.com/all/software/qmail-spamdyke-and-fail2ban/#more-539 
but cannot make it work with the RBL_MATCH filter.


Any tips from satisfied fail2ban users?

Thanks!
Sergio


-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
 If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.

 To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com

For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Tony White

It does yes!


On 02/03/2011 12:58 PM, Cecil Yother, Jr. wrote:

Tony,

Does this append the existing iptable with the offending IP?

I use fail2ban and it works great.  OSSEC HIDS is a good tool too.  I
use them both actually.

CJ

On 03/01/2011 05:14 PM, Tony White wrote:

Try this at the command line and as root!

iptables -I INPUT -s 11.22.33.44 -j DROP

This will stop him dead in his tracks.
You can use this command for any ip address that gives
you a problem.


On 02/03/2011 11:25 AM, Sergio M wrote:

Hi there list,
I have been under heavy traffic since Sunday, and it's been using all
my inbound connections.
I have a QMT updated box, running the latest spamdyke:
# qtp-whatami
qtp-whatami v0.3.7 Tue Mar  1 21:14:03 ART 2011
DISTRO=CentOS
OSVER=5.5
QTARCH=x86_64
QTKERN=2.6.18-194.32.1.el5
BUILD_DIST=cnt5064
BUILD_DIR=/usr/src/redhat
This machine's OS is supported and has been tested


Even though spamdyke does not let the spammers relay the mail, I
still get all the connections used, making it very hard for
authenticated users to send mail.
For now I stopped smtpd, but I wanna see if you guys have some other
thoughts to solve this.

If I see the maillog, I see LOTS of entries like these:
Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 201.0.152.106 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:38 mail spamdyke[31071]: FILTER_RBL_MATCH ip: 201.43.79.201 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail spamdyke[31075]: FILTER_BLACKLIST_IP ip: 187.106.1.158 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:38 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:201.250.40.202
Feb 27 14:57:38 mail spamdyke[31080]: FILTER_RBL_MATCH ip: 201.81.74.149 rbl: zen.spamhaus.org
Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70
Feb 27 14:57:39 mail spamdyke[31084]: FILTER_RDNS_RESOLVE ip: 189.106.88.244 rdns: 189106088244.user.veloxzone.com.br
Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.43.79.201
Feb 27 14:57:40 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.106.88.244
Feb 27 14:57:41 mail spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 200.105.97.83 rdns: rev.97.83-telecablecr.com
Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:187.106.1.158
Feb 27 14:57:42 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.0.152.106
Feb 27 14:57:42 mail spamdyke[31094]: FILTER_RBL_MATCH ip: 93.39.224.8 rbl: zen.spamhaus.org
Feb 27 14:57:42 mail vpopmail[31098]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:200.45.73.226
Feb 27 14:57:43 mail spamdyke[31100]: FILTER_RBL_MATCH ip: 189.54.236.113 rbl: zen.spamhaus.org
Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip: 187.119.172.80 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.114.176.151
Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:44 mail vpopmail[31110]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:93.39.224.8

So I guess some botnet is trying to relay mail guessing a specific
domain user's passwords. Most of the attempts are blocked by RBL
checking, but that still creates a connection.

Looking at # cat /var/log/qmail/smtp/current | tai64nlocal
2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 189.6.164.77
2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.myhost.com.ar:11.22.33.44:25 :189.6.164.77::37629
2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 190.172.129.24
2011-03-01 20:54:02.157530500 tcpserver: ok 4881 mail.myhost.com.ar:11.22.33.44:25 :190.172.129.24::14782
2011-03-01 20:54:05.433208500 tcpserver: end 4857 status 0
2011-03-01 20:54:05.433211500 tcpserver: status: 24/25
2011-03-01 20:54:05.433212500 tcpserver: status: 25/25
2011-03-01 20:54:05.433213500 tcpserver: pid 4903 from 189.78.49.139
2011-03-01 20:54:05.433215500 tcpserver: ok 4903 mail.myhost.com.ar:11.22.33.44:25 :189.78.49.139::36877
2011-03-01 20:54:06.075161500 tcpserver: end 4800 status 0
2011-03-01 20:54:06.075164500 tcpserver: status: 24/25
2011-03-01 20:54:06.075165500 tcpserver: 
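
Added example, not code from Tony, Sergio or the QMT project: a small Python script that does what Tony's one-off iptables rule does by hand, but driven by the tcpserver log quoted above. It reads lines in the tai64nlocal format, attributes every "pid N from IP" connection (and, where the matching "end N" line is also in the log, its duration) to the remote IP, counts how often the concurrency limit was reached (the "status: 25/25" lines, where 25 is the -c limit tcpserver was started with on this box), and prints Tony's iptables rule for the sources that connected most often. The sample log is constructed in the same format with RFC 5737 documentation addresses instead of the real ones, and the threshold of three connections is an arbitrary value chosen for the sample.

```python
"""
Added example (not from Tony's, Sergio's or the QMT project's code): per-IP
connection accounting over tcpserver log lines as printed by tai64nlocal.
"""
import re
import sys
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same format as the log quoted in the thread
# (RFC 5737 documentation addresses instead of the real ones).
SAMPLE_LOG = """\
2011-03-01 20:54:01.905947500 tcpserver: status: 25/25
2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 198.51.100.7
2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.example.com:192.0.2.25:25 :198.51.100.7::37629
2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 203.0.113.10
2011-03-01 20:54:02.157530500 tcpserver: ok 4881 mail.example.com:192.0.2.25:25 :203.0.113.10::14782
2011-03-01 20:54:03.000000500 tcpserver: end 4879 status 0
2011-03-01 20:54:03.000100500 tcpserver: status: 24/25
2011-03-01 20:54:03.000200500 tcpserver: status: 25/25
2011-03-01 20:54:03.000300500 tcpserver: pid 4903 from 198.51.100.7
2011-03-01 20:54:03.000400500 tcpserver: ok 4903 mail.example.com:192.0.2.25:25 :198.51.100.7::36877
2011-03-01 20:54:03.500000500 tcpserver: end 4903 status 0
2011-03-01 20:54:03.500100500 tcpserver: status: 24/25
2011-03-01 20:54:03.500200500 tcpserver: status: 25/25
2011-03-01 20:54:03.500300500 tcpserver: pid 4910 from 198.51.100.7
2011-03-01 20:54:04.000000500 tcpserver: end 4910 status 0
2011-03-01 20:54:04.000100500 tcpserver: status: 24/25
2011-03-01 20:54:30.000000500 tcpserver: end 4881 status 0
2011-03-01 20:54:30.000100500 tcpserver: status: 23/25
"""

TS_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{9}) tcpserver: (.*)$")
PID_RE = re.compile(r"pid (\d+) from (\S+)")
END_RE = re.compile(r"end (\d+) status (\d+)")
STATUS_RE = re.compile(r"status: (\d+)/(\d+)")


def parse_time(stamp):
    """tai64nlocal prints nanoseconds; datetime only takes microseconds."""
    return datetime.strptime(stamp[:-3], "%Y-%m-%d %H:%M:%S.%f")


def analyze(lines):
    """Return (connections per IP, session durations per IP in seconds,
    number of times the concurrency limit was reached, the limit itself)."""
    open_sessions = {}              # pid -> (remote ip, start time)
    conns = defaultdict(int)
    durations = defaultdict(list)
    saturated = 0
    limit = None
    for line in lines:
        m = TS_RE.match(line)
        if not m:
            continue
        ts, rest = parse_time(m.group(1)), m.group(2)
        if (p := PID_RE.match(rest)):
            pid, ip = int(p.group(1)), p.group(2)
            open_sessions[pid] = (ip, ts)
            conns[ip] += 1
        elif (e := END_RE.match(rest)):
            # an 'end' for a pid that started before the log began is skipped
            pid = int(e.group(1))
            if pid in open_sessions:
                ip, t0 = open_sessions.pop(pid)
                durations[ip].append((ts - t0).total_seconds())
        elif (s := STATUS_RE.match(rest)):
            current, limit = int(s.group(1)), int(s.group(2))
            if current >= limit:
                saturated += 1
    return dict(conns), dict(durations), saturated, limit


def block_rules(conns, threshold=3):
    """The iptables rule from Tony's reply, one per IP at or over threshold,
    busiest first. threshold=3 is an arbitrary value for the sample."""
    busiest = sorted(conns.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip, n in busiest if n >= threshold]


if __name__ == "__main__":
    # tai64nlocal < /var/log/qmail/smtp/current | python3 smtp_conns.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    conns, durations, saturated, limit = analyze(text.splitlines())
    print(f"concurrency limit {limit} reached {saturated} times")
    for ip, n in sorted(conns.items(), key=lambda kv: -kv[1]):
        d = durations.get(ip, [])
        print(f"{ip:16} {n:4} connections, avg session {sum(d) / max(len(d), 1):.2f}s")
    for rule in block_rules(conns):
        print(rule)
```

Feed it the live log with tai64nlocal < /var/log/qmail/smtp/current | python3 smtp_conns.py. Rules inserted this way last only until iptables is restarted, and, as Eric notes in this thread, the sources keep changing, which is why fail2ban or similar automation is the better fix.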

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Tony White

Hi,
  FWIW I have some scripts that you can download
from my ftp server in the pub/qtp folder. They are
not all documented but they are reasonably simple
scripts that can be understood easily.

goto
ftp.ycs.com.au
cd /pub/qtp

qtp users are welcome to them but please use
anonymous and your email address to login.

  The scripts are as is and work for me. They may need
changes to suit your needs.
  If anyone improves on them I would appreciate knowing.


On 02/03/2011 12:58 PM, Cecil Yother, Jr. wrote:

Tony,

Does this append the existing iptable with the offending IP?

I use fail2ban and it works great.  OSSEC HIDS is a good tool too.  I
use them both actually.

CJ

On 03/01/2011 05:14 PM, Tony White wrote:

Try this at the command line and as root!

iptables -I INPUT -s 11.22.33.44 -j DROP

This will stop him dead in his tracks.
You can use this command for any ip address that gives
you a problem.



Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Sergio M
I found this to use fail2ban to block vpopmail failed passwd attempts, 
but cannot make it work.

It's in Spanish, but the code is in English anyway.
http://systemadmin.es/2011/01/anadir-nuevas-reglas-de-filtrado-a-fail2ban

Any ideas, especially about the regex?

Thanks!
-Sergio
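
Added example, not fail2ban's own code and not from any list post, covering the regex question here and Sergio's earlier message about the RBL_MATCH filter: two failregex lines written the way a fail2ban filter.d file expects them (with fail2ban's <HOST> placeholder), one for the vchkpw-smtp "password fail" lines and one for the spamdyke FILTER_* lines quoted in this thread, plus a re-implementation of fail2ban's findtime/maxretry counting so the regexes can be checked against log lines offline, without a jail. The sample lines are constructed in the same format with RFC 5737 addresses and made-up mailbox names; the <HOST> expansion mirrors what fail2ban 0.8 substitutes, and the year 2011 added to the syslog timestamps is an assumption, since syslog omits it.

```python
"""
Added example (not fail2ban's code and not from any list post): fail2ban-style
failregex lines for the vpopmail and spamdyke log lines in this thread, checked
offline with fail2ban's findtime / maxretry counting semantics.
"""
import re
from collections import defaultdict
from datetime import datetime

# failregex lines as they would go into /etc/fail2ban/filter.d/vpopmail-smtp.conf.
# <HOST> is fail2ban's placeholder for the address to ban.
FAILREGEX = [
    # vpopmail[31072]: vchkpw-smtp: password fail (pass: 'x') user@domain:1.2.3.4
    r"vpopmail\[\d+\]: vchkpw-smtp: password fail \(pass: '[^']*'\) [^:\s]+@[^:\s]+:<HOST>\s*$",
    # spamdyke[31069]: FILTER_RBL_MATCH ip: 1.2.3.4 rbl: zen.spamhaus.org
    r"spamdyke\[\d+\]: FILTER_(?:RBL_MATCH|BLACKLIST_IP|RDNS_RESOLVE) ip: <HOST>\b",
]

# What fail2ban 0.8 substitutes for <HOST> (hostname or IPv4, optional ::ffff: prefix).
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed /var/log/maillog excerpt (RFC 5737 addresses, made-up mailboxes).
SAMPLE_LOG = """\
Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 203.0.113.10 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') user1@example.com:198.51.100.7
Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') user2@example.com:198.51.100.7
Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') user1@example.com:198.51.100.7
Feb 27 14:57:41 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi') user1@example.com:203.0.113.10
Feb 27 14:57:42 mail spamdyke[31094]: FILTER_RBL_MATCH ip: 203.0.113.10 rbl: zen.spamhaus.org
Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip: 192.0.2.44 file: /var/qmail/control/ip-blacklist(75)
Feb 27 15:20:00 mail vpopmail[31200]: vchkpw-smtp: password fail (pass: 'abc') user3@example.com:192.0.2.44
Feb 27 15:20:01 mail vpopmail[31201]: vchkpw-smtp: password fail (pass: 'abd') user3@example.com:192.0.2.44
Feb 27 15:20:02 mail qmail: 1298829602.123456 new msg 12345
"""


def compile_failregex(patterns=FAILREGEX):
    """Expand <HOST> the way fail2ban does and compile each failregex."""
    return [re.compile(p.replace("<HOST>", HOST_GROUP)) for p in patterns]


def syslog_time(line, year=2011):
    """Parse the 'Feb 27 14:57:38' prefix; syslog has no year, 2011 is assumed."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def failures(lines, regexes=None):
    """Yield (timestamp, host) for each line matched by any failregex."""
    regexes = regexes or compile_failregex()
    for line in lines:
        for rx in regexes:
            m = rx.search(line)
            if m:
                yield syslog_time(line), m.group("host")
                break


def failure_counts(lines):
    """Total matches per host, ignoring time (what fail2ban-regex would report)."""
    counts = defaultdict(int)
    for _, host in failures(lines):
        counts[host] += 1
    return dict(counts)


def find_bans(lines, maxretry=3, findtime=600):
    """fail2ban semantics: ban a host at the moment it accumulates maxretry
    failures within the trailing findtime seconds. Returns {host: ban time}."""
    recent = defaultdict(list)
    bans = {}
    for ts, host in failures(lines):
        if host in bans:
            continue
        # keep only failures that are still inside the findtime window
        recent[host] = [t for t in recent[host] + [ts]
                        if (ts - t).total_seconds() <= findtime]
        if len(recent[host]) >= maxretry:
            bans[host] = ts
    return bans


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("failures per host:", failure_counts(lines))
    for host, when in find_bans(lines).items():
        print(f"ban {host} at {when:%b %d %H:%M:%S}")
```

To use the patterns in fail2ban itself, put the two FAILREGEX strings (with <HOST> intact) under failregex in a filter.d file and point a jail at /var/log/maillog; fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/vpopmail-smtp.conf is the equivalent check against the real log. The spamdyke pattern means a host is banned after maxretry rejections of any kind, not only authentication failures, which fits a box whose problem is connection-slot exhaustion rather than successful logins; drop that line if you only want to act on password guessing.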

-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
 If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.

 To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com

For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Tony White

Fail2Ban does not work with qmail out of the box.
The scripting for the qmail log files needs to be
written specifically for fail2ban.
  Has anyone managed to do this yet?

If so what price your script please?


On 02/03/2011 2:09 PM, Sergio M wrote:

South Computers wrote:
Sounds like they may have gotten hit with a virus or pissed someone off. I would block the domain from relaying & inform 
the customer, possibly make them change their email account passwords if it's not a large organization. Ask them to 
relay through their provider if possible for the time being. Fail2ban would be the best solution for the time being as 
previously mentioned.



The passwords are all wrong. They are all like:
mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') 
eduardos...@domain.com:201.82.74.70

The domain is blocked in spamdyke, unless they authenticate and bypass the filters, so that is covered. But the smtp 
sessions are used nevertheless.


I installed fail2ban (from the repos mentioned in fail2ban.org) but cannot make it work with the smtpd. I tried with 
http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg23951.html but I think it has a conf file missing and 
the vpopmail is for pop3.
I also tried with http://notes.benv.junerules.com/all/software/qmail-spamdyke-and-fail2ban/#more-539 but cannot make it 
work with the RBL_MATCH filter.


Any tips from satisfied fail2ban users?

Thanks!
Sergio


-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
 If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.
 To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com






--
best wishes
  Tony White

Yea Computing Services
http://www.ycs.com.au
4 The Crescent
Yea
Victoria
Australia 3717

Telephone No's
VIC : 03 9008 5614
FAX : 03 9008 5610 (FAX2Email)



IMPORTANT NOTICE

This communication including any file attachments is intended solely for
the use of the individual or entity to whom it is addressed. If you are
not the intended recipient, or the person responsible for delivering
this communication to the intended recipient, please immediately notify
the sender by email and delete the original transmission and its
contents. Any unauthorised use, dissemination, forwarding, printing or
copying of this communication including file attachments is prohibited.
It is your responsibility to scan this communication including any file
attachments for viruses and other defects. To the extent permitted by
law, Yea Computing Services and its associates will not be liable for
any loss or damage arising in any way from this communication including
any file attachments.


-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
 If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.

 To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com

For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




Re: [qmailtoaster] Re: SMTP attack

2011-03-01 Thread Maxwell Smart
I actually use OSSEC HIDS for this type of attack.  I use fail2ban for
ftp and ssh.

Ole is the chap that knows fail2ban for Qmail.  You can install it now
using yum install fail2ban instead of compiling.

On 03/01/2011 06:40 PM, Eric Shubert wrote:
 If CJ got it working, then I expect that just about anyone can do it. ;)

 JK CJ. Would you care to create a page on the wiki for this?


-- 
Cecil Yother, Jr. cj
cj's
2318 Clement Ave
Alameda, CA  94501

tel 510.865.2787
http://yother.com
Check out the new Volvo classified resource http://www.volvoclassified.com


-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
  If you need professional help with your setup, contact them today!
-
 Please visit qmailtoaster.com for the latest news, updates, and packages.
 
  To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
 For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




Re: [qmailtoaster] Re: SMTP attack

2011-03-01 Thread Tony White

Trouble is, Fail2Ban requires the shorewall firewall!
At least if you use the RPMs.


On 02/03/2011 3:58 PM, Maxwell Smart wrote:

I actually use OSSEC HIDS for this type of attack.  I use fail2ban for
ftp and ssh.

Ole is the chap that knows fail2ban for Qmail.  You can install it now
using yum install fail2ban instead of compiling.

On 03/01/2011 06:40 PM, Eric Shubert wrote:

If CJ got it working, then I expect that just about anyone can do it. ;)

JK CJ. Would you care to create a page on the wiki for this?





-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
 If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.

 To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com

For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com