Re: [qmailtoaster] SMTP attack
Hi Sergio.

If I am reading Your logfile correctly You should try to replace *vchkpw-pop3: vpopmail user not found* with *vchkpw-smtp: password fail* and leave everything else. Change this in the filter.d directory and remember to reload fail2ban (fail2ban-client reload on the CLI).

Regards,
Finn

On 02-03-2011 04:09, Sergio M wrote:
> South Computers wrote:
>> Sounds like they may have gotten hit with a virus or pissed someone off. I would block the domain from relaying, inform the customer, possibly make them change their email account passwords if it's not a large organization. Ask them to relay through their provider if possible for the time being. Fail2ban would be the best solution for the time being as previously mentioned.
>
> The passwords are all wrong. They are all like:
>
>   mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70
>
> The domain is blocked in spamdyke, unless they authenticate and bypass the filters, so that is covered. But the smtp sessions are used nevertheless.
>
> I installed fail2ban (from the repos mentioned in fail2ban.org) but cannot make it work with the smtpd. I tried with http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg23951.html but I think it has a conf file missing and the vpopmail filter is for pop3. I also tried with http://notes.benv.junerules.com/all/software/qmail-spamdyke-and-fail2ban/#more-539 but cannot make it work with the RBL_MATCH filter.
>
> Any tips from satisfied fail2ban users?
>
> Thanks!
> Sergio

-
Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
Re: [qmailtoaster] SMTP attack
Finn Buhelt (kirstineslund) wrote:
> Hi Sergio.
> If I am reading Your logfile correctly You should try to replace *vchkpw-pop3: vpopmail user not found* with *vchkpw-smtp: password fail* and leave everything else. Change this in the filter.d directory and remember to reload fail2ban (fail2ban-client reload on the CLI).
> Regards,
> Finn

Thanks Finn, I will try this one too.

Can anyone share a successful set of qmail/vpopmail/smtp rules for fail2ban?

Thanks!
Re: [qmailtoaster] SMTP attack
Finn Buhelt (kirstineslund) wrote:
> Hi Sergio.
> If I am reading Your logfile correctly You should try to replace *vchkpw-pop3: vpopmail user not found* with *vchkpw-smtp: password fail* and leave everything else. Change this in the filter.d directory and remember to reload fail2ban (fail2ban-client reload on the CLI).
> Regards,
> Finn

That didn't work. I tested with fail2ban-regex:

Failregex
|- Regular expressions:
|  [1] vchkpw-smtp: password fail .*@:<HOST>
|
`- Number of matches:
   [1] 0 match(es)

But thanks for the tip Finn.

-Sergio
Re: [qmailtoaster] SMTP attack
Hi Sergio.

Try to remove the @ sign and give it a go!

Regards
Finn

On 02-03-2011 13:27, Sergio M wrote:
> Finn Buhelt (kirstineslund) wrote:
>> [...]
>
> That didn't work. I tested with fail2ban-regex:
>
> Failregex
> |- Regular expressions:
> |  [1] vchkpw-smtp: password fail .*@:<HOST>
> |
> `- Number of matches:
>    [1] 0 match(es)
>
> But thanks for the tip Finn.
>
> -Sergio
Re: [qmailtoaster] SMTP attack
Finn Buhelt (kirstineslund) wrote:
> Hi Sergio.
> If I am reading Your logfile correctly You should try to replace *vchkpw-pop3: vpopmail user not found* with *vchkpw-smtp: password fail* and leave everything else. Change this in the filter.d directory and remember to reload fail2ban (fail2ban-client reload on the CLI).
> Regards,
> Finn

This one got lots of hits in the regex test:

# cat /etc/fail2ban/filter.d/vpopmail-fail.conf
[Definition]
failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =

(I took it from the Spanish site I posted before.)

I could also use some other set of rules for qmail. The default one does not get any hits.

About fail2ban

1. Every time I reload it I lose the whole set of banned IPs? Same with rebooting? Can I make them persist?

2. How can I unban a single IP without restarting fail2ban?

Thanks!
-Sergio
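The two failregex variants discussed in this thread (the one that scored "0 match(es)" and the one from vpopmail-fail.conf that got hits) differ only in how they walk from the mailbox to the client IP. The script below is an added example, not code from this list or from fail2ban itself: it substitutes fail2ban's <HOST> tag, runs both patterns over constructed vpopmail log lines modelled on the ones posted here, and then applies the maxretry/findtime rule a jail uses to decide which client IPs get banned. The IPv4-only HOST_PATTERN, the assumed year for the syslog timestamps, the sample lines, the addresses and the thresholds are all constructed for the example.

```python
"""
Added example for the fail2ban discussion in this thread (not code from the
qmailtoaster list or from fail2ban itself): compile the two failregex variants,
run them over constructed vpopmail log lines, and apply fail2ban's
maxretry/findtime rule to pick the client IPs that would be banned.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# fail2ban replaces the <HOST> tag with a pattern for an IP address or hostname.
# This stand-in (an assumption for the example) only captures dotted-quad IPv4.
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Variant that scored 0 matches in the thread: the mailbox's domain sits between
# '@' and ':', so a literal '@:' never occurs in the log line.
FAILREGEX_BROKEN = r"vchkpw-smtp: password fail .*@:<HOST>"

# Variant that got hits, as quoted from the thread's vpopmail-fail.conf. The
# unescaped parentheses form a regex group rather than matching literal '(' and
# ')', but the pattern still matches because [^)]* backtracks to "(pass:".
FAILREGEX_WORKING = r"vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>"

# Constructed sample log modelled on the vpopmail/spamdyke lines in the thread.
# 198.51.100.10 fails three times in four seconds; 192.0.2.77 fails three times
# spread over more than half an hour; the spamdyke line must match nothing.
SAMPLE_LOG = """\
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'guess1') usera@example.test:198.51.100.10
Feb 27 14:57:39 mail spamdyke[31080]: FILTER_RBL_MATCH ip: 203.0.113.5 rbl: zen.spamhaus.org
Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'guess2') usera@example.test:198.51.100.10
Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'guess3') userb@example.test:198.51.100.10
Feb 27 14:57:43 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'guess1') usera@example.test:192.0.2.77
Feb 27 15:30:00 mail vpopmail[31110]: vchkpw-smtp: password fail (pass: 'guess2') usera@example.test:192.0.2.77
Feb 27 15:31:00 mail vpopmail[31114]: vchkpw-smtp: password fail (pass: 'guess3') usera@example.test:192.0.2.77
"""

SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def compile_failregex(failregex: str) -> re.Pattern[str]:
    """Substitute <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def parse_syslog_time(line: str, year: int = 2011) -> datetime:
    """Syslog lines carry no year; the caller supplies one (assumed here)."""
    m = SYSLOG_TS.match(line)
    if m is None:
        raise ValueError(f"no syslog timestamp: {line!r}")
    return datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")


def failures_by_host(failregex: str, log: str) -> dict[str, list[datetime]]:
    """Timestamps of every line the failregex matches, grouped by client IP."""
    rx = compile_failregex(failregex)
    hits: dict[str, list[datetime]] = defaultdict(list)
    for line in log.splitlines():
        m = rx.search(line)
        if m:
            hits[m.group("host")].append(parse_syslog_time(line))
    return dict(hits)


def hosts_to_ban(failregex: str, log: str, maxretry: int = 3, findtime: int = 600) -> set[str]:
    """fail2ban's rule: ban once maxretry failures fall inside findtime seconds."""
    banned: set[str] = set()
    for host, stamps in failures_by_host(failregex, log).items():
        window: list[datetime] = []
        for ts in sorted(stamps):
            window.append(ts)
            # keep only the failures that lie within findtime of the newest one
            window = [t for t in window if (ts - t).total_seconds() <= findtime]
            if len(window) >= maxretry:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    for name, rx in (("broken", FAILREGEX_BROKEN), ("working", FAILREGEX_WORKING)):
        hits = failures_by_host(rx, SAMPLE_LOG)
        print(f"{name}: {sum(len(v) for v in hits.values())} match(es), {len(hits)} host(s)")
    print("ban, findtime=600s: ", sorted(hosts_to_ban(FAILREGEX_WORKING, SAMPLE_LOG)))
    print("ban, findtime=7200s:", sorted(hosts_to_ban(FAILREGEX_WORKING, SAMPLE_LOG, findtime=7200)))
```

With the default window only 198.51.100.10 is banned; 192.0.2.77 also has three failures, but they never fall inside one 600-second findtime, which is the same reason a slow, distributed guess run (one attempt per IP, as in the maillog posted in this thread) slips under a per-IP jail and needs the RBL or firewall blocks the other replies suggest.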
Re: [qmailtoaster] SMTP attack
Hi Sergio.

1. There is a *.conf file somewhere on the net that checks fail2ban's own logfile and to a certain extent prevents this from happening. (Sorry, can't remember where, but I will do some investigation and let You know if I'm successful.)

2. iptables -D name-of-the-banned -s IP -j DROP should do the trick.

/Finn

On 02-03-2011 13:42, Sergio M wrote:
> [...]
>
> About fail2ban
>
> 1. Every time I reload it I lose the whole set of banned IPs? Same with rebooting? Can I make them persist?
>
> 2. How can I unban a single IP without restarting fail2ban?
>
> Thanks!
> -Sergio
Re: [qmailtoaster] SMTP attack
Hi again Sergio.

FYI fail2ban unbans the IP after X minutes (X is set in the jail.conf either globally or per 'filter.conf').

/Finn

On 02-03-2011 13:42, Sergio M wrote:
> [...]
>
> About fail2ban
>
> 1. Every time I reload it I lose the whole set of banned IPs? Same with rebooting? Can I make them persist?
>
> 2. How can I unban a single IP without restarting fail2ban?
>
> Thanks!
> -Sergio
Re: [qmailtoaster] SMTP attack
Finn Buhelt (kirstineslund) wrote:
> Hi again Sergio.
> FYI fail2ban unbans the IP after X minutes (X is set in the jail.conf either globally or per 'filter.conf').
> /Finn

Hi, I am banning them for 1 week, but I wanted to know how to unban someone right away if a customer complains.

Thanks!
Re: [qmailtoaster] SMTP attack
Finn Buhelt (kirstineslund) wrote:
> Hi Sergio.
> 1. There is a *.conf file somewhere on the net that checks fail2ban's own logfile and to a certain extent prevents this from happening. (Sorry, can't remember where, but I will do some investigation and let You know if I'm successful.)

Finn, I think this is what you said:
http://whyscream.net/wiki/index.php/Fail2ban_monitoring_Fail2ban

What do you think about this one? Maybe I like it better:
http://n8wood.wordpress.com/2009/06/22/fail2ban-permanent-ssh-bans/

And to keep the bans upon reloads, if you do a "service iptables save" and then a "service iptables restart", it just loads them again after the fail2ban-client has flushed the iptables rules.

Thanks.
Sergio
Re: [qmailtoaster] SMTP attack
Hi Sergio.

Yep, You're right, I think that was the one I was thinking of. I too think the second one looks very promising - I'll have a closer look at the script later on.

Also, as You write, it's possible to save iptables before reloading fail2ban - good point. REMEMBER that fail2ban by default reloads once a week as I recall it; it's set in logrotate.d.

Regards,
Finn

On 02-03-2011 17:33, Sergio M wrote:
> Finn Buhelt (kirstineslund) wrote:
>> [...]
>
> Finn, I think this is what you said:
> http://whyscream.net/wiki/index.php/Fail2ban_monitoring_Fail2ban
>
> What do you think about this one? Maybe I like it better:
> http://n8wood.wordpress.com/2009/06/22/fail2ban-permanent-ssh-bans/
>
> And to keep the bans upon reloads, if you do a "service iptables save" and then a "service iptables restart", it just loads them again after the fail2ban-client has flushed the iptables rules.
>
> Thanks.
> Sergio
Re: [qmailtoaster] SMTP attack
+1 on this method, but it looks as if the bot has nodes, so those IPs need to be blocked also. You can do a range of IPs by using CIDR notation, i.e. 11.22.33.44/16 = 11.22.00.00 - 11.22.254.254. Be careful with this because you could inadvertently drop legit mail. More than likely, if you check the country code where the IP originates, they are coming from some place other than the USA.

--Dave

On 3/1/2011 7:14 PM, Tony White wrote:
> Try this at the command line and as root!
>
>   iptables -I INPUT -s 11.22.33.44 -j DROP
>
> This will stop him dead in his tracks. You can use this command for any ip address that gives you a problem.
>
> On 02/03/2011 11:25 AM, Sergio M wrote:
>> Hi there list, I have been under heavy traffic since Sunday, and it's been using all my inbound connections. I have a QMT updated box, running the latest spamdyke:
>>
>>   # qtp-whatami
>>   qtp-whatami v0.3.7 Tue Mar 1 21:14:03 ART 2011
>>   DISTRO=CentOS
>>   OSVER=5.5
>>   QTARCH=x86_64
>>   QTKERN=2.6.18-194.32.1.el5
>>   BUILD_DIST=cnt5064
>>   BUILD_DIR=/usr/src/redhat
>>   This machine's OS is supported and has been tested
>>
>> Even though spamdyke does not let the spammers relay the mail, I still get all the connections used, making it very hard for authenticated users to send mail. For now I stopped smtpd, but I wanna see if you guys have some other thoughts to solve this.
>>
>> If I see the maillog, I see LOTS of entries like these:
>>
>>   Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 201.0.152.106 rbl: zen.spamhaus.org
>>   Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
>>   Feb 27 14:57:38 mail spamdyke[31071]: FILTER_RBL_MATCH ip: 201.43.79.201 rbl: zen.spamhaus.org
>>   Feb 27 14:57:38 mail spamdyke[31075]: FILTER_BLACKLIST_IP ip: 187.106.1.158 file: /var/qmail/control/ip-blacklist(75)
>>   Feb 27 14:57:38 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:201.250.40.202
>>   Feb 27 14:57:38 mail spamdyke[31080]: FILTER_RBL_MATCH ip: 201.81.74.149 rbl: zen.spamhaus.org
>>   Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70
>>   Feb 27 14:57:39 mail spamdyke[31084]: FILTER_RDNS_RESOLVE ip: 189.106.88.244 rdns: 189106088244.user.veloxzone.com.br
>>   Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.43.79.201
>>   Feb 27 14:57:40 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.106.88.244
>>   Feb 27 14:57:41 mail spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 200.105.97.83 rdns: rev.97.83-telecablecr.com
>>   Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:187.106.1.158
>>   Feb 27 14:57:42 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.0.152.106
>>   Feb 27 14:57:42 mail spamdyke[31094]: FILTER_RBL_MATCH ip: 93.39.224.8 rbl: zen.spamhaus.org
>>   Feb 27 14:57:42 mail vpopmail[31098]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:200.45.73.226
>>   Feb 27 14:57:43 mail spamdyke[31100]: FILTER_RBL_MATCH ip: 189.54.236.113 rbl: zen.spamhaus.org
>>   Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip: 187.119.172.80 file: /var/qmail/control/ip-blacklist(75)
>>   Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.114.176.151
>>   Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
>>   Feb 27 14:57:44 mail vpopmail[31110]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:93.39.224.8
>>
>> So I guess some botnet is trying to relay mail guessing a specific domain user's passwords. Most of the attempts are blocked by RBL checking, but that still creates a connection.
>>
>> Looking at
>>
>>   # cat /var/log/qmail/smtp/current | tai64nlocal
>>   2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 189.6.164.77
>> [...]
Re: [qmailtoaster] SMTP attack
Ban the bad guy IP at the firewall level.

Best wishes,
Edwin

On 03/02/2011 08:25 AM, Sergio M wrote:
> Hi there list, I have been under heavy traffic since Sunday, and it's been using all my inbound connections. I have a QMT updated box, running the latest spamdyke:
>
> [...]
>
> So I guess some botnet is trying to relay mail guessing a specific domain user's passwords. Most of the attempts are blocked by RBL checking, but that still creates a connection.
>
> Looking at
>
>   # cat /var/log/qmail/smtp/current | tai64nlocal
>   2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 189.6.164.77
>   2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.myhost.com.ar:11.22.33.44:25 :189.6.164.77::37629
>   2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
>   2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
>   2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
>   2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 190.172.129.24
>   2011-03-01 20:54:02.157530500 tcpserver: ok 4881 mail.myhost.com.ar:11.22.33.44:25 :190.172.129.24::14782
>   2011-03-01 20:54:05.433208500 tcpserver: end 4857 status 0
>   2011-03-01 20:54:05.433211500 tcpserver: status: 24/25
>   2011-03-01 20:54:05.433212500 tcpserver: status: 25/25
>   2011-03-01 20:54:05.433213500 tcpserver: pid 4903 from 189.78.49.139
>   2011-03-01 20:54:05.433215500 tcpserver: ok 4903 mail.myhost.com.ar:11.22.33.44:25 :189.78.49.139::36877
>   2011-03-01 20:54:06.075161500 tcpserver: end 4800 status 0
>   2011-03-01 20:54:06.075164500 tcpserver: status: 24/25
>   2011-03-01 20:54:06.075165500
> [...]
Re: [qmailtoaster] SMTP attack
Try this at the command line and as root!

  iptables -I INPUT -s 11.22.33.44 -j DROP

This will stop him dead in his tracks. You can use this command for any ip address that gives you a problem.

On 02/03/2011 11:25 AM, Sergio M wrote:
> Hi there list, I have been under heavy traffic since Sunday, and it's been using all my inbound connections. I have a QMT updated box, running the latest spamdyke:
>
> [...]
>
> So I guess some botnet is trying to relay mail guessing a specific domain user's passwords. Most of the attempts are blocked by RBL checking, but that still creates a connection.
>
> [...]
Re: [qmailtoaster] SMTP attack
Does the greylisting process not work for this problem?

2011/3/1, Eric Shubert e...@shubes.net:
> Sergio,
>
> .) Be sure you're running the latest spamdyke (4.2.0). 4.1.x versions had a bug where rejected sessions would not terminate immediately, causing excessive idle smtp sessions (and ultimately TIMEOUTs). That may not be affecting you, but you should check to be sure. Run qtp-install-spamdyke to upgrade to the latest version.
>
> .) I would recommend installing fail2ban. This will automatically ban IP addresses which have several failed login attempts. There doesn't appear to be a wiki page about this yet (ANY TAKERS??), but you should find info about it in the list archives. Someone here should be able to help if you run into difficulty with it. (Not me though, as I haven't implemented it yet).
>
> .) 25 smtp sessions is rather low. I've seen a Celeron 1GHz processor handle twice that number. You might need to bump up the spamassassin child processes to get there, but it should be doable. What are your HW specs?
>
> That's all that comes to my mind right now. Let us know how you make out.
>
> --
> -Eric 'shubes'
>
> On 03/01/2011 05:25 PM, Sergio M wrote:
>> Hi there list, I have been under heavy traffic since Sunday, and it's been using all my inbound connections. I have a QMT updated box, running the latest spamdyke:
>>
>> [...]
>>
>> So I guess some botnet is trying to relay mail guessing a specific domain user's passwords. Most of the attempts are blocked by RBL checking, but that still creates a connection.
>>
>> [...]
Re: [qmailtoaster] SMTP attack
Tony,

Does this append the existing iptable with the offending IP? I use fail2ban and it works great. OSSEC HIDS is a good tool too. I use them both actually.

CJ

On 03/01/2011 05:14 PM, Tony White wrote:

Try this at the command line and as root!

iptables -I INPUT -s 11.22.33.44 -j DROP

This will stop him dead in his tracks. You can use this command for any IP address that gives you a problem.

On 02/03/2011 11:25 AM, Sergio M wrote:

Hi there list, I have been under heavy traffic since Sunday, and it's been using all my inbound connections. I have a QMT updated box, running the latest spamdyke:

# qtp-whatami
qtp-whatami v0.3.7 Tue Mar 1 21:14:03 ART 2011
DISTRO=CentOS
OSVER=5.5
QTARCH=x86_64
QTKERN=2.6.18-194.32.1.el5
BUILD_DIST=cnt5064
BUILD_DIR=/usr/src/redhat
This machine's OS is supported and has been tested

Even though spamdyke does not let the spammers relay the mail, I still get all the connections used, making it very hard for authenticated users to send mail. For now I stopped smtpd, but I wanna see if you guys have some other thoughts to solve this.

If I see the maillog, I see LOTS of entries like these:

Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 201.0.152.106 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:38 mail spamdyke[31071]: FILTER_RBL_MATCH ip: 201.43.79.201 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail spamdyke[31075]: FILTER_BLACKLIST_IP ip: 187.106.1.158 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:38 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:201.250.40.202
Feb 27 14:57:38 mail spamdyke[31080]: FILTER_RBL_MATCH ip: 201.81.74.149 rbl: zen.spamhaus.org
Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70
Feb 27 14:57:39 mail spamdyke[31084]: FILTER_RDNS_RESOLVE ip: 189.106.88.244 rdns: 189106088244.user.veloxzone.com.br
Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.43.79.201
Feb 27 14:57:40 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.106.88.244
Feb 27 14:57:41 mail spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 200.105.97.83 rdns: rev.97.83-telecablecr.com
Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:187.106.1.158
Feb 27 14:57:42 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.0.152.106
Feb 27 14:57:42 mail spamdyke[31094]: FILTER_RBL_MATCH ip: 93.39.224.8 rbl: zen.spamhaus.org
Feb 27 14:57:42 mail vpopmail[31098]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:200.45.73.226
Feb 27 14:57:43 mail spamdyke[31100]: FILTER_RBL_MATCH ip: 189.54.236.113 rbl: zen.spamhaus.org
Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip: 187.119.172.80 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.114.176.151
Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:44 mail vpopmail[31110]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:93.39.224.8

So I guess some botnet is trying to relay mail guessing a specific domain user's passwords. Most of the attempts are blocked by RBL checking, but that still creates a connection. Looking at

# cat /var/log/qmail/smtp/current | tai64nlocal

2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 189.6.164.77
2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.myhost.com.ar:11.22.33.44:25 :189.6.164.77::37629
2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 190.172.129.24
2011-03-01 20:54:02.157530500 tcpserver: ok 4881 mail.myhost.com.ar:11.22.33.44:25 :190.172.129.24::14782
2011-03-01 20:54:05.433208500 tcpserver: end 4857 status 0
2011-03-01 20:54:05.433211500 tcpserver: status: 24/25
2011-03-01 20:54:05.433212500 tcpserver: status: 25/25
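The tcpserver excerpt quoted in Sergio's message is what shows the actual damage: the "status: 25/25" lines mean every one of the 25 concurrent SMTP slots (tcpserver's -c limit) is occupied, which is why legitimate senders cannot get in even though spamdyke rejects the relay attempts. The script below is an added example, not code from the list or from the QMT project; it parses tai64nlocal-decoded tcpserver log lines, counts how often the limit is reached and which remote addresses are taking the slots. The sample input is constructed from the lines quoted above plus two constructed lines that repeat one source; the ok-line layout it assumes is tcpserver's "ok PID localhost:localip:localport remotehost:remoteip:remoteinfo:remoteport".

```python
import re
from collections import Counter

# Constructed sample in the format of the tai64nlocal-decoded tcpserver log
# quoted in the thread; the first 14 lines are from the post, the last two
# are constructed to show a repeat connection from one source address.
SAMPLE_TCPSERVER_LOG = """\
2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 189.6.164.77
2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.myhost.com.ar:11.22.33.44:25 :189.6.164.77::37629
2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 190.172.129.24
2011-03-01 20:54:02.157530500 tcpserver: ok 4881 mail.myhost.com.ar:11.22.33.44:25 :190.172.129.24::14782
2011-03-01 20:54:05.433208500 tcpserver: end 4857 status 0
2011-03-01 20:54:05.433211500 tcpserver: status: 24/25
2011-03-01 20:54:05.433212500 tcpserver: status: 25/25
2011-03-01 20:54:05.433213500 tcpserver: pid 4903 from 189.78.49.139
2011-03-01 20:54:05.433215500 tcpserver: ok 4903 mail.myhost.com.ar:11.22.33.44:25 :189.78.49.139::36877
2011-03-01 20:54:06.075161500 tcpserver: end 4800 status 0
2011-03-01 20:54:06.075164500 tcpserver: status: 24/25
2011-03-01 20:54:06.201000000 tcpserver: ok 4910 mail.myhost.com.ar:11.22.33.44:25 :189.6.164.77::37700
2011-03-01 20:54:06.201100000 tcpserver: status: 25/25
"""

# "tcpserver: ok PID localhost:localip:localport remotehost:remoteip:remoteinfo:remoteport";
# remotehost and remoteinfo are empty in the quoted log, hence the ":IP::port" shape.
OK_RE = re.compile(
    r"tcpserver: ok \d+ \S*:\S*:\d+ \S*:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\S*:\d+"
)
# "tcpserver: status: CURRENT/LIMIT" is logged after every connection start or end.
STATUS_RE = re.compile(r"tcpserver: status: (?P<cur>\d+)/(?P<max>\d+)")


def summarize_tcpserver(lines):
    """Count accepted connections per remote IP and how often the concurrency
    limit (the -c value tcpserver was started with) was fully used."""
    accepted = Counter()
    limit = None
    full_events = 0
    status_lines = 0
    for line in lines:
        m = OK_RE.search(line)
        if m:
            accepted[m.group("ip")] += 1
            continue
        m = STATUS_RE.search(line)
        if m:
            status_lines += 1
            cur, mx = int(m.group("cur")), int(m.group("max"))
            limit = mx
            if cur >= mx:
                full_events += 1
    return {
        "limit": limit,
        "full_events": full_events,
        "status_lines": status_lines,
        "accepted": accepted,
    }


def top_talkers(summary, n=3):
    """The n remote IPs with the most accepted connections (candidates for a block)."""
    return summary["accepted"].most_common(n)


def saturation_ratio(summary):
    """Fraction of status lines that show the limit fully used; 1.0 means every
    observed state change still left the server at its -c limit."""
    if summary["status_lines"] == 0:
        return 0.0
    return summary["full_events"] / summary["status_lines"]


if __name__ == "__main__":
    s = summarize_tcpserver(SAMPLE_TCPSERVER_LOG.splitlines())
    print(f"limit={s['limit']} full_events={s['full_events']} "
          f"saturation={saturation_ratio(s):.2f}")
    for ip, count in top_talkers(s):
        print(f"{ip} {count}")
```

Run it against the real file with `tai64nlocal < /var/log/qmail/smtp/current` piped in; a saturation ratio near 1.0 with a short list of heavy sources is the pattern described in the thread, while a ratio near 1.0 with thousands of distinct single-connection sources is the botnet case where per-IP iptables rules will not keep up and a log-driven tool such as fail2ban, or a lower per-source limit, is needed.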
RE: [qmailtoaster] SMTP attack
Are all of the username portions of the e-mail addresses legitimate e-mails? IE, it looks like you cleansed the domain portion, but, in the log, are all, or most, of the e-mails legitimate? I've seen this with random attempts at guessing e-mails and passwords, but not with all legit e-mails. If they are all legit, is the domain yours? Or is it theirs? (IE do you host it as an ISP, or is this the only domain and you control it?)

Michael J. Colvin
NorCal Internet Services
www.norcalisp.com

-Original Message-
From: Sergio M [mailto:sergio...@gmail.com]
Sent: Tuesday, March 01, 2011 4:25 PM
To: QmailToaster List
Subject: [qmailtoaster] SMTP attack

Hi there list, I have been under heavy traffic since Sunday, and it's been using all my inbound connections. I have a QMT updated box, running the latest spamdyke:

# qtp-whatami
qtp-whatami v0.3.7 Tue Mar 1 21:14:03 ART 2011
DISTRO=CentOS
OSVER=5.5
QTARCH=x86_64
QTKERN=2.6.18-194.32.1.el5
BUILD_DIST=cnt5064
BUILD_DIR=/usr/src/redhat
This machine's OS is supported and has been tested

Even though spamdyke does not let the spammers relay the mail, I still get all the connections used, making it very hard for authenticated users to send mail. For now I stopped smtpd, but I wanna see if you guys have some other thoughts to solve this.

If I see the maillog, I see LOTS of entries like these:

Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 201.0.152.106 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:38 mail spamdyke[31071]: FILTER_RBL_MATCH ip: 201.43.79.201 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail spamdyke[31075]: FILTER_BLACKLIST_IP ip: 187.106.1.158 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:38 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:201.250.40.202
Feb 27 14:57:38 mail spamdyke[31080]: FILTER_RBL_MATCH ip: 201.81.74.149 rbl: zen.spamhaus.org
Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70
Feb 27 14:57:39 mail spamdyke[31084]: FILTER_RDNS_RESOLVE ip: 189.106.88.244 rdns: 189106088244.user.veloxzone.com.br
Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.43.79.201
Feb 27 14:57:40 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.106.88.244
Feb 27 14:57:41 mail spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 200.105.97.83 rdns: rev.97.83-telecablecr.com
Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:187.106.1.158
Feb 27 14:57:42 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.0.152.106
Feb 27 14:57:42 mail spamdyke[31094]: FILTER_RBL_MATCH ip: 93.39.224.8 rbl: zen.spamhaus.org
Feb 27 14:57:42 mail vpopmail[31098]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:200.45.73.226
Feb 27 14:57:43 mail spamdyke[31100]: FILTER_RBL_MATCH ip: 189.54.236.113 rbl: zen.spamhaus.org
Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip: 187.119.172.80 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.114.176.151
Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:44 mail vpopmail[31110]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:93.39.224.8

So I guess some botnet is trying to relay mail guessing a specific domain user's passwords. Most of the attempts are blocked by RBL checking, but that still creates a connection. Looking at

# cat /var/log/qmail/smtp/current | tai64nlocal

2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 189.6.164.77
2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.myhost.com.ar:11.22.33.44:25 :189.6.164.77::37629
2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 190.172.129.24
2011-03-01 20:54:02.157530500 tcpserver: ok 4881 mail.myhost.com.ar:11.22.33.44:25 :190.172.129.24::14782
2011-03-01 20:54:05.433208500 tcpserver: end 4857 status 0
2011-03-01 20:54:05.433211500 tcpserver: status: 24/25
2011-03-01 20:54:05.433212500 tcpserver: status: 25/25
2011-03-01 20:54:05.433213500 tcpserver: pid 4903 from 189.78.49.139
2011-03-01 20:54:05.433215500 tcpserver: ok 4903 mail.myhost.com.ar:11.22.33.44:25 :189.78.49.139::36877
2011-03-01 20:54:06.075161500 tcpserver: end 4800 status 0
2011-03-01 20:54:06.075164500 tcpserver: status: 24/25
Re: [qmailtoaster] SMTP attack
Michael Colvin wrote:

Are all of the username portions of the e-mail addresses legitimate e-mails? IE, it looks like you cleansed the domain portion, but, in the log, are all, or most, of the e-mails legitimate? I've seen this with random attempts at guessing e-mails and passwords, but not with all legit e-mails. If they are all legit, is the domain yours? Or is it theirs? (IE do you host it as an ISP, or is this the only domain and you control it?)

Michael J. Colvin
NorCal Internet Services
www.norcalisp.com

Hi Michael, they are all legitimate email addresses, for one domain only though. We host it as an ISP.

Thanks!

-
Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations. If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
RE: [qmailtoaster] SMTP attack
Well... My first thought would be to isolate this domain from my mail server, so that it isn't affecting my other customers. Perhaps changing DNS (change the IP for the server to something non-existent for now, like 192.168.0.1 or something). Likely won't stop it immediately but might prevent new bots from finding the server after you block existing ones.

Also, block the domain in spamdyke. I think that will drop the connection at the SMTP level almost immediately, and prevent them from possibly finding a good username/password combo. This might free up enough resources to allow your other customers to start being able to send.

Then maybe go through the logs, add IPs to IPTABLES, and hope the DNS changes prevent new bots from finding the server.

Michael J. Colvin
NorCal Internet Services
www.norcalisp.com

-Original Message-
From: Sergio M [mailto:sergio...@gmail.com]
Sent: Tuesday, March 01, 2011 6:45 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] SMTP attack

Michael Colvin wrote:

Are all of the username portions of the e-mail addresses legitimate e-mails? IE, it looks like you cleansed the domain portion, but, in the log, are all, or most, of the e-mails legitimate? I've seen this with random attempts at guessing e-mails and passwords, but not with all legit e-mails. If they are all legit, is the domain yours? Or is it theirs? (IE do you host it as an ISP, or is this the only domain and you control it?)

Michael J. Colvin
NorCal Internet Services
www.norcalisp.com

Hi Michael, they are all legitimate email addresses, for one domain only though. We host it as an ISP.

Thanks!
Re: [qmailtoaster] SMTP attack
Sounds like they may have gotten hit with a virus or pissed someone off. I would block the domain from relaying, inform the customer, and possibly make them change their email account passwords if it's not a large organization. Ask them to relay through their provider if possible for the time being. Fail2ban would be the best solution for the time being as previously mentioned.

Sergio M wrote:

Michael Colvin wrote:

Are all of the username portions of the e-mail addresses legitimate e-mails? IE, it looks like you cleansed the domain portion, but, in the log, are all, or most, of the e-mails legitimate? I've seen this with random attempts at guessing e-mails and passwords, but not with all legit e-mails. If they are all legit, is the domain yours? Or is it theirs? (IE do you host it as an ISP, or is this the only domain and you control it?)

Michael J. Colvin
NorCal Internet Services
www.norcalisp.com

Hi Michael, they are all legitimate email addresses, for one domain only though. We host it as an ISP.

Thanks!
RE: [qmailtoaster] SMTP attack
I agree about Fail2Ban. That's your ultimate goal, but for me, getting the other users of the mail server back online is first... (Assuming you can w/o using Fail2ban.) I've found once attacks like this get effectively blocked, they go away, unless as South says, they pissed someone off and are a specific target...

Michael J. Colvin
NorCal Internet Services
www.norcalisp.com

-Original Message-
From: South Computers [mailto:i...@southcomputers.com]
Sent: Tuesday, March 01, 2011 7:07 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] SMTP attack

Sounds like they may have gotten hit with a virus or pissed someone off. I would block the domain from relaying, inform the customer, and possibly make them change their email account passwords if it's not a large organization. Ask them to relay through their provider if possible for the time being. Fail2ban would be the best solution for the time being as previously mentioned.

Sergio M wrote:

Michael Colvin wrote:

Are all of the username portions of the e-mail addresses legitimate e-mails? IE, it looks like you cleansed the domain portion, but, in the log, are all, or most, of the e-mails legitimate? I've seen this with random attempts at guessing e-mails and passwords, but not with all legit e-mails. If they are all legit, is the domain yours? Or is it theirs? (IE do you host it as an ISP, or is this the only domain and you control it?)

Michael J. Colvin
NorCal Internet Services
www.norcalisp.com

Hi Michael, they are all legitimate email addresses, for one domain only though. We host it as an ISP.

Thanks!
Re: [qmailtoaster] SMTP attack
South Computers wrote:

Sounds like they may have gotten hit with a virus or pissed someone off. I would block the domain from relaying, inform the customer, and possibly make them change their email account passwords if it's not a large organization. Ask them to relay through their provider if possible for the time being. Fail2ban would be the best solution for the time being as previously mentioned.

The passwords are all wrong. They are all like:

mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70

The domain is blocked in spamdyke, unless they authenticate and bypass the filters, so that is covered. But the SMTP sessions are used nevertheless.

I installed fail2ban (from the repos mentioned in fail2ban.org) but cannot make it work with the smtpd.

I tried with http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg23951.html but I think it has a conf file missing and the vpopmail is for pop3.

I also tried with http://notes.benv.junerules.com/all/software/qmail-spamdyke-and-fail2ban/#more-539 but cannot make it work with the RBL_MATCH filter.

Any tips from satisfied fail2ban users?

Thanks!
Sergio
Re: [qmailtoaster] SMTP attack
It does yes!

On 02/03/2011 12:58 PM, Cecil Yother, Jr. wrote:

Tony,

Does this append the existing iptable with the offending IP? I use fail2ban and it works great. OSSEC HIDS is a good tool too. I use them both actually.

CJ

On 03/01/2011 05:14 PM, Tony White wrote:

Try this at the command line and as root!

iptables -I INPUT -s 11.22.33.44 -j DROP

This will stop him dead in his tracks. You can use this command for any IP address that gives you a problem.

On 02/03/2011 11:25 AM, Sergio M wrote:

Hi there list, I have been under heavy traffic since Sunday, and it's been using all my inbound connections. I have a QMT updated box, running the latest spamdyke:

# qtp-whatami
qtp-whatami v0.3.7 Tue Mar 1 21:14:03 ART 2011
DISTRO=CentOS
OSVER=5.5
QTARCH=x86_64
QTKERN=2.6.18-194.32.1.el5
BUILD_DIST=cnt5064
BUILD_DIR=/usr/src/redhat
This machine's OS is supported and has been tested

Even though spamdyke does not let the spammers relay the mail, I still get all the connections used, making it very hard for authenticated users to send mail. For now I stopped smtpd, but I wanna see if you guys have some other thoughts to solve this.
Re: [qmailtoaster] SMTP attack
Hi,

FWIW I have some scripts that you can download from my ftp server in the pub/qtp folder. They are not all documented but they are reasonably simple scripts that can be understood easily.

goto ftp.ycs.com.au
cd /pub/qtp

QTP users are welcome to them but please use anonymous and your email address to login. The scripts are as is and work for me. They may need changes to suit your needs. If anyone improves on them I would appreciate knowing.

On 02/03/2011 12:58 PM, Cecil Yother, Jr. wrote:

Tony,

Does this append the existing iptable with the offending IP? I use fail2ban and it works great. OSSEC HIDS is a good tool too. I use them both actually.

CJ

On 03/01/2011 05:14 PM, Tony White wrote:

Try this at the command line and as root!

iptables -I INPUT -s 11.22.33.44 -j DROP

This will stop him dead in his tracks. You can use this command for any IP address that gives you a problem.

On 02/03/2011 11:25 AM, Sergio M wrote:

Hi there list, I have been under heavy traffic since Sunday, and it's been using all my inbound connections. I have a QMT updated box, running the latest spamdyke:

# qtp-whatami
qtp-whatami v0.3.7 Tue Mar 1 21:14:03 ART 2011
DISTRO=CentOS
OSVER=5.5
QTARCH=x86_64
QTKERN=2.6.18-194.32.1.el5
BUILD_DIST=cnt5064
BUILD_DIR=/usr/src/redhat
This machine's OS is supported and has been tested

Even though spamdyke does not let the spammers relay the mail, I still get all the connections used, making it very hard for authenticated users to send mail. For now I stopped smtpd, but I wanna see if you guys have some other thoughts to solve this.
Re: [qmailtoaster] SMTP attack
I found this to use fail2ban to block vpopmail failed passwd attempts, but cannot make it work. It's in Spanish, but the code is in English anyway.

http://systemadmin.es/2011/01/anadir-nuevas-reglas-de-filtrado-a-fail2ban

Any ideas, especially about the regex?

Thanks!
-Sergio
Re: [qmailtoaster] SMTP attack
Fail2Ban does not work with qmail out of the box. The scripting for the qmail log files needs to be written specifically for fail2ban. Has anyone managed to do this yet? If so what price your script please?

On 02/03/2011 2:09 PM, Sergio M wrote:

South Computers wrote:

Sounds like they may have gotten hit with a virus or pissed someone off. I would block the domain from relaying, inform the customer, and possibly make them change their email account passwords if it's not a large organization. Ask them to relay through their provider if possible for the time being. Fail2ban would be the best solution for the time being as previously mentioned.

The passwords are all wrong. They are all like:

mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70

The domain is blocked in spamdyke, unless they authenticate and bypass the filters, so that is covered. But the SMTP sessions are used nevertheless.

I installed fail2ban (from the repos mentioned in fail2ban.org) but cannot make it work with the smtpd.

I tried with http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg23951.html but I think it has a conf file missing and the vpopmail is for pop3.

I also tried with http://notes.benv.junerules.com/all/software/qmail-spamdyke-and-fail2ban/#more-539 but cannot make it work with the RBL_MATCH filter.

Any tips from satisfied fail2ban users?

Thanks!
Sergio

--
best wishes
Tony White
Yea Computing Services
http://www.ycs.com.au
4 The Crescent
Yea Victoria Australia 3717
Telephone No's
VIC : 03 9008 5614
FAX : 03 9008 5610 (FAX2Email)
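Both Sergio's question about the regex and Tony's remark that a qmail-specific filter has to be written come down to the same thing: a failregex that matches the vchkpw lines in the maillog and pulls the client address out of the trailing "user@domain:IP" field. The script below is an added example, not code from the list, from the linked pages or from the fail2ban or QMT projects. It writes the two expressions the way a fail2ban filter.d definition would, one for "password fail" (this thread) and one for "vpopmail user not found" (the older warning thread and Finn's reply), then applies them with a sliding maxretry/findtime window the way fail2ban's ban logic does. It assumes the IPv4-only stand-in for fail2ban's <HOST> expansion (the real one also accepts hostnames and IPv6) and the year 2011, because syslog timestamps carry no year; the sample log is constructed from lines quoted in the thread plus two constructed lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The same two expressions as a fail2ban filter (assumed layout, not a file
# from the list or from the QMT project):
#
#   [Definition]
#   failregex = vchkpw-smtp: password fail \(pass: '[^']*'\) \S+:<HOST>$
#               vchkpw-smtp: vpopmail user not found \S*:<HOST>$
#   ignoreregex =
#
# fail2ban replaces <HOST> with a named group that captures the client address;
# HOST below is an IPv4-only stand-in for that expansion so the patterns can be
# exercised here with plain `re`. The clear-text password that vchkpw logs is
# matched but deliberately not captured.
FAILREGEX = [
    r"vchkpw-smtp: password fail \(pass: '[^']*'\) \S+:<HOST>$",
    r"vchkpw-smtp: vpopmail user not found \S*:<HOST>$",
]
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# syslog timestamp at the start of each maillog line; it carries no year
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample: vpopmail lines as quoted in the thread plus two constructed
# ones (a third attempt from 190.158.93.231 and a "user not found" line); the
# spamdyke line shows that non-authentication lines are ignored.
SAMPLE_MAILLOG = """\
Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 201.0.152.106 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70
Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:58:01 mail vpopmail[31120]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:190.158.93.231
Feb 27 14:58:05 mail vpopmail[31125]: vchkpw-smtp: vpopmail user not found admin@:68.115.208.106
"""


def parse_failures(lines, year=2011):
    """Yield (timestamp, host) for every line one of the failregexes matches.
    `year` is assumed because syslog timestamps omit it."""
    for line in lines:
        m_ts = SYSLOG_TS.match(line)
        if not m_ts:
            continue
        ts = datetime.strptime(f"{year} {m_ts.group('ts')}", "%Y %b %d %H:%M:%S")
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                yield ts, m.group("host")
                break


def hosts_to_ban(lines, maxretry=3, findtime=600):
    """Hosts with at least `maxretry` failures inside some `findtime`-second
    window, which is the condition under which fail2ban would ban them."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = set()
    for ts, host in parse_failures(lines):
        hits = recent[host]
        hits.append(ts)
        # slide the window: forget hits older than findtime
        while ts - hits[0] > window:
            hits.pop(0)
        if len(hits) >= maxretry:
            banned.add(host)
    return sorted(banned)


if __name__ == "__main__":
    lines = SAMPLE_MAILLOG.splitlines()
    for ts, host in parse_failures(lines):
        print(ts, host)
    print("ban:", hosts_to_ban(lines))
```

Once the expressions are in a filter.d file, fail2ban's own `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/<filter>.conf` reports how many lines each failregex matched, which is the check to run before enabling the jail; a count of zero usually means the line prefix (hostname, process name) or the trailing "$" does not fit the local log format. Note in the sample that 190.158.93.231 is banned only because its three attempts fall inside the 600-second findtime; with `findtime=10` the same input bans nobody, which is the knob to reach for when a slow, distributed guess pattern like the one in this thread stays under maxretry per source.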
Re: [qmailtoaster] SMTP attack warning
On 08/14/2010 02:56 PM, Aleksander Podsiadły wrote:
> Lately I have noticed an intensive dictionary attack on mail servers from many IPs. For example:
>
> Aug 14 10:19:21 srv vpopmail[4345]: vchkpw-smtp: vpopmail user not found admin@:68.115.208.106
> Aug 14 12:19:49 srv vpopmail[26126]: vchkpw-smtp: vpopmail user not found mickey@:69.178.165.154
> Aug 14 14:29:57 srv vpopmail[27259]: vchkpw-smtp: vpopmail user not found admin@:68.115.208.106
> Aug 14 17:48:46 srv vpopmail[11419]: vchkpw-smtp: vpopmail user not found admin@:80.153.178.39
>
> IMHO it's not normal activity, so I suggest checking your mail logs.

Thanks Aleksander. We'll keep an eye out. Didn't someone write something on the wiki about using fail2ban to capture these crackers?
[qmailtoaster] SMTP attack warning
Lately I have noticed an intensive dictionary attack on mail servers from many IPs. For example:

Aug 14 10:19:21 srv vpopmail[4345]: vchkpw-smtp: vpopmail user not found admin@:68.115.208.106
Aug 14 12:19:49 srv vpopmail[26126]: vchkpw-smtp: vpopmail user not found mickey@:69.178.165.154
Aug 14 14:29:57 srv vpopmail[27259]: vchkpw-smtp: vpopmail user not found admin@:68.115.208.106
Aug 14 17:48:46 srv vpopmail[11419]: vchkpw-smtp: vpopmail user not found admin@:80.153.178.39

IMHO it's not normal activity, so I suggest checking your mail logs.

--
Pozdrawiam / Regards,
Aleksander Podsiadły
mail: a...@westside.kielce.pl
jid: a...@jabber.westside.kielce.pl
ICQ: 201121279
gg: 9150578
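The two threads above boil down to one question: what failregex lines does a fail2ban filter for vpopmail's vchkpw-smtp messages need, and do they actually match the log lines people are seeing. The following is an added example, not code from the list or from the fail2ban or qmailtoaster projects. It takes the two failregex patterns the threads suggest (the "password fail" line Finn recommends and the "vpopmail user not found" line from Aleksander's report), substitutes a named group for fail2ban's <HOST> placeholder the way fail2ban does internally (the IPv4-only group used here is a simplification of fail2ban's real host pattern), and runs them over constructed log lines modelled on the ones quoted in the threads. It then applies fail2ban's maxretry/findtime semantics so you can see which source IPs a jail with those settings would ban, and that a vchkpw-pop3 failure does not match the SMTP-only patterns.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, modelled on the vpopmail lines quoted in the threads.
# Usernames, passwords and the pop3 line are illustrative; 68.115.208.106 is
# given four attempts so the findtime window can be demonstrated.
SAMPLE_LOG = """\
Aug 14 10:19:21 srv vpopmail[4345]: vchkpw-smtp: vpopmail user not found admin@:68.115.208.106
Aug 14 10:19:25 srv vpopmail[4350]: vchkpw-smtp: vpopmail user not found root@:68.115.208.106
Aug 14 10:19:30 srv vpopmail[4355]: vchkpw-smtp: password fail (pass: 'xxxxxx') bob@example.com:68.115.208.106
Aug 14 12:19:49 srv vpopmail[26126]: vchkpw-smtp: vpopmail user not found mickey@:69.178.165.154
Aug 14 12:20:01 srv vpopmail[26130]: vchkpw-pop3: password fail (pass: 'xxxxxx') alice@example.com:10.0.0.5
Aug 14 14:29:57 srv vpopmail[27259]: vchkpw-smtp: vpopmail user not found admin@:68.115.208.106
Aug 14 17:48:46 srv vpopmail[11419]: vchkpw-smtp: vpopmail user not found admin@:80.153.178.39
"""

# The failregex lines as they would be written in a filter.d/*.conf [Definition]
# section. <HOST> is fail2ban's placeholder for the offending address.
FAILREGEX = [
    r"vchkpw-smtp: password fail .*:<HOST>$",
    r"vchkpw-smtp: vpopmail user not found .*:<HOST>$",
]

# Simplified stand-in for what fail2ban substitutes for <HOST> (assumption:
# IPv4 only; fail2ban's real pattern also accepts hostnames and IPv6).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
TIMESTAMP_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")
COMPILED = [re.compile(rx.replace("<HOST>", HOST_GROUP)) for rx in FAILREGEX]


def parse_failures(log_text):
    """Return a (timestamp, host) tuple for every line that matches a failregex."""
    hits = []
    for line in log_text.splitlines():
        ts_match = TIMESTAMP_RE.match(line)
        if not ts_match:
            continue  # not a syslog-style line; fail2ban would skip it too
        for rx in COMPILED:
            m = rx.search(line)
            if m:
                # syslog timestamps carry no year; strptime defaults to 1900,
                # which is fine because only differences are used below.
                ts = datetime.strptime(ts_match.group("ts"), "%b %d %H:%M:%S")
                hits.append((ts, m.group("host")))
                break
    return hits


def offenders(log_text, maxretry=3, findtime=600):
    """Hosts that reach maxretry matches inside any findtime-second window.

    This mirrors a jail's maxretry/findtime logic: a sliding window over each
    host's failure timestamps, banning on the attempt that fills the window.
    """
    by_host = defaultdict(list)
    for ts, host in parse_failures(log_text):
        by_host[host].append(ts)

    banned = set()
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Drop attempts that fell out of the window ending at t.
            while (t - times[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    for ts, host in parse_failures(SAMPLE_LOG):
        print(ts.strftime("%b %d %H:%M:%S"), host)
    print("would ban (maxretry=3, findtime=600):", sorted(offenders(SAMPLE_LOG)))
```

With the sample log, 68.115.208.106 is banned on its third attempt inside ten seconds, while the single attempts from 69.178.165.154 and 80.153.178.39 stay below the threshold, and the pop3 failure from 10.0.0.5 is ignored because the patterns are anchored on vchkpw-smtp. Raising maxretry to 4 with the same 600-second findtime bans nobody, because the fourth attempt from 68.115.208.106 arrives four hours later; widening findtime to six hours makes that host ban again. One caveat for the "user not found" pattern: a legitimate user who mistypes their login produces the same line, so either keep maxretry comfortably above a human's typo rate or list trusted networks under the jail's ignoreip.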
