Re: [qmailtoaster] qmail and spf and gategay

2011-03-01 Thread Gustavo De Poli
Thank you very much. Then: 1) I'll change 3 to 1 in the file /var/qmail/control/spfbehavior. This means no SPF reject. Is that correct? 2) Change spammer with: (but where??? /var/??) # add score to pass SPF header spf_pass Received-SPF =~ /\bpass\b/ describe spf_pass SPF Test Pass score

Re: [qmailtoaster] qmail and spf and gategay

2011-03-01 Thread PakOgah
1. correct. qmt will not reject email if it doesn't have valid SPF 2. sorry I forgot to tell you. create file in /etc/mail/spamassassin/70_custom_rule.cf then restart qmail detail here: http://www.am3n.co.cc/2011/03/01/spamassasin-custom-rules-to-check-spf-b/ Thank you very much. Then: 1) I'll

Re: [qmailtoaster] qmail and spf and gategay

2011-03-01 Thread Gustavo De Poli
you great! thanks YO!!! Gustavo 2011/3/1 PakOgah pako...@pala.bo-tak.info 1. correct. qmt will not reject email if it doesn't have valid SPF 2. sorry I forgot to tell you. create file in /etc/mail/spamassassin/70_custom_rule.cf then restart qmail detail here:

Re: [qmailtoaster] qtp-newmodel upgrade fail dependencies on CentOS 5.3

2011-03-01 Thread Jake Vickers
On 02/28/2011 11:03 PM, Sue Jones wrote: Hello, I am trying to update some of my qmailtoaster files using qtp-newmodel, but am running into a problem because we are running it on CentOS 5.3 and getting an error when installing the dependencies (see output below).

[qmailtoaster] .mailfilter rules

2011-03-01 Thread PakOgah
I tried to create .mailfilter rules based on slamp slamp example http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg15443.html which will deliver email with a subject containing qmailtoaster to folder qmailtoaster and email with a subject containing SPAM or BULK to folder Spam and other

[qmailtoaster] Re: qtp-newmodel upgrade fail dependencies on CentOS 5.3

2011-03-01 Thread Eric Shubert
On 03/01/2011 07:46 AM, Jake Vickers wrote: On 02/28/2011 11:03 PM, Sue Jones wrote: Hello, I am trying to update some of my qmailtoaster files using qtp-newmodel, but am running into a problem because we are running it on CentOS 5.3 and getting an error when installing the dependencies (see

[qmailtoaster] Re: QTP NewModel and CentOS

2011-03-01 Thread Eric Shubert
On 02/27/2011 09:22 PM, Dan McAllister wrote: Greetings all... I've been using QTP almost since its inception -- I love most of the scripts and find most to be refreshingly robust. I say most, because I did another QMT install this weekend and decided to spend a little time trying to debug an

[qmailtoaster] SMTP attack

2011-03-01 Thread Sergio M
Hi there list, I have been under heavy traffic since Sunday, and it's been using all my inbound connections. I have a QMT updated box, running the latest spamdyke: # qtp-whatami /qtp-whatami v0.3.7 Tue Mar 1 21:14:03 ART 2011 DISTRO=CentOS OSVER=5.5 QTARCH=x86_64 QTKERN=2.6.18-194.32.1.el5

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Edwin Casimero
Ban the bad guy IP at the firewall level. Best wishes, Edwin On 03/02/2011 08:25 AM, Sergio M wrote: Hi there list, I have been under heavy traffic since Sunday, and it's been using all my inbound connections. I have a QMT updated box, running the latest spamdyke: # qtp-whatami /qtp-whatami

[qmailtoaster] Re: SMTP attack

2011-03-01 Thread Eric Shubert
Sergio, .) Be sure you're running the latest spamdyke (4.2.0). 4.1.x versions had a bug where rejected sessions would not terminate immediately, causing excessive idle smtp sessions (and ultimately TIMEOUTs). That may not be affecting you, but you should check to be sure. Run

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Tony White
Try this at the command line and as root! iptables -I INPUT -s 11.22.33.44 -j DROP This will stop him dead in his tracks. You can use this command for any ip address that gives you a problem. On 02/03/2011 11:25 AM, Sergio M wrote: Hi there list, I have been under heavy traffic since Sunday,

[qmailtoaster] Re: SMTP attack

2011-03-01 Thread Eric Shubert
Yes, but the attacks appear to be coming from a variety of addresses. fail2ban will do essentially this automatically and for whatever addresses attacks may come from. fail2ban is a much better solution imo. -- -Eric 'shubes' On 03/01/2011 06:14 PM, Tony White wrote: Try this at the command

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Carlos Herrera Polo
Does the greylisting process not work for this problem? 2011/3/1, Eric Shubert e...@shubes.net: Sergio, .) Be sure you're running the latest spamdyke (4.2.0). 4.1.x versions had a bug where rejected sessions would not terminate immediately, causing excessive idle smtp sessions (and ultimately

Re: [qmailtoaster] Re: SMTP attack

2011-03-01 Thread Tony White
Agreed Eric, but this is a VERY quick simple fix when the thing starts! On 02/03/2011 12:24 PM, Eric Shubert wrote: Yes, but the attacks appear to be coming from a variety of addresses. fail2ban will do essentially this automatically and for whatever addresses attacks may come from. fail2ban

Re: [qmailtoaster] Re: SMTP attack

2011-03-01 Thread Sergio M
Eric Shubert wrote: Sergio, .) Be sure you're running the latest spamdyke (4.2.0). 4.1.x versions had a bug where rejected sessions would not terminate immediately, causing excessive idle smtp sessions (and ultimately TIMEOUTs). That may not be affecting you, but you should check to be

Re: [qmailtoaster] Re: SMTP attack

2011-03-01 Thread Tony White
Eric, Do you have Fail2Ban working with the qmail logs? On 02/03/2011 12:24 PM, Eric Shubert wrote: Yes, but the attacks appear to be coming from a variety of addresses. fail2ban will do essentially this automatically and for whatever addresses attacks may come from. fail2ban is a much better

Re: [qmailtoaster] Re: SMTP attack

2011-03-01 Thread Sergio M
I think he said he is not a user yet, but I am looking at: http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg23951.html Tony White wrote: Eric, Do you have Fail2Ban working with the qmail logs? On 02/03/2011 12:24 PM, Eric Shubert wrote: Yes, but the attacks appear to be

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Cecil Yother, Jr.
Tony, Does this append the existing iptable with the offending IP? I use fail2ban and it works great. OSSEC HIDS is a good tool too. I use them both actually. CJ On 03/01/2011 05:14 PM, Tony White wrote: Try this at the command line and as root! iptables -I INPUT -s 11.22.33.44 -j DROP

[qmailtoaster] Re: SMTP attack

2011-03-01 Thread Eric Shubert
I don't think so. The hacker is trying to authenticate, and failing. Greylisting would prohibit mail from being received, but the problem occurs before an email is transmitted. Thanks for the suggestion though. -- -Eric 'shubes' On 03/01/2011 06:38 PM, Carlos Herrera Polo wrote: Greylisting

RE: [qmailtoaster] SMTP attack

2011-03-01 Thread Michael Colvin
Are all of the username portions of the e-mail addresses legitimate e-mails? IE, it looks like you cleansed the domain portion, but, in the log, are all, or most, of the e-mails legitimate? I've seen this with random attempts at guessing e-mails and passwords, but not with all legit e-mails.

[qmailtoaster] Re: SMTP attack

2011-03-01 Thread Eric Shubert
True enough. Can be a quick and dirty (temporary) fix. -- -Eric 'shubes' On 03/01/2011 06:44 PM, Tony White wrote: Agreed Eric, but this is a VERY quick simple fix when the thing starts! On 02/03/2011 12:24 PM, Eric Shubert wrote: Yes, but the attacks appear to be coming from a variety of

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Sergio M
Michael Colvin wrote: Are all of the username portions of the e-mail addresses legitimate e-mails? IE, it looks like you cleansed the domain portion, but, in the log, are all, or most, of the e-mails legitimate? I've seen this with random attempts at guessing e-mails and passwords, but

[qmailtoaster] Re: SMTP attack

2011-03-01 Thread Eric Shubert
If CJ got it working, then I expect that just about anyone can do it. ;) JK CJ. Would you care to create a page on the wiki for this? -- -Eric 'shubes' On 03/01/2011 06:58 PM, Cecil Yother, Jr. wrote: Tony, Does this append the existing iptable with the offending IP? I use fail2ban and it

[qmailtoaster] Re: SMTP attack

2011-03-01 Thread Eric Shubert
I haven't implemented Fail2Ban yet. Been meaning to, but haven't had the need. I believe others on this list have though. -- -Eric 'shubes' On 03/01/2011 06:52 PM, Tony White wrote: Eric, Do you have Fail2Ban working with the qmail logs? On 02/03/2011 12:24 PM, Eric Shubert wrote: Yes, but

RE: [qmailtoaster] SMTP attack

2011-03-01 Thread Michael Colvin
Well... My first thought would be to isolate this domain from my mail server, so that it isn't affecting my other customers. Perhaps changing DNS (Change the IP for the server to something non-existent for now, like 192.168.0.1 or something.) Likely won't stop it immediately but might prevent

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread South Computers
Sounds like they may have gotten hit with a virus or pissed someone off. I would block the domain from relaying, inform the customer, possibly make them change their email account passwords if it's not a large organization. Ask them to relay through their provider if possible for the time

RE: [qmailtoaster] SMTP attack

2011-03-01 Thread Michael Colvin
I agree about Fail2Ban. That's your ultimate goal, but for me, getting the other users of the mail server back online is first... (Assuming you can w/o using Fail2ban) I've found once attacks like this get effectively blocked, they go away, unless as South says, they pissed someone off and are

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Sergio M
South Computers wrote: Sounds like they may have gotten hit with a virus or pissed someone off. I would block the domain from relaying, inform the customer, possibly make them change their email account passwords if it's not a large organization. Ask them to relay through their provider if

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Tony White
It does yes! On 02/03/2011 12:58 PM, Cecil Yother, Jr. wrote: Tony, Does this append the existing iptable with the offending IP? I use fail2ban and it works great. OSSEC HIDS is a good tool too. I use them both actually. CJ On 03/01/2011 05:14 PM, Tony White wrote: Try this at the

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Tony White
Hi, FWIW I have some scripts that you can download from my ftp server in the pub/qtp folder. They are not all documented but they are reasonably simple scripts that can be understood easily. goto ftp.ycs.com.au cd /pub/qtp qtp users are welcome to them but please use anonymous and your email

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Sergio M
I found this to use fail2ban to block vpopmail failed passwd attempts, but cannot make it work. It's in Spanish, but the code is in English anyway. http://systemadmin.es/2011/01/anadir-nuevas-reglas-de-filtrado-a-fail2ban any ideas, especially about the regex? Thanks! -Sergio

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Tony White
Fail2Ban does not work with qmail out of the box. The scripting for the qmail log files needs to be written specifically for fail2ban. Has anyone managed to do this yet? If so what price your script please? On 02/03/2011 2:09 PM, Sergio M wrote: South Computers wrote: Sounds like they

Re: [qmailtoaster] Re: SMTP attack

2011-03-01 Thread Maxwell Smart
I actually use OSSECHIDS for this type of attack. I use fail2ban for ftp and ssh. Ole is the chap that knows fail2ban for Qmail. You can install it now using yum install fail2ban instead of compiling. On 03/01/2011 06:40 PM, Eric Shubert wrote: If CJ got it working, then I expect that just

Re: [qmailtoaster] Re: SMTP attack

2011-03-01 Thread Tony White
Trouble is Fail2Ban requires the shorewall firewall! At least if you use the rpm's. On 02/03/2011 3:58 PM, Maxwell Smart wrote: I actually use OSSECHIDS for this type of attack. I use fail2ban for ftp and ssh. Ole is the chap that knows fail2ban for Qmail. You can install it now using yum