[qmailtoaster] SMTP attack

2011-03-01 Thread Sergio M
Hi there list, I have been under heavy traffic since Sunday, and it's been using all my inbound connections. I have a QMT updated box, running the latest spamdyke: # qtp-whatami /qtp-whatami v0.3.7 Tue Mar 1 21:14:03 ART 2011 DISTRO=CentOS OSVER=5.5 QTARCH=x86_64 QTKERN=2.6.18-194.32.1.el5

Re: [qmailtoaster] Re: SMTP attack

2011-03-01 Thread Sergio M
Eric Shubert wrote: Sergio, .) Be sure you're running the latest spamdyke (4.2.0). 4.1.x versions had a bug where rejected sessions would not terminate immediately, causing excessive idle smtp sessions (and ultimately TIMEOUTs). That may not be affecting you, but you should check to be

Re: [qmailtoaster] Re: SMTP attack

2011-03-01 Thread Sergio M
I think he said he is not a user yet, but I am looking at: http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg23951.html Tony White wrote: Eric, Do you have Fail2Ban working with the qmail logs? On 02/03/2011 12:24 PM, Eric Shubert wrote: Yes, but the attacks appear to be

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Sergio M
Michael Colvin wrote: Are all of the username portions of the e-mail addresses legitimate e-mails? IE, it looks like you cleansed the domain portion, but, in the log, are all, or most, of the e-mails legitimate? I've seen this with random attempts at guessing e-mails and passwords, but

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Sergio M
South Computers wrote: Sounds like they may have gotten hit with a virus or pissed someone off. I would block the domain from relaying inform the customer, possibly make them change their email account passwords if it's not a large organization. Ask them to relay through their provider if

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Sergio M
I found this to use fail2ban to block vpopmail failed passwd attempts, but cannot make it work. It's in Spanish, but the code is in English anyway. http://systemadmin.es/2011/01/anadir-nuevas-reglas-de-filtrado-a-fail2ban Any ideas, especially about the regex? Thanks! -Sergio

Re: [qmailtoaster] SMTP attack

2011-03-02 Thread Sergio M
Finn Buhelt (kirstineslund) wrote: Hi Sergio. If I am reading Your logfile correct You should try to replace *vchkpw-pop3: vpopmail user not found* with *vchkpw-smtp: password fail* and leave everything else. Change this in the filter.d directory and remember to reload fail2ban (

Re: [qmailtoaster] SMTP attack

2011-03-02 Thread Sergio M
Finn Buhelt (kirstineslund) wrote: Hi Sergio. If I am reading Your logfile correct You should try to replace *vchkpw-pop3: vpopmail user not found* with *vchkpw-smtp: password fail* and leave everything else. Change this in the filter.d directory and remember to reload fail2ban (

Re: [qmailtoaster] SMTP attack

2011-03-02 Thread Sergio M
Finn Buhelt (kirstineslund) wrote: Hi Sergio. If I am reading Your logfile correct You should try to replace *vchkpw-pop3: vpopmail user not found* with *vchkpw-smtp: password fail* and leave everything else. Change this in the filter.d directory and remember to reload fail2ban (

Re: [qmailtoaster] SMTP attack

2011-03-02 Thread Sergio M
Finn Buhelt (kirstineslund) wrote: Hi again Sergio. FYI fail2ban unbans the IP after X minutes (X is set in the jail.conf either globally or per 'filter.conf') /Finn Hi, I am banning them for 1 week, but I wanted to know how to unban someone right away if a customer complains. Thanks!

[qmailtoaster] Fail2ban and vpopmail

2011-03-02 Thread Sergio M
[from this other thread http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30514.html ] As I said, being under SMTP attack I installed fail2ban and created a set of rules like: *** jail.conf *** (...) [vpopmail] enabled = true port = pop3 filter = vpopmail action =

[qmailtoaster] Re: Fail2ban and vpopmail

2011-03-02 Thread Sergio M
Sergio M wrote: [from this other thread http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30514.html ] As I said, being under SMTP attack I installed fail2ban and created a set of rules like: *** jail.conf *** (...) [vpopmail] enabled = true port = pop3 filter

Re: [qmailtoaster] SMTP attack

2011-03-02 Thread Sergio M
Finn Buhelt (kirstineslund) wrote: Hi Sergio. 1. There is a *.conf file somewhere on the net that checks fail2ban's own logfile and to a certain extent prevent this from happening. (sorry can't remember where but will do some investigation and let You know if I'm successful) Finn, I

Re: [qmailtoaster] Re: Fail2ban and vpopmail

2011-03-02 Thread Sergio M
Eric Shubert wrote: On 03/02/2011 06:31 AM, Sergio M wrote: [from this other thread http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30514.html ] As I said, being under SMTP attack I installed fail2ban and created a set of rules like: *** jail.conf *** (...) [vpopmail

Re: [qmailtoaster] Re: Fail2ban and vpopmail

2011-03-02 Thread Sergio M
Eric Shubert wrote: You should see: 03-02 10:09:37 tcpserver: status: 0/25 right after you start qmail. If it doesn't drop to 0 when you start it, then something's wrong. Please check the status message which corresponds to the start of qmail. If it's not 0/25, please post several lines

Re: [qmailtoaster] Re: Fail2ban and vpopmail

2011-03-02 Thread Sergio M
Eric Shubert wrote: On 03/02/2011 10:22 AM, Sergio M wrote: Eric Shubert wrote: You should see: 03-02 10:09:37 tcpserver: status: 0/25 right after you start qmail. If it doesn't drop to 0 when you start it, then something's wrong. Please check the status message which corresponds

Re: [qmailtoaster] Re: Fail2ban and vpopmail

2011-03-02 Thread Sergio M
#!/bin/sh exec /usr/bin/spamd -x -m 8 -u vpopmail -s stderr 2>&1 That's a good start. What are your load numbers looking like? Pretty low I expect. I'd open that puppy up. You can handle way more than 25 connections. I'd go back to the default value of 100 for starters, and double the number

Re: [qmailtoaster] Re: Fail2ban and vpopmail

2011-03-02 Thread Sergio M
Eric Shubert wrote: On 03/02/2011 12:04 PM, Sergio M wrote: #!/bin/sh exec /usr/bin/spamd -x -m 8 -u vpopmail -s stderr 2>&1 That's a good start. What are your load numbers looking like? Pretty low I expect. I'd open that puppy up. You can handle way more than 25 connections. I'd go back

Re: [qmailtoaster] Re: Fail2ban and vpopmail

2011-03-02 Thread Sergio M
Eric Shubert wrote: On 03/02/2011 12:32 PM, Sergio M wrote: Eric Shubert wrote: On 03/02/2011 12:04 PM, Sergio M wrote: #!/bin/sh exec /usr/bin/spamd -x -m 8 -u vpopmail -s stderr 2>&1 That's a good start. What are your load numbers looking like? Pretty low I expect. I'd open

Re: [qmailtoaster] Re: Fail2ban and vpopmail

2011-03-02 Thread Sergio M
I can say that with 64 concurrencyincoming and 16 spamd children (and a magic reboot, just in case) it's now flowing smoothly and the sessions are under 40/64 most of the time. (for now) # top top - 17:19:24 up 43 min, 1 user, load average: 0.55, 0.73, 0.95 Tasks: 269 total, 1 running, 268

Re: [qmailtoaster] Re: SMTP attack

2011-03-04 Thread Sergio M
formatting, especially the code snippets and quotes. Thanks! -- Sergio M mailto:sergio...@gmail.com

Re: [qmailtoaster] Re: SMTP attack

2011-03-05 Thread Sergio M
Eric Shubert wrote: Timing is good on this. :) http://wiki.qmailtoaster.com/index.php?title=Fail2Ban&action= Have at it. I've added a link to this page under the Configuration- Security section. It's a start (albeit not much of one). Hey guys, I created a basic article,

Re: Re: [qmailtoaster] Re: SMTP attack

2011-03-08 Thread Sergio M
Pak Ogah wrote: On 07-Mar-11 21:49, Eric Shubert wrote: Great job, Pak. Thanks, Toma. Pak, will you get this incorporated into the wiki? TIA. Ok Eric, it's done but since I just copy-paste as is and re-formatting, I didn't know what

[qmailtoaster] QMT service lock errors

2011-07-07 Thread Sergio M
Hi there list. Yesterday I had this weird problem with my QMT box. First, the SMTP and POP3 services stopped to answer. So I ssh'ed in and made a qmailctl stat. Every service looked like this: supervise: fatal: unable to acquire log/supervise/lock: read-only file system So I tried to qmailctl

Re: Re: [qmailtoaster] QMT service lock errors

2011-07-09 Thread Sergio M
On -10/01/37 16:59, Jake Vickers wrote: On 07/07/2011 11:47 AM, Sergio M wrote: Hi there list. Yesterday I had this weird problem with my QMT box. First, the SMTP and POP3 services stopped to answer. So I ssh'ed in and made a qmailctl stat. Every service looked like this: supervise: fatal

Re: [qmailtoaster] QMT service lock errors

2011-07-12 Thread Sergio M
On 09/07/11 19:31, Sergio M wrote: On -10/01/37 16:59, Jake Vickers wrote: On 07/07/2011 11:47 AM, Sergio M wrote: Hi there list. Yesterday I had this weird problem with my QMT box. First, the SMTP and POP3 services stopped to answer. So I ssh'ed in and made a qmailctl stat. Every