Re: [qmailtoaster] SMTP attack

2011-03-02 Thread Finn Buhelt (kirstineslund)
Hi Sergio. If I am reading your logfile correctly, you should try to replace *vchkpw-pop3: vpopmail user not found* with *vchkpw-smtp: password fail* and leave everything else. Change this in the filter.d directory and remember to reload fail2ban (fail2ban-client reload on the CLI).
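To show what a filter of the kind Finn describes actually does, here is its matching logic written out in Python (fail2ban filters are Python regexes, so the failregex lines carry over into a filter.d file unchanged). This is an added example, not code from the thread or from the fail2ban project: the filter file name, the failregex patterns, the maxretry/findtime values and the log lines are constructed assumptions, with the "user not found" lines modelled on the ones quoted later on this page and the "password fail" line layout assumed. It keeps POP3 failures out of the SMTP jail with an ignoreregex and replays the log through a findtime window so you can see which host would actually get banned.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines in the syslog format vpopmail's vchkpw emits. The
# "user not found" lines mirror those quoted elsewhere in this thread; the
# "password fail" layout is an assumption. Addresses are documentation ranges.
SAMPLE_LOG = """\
Mar  1 21:00:01 srv vpopmail[4345]: vchkpw-smtp: vpopmail user not found admin@:203.0.113.5
Mar  1 21:00:03 srv vpopmail[4346]: vchkpw-smtp: vpopmail user not found sales@:203.0.113.5
Mar  1 21:00:05 srv vpopmail[4347]: vchkpw-smtp: password fail (pass: 'guess') info@example.com:203.0.113.5
Mar  1 21:00:08 srv vpopmail[4348]: vchkpw-smtp: password fail (pass: '123456') info@example.com:203.0.113.5
Mar  1 21:00:09 srv vpopmail[4349]: vchkpw-pop3: vpopmail user not found bob@:198.51.100.7
Mar  1 21:00:12 srv vpopmail[4350]: vchkpw-smtp: vpopmail user not found mickey@:203.0.113.5
Mar  1 21:05:00 srv vpopmail[4351]: vchkpw-smtp: vpopmail user not found test@:198.51.100.7
Mar  1 21:20:00 srv vpopmail[4352]: vchkpw-smtp: vpopmail user not found test@:198.51.100.7
Mar  1 21:35:00 srv vpopmail[4353]: vchkpw-smtp: vpopmail user not found test@:198.51.100.7
Mar  1 21:50:00 srv vpopmail[4354]: vchkpw-smtp: vpopmail user not found test@:198.51.100.7
Mar  1 22:05:00 srv vpopmail[4355]: vchkpw-smtp: vpopmail user not found test@:198.51.100.7
"""

# What would sit under [Definition] in an assumed /etc/fail2ban/filter.d/vpopmail-smtp.conf.
# fail2ban substitutes its own host pattern for <HOST>; we do the same below.
FAILREGEX = [
    r"vchkpw-smtp: vpopmail user not found \S*@\S*:<HOST>$",
    r"vchkpw-smtp: password fail .*:<HOST>$",
]
IGNOREREGEX = [
    r"vchkpw-pop3:",          # POP3 failures belong in a separate jail, if at all
]

HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
_FAIL = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]
_IGNORE = [re.compile(p) for p in IGNOREREGEX]
_STAMP = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)")


def parse_line(line, year=2011):
    """Return (timestamp, host) when a line matches a failregex and no ignoreregex, else None."""
    if any(r.search(line) for r in _IGNORE):
        return None
    for r in _FAIL:
        m = r.search(line)
        if m:
            stamp = _STAMP.match(line).group(1)
            ts = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=year)
            return ts, m.group("host")
    return None


def find_bans(lines, maxretry=5, findtime=600):
    """Replay lines through a jail: ban a host on its maxretry-th failure within findtime seconds."""
    recent = defaultdict(list)   # host -> failure timestamps still inside the findtime window
    banned = []
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        ts, host = hit
        if host in banned:
            continue
        window = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    for host in find_bans(SAMPLE_LOG.splitlines()):
        # the rule fail2ban's default iptables action would add for the banned host
        print(f"iptables -I INPUT -s {host} -j DROP")
```

With the defaults, 203.0.113.5 is banned on its fifth SMTP failure inside ten minutes, while 198.51.100.7, which fails once every fifteen minutes, never accumulates enough hits inside the window; raising findtime to an hour catches it too. Before loading a filter like this, run fail2ban-regex against the real vpopmail log to confirm the failregex matches the lines your version of vchkpw writes.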

Re: [qmailtoaster] SMTP attack

2011-03-02 Thread Sergio M
Finn Buhelt (kirstineslund) wrote: Hi Sergio. If I am reading your logfile correctly, you should try to replace *vchkpw-pop3: vpopmail user not found* with *vchkpw-smtp: password fail* and leave everything else. Change this in the filter.d directory and remember to reload fail2ban (

Re: [qmailtoaster] SMTP attack

2011-03-02 Thread Finn Buhelt (kirstineslund)
Hi Sergio. Try to remove the @ sign and give it a go! Regards Finn On 02-03-2011 13:27, Sergio M wrote: Finn Buhelt (kirstineslund) wrote: Hi Sergio. If I am reading your logfile correctly, you should try to replace *vchkpw-pop3: vpopmail user not found* with *vchkpw-smtp: password

Re: [qmailtoaster] SMTP attack

2011-03-02 Thread Finn Buhelt (kirstineslund)
Hi Sergio. 1. There is a *.conf file somewhere on the net that checks fail2ban's own logfile and to a certain extent prevents this from happening (sorry, can't remember where, but I will do some investigation and let you know if I'm successful). 2. iptables -D name-of-the-banned -s IP -j

Re: [qmailtoaster] SMTP attack

2011-03-02 Thread Finn Buhelt (kirstineslund)
Hi again Sergio. FYI fail2ban unbans the IP after X minutes (X is set in the jail.conf either globally or per 'filter.conf') /Finn On 02-03-2011 13:42, Sergio M wrote: Finn Buhelt (kirstineslund) wrote: Hi Sergio. If I am reading your logfile correctly, you should try to replace

Re: [qmailtoaster] SMTP attack

2011-03-02 Thread Sergio M
Finn Buhelt (kirstineslund) wrote: Hi again Sergio. FYI fail2ban unbans the IP after X minutes (X is set in the jail.conf either globally or per 'filter.conf') /Finn Hi, I am banning them for 1 week, but I wanted to know how to unban someone right away if a customer complains. Thanks!

Re: [qmailtoaster] SMTP attack

2011-03-02 Thread Sergio M
Finn Buhelt (kirstineslund) wrote: Hi Sergio. 1. There is a *.conf file somewhere on the net that checks fail2ban's own logfile and to a certain extent prevents this from happening (sorry, can't remember where, but I will do some investigation and let you know if I'm successful). Finn, I

Re: [qmailtoaster] SMTP attack

2011-03-02 Thread Finn Buhelt (kirstineslund)
Hi Sergio. Yep, you're right, I think that was the one I was thinking of. I too think the second one looks very promising; I'll have a closer look at the script later on. Also, as you write, it's possible to save iptables before reloading fail2ban. Good point. REMEMBER that fail2ban as

Re: [qmailtoaster] SMTP attack

2011-03-02 Thread David Milholen
+1 on this method, but it looks as if the bot has nodes, so those IPs need to be blocked also. You can do a range of IPs by using CIDR notation, i.e. 11.22.33.44/16 = 11.22.00.00 - 11.22.254.254. Be careful with this because you could inadvertently drop legit mail.
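David's warning about blocking ranges is worth checking before a rule goes into the firewall. The following is an added example, not code from the thread or from any project mentioned in it: it computes the exact bounds of a block written the way David wrote it (11.22.33.44/16 is the network 11.22.0.0/16, covering 11.22.0.0 through 11.22.255.255), collapses a list of attacking hosts into the narrowest set of CIDR blocks that covers only those hosts, finds the single supernet covering all of them, and reports which customer addresses each candidate block would also drop. The attacker and customer addresses are constructed for the example; the DROP rule it renders is the one Tony gave.

```python
import ipaddress

# Constructed data: attacking addresses seen in a log (documentation ranges) and the
# addresses of customers who legitimately submit mail through this server.
ATTACKERS = ["203.0.113.4", "203.0.113.5", "203.0.113.6", "203.0.113.7", "203.0.113.200"]
CUSTOMERS = ["203.0.113.130", "198.51.100.20", "11.22.200.9"]


def describe(block):
    """First/last address and size of a CIDR block written from any address inside it."""
    net = ipaddress.ip_network(block, strict=False)   # strict=False accepts 11.22.33.44/16
    return {"network": str(net), "first": str(net[0]), "last": str(net[-1]),
            "addresses": net.num_addresses}


def collateral(block, allow_list):
    """Legitimate addresses that a DROP rule for `block` would also cut off."""
    net = ipaddress.ip_network(block, strict=False)
    return [ip for ip in allow_list if ipaddress.ip_address(ip) in net]


def exact_cover(ips):
    """Smallest set of CIDR blocks covering exactly the given addresses and nothing else."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(ip) for ip in ips)
    return [str(n) for n in nets]


def smallest_covering_block(ips):
    """One supernet covering every address; wider than exact_cover, so check collateral."""
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    net = ipaddress.ip_network(addrs[0])
    while not all(a in net for a in addrs):
        net = net.supernet()
    return str(net)


def iptables_rules(blocks):
    """Render the DROP rule from the thread for each block (as text; nothing is applied)."""
    return [f"iptables -I INPUT -s {b} -j DROP" for b in blocks]


if __name__ == "__main__":
    print(describe("11.22.33.44/16"))
    wide = smallest_covering_block(ATTACKERS)
    print(wide, "would also drop:", collateral(wide, CUSTOMERS))
    for rule in iptables_rules(exact_cover(ATTACKERS)):
        print(rule)
```

Against the constructed data the single covering block is 203.0.113.0/24, which would also cut off a customer at 203.0.113.130, whereas the exact cover (203.0.113.4/30 plus 203.0.113.200/32) drops nobody legitimate. Run the same check with your own customer list before widening a rule to a /16.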

[qmailtoaster] SMTP attack

2011-03-01 Thread Sergio M
Hi there list, I have been under heavy traffic since Sunday, and it's been using all my inbound connections. I have a QMT updated box, running the latest spamdyke: # qtp-whatami /qtp-whatami v0.3.7 Tue Mar 1 21:14:03 ART 2011 DISTRO=CentOS OSVER=5.5 QTARCH=x86_64 QTKERN=2.6.18-194.32.1.el5

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Edwin Casimero
Ban the bad guy IP at the firewall level. Best wishes, Edwin On 03/02/2011 08:25 AM, Sergio M wrote: Hi there list, I have been under heavy traffic since Sunday, and it's been using all my inbound connections. I have a QMT updated box, running the latest spamdyke: # qtp-whatami /qtp-whatami

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Tony White
Try this at the command line and as root! iptables -I INPUT -s 11.22.33.44 -j DROP This will stop him dead in his tracks. You can use this command for any IP address that gives you a problem. On 02/03/2011 11:25 AM, Sergio M wrote: Hi there list, I have been under heavy traffic since Sunday,

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Carlos Herrera Polo
Does the greylisting process not work for this problem? 2011/3/1, Eric Shubert e...@shubes.net: Sergio, .) Be sure you're running the latest spamdyke (4.2.0). 4.1.x versions had a bug where rejected sessions would not terminate immediately, causing excessive idle SMTP sessions (and ultimately

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Cecil Yother, Jr.
Tony, Does this append the existing iptables with the offending IP? I use fail2ban and it works great. OSSEC HIDS is a good tool too. I use them both actually. CJ On 03/01/2011 05:14 PM, Tony White wrote: Try this at the command line and as root! iptables -I INPUT -s 11.22.33.44 -j DROP

RE: [qmailtoaster] SMTP attack

2011-03-01 Thread Michael Colvin
, March 01, 2011 4:25 PM To: QmailToaster List Subject: [qmailtoaster] SMTP attack Hi there list, I have been under heavy traffic since Sunday, and it's been using all my inbound connections. I have a QMT updated box, running the latest spamdyke: # qtp-whatami /qtp-whatami v0.3.7 Tue Mar 1 21

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Sergio M
Michael Colvin wrote: Are all of the username portions of the e-mail addresses legitimate e-mails? I.e., it looks like you cleansed the domain portion, but, in the log, are all, or most, of the e-mails legitimate? I've seen this with random attempts at guessing e-mails and passwords, but

RE: [qmailtoaster] SMTP attack

2011-03-01 Thread Michael Colvin
...@gmail.com] Sent: Tuesday, March 01, 2011 6:45 PM To: qmailtoaster-list@qmailtoaster.com Subject: Re: [qmailtoaster] SMTP attack Michael Colvin wrote: Are all of the username portions of the e-mail addresses legitimate e-mails? I.e., it looks like you cleansed the domain portion

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread South Computers
Sounds like they may have gotten hit with a virus or pissed someone off. I would block the domain from relaying, inform the customer, and possibly make them change their email account passwords if it's not a large organization. Ask them to relay through their provider if possible for the time

RE: [qmailtoaster] SMTP attack

2011-03-01 Thread Michael Colvin
and are a specific target... Michael J. Colvin NorCal Internet Services www.norcalisp.com -----Original Message----- From: South Computers [mailto:i...@southcomputers.com] Sent: Tuesday, March 01, 2011 7:07 PM To: qmailtoaster-list@qmailtoaster.com Subject: Re: [qmailtoaster] SMTP attack

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Sergio M
South Computers wrote: Sounds like they may have gotten hit with a virus or pissed someone off. I would block the domain from relaying, inform the customer, and possibly make them change their email account passwords if it's not a large organization. Ask them to relay through their provider if

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Tony White
It does, yes! On 02/03/2011 12:58 PM, Cecil Yother, Jr. wrote: Tony, Does this append the existing iptables with the offending IP? I use fail2ban and it works great. OSSEC HIDS is a good tool too. I use them both actually. CJ On 03/01/2011 05:14 PM, Tony White wrote: Try this at the

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Tony White
Hi, FWIW I have some scripts that you can download from my ftp server in the pub/qtp folder. They are not all documented, but they are reasonably simple scripts that can be understood easily. Go to ftp.ycs.com.au, then cd /pub/qtp. qtp users are welcome to them, but please use anonymous and your email

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Sergio M
I found this to use fail2ban to block vpopmail failed passwd attempts, but cannot make it work. It's in Spanish, but the code is in English anyway. http://systemadmin.es/2011/01/anadir-nuevas-reglas-de-filtrado-a-fail2ban Any ideas, especially about the regex? Thanks! -Sergio

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Tony White
Fail2Ban does not work with qmail out of the box. The scripting for the qmail log files needs to be written specifically for fail2ban. Has anyone managed to do this yet? If so, what price your script please? On 02/03/2011 2:09 PM, Sergio M wrote: South Computers wrote: Sounds like they

Re: [qmailtoaster] SMTP attack warning

2010-08-16 Thread Jake Vickers
On 08/14/2010 02:56 PM, Aleksander Podsiadły wrote: Lately I have noticed an intensive dictionary attack on mail servers from many IPs. For example: Aug 14 10:19:21 srv vpopmail[4345]: vchkpw-smtp: vpopmail user not found admin@:68.115.208.106 Aug 14 12:19:49 srv vpopmail[26126]: vchkpw-smtp:

[qmailtoaster] SMTP attack warning

2010-08-14 Thread Aleksander Podsiadły
Lately I have noticed an intensive dictionary attack on mail servers from many IPs. For example: Aug 14 10:19:21 srv vpopmail[4345]: vchkpw-smtp: vpopmail user not found admin@:68.115.208.106 Aug 14 12:19:49 srv vpopmail[26126]: vchkpw-smtp: vpopmail user not found mickey@:69.178.165.154 Aug 14