Re: [qmailtoaster] SMTP attack

2011-03-02 Thread Finn Buhelt (kirstineslund)

Hi Sergio.

If I am reading your logfile correctly, you should try to replace 
*vchkpw-pop3: vpopmail user not found* with *vchkpw-smtp: password fail* 
and leave everything else.


Change this in the filter.d directory and remember to reload fail2ban 
(fail2ban-client reload on the CLI).


Regards,
Finn


On 02-03-2011 04:09, Sergio M wrote:

South Computers wrote:
Sounds like they may have gotten hit with a virus or pissed someone 
off. I would block the domain from relaying and inform the customer, 
possibly make them change their email account passwords if it's not a 
large organization. Ask them to relay through their provider if 
possible for the time being. Fail2ban would be the best solution for 
the time being as previously mentioned.


The passwords are all wrong. They are all like:
mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70


The domain is blocked in spamdyke, unless they authenticate and bypass 
the filters, so that is covered. But the SMTP sessions are used 
nevertheless.


I installed fail2ban (from the repos mentioned in fail2ban.org) but 
cannot make it work with the smtpd. I tried with 
http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg23951.html 
but I think it has a conf file missing and the vpopmail one is for pop3.
I also tried with 
http://notes.benv.junerules.com/all/software/qmail-spamdyke-and-fail2ban/#more-539 
but cannot make it work with the RBL_MATCH filter.


Any tips from satisfied fail2ban users?

Thanks!
Sergio


- 

Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and 
installations.

 If you need professional help with your setup, contact them today!
- 

Please visit qmailtoaster.com for the latest news, updates, and 
packages.
 To unsubscribe, e-mail: 
qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: 
qmailtoaster-list-h...@qmailtoaster.com






Re: [qmailtoaster] SMTP attack

2011-03-02 Thread Sergio M

Thanks Finn,
I will try this one too.

Can anyone share a successful set of qmail/vpopmail/smtp rules for fail2ban?

Thanks!






Re: [qmailtoaster] SMTP attack

2011-03-02 Thread Sergio M

That didn't work. I tested with fail2ban-regex:
Failregex
|- Regular expressions:
|  [1] vchkpw-smtp: password fail .*@:<HOST>
|
`- Number of matches:
   [1] 0 match(es)

But thanks for the tip Finn.

-Sergio





Re: [qmailtoaster] SMTP attack

2011-03-02 Thread Finn Buhelt (kirstineslund)

Hi Sergio.

Try to remove the @ sign and give it a go!

Regards
Finn





Re: [qmailtoaster] SMTP attack

2011-03-02 Thread Sergio M


This one got lots of hits in the regex test:
# cat /etc/fail2ban/filter.d/vpopmail-fail.conf
[Definition]
failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =

(I took it from the Spanish site I posted before)


I could also use some other set of rules for qmail. The default one does 
not get any hits.


About fail2ban:
1. Every time I reload it I lose the whole set of banned IPs? Same with 
rebooting? Can I make them persist?

2. How can I unban a single IP without restarting fail2ban?

Thanks!
-Sergio

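The three failregex lines from this thread (Finn's first suggestion, the same line with the @ sign removed, and the one from the Spanish site) replayed against constructed vpopmail log lines with fail2ban's <HOST> substitution, followed by the maxretry/findtime counting that decides a ban. This is an added example, not code from the thread or from fail2ban itself; the <HOST> expansion is a simplified version of what the 0.8-era filter substitutes, and the sample lines, users and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified form of the regex fail2ban 0.8 substitutes for <HOST> (assumption
# for this example): an optional IPv4-mapped prefix, then a hostname or address.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The three failregex candidates discussed in the thread.
FINN_FIRST = r"vchkpw-smtp: password fail .*@:<HOST>"   # got 0 matches: "@:" never occurs
FINN_FIXED = r"vchkpw-smtp: password fail .*:<HOST>"    # "remove the @ sign"
SPANISH_SITE = r"vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>"  # parens are a group

# Constructed sample of /var/log/maillog: five SMTP auth failures from one host,
# two from another, one POP3 failure and one spamdyke line that must not match.
SAMPLE_LINES = """\
Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 192.0.2.10 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'pw1') user1@example.com:192.0.2.10
Feb 27 14:57:39 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'pw2') user2@example.com:198.51.100.7
Feb 27 14:57:40 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'pw1') user1@example.com:192.0.2.10
Feb 27 14:57:41 mail vpopmail[31086]: vchkpw-pop3: password fail (pass: 'pw1') user1@example.com:192.0.2.10
Feb 27 14:57:42 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'pw1') user1@example.com:192.0.2.10
Feb 27 14:57:43 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'pw2') user2@example.com:198.51.100.7
Feb 27 14:57:44 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'pw1') user1@example.com:192.0.2.10
Feb 27 14:57:45 mail vpopmail[31098]: vchkpw-smtp: password fail (pass: 'pw1') user1@example.com:192.0.2.10
""".splitlines()


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def parse_syslog_time(line):
    """Syslog lines carry no year; the default (1900) is fine for window arithmetic."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def scan(failregex, lines):
    """Return [(timestamp, host)] for every line the failregex matches, like fail2ban-regex."""
    rx = compile_failregex(failregex)
    hits = []
    for line in lines:
        m = rx.search(line)
        if m:
            hits.append((parse_syslog_time(line), m.group("host")))
    return hits


def offenders(hits, maxretry=5, findtime=600):
    """Hosts with at least maxretry hits inside any findtime-second window.

    This mirrors the jail.conf maxretry/findtime rule; bantime (how long the
    resulting iptables rule stays) is a separate setting and not modelled here.
    """
    by_host = defaultdict(list)
    for ts, host in hits:
        by_host[host].append(ts)
    banned = set()
    window = timedelta(seconds=findtime)
    for host, times in by_host.items():
        times.sort()
        for i, start in enumerate(times):
            if len([t for t in times[i:] if t - start <= window]) >= maxretry:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    for name, rx in (("first", FINN_FIRST), ("no @", FINN_FIXED), ("spanish site", SPANISH_SITE)):
        hits = scan(rx, SAMPLE_LINES)
        print(f"{name:13s} {len(hits)} match(es)  would ban: {sorted(offenders(hits))}")
```

The pop3 line and the spamdyke line are left alone by all three patterns, which is the point of keying the filter on the vchkpw-smtp prefix rather than on the generic vpopmail filter.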




Re: [qmailtoaster] SMTP attack

2011-03-02 Thread Finn Buhelt (kirstineslund)

Hi Sergio.

1. There is a *.conf file somewhere on the net that checks fail2ban's 
own logfile and to a certain extent prevents this from happening. (Sorry, 
can't remember where, but I will do some investigation and let you know if 
I'm successful.)


2. iptables -D name-of-the-banned -s IP -j DROP should do the trick

/Finn







Re: [qmailtoaster] SMTP attack

2011-03-02 Thread Finn Buhelt (kirstineslund)

Hi again Sergio.

FYI

fail2ban unbans the IP after X minutes (X is set in the jail.conf either 
globally or per 'filter.conf')


/Finn





Re: [qmailtoaster] SMTP attack

2011-03-02 Thread Sergio M

Hi, I am banning them for 1 week, but I wanted to know how to unban 
someone right away if a customer complains.

Thanks!





Re: [qmailtoaster] SMTP attack

2011-03-02 Thread Sergio M

Finn,
I think this is what you said:
http://whyscream.net/wiki/index.php/Fail2ban_monitoring_Fail2ban

What do you think about this one? Maybe I like it better:
http://n8wood.wordpress.com/2009/06/22/fail2ban-permanent-ssh-bans/


And to keep the bans upon reloads, if you do a service iptables save and 
then service iptables restart, it just loads them again after 
fail2ban-client has flushed the iptables rules.



Thanks.
Sergio





Re: [qmailtoaster] SMTP attack

2011-03-02 Thread Finn Buhelt (kirstineslund)

Hi Sergio.
Yep, you're right, I think that was the one I was thinking of.

I too think the second one looks very promising. I'll have a closer 
look at the script later on.


Also, as you write, it's possible to save iptables before reloading 
fail2ban. Good point. REMEMBER that fail2ban by default reloads once 
a week as I recall it; it's set in logrotate.d.



Regards,
Finn





Re: [qmailtoaster] SMTP attack

2011-03-02 Thread David Milholen


  
  
+1 on this method, but it looks as if the bot has nodes, so those IPs
need to be blocked also.
You can do a range of IPs by using CIDR notation, i.e. 11.22.33.44/16
= 11.22.00.00 - 11.22.254.254
Be careful with this because you could inadvertently drop legit
mail.
More than likely, if you check the country code where the IP
originates, they are coming from some place other than the USA.
--Dave
 
On 3/1/2011 7:14 PM, Tony White wrote:
Try this at the command line and as root!

iptables -I INPUT -s 11.22.33.44 -j DROP

This will stop him dead in his tracks.
You can use this command for any ip address that gives
you a problem.


[qmailtoaster] SMTP attack

2011-03-01 Thread Sergio M

Hi there list,
I have been under heavy traffic since Sunday, and it's been using all my 
inbound connections.

I have a QMT updated box, running the latest spamdyke:
# qtp-whatami
qtp-whatami v0.3.7 Tue Mar  1 21:14:03 ART 2011
DISTRO=CentOS
OSVER=5.5
QTARCH=x86_64
QTKERN=2.6.18-194.32.1.el5
BUILD_DIST=cnt5064
BUILD_DIR=/usr/src/redhat
This machine's OS is supported and has been tested


Even though spamdyke does not let the spammers relay the mail, I still 
get all the connections used, making it very hard for authenticated 
users to send mail.
For now I stopped smtpd, but I wanna see if you guys have some other 
thoughts to solve this.


If I see the maillog, I see LOTS of entries like these:
Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 201.0.152.106 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:38 mail spamdyke[31071]: FILTER_RBL_MATCH ip: 201.43.79.201 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail spamdyke[31075]: FILTER_BLACKLIST_IP ip: 187.106.1.158 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:38 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:201.250.40.202
Feb 27 14:57:38 mail spamdyke[31080]: FILTER_RBL_MATCH ip: 201.81.74.149 rbl: zen.spamhaus.org
Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70
Feb 27 14:57:39 mail spamdyke[31084]: FILTER_RDNS_RESOLVE ip: 189.106.88.244 rdns: 189106088244.user.veloxzone.com.br
Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.43.79.201
Feb 27 14:57:40 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.106.88.244
Feb 27 14:57:41 mail spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 200.105.97.83 rdns: rev.97.83-telecablecr.com
Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:187.106.1.158
Feb 27 14:57:42 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.0.152.106
Feb 27 14:57:42 mail spamdyke[31094]: FILTER_RBL_MATCH ip: 93.39.224.8 rbl: zen.spamhaus.org
Feb 27 14:57:42 mail vpopmail[31098]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:200.45.73.226
Feb 27 14:57:43 mail spamdyke[31100]: FILTER_RBL_MATCH ip: 189.54.236.113 rbl: zen.spamhaus.org
Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip: 187.119.172.80 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.114.176.151
Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:44 mail vpopmail[31110]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:93.39.224.8


So I guess some botnet is trying to relay mail by guessing a specific 
domain user's passwords. Most of the attempts are blocked by RBL 
checking, but that still creates a connection.


Looking at # cat /var/log/qmail/smtp/current | tai64nlocal
2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 189.6.164.77
2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.myhost.com.ar:11.22.33.44:25 :189.6.164.77::37629
2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 190.172.129.24
2011-03-01 20:54:02.157530500 tcpserver: ok 4881 mail.myhost.com.ar:11.22.33.44:25 :190.172.129.24::14782
2011-03-01 20:54:05.433208500 tcpserver: end 4857 status 0
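The tcpserver "status: 25/25" lines are the symptom itself: every one of the concurrent slots (tcpserver's -c limit) is held by a session, so authenticated users cannot get in. This added example, not code from the thread or from the qmail tools, replays constructed tcpserver log lines in the same format as the excerpt above, learns the limit from the status lines, tracks open sessions by pid, and reports which remote addresses hold the slots at the moment the limit is reached; the pids, hostnames and addresses are constructed.

```python
import re
from collections import Counter

# Line shapes from /var/log/qmail/smtp/current after tai64nlocal.
PID_FROM = re.compile(r"tcpserver: pid (\d+) from (\S+)")
END = re.compile(r"tcpserver: end (\d+) status")
STATUS = re.compile(r"tcpserver: status: (\d+)/(\d+)")

# Constructed sample with a -c limit of 3: two sessions from one address and
# one from another fill every slot, then the first session ends.
SAMPLE_LOG = """\
2011-03-01 20:54:01.905947500 tcpserver: status: 1/3
2011-03-01 20:54:01.905948500 tcpserver: pid 4879 from 192.0.2.10
2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.example.com:203.0.113.5:25 :192.0.2.10::37629
2011-03-01 20:54:02.157289500 tcpserver: status: 2/3
2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 192.0.2.10
2011-03-01 20:54:02.157530500 tcpserver: ok 4881 mail.example.com:203.0.113.5:25 :192.0.2.10::14782
2011-03-01 20:54:03.000000000 tcpserver: status: 3/3
2011-03-01 20:54:03.000000100 tcpserver: pid 4903 from 198.51.100.7
2011-03-01 20:54:03.000000200 tcpserver: ok 4903 mail.example.com:203.0.113.5:25 :198.51.100.7::36877
2011-03-01 20:54:05.433208500 tcpserver: end 4879 status 0
2011-03-01 20:54:05.433211500 tcpserver: status: 2/3
""".splitlines()


def replay(lines):
    """Replay the log and return (limit, saturation_events, peak_per_ip).

    limit: denominator of the last 'status: n/m' line, i.e. tcpserver's -c value.
    saturation_events: [(timestamp, Counter(ip -> open sessions))], one entry each
        time the number of open sessions reaches the limit.
    peak_per_ip: the most sessions each remote address held at once.
    """
    live = {}             # pid -> remote address of a session still open
    limit = None
    events = []
    peak = Counter()
    for line in lines:
        ts = line[:29]    # tai64nlocal timestamp
        if m := STATUS.search(line):
            limit = int(m.group(2))
        elif m := PID_FROM.search(line):
            live[m.group(1)] = m.group(2)
            per_ip = Counter(live.values())
            for ip, n in per_ip.items():
                peak[ip] = max(peak[ip], n)
            if limit is not None and len(live) >= limit:
                events.append((ts, per_ip))
        elif m := END.search(line):
            # 'end' may name a pid accepted before the log excerpt started.
            live.pop(m.group(1), None)
    return limit, events, peak


def top_talkers(lines, n=3):
    """Remote addresses ranked by peak concurrent sessions: who is eating the slots."""
    _, _, peak = replay(lines)
    return peak.most_common(n)


if __name__ == "__main__":
    limit, events, _ = replay(SAMPLE_LOG)
    print(f"limit -c {limit}; saturated {len(events)} time(s)")
    for ts, per_ip in events:
        print(ts, dict(per_ip))
    print("top talkers:", top_talkers(SAMPLE_LOG))
```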

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Edwin Casimero

Ban the bad guy IP at the firewall level.

Best wishes,
Edwin


Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Tony White

Try this at the command line and as root!

iptables -I INPUT -s 11.22.33.44 -j DROP

This will stop him dead in his tracks.
You can use this command for any ip address that gives
you a problem.



Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Carlos Herrera Polo
Does the greylisting process not work for this problem?


2011/3/1, Eric Shubert e...@shubes.net:
 Sergio,

 .) Be sure you're running the latest spamdyke (4.2.0). 4.1.x versions
 had a bug where rejected sessions would not terminate immediately,
 causing excessive idle smtp sessions (and ultimately TIMEOUTs). That may
 not be affecting you, but you should check to be sure. Run
 qtp-install-spamdyke to upgrade to the latest version.

 .) I would recommend installing fail2ban. This will automatically ban IP
 addresses which have several failed login attempts. There doesn't appear
 to be a wiki page about this yet (ANY TAKERS??), but you should find
 info about it in the list archives. Someone here should be able to help
 if you run into difficulty with it. (Not me though, as I haven't
 implemented it yet).

 .) 25 smtp sessions is rather low. I've seen a Celeron 1GHz processor
 handle twice that number. You might need to bump up the spamassassin
 child processes to get there, but it should be doable. What are your HW
 specs?

 That's all that comes to my mind right now. Let us know how you make out.

 --
 -Eric 'shubes'

 On 03/01/2011 05:25 PM, Sergio M wrote:
 Hi there list,
 I have been under heavy traffic since Sunday, and it's been using all my
 inbound connections.
 I have a QMT updated box, running the latest spamdyke:
 # qtp-whatami
 qtp-whatami v0.3.7 Tue Mar  1 21:14:03 ART 2011
 DISTRO=CentOS
 OSVER=5.5
 QTARCH=x86_64
 QTKERN=2.6.18-194.32.1.el5
 BUILD_DIST=cnt5064
 BUILD_DIR=/usr/src/redhat
 This machine's OS is supported and has been tested

 Even though spamdyke does not let the spammers relay the mail, I still
 get all the connections used, making it very hard for authenticated
 users to send mail.
 For now I stopped smtpd, but I wanna see if you guys have some other
 thoughts to solve this.

 If I look at the maillog, I see LOTS of entries like these:
 Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 201.0.152.106 rbl: zen.spamhaus.org
 Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
 Feb 27 14:57:38 mail spamdyke[31071]: FILTER_RBL_MATCH ip: 201.43.79.201 rbl: zen.spamhaus.org
 Feb 27 14:57:38 mail spamdyke[31075]: FILTER_BLACKLIST_IP ip: 187.106.1.158 file: /var/qmail/control/ip-blacklist(75)
 Feb 27 14:57:38 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:201.250.40.202
 Feb 27 14:57:38 mail spamdyke[31080]: FILTER_RBL_MATCH ip: 201.81.74.149 rbl: zen.spamhaus.org
 Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70
 Feb 27 14:57:39 mail spamdyke[31084]: FILTER_RDNS_RESOLVE ip: 189.106.88.244 rdns: 189106088244.user.veloxzone.com.br
 Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.43.79.201
 Feb 27 14:57:40 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.106.88.244
 Feb 27 14:57:41 mail spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 200.105.97.83 rdns: rev.97.83-telecablecr.com
 Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:187.106.1.158
 Feb 27 14:57:42 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.0.152.106
 Feb 27 14:57:42 mail spamdyke[31094]: FILTER_RBL_MATCH ip: 93.39.224.8 rbl: zen.spamhaus.org
 Feb 27 14:57:42 mail vpopmail[31098]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:200.45.73.226
 Feb 27 14:57:43 mail spamdyke[31100]: FILTER_RBL_MATCH ip: 189.54.236.113 rbl: zen.spamhaus.org
 Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip: 187.119.172.80 file: /var/qmail/control/ip-blacklist(75)
 Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.114.176.151
 Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
 Feb 27 14:57:44 mail vpopmail[31110]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:93.39.224.8

 So I guess some botnet is trying to relay mail by guessing a specific
 domain's user passwords. Most of the attempts are blocked by RBL
 checking, but they still create a connection.

 Looking at # cat /var/log/qmail/smtp/current | tai64nlocal
 2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 189.6.164.77
 2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.myhost.com.ar:11.22.33.44:25 :189.6.164.77::37629
 2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
 2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
 2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
 2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 190.172.129.24
 2011-03-01 20:54:02.157530500 tcpserver: ok 4881 mail.myhost.com.ar:11.22.33.44:25 :190.172.129.24::14782
 2011-03-01 20:54:05.433208500
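
Eric's first and third points (rejected sessions that do not go away, versus a concurrency limit that is simply too low for the traffic) can be told apart from the tcpserver log Sergio posted. The script below is an added example for this thread, not code from the list, qmailtoaster or ucspi-tcp. It reconstructs each SMTP session from the pid/end pairs in /var/log/qmail/smtp/current after tai64nlocal, reports the peak against the -c limit shown in the status lines, counts accepted connections per remote address, and lists the longest completed sessions. The sample lines are constructed in the format quoted above, with RFC 5737 documentation addresses in place of the real ones; a session whose pid line falls before the start of the excerpt cannot be timed and is skipped.

```python
"""Who is holding the SMTP slots?  Added example for this thread, not code
from qmailtoaster or ucspi-tcp.

tcpserver -v (as run for qmail-smtpd) logs, per connection:
    tcpserver: status: N/M        N active of the -c limit M, on every change
    tcpserver: pid P from IP      the remote address, before the child starts
    tcpserver: ok P local:ip:port remote:ip:info:port
    tcpserver: end P status S     the child exited
Pairing pid/end lines gives each session's lifetime, which separates
"many short connections" (a rate problem) from "few long idle ones"
(timeouts, or a filter that fails to drop rejected sessions).
"""
import re
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) tcpserver: "
    r"(?:pid (?P<pid>\d+) from (?P<ip>\S+)"
    r"|end (?P<endpid>\d+) status (?P<exit>\d+)"
    r"|status: (?P<n>\d+)/(?P<limit>\d+)"
    r"|ok .*)$"
)

# Constructed sample in the tai64nlocal format quoted in the thread, with
# RFC 5737 addresses; session 4797 began before the excerpt, 4903 is still open.
SAMPLE_LOG = """\
2011-03-01 20:54:01.905947500 tcpserver: status: 25/25
2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 192.0.2.10
2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.example.com:203.0.113.1:25 :192.0.2.10::37629
2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 198.51.100.22
2011-03-01 20:54:02.157530500 tcpserver: ok 4881 mail.example.com:203.0.113.1:25 :198.51.100.22::14782
2011-03-01 20:54:05.433208500 tcpserver: end 4879 status 0
2011-03-01 20:54:05.433211500 tcpserver: status: 24/25
2011-03-01 20:54:05.433212500 tcpserver: status: 25/25
2011-03-01 20:54:05.433213500 tcpserver: pid 4903 from 192.0.2.10
2011-03-01 20:54:05.433215500 tcpserver: ok 4903 mail.example.com:203.0.113.1:25 :192.0.2.10::36877
2011-03-01 20:55:06.075161500 tcpserver: end 4881 status 0
2011-03-01 20:55:06.075164500 tcpserver: status: 24/25
"""


def parse_ts(stamp):
    """tai64nlocal prints nanoseconds; datetime accepts at most microseconds."""
    return datetime.strptime(stamp[:26], "%Y-%m-%d %H:%M:%S.%f")


def analyse_sessions(log_text):
    """Reconstruct SMTP sessions from a tcpserver -v log excerpt.

    Returns the peak concurrency seen against the -c limit, accepted
    connections per remote address, sessions still open at the end of the
    excerpt, and the three longest completed sessions as (seconds, remote ip).
    Sessions whose pid line predates the excerpt cannot be timed and are skipped.
    """
    open_sessions = {}          # pid -> (remote ip, accept time)
    per_ip = Counter()
    durations = []
    peak = limit = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m.group("ts"))
        if m.group("pid"):
            open_sessions[int(m.group("pid"))] = (m.group("ip"), ts)
            per_ip[m.group("ip")] += 1
        elif m.group("endpid"):
            begun = open_sessions.pop(int(m.group("endpid")), None)
            if begun is not None:
                durations.append(((ts - begun[1]).total_seconds(), begun[0]))
        elif m.group("n"):
            peak = max(peak, int(m.group("n")))
            limit = int(m.group("limit"))
    return {
        "peak": peak,
        "limit": limit,
        "saturated": limit > 0 and peak >= limit,
        "per_ip": per_ip,
        "still_open": {pid: ip for pid, (ip, _) in open_sessions.items()},
        "longest": sorted(durations, reverse=True)[:3],
    }


if __name__ == "__main__":
    r = analyse_sessions(SAMPLE_LOG)
    print("peak %d of %d, saturated: %s" % (r["peak"], r["limit"], r["saturated"]))
    print("connections per remote address:", r["per_ip"].most_common())
    print("still open:", r["still_open"])
    for secs, ip in r["longest"]:
        print("%8.3fs  %s" % (secs, ip))
```

If the longest sessions run to tens of seconds while the peak sits at the limit, the slots are being held by idle sessions (the spamdyke 4.1.x symptom Eric describes, or plain timeouts) and upgrading or shortening timeouts is the fix; if sessions are short and the per-address count is dominated by a few clients, a per-address block (the iptables rule suggested elsewhere in the thread, or fail2ban) is the right tool; if sessions are short and every address appears once, only raising the -c limit or filtering earlier in the connection will help.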

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Cecil Yother, Jr.
Tony,

Does this append the existing iptable with the offending IP?

I use fail2ban and it works great.  OSSEC HIDS is a good tool too.  I
use them both actually.

CJ

On 03/01/2011 05:14 PM, Tony White wrote:
 Try this at the command line and as root!

 iptables -I INPUT -s 11.22.33.44 -j DROP

 This will stop him dead in his tracks.
 You can use this command for any ip address that gives
 you a problem.


 On 02/03/2011 11:25 AM, Sergio M wrote:
 Hi there list,
 I have been under heavy traffic since Sunday, and it's been using all
 my inbound connections.
 I have a QMT updated box, running the latest spamdyke:
 # qtp-whatami
 qtp-whatami v0.3.7 Tue Mar  1 21:14:03 ART 2011
 DISTRO=CentOS
 OSVER=5.5
 QTARCH=x86_64
 QTKERN=2.6.18-194.32.1.el5
 BUILD_DIST=cnt5064
 BUILD_DIR=/usr/src/redhat
 This machine's OS is supported and has been tested

 Even though spamdyke does not let the spammers relay the mail, I
 still get all the connections used, making it very hard for
 authenticated users to send mail.
 For now I stopped smtpd, but I wanna see if you guys have some other
 thoughts to solve this.

 If I look at the maillog, I see LOTS of entries like these:
 Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 201.0.152.106 rbl: zen.spamhaus.org
 Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
 Feb 27 14:57:38 mail spamdyke[31071]: FILTER_RBL_MATCH ip: 201.43.79.201 rbl: zen.spamhaus.org
 Feb 27 14:57:38 mail spamdyke[31075]: FILTER_BLACKLIST_IP ip: 187.106.1.158 file: /var/qmail/control/ip-blacklist(75)
 Feb 27 14:57:38 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:201.250.40.202
 Feb 27 14:57:38 mail spamdyke[31080]: FILTER_RBL_MATCH ip: 201.81.74.149 rbl: zen.spamhaus.org
 Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70
 Feb 27 14:57:39 mail spamdyke[31084]: FILTER_RDNS_RESOLVE ip: 189.106.88.244 rdns: 189106088244.user.veloxzone.com.br
 Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.43.79.201
 Feb 27 14:57:40 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.106.88.244
 Feb 27 14:57:41 mail spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 200.105.97.83 rdns: rev.97.83-telecablecr.com
 Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:187.106.1.158
 Feb 27 14:57:42 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.0.152.106
 Feb 27 14:57:42 mail spamdyke[31094]: FILTER_RBL_MATCH ip: 93.39.224.8 rbl: zen.spamhaus.org
 Feb 27 14:57:42 mail vpopmail[31098]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:200.45.73.226
 Feb 27 14:57:43 mail spamdyke[31100]: FILTER_RBL_MATCH ip: 189.54.236.113 rbl: zen.spamhaus.org
 Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip: 187.119.172.80 file: /var/qmail/control/ip-blacklist(75)
 Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.114.176.151
 Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
 Feb 27 14:57:44 mail vpopmail[31110]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:93.39.224.8

 So I guess some botnet is trying to relay mail by guessing a specific
 domain's user passwords. Most of the attempts are blocked by RBL
 checking, but they still create a connection.

 Looking at # cat /var/log/qmail/smtp/current | tai64nlocal
 2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 189.6.164.77
 2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.myhost.com.ar:11.22.33.44:25 :189.6.164.77::37629
 2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
 2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
 2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
 2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 190.172.129.24
 2011-03-01 20:54:02.157530500 tcpserver: ok 4881 mail.myhost.com.ar:11.22.33.44:25 :190.172.129.24::14782
 2011-03-01 20:54:05.433208500 tcpserver: end 4857 status 0
 2011-03-01 20:54:05.433211500 tcpserver: status: 24/25
 2011-03-01 20:54:05.433212500 tcpserver: status: 25/25
 

RE: [qmailtoaster] SMTP attack

2011-03-01 Thread Michael Colvin
Are all of the username portions of the e-mail addresses legitimate e-mails?
IE, it looks like you cleansed the domain portion, but, in the log, are all,
or most, of the e-mails legitimate?

I've seen this with random attempts at guessing e-mails and passwords, but
not with all legit e-mails.

If they are all legit, is the domain yours?  Or is it theirs?  (IE do you
host it as an ISP, or is this the only domain and you control it?)

 
Michael J. Colvin
NorCal Internet Services
www.norcalisp.com
 


 -Original Message-
 From: Sergio M [mailto:sergio...@gmail.com]
 Sent: Tuesday, March 01, 2011 4:25 PM
 To: QmailToaster List
 Subject: [qmailtoaster] SMTP attack
 
 Hi there list,
 I have been under heavy traffic since Sunday, and it's been using all my
 inbound connections.
 I have a QMT updated box, running the latest spamdyke:
 # qtp-whatami
 qtp-whatami v0.3.7 Tue Mar  1 21:14:03 ART 2011
 DISTRO=CentOS
 OSVER=5.5
 QTARCH=x86_64
 QTKERN=2.6.18-194.32.1.el5
 BUILD_DIST=cnt5064
 BUILD_DIR=/usr/src/redhat
 This machine's OS is supported and has been tested

 Even though spamdyke does not let the spammers relay the mail, I still
 get all the connections used, making it very hard for authenticated
 users to send mail.
 For now I stopped smtpd, but I wanna see if you guys have some other
 thoughts to solve this.

 If I look at the maillog, I see LOTS of entries like these:
 Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 201.0.152.106 rbl: zen.spamhaus.org
 Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
 Feb 27 14:57:38 mail spamdyke[31071]: FILTER_RBL_MATCH ip: 201.43.79.201 rbl: zen.spamhaus.org
 Feb 27 14:57:38 mail spamdyke[31075]: FILTER_BLACKLIST_IP ip: 187.106.1.158 file: /var/qmail/control/ip-blacklist(75)
 Feb 27 14:57:38 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:201.250.40.202
 Feb 27 14:57:38 mail spamdyke[31080]: FILTER_RBL_MATCH ip: 201.81.74.149 rbl: zen.spamhaus.org
 Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70
 Feb 27 14:57:39 mail spamdyke[31084]: FILTER_RDNS_RESOLVE ip: 189.106.88.244 rdns: 189106088244.user.veloxzone.com.br
 Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.43.79.201
 Feb 27 14:57:40 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.106.88.244
 Feb 27 14:57:41 mail spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 200.105.97.83 rdns: rev.97.83-telecablecr.com
 Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:187.106.1.158
 Feb 27 14:57:42 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.0.152.106
 Feb 27 14:57:42 mail spamdyke[31094]: FILTER_RBL_MATCH ip: 93.39.224.8 rbl: zen.spamhaus.org
 Feb 27 14:57:42 mail vpopmail[31098]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:200.45.73.226
 Feb 27 14:57:43 mail spamdyke[31100]: FILTER_RBL_MATCH ip: 189.54.236.113 rbl: zen.spamhaus.org
 Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip: 187.119.172.80 file: /var/qmail/control/ip-blacklist(75)
 Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.114.176.151
 Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
 Feb 27 14:57:44 mail vpopmail[31110]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:93.39.224.8

 So I guess some botnet is trying to relay mail by guessing a specific
 domain's user passwords. Most of the attempts are blocked by RBL
 checking, but they still create a connection.

 Looking at # cat /var/log/qmail/smtp/current | tai64nlocal
 2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 189.6.164.77
 2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.myhost.com.ar:11.22.33.44:25 :189.6.164.77::37629
 2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
 2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
 2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
 2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 190.172.129.24
 2011-03-01 20:54:02.157530500 tcpserver: ok 4881 mail.myhost.com.ar:11.22.33.44:25 :190.172.129.24::14782
 2011-03-01 20:54:05.433208500 tcpserver: end 4857 status 0
 2011-03-01 20:54:05.433211500 tcpserver: status: 24/25
 2011-03-01 20:54:05.433212500 tcpserver: status: 25/25
 2011-03-01 20:54:05.433213500 tcpserver: pid 4903 from 189.78.49.139
 2011-03-01 20:54:05.433215500 tcpserver: ok 4903 mail.myhost.com.ar:11.22.33.44:25 :189.78.49.139::36877
 2011-03-01 20:54:06.075161500 tcpserver: end 4800 status 0
 2011-03-01 20:54:06.075164500 tcpserver: status: 24/25

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Sergio M

Michael Colvin wrote:

Are all of the username portions of the e-mail addresses legitimate e-mails?
IE, it looks like you cleansed the domain portion, but, in the log, are all,
or most, of the e-mails legitimate?

I've seen this with random attempts at guessing e-mails and passwords, but
not with all legit e-mails.

If they are all legit, is the domain yours?  Or is it theirs?  (IE do you
host it as an ISP, or is this the only domain and you control it?)

 
Michael J. Colvin

NorCal Internet Services
www.norcalisp.com
 
  

Hi Michael,
they are all legitimate email addresses, for one domain only though.
We host it as an ISP.
Thanks!

-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
 If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.

 To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com

For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




RE: [qmailtoaster] SMTP attack

2011-03-01 Thread Michael Colvin
Well...  My first thought would be to isolate this domain from my mail
server, so that it isn't affecting my other customers.

Perhaps changing DNS (Change the IP for the server to something non-existent
for now, like 192.168.0.1 or something.)  Likely won't stop it immediately
but might prevent new Bots from finding the server after you block
existing ones.  

Also, block the domain in spamdyke.  I think that will drop the connection
at the SMTP level almost immediately, and prevent them from possibly finding
a good username/password combo. 

This might free up enough resources to allow your other customers to start
being able to send.

Then maybe go through the logs, add IP's to IPTABLES, and hope the DNS
changes prevent new bots from finding the server.

 
Michael J. Colvin
NorCal Internet Services
www.norcalisp.com
 



 -Original Message-
 From: Sergio M [mailto:sergio...@gmail.com]
 Sent: Tuesday, March 01, 2011 6:45 PM
 To: qmailtoaster-list@qmailtoaster.com
 Subject: Re: [qmailtoaster] SMTP attack
 
 Michael Colvin wrote:
  Are all of the username portions of the e-mail addresses legitimate e-mails?
  IE, it looks like you cleansed the domain portion, but, in the log, are all,
  or most, of the e-mails legitimate?
 
  I've seen this with random attempts at guessing e-mails and passwords, but
  not with all legit e-mails.
 
  If they are all legit, is the domain yours?  Or is it theirs?  (IE do you
  host it as an ISP, or is this the only domain and you control it?)
 
 
  Michael J. Colvin
  NorCal Internet Services
  www.norcalisp.com
 
 
 Hi Michael,
 they are all legitimate email addresses, for one domain only though.
 We host it as an ISP.
 Thanks!
 



-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
  If you need professional help with your setup, contact them today!
-
 Please visit qmailtoaster.com for the latest news, updates, and packages.

  To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
 For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




Re: [qmailtoaster] SMTP attack

2011-03-01 Thread South Computers
Sounds like they may have gotten hit with a virus or pissed someone off. 
I would block the domain from relaying and inform the customer, possibly 
make them change their email account passwords if it's not a large 
organization. Ask them to relay through their provider if possible for 
the time being. Fail2ban would be the best solution for the time being, 
as previously mentioned.


Sergio M wrote:

Michael Colvin wrote:
Are all of the username portions of the e-mail addresses legitimate e-mails?
IE, it looks like you cleansed the domain portion, but, in the log, are all,
or most, of the e-mails legitimate?

I've seen this with random attempts at guessing e-mails and passwords, but
not with all legit e-mails.

If they are all legit, is the domain yours?  Or is it theirs?  (IE do you
host it as an ISP, or is this the only domain and you control it?)


Michael J. Colvin
NorCal Internet Services
www.norcalisp.com


Hi Michael,
they are all legitimate email addresses, for one domain only though.
We host it as an ISP.
Thanks!



-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
 If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.

 To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com

For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




RE: [qmailtoaster] SMTP attack

2011-03-01 Thread Michael Colvin
I agree about Fail2Ban.  That's your ultimate goal, but for me, getting the
other users of the mail server back online is first...  (Assuming you can
w/o using Fail2ban)

I've found once attacks like this get effectively blocked, they go away,
unless, as South says, they pissed someone off and are a specific target...

 
Michael J. Colvin
NorCal Internet Services
www.norcalisp.com
 



 -Original Message-
 From: South Computers [mailto:i...@southcomputers.com]
 Sent: Tuesday, March 01, 2011 7:07 PM
 To: qmailtoaster-list@qmailtoaster.com
 Subject: Re: [qmailtoaster] SMTP attack
 
 Sounds like they may have gotten hit with a virus or pissed someone off.
 I would block the domain from relaying and inform the customer, possibly
 make them change their email account passwords if it's not a large
 organization. Ask them to relay through their provider if possible for
 the time being. Fail2ban would be the best solution for the time being,
 as previously mentioned.
 
 Sergio M wrote:
  Michael Colvin wrote:
  Are all of the username portions of the e-mail addresses legitimate e-mails?
  IE, it looks like you cleansed the domain portion, but, in the log, are all,
  or most, of the e-mails legitimate?
 
  I've seen this with random attempts at guessing e-mails and passwords, but
  not with all legit e-mails.
 
  If they are all legit, is the domain yours?  Or is it theirs?  (IE do you
  host it as an ISP, or is this the only domain and you control it?)
 
 
  Michael J. Colvin
  NorCal Internet Services
  www.norcalisp.com
 
  Hi Michael,
  they are all legitimate email addresses, for one domain only though.
  We host it as an ISP.
  Thanks!
 
  
 -
 
  Qmailtoaster is sponsored by Vickers Consulting Group
  (www.vickersconsulting.com)
 Vickers Consulting Group offers Qmailtoaster support and
  installations.
   If you need professional help with your setup, contact them today!
  
 -
 
  Please visit qmailtoaster.com for the latest news, updates, and
  packages.
   To unsubscribe, e-mail:
  qmailtoaster-list-unsubscr...@qmailtoaster.com
  For additional commands, e-mail:
  qmailtoaster-list-h...@qmailtoaster.com
 
 
 
 
 
 



-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
  If you need professional help with your setup, contact them today!
-
 Please visit qmailtoaster.com for the latest news, updates, and packages.

  To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
 For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Sergio M

South Computers wrote:
Sounds like they may have gotten hit with a virus or pissed someone 
off. I would block the domain from relaying and inform the customer, 
possibly make them change their email account passwords if it's not a 
large organization. Ask them to relay through their provider if 
possible for the time being. Fail2ban would be the best solution for 
the time being, as previously mentioned.



The passwords are all wrong. They are all like:
mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70

The domain is blocked in spamdyke, unless they authenticate and bypass 
the filters, so that is covered. But the SMTP sessions are used 
nevertheless.

I installed fail2ban (from the repos mentioned on fail2ban.org) but 
cannot make it work with the smtpd. I tried 
http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg23951.html 
but I think it has a conf file missing, and the vpopmail filter there is for pop3.
I also tried 
http://notes.benv.junerules.com/all/software/qmail-spamdyke-and-fail2ban/#more-539 
but cannot make it work with the RBL_MATCH filter.


Any tips from satisfied fail2ban users?

Thanks!
Sergio


-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
 If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.

 To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com

For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
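
A fail2ban filter.d file is only a failregex applied line by line, so the loop below shows in Python what a working jail for the vchkpw-smtp lines in Sergio's maillog does: match the failure line, take the client address off the end of it, and ban that address once it reaches maxretry failures inside findtime. This is an added example for the thread, not code from fail2ban, qmailtoaster or the pages Sergio linked; the filter file name vpopmail-smtp.conf is an assumption, and the sample log lines (example.com accounts, RFC 5737 addresses) are constructed in the format quoted above. Two things the quoted log itself shows and the example accounts for: almost every attempt arrives from a different address, so a per-IP maxretry of 3 bans very little and the per-account tally is what exposes a distributed guessing run against one domain's mailboxes; and the address to block is the remote client, the one after the last colon in the vpopmail line (or after "from" in the tcpserver log), not the server's own 11.22.33.44 that appears in the tcpserver "ok" lines.

```python
"""fail2ban-style detection of vchkpw-smtp authentication failures.

Added example for this thread; not code from fail2ban or qmailtoaster.
A fail2ban jail does exactly this with a filter.d regex: match each failure
line, take the client IP from it, and ban the IP once it has accumulated
maxretry failures inside findtime seconds.  The equivalent filter file
(the name vpopmail-smtp.conf is an assumption) would read:

    # /etc/fail2ban/filter.d/vpopmail-smtp.conf
    [Definition]
    failregex = vchkpw-smtp: (?:password fail|vpopmail user not found) .*:<HOST>$
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# The failregex above with <HOST> written out as a named group.  The
# "(pass: '...')" part exists only on "password fail" lines; vchkpw logs
# unknown mailboxes as "vpopmail user not found user@domain:IP".
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ vpopmail\[\d+\]: "
    r"vchkpw-smtp: (?P<reason>password fail|vpopmail user not found) "
    r"(?:\(pass: '[^']*'\) )?(?P<account>[^\s:]+):(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample in the maillog format quoted in the thread.  Accounts
# are example.com placeholders and addresses come from the RFC 5737
# documentation ranges; the grouping is chosen so that exactly one client
# exceeds maxretry=3 and one later retry falls outside findtime.
SAMPLE_LOG = """\
Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 198.51.100.7 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') user1@example.com:192.0.2.10
Feb 27 14:57:38 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') user2@example.com:198.51.100.22
Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') user3@example.com:203.0.113.5
Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') user1@example.com:192.0.2.10
Feb 27 14:57:42 mail vpopmail[31095]: vchkpw-smtp: vpopmail user not found nobody@example.com:198.51.100.7
Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass: 'luckymi') user1@example.com:192.0.2.10
Feb 27 15:30:01 mail vpopmail[31200]: vchkpw-smtp: password fail (pass: 'typo') user2@example.com:198.51.100.22
"""


def parse_failures(log_text):
    """Yield (timestamp, ip, account, reason) for every line the failregex matches."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            # syslog stamps carry no year; the 1900 default is fine for deltas
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("account"), m.group("reason")


def find_bans(log_text, maxretry=3, findtime=600):
    """Return (banned_ips, failures_per_account).

    banned_ips is the jail decision: addresses with maxretry or more
    failures inside a sliding findtime window.  failures_per_account counts
    how often each mailbox was targeted regardless of source, which is the
    view that exposes a distributed run where every bot tries only once.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = set()
    per_account = Counter()
    for ts, ip, account, _reason in parse_failures(log_text):
        per_account[account] += 1
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(ip)
    return banned, per_account


def iptables_rules(banned):
    """The rules an iptables ban action inserts, one per banned client address."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in sorted(banned)]


if __name__ == "__main__":
    bans, accounts = find_bans(SAMPLE_LOG)
    print("banned:", sorted(bans))
    print("targeted accounts:", accounts.most_common())
    print("\n".join(iptables_rules(bans)))
```

Run against the sample with the defaults, only the client that failed three times in six seconds is banned, while the per-account counter already shows user1 targeted three times from one address and user2 twice from the same address half an hour apart; lowering maxretry to 1 bans every source in the sample, which is what a distributed run against legitimate mailboxes forces you towards, at the cost of banning a customer on the first typo.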




Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Tony White

It does, yes!


On 02/03/2011 12:58 PM, Cecil Yother, Jr. wrote:

Tony,

Does this append the existing iptable with the offending IP?

I use fail2ban and it works great.  OSSEC HIDS is a good tool too.  I
use them both actually.

CJ

On 03/01/2011 05:14 PM, Tony White wrote:

Try this at the command line and as root!

iptables -I INPUT -s 11.22.33.44 -j DROP

This will stop him dead in his tracks.
You can use this command for any ip address that gives
you a problem.


On 02/03/2011 11:25 AM, Sergio M wrote:

Hi there list,
I have been under heavy traffic since Sunday, and it's been using all
my inbound connections.
I have a QMT updated box, running the latest spamdyke:
# qtp-whatami
qtp-whatami v0.3.7 Tue Mar  1 21:14:03 ART 2011
DISTRO=CentOS
OSVER=5.5
QTARCH=x86_64
QTKERN=2.6.18-194.32.1.el5
BUILD_DIST=cnt5064
BUILD_DIR=/usr/src/redhat
This machine's OS is supported and has been tested

Even though spamdyke does not let the spammers relay the mail, I
still get all the connections used, making it very hard for
authenticated users to send mail.
For now I stopped smtpd, but I wanna see if you guys have some other
thoughts to solve this.

If I look at the maillog, I see LOTS of entries like these:
Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 201.0.152.106 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:38 mail spamdyke[31071]: FILTER_RBL_MATCH ip: 201.43.79.201 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail spamdyke[31075]: FILTER_BLACKLIST_IP ip: 187.106.1.158 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:38 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:201.250.40.202
Feb 27 14:57:38 mail spamdyke[31080]: FILTER_RBL_MATCH ip: 201.81.74.149 rbl: zen.spamhaus.org
Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70
Feb 27 14:57:39 mail spamdyke[31084]: FILTER_RDNS_RESOLVE ip: 189.106.88.244 rdns: 189106088244.user.veloxzone.com.br
Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.43.79.201
Feb 27 14:57:40 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.106.88.244
Feb 27 14:57:41 mail spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 200.105.97.83 rdns: rev.97.83-telecablecr.com
Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:187.106.1.158
Feb 27 14:57:42 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.0.152.106
Feb 27 14:57:42 mail spamdyke[31094]: FILTER_RBL_MATCH ip: 93.39.224.8 rbl: zen.spamhaus.org
Feb 27 14:57:42 mail vpopmail[31098]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:200.45.73.226
Feb 27 14:57:43 mail spamdyke[31100]: FILTER_RBL_MATCH ip: 189.54.236.113 rbl: zen.spamhaus.org
Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip: 187.119.172.80 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.114.176.151
Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:44 mail vpopmail[31110]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:93.39.224.8

So I guess some botnet is trying to relay mail by guessing a specific
domain's user passwords. Most of the attempts are blocked by RBL
checking, but they still create a connection.

Looking at # cat /var/log/qmail/smtp/current | tai64nlocal
2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 189.6.164.77
2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.myhost.com.ar:11.22.33.44:25 :189.6.164.77::37629
2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 190.172.129.24
2011-03-01 20:54:02.157530500 tcpserver: ok 4881 mail.myhost.com.ar:11.22.33.44:25 :190.172.129.24::14782
2011-03-01 20:54:05.433208500 tcpserver: end 4857 status 0
2011-03-01 20:54:05.433211500 tcpserver: status: 24/25
2011-03-01 20:54:05.433212500 tcpserver: status: 25/25
2011-03-01 20:54:05.433213500 tcpserver: pid 4903 from 189.78.49.139
2011-03-01 20:54:05.433215500 tcpserver: ok 4903 mail.myhost.com.ar:11.22.33.44:25 :189.78.49.139::36877
2011-03-01 20:54:06.075161500 tcpserver: end 4800 status 0
2011-03-01 20:54:06.075164500 tcpserver: status: 24/25
2011-03-01 20:54:06.075165500 tcpserver:

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Tony White

Hi,
  FWIW I have some scripts that you can download
from my ftp server in the pub/qtp folder. They are
not all documented, but they are reasonably simple
scripts that can be understood easily.

Go to
ftp.ycs.com.au
cd /pub/qtp

QTP users are welcome to them, but please use
anonymous and your email address to login.

  The scripts are as-is and work for me. They may need
changes to suit your needs.
  If anyone improves on them I would appreciate knowing.


On 02/03/2011 12:58 PM, Cecil Yother, Jr. wrote:

Tony,

Does this append the existing iptable with the offending IP?

I use fail2ban and it works great.  OSSEC HIDS is a good tool too.  I
use them both actually.

CJ

On 03/01/2011 05:14 PM, Tony White wrote:

Try this at the command line and as root!

iptables -I INPUT -s 11.22.33.44 -j DROP

This will stop him dead in his tracks.
You can use this command for any ip address that gives
you a problem.


On 02/03/2011 11:25 AM, Sergio M wrote:

Hi there list,
I have been under heavy traffic since Sunday, and it's been using all
my inbound connections.
I have a QMT updated box, running the latest spamdyke:
# qtp-whatami
qtp-whatami v0.3.7 Tue Mar  1 21:14:03 ART 2011
DISTRO=CentOS
OSVER=5.5
QTARCH=x86_64
QTKERN=2.6.18-194.32.1.el5
BUILD_DIST=cnt5064
BUILD_DIR=/usr/src/redhat
This machine's OS is supported and has been tested


Even though spamdyke does not let the spammers relay the mail, I
still get all the connections used, making it very hard for
authenticated users to send mail.
For now I stopped smtpd, but I want to see if you guys have some other
thoughts to solve this.

If I look at the maillog, I see LOTS of entries like these:
Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 201.0.152.106 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:38 mail spamdyke[31071]: FILTER_RBL_MATCH ip: 201.43.79.201 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail spamdyke[31075]: FILTER_BLACKLIST_IP ip: 187.106.1.158 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:38 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:201.250.40.202
Feb 27 14:57:38 mail spamdyke[31080]: FILTER_RBL_MATCH ip: 201.81.74.149 rbl: zen.spamhaus.org
Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70
Feb 27 14:57:39 mail spamdyke[31084]: FILTER_RDNS_RESOLVE ip: 189.106.88.244 rdns: 189106088244.user.veloxzone.com.br
Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.43.79.201
Feb 27 14:57:40 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.106.88.244
Feb 27 14:57:41 mail spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 200.105.97.83 rdns: rev.97.83-telecablecr.com
Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:187.106.1.158
Feb 27 14:57:42 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.0.152.106
Feb 27 14:57:42 mail spamdyke[31094]: FILTER_RBL_MATCH ip: 93.39.224.8 rbl: zen.spamhaus.org
Feb 27 14:57:42 mail vpopmail[31098]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:200.45.73.226
Feb 27 14:57:43 mail spamdyke[31100]: FILTER_RBL_MATCH ip: 189.54.236.113 rbl: zen.spamhaus.org
Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip: 187.119.172.80 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.114.176.151
Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:44 mail vpopmail[31110]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:93.39.224.8

So I guess some botnet is trying to relay mail guessing a specific
domain user's passwords. Most of the attempts are blocked by RBL
checking, but that still creates a connection.

Looking at # cat /var/log/qmail/smtp/current | tai64nlocal
2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 189.6.164.77
2011-03-01 20:54:01.906030500 tcpserver: ok 4879
mail.myhost.com.ar:11.22.33.44:25
:189.6.164.77::37629
2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 190.172.129.24
2011-03-01 20:54:02.157530500 tcpserver: ok 4881
mail.myhost.com.ar:11.22.33.44:25
:190.172.129.24::14782
2011-03-01 20:54:05.433208500 tcpserver: end 4857 status 0

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Sergio M
I found this to use fail2ban to block vpopmail failed passwd attempts, 
but cannot make it work.

It's in Spanish, but the code is in English anyway.
http://systemadmin.es/2011/01/anadir-nuevas-reglas-de-filtrado-a-fail2ban

Any ideas, especially about the regex?

Thanks!
-Sergio

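The regex question above, worked through as an added example (not code from the thread, and not fail2ban's own): a fail2ban-style failregex for the two vpopmail line shapes quoted in this thread, tested against constructed sample log lines together with the maxretry/findtime counting a jail applies before it bans. The way <HOST> is substituted, the filter file name, the sample addresses and the year 2011 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# fail2ban replaces <HOST> with its own IP/hostname pattern; the helper below
# does the same so the rule can be exercised without fail2ban installed.
# The regex covers both vpopmail forms quoted in the thread,
#   vchkpw-smtp: password fail (pass: '...') user@domain:IP
#   vchkpw-smtp: vpopmail user not found admin@:IP
# and deliberately ignores vchkpw-pop3 lines and spamdyke FILTER_* lines.
# In a (hypothetical) /etc/fail2ban/filter.d/vpopmail.conf it would sit under
# [Definition] as "failregex = ..." with the maillog as the jail's logpath.
FAILREGEX = r"vchkpw-smtp: (?:password fail|vpopmail user not found) .*@\S*:<HOST>$"
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"  # IPv4 only, as in the logs

# Constructed sample lines in the thread's log format (users, passwords and
# addresses are placeholders, not values from the thread).
SAMPLE_LOG = """\
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'xxxx') user1@example.com:192.0.2.10
Feb 27 14:57:38 mail spamdyke[31071]: FILTER_RBL_MATCH ip: 192.0.2.10 rbl: zen.spamhaus.org
Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'xxxx') user1@example.com:192.0.2.10
Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'yyyy') user2@example.com:192.0.2.10
Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail (pass: 'xxxx') user1@example.com:198.51.100.7
Aug 14 10:19:21 srv vpopmail[4345]: vchkpw-smtp: vpopmail user not found admin@:203.0.113.5
Aug 14 12:19:49 srv vpopmail[26126]: vchkpw-smtp: vpopmail user not found mickey@:203.0.113.5
Feb 27 14:57:44 mail vpopmail[31110]: vchkpw-pop3: vpopmail user not found nobody@:192.0.2.99
""".splitlines()

def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python regex (stand-in for fail2ban's <HOST>)."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))

def parse_timestamp(line, year):
    """syslog lines carry no year, so one is supplied (fail2ban assumes the current one)."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def find_offenders(lines, maxretry=3, findtime=600, year=2011):
    """Return {ip: total_failures} for sources that reach maxretry matches inside
    findtime seconds, which is when a fail2ban jail would ban the address."""
    rx = compile_failregex(FAILREGEX)
    hits = defaultdict(list)
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")].append(parse_timestamp(line, year))
    offenders = {}
    for host, times in hits.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):  # sliding window of maxretry hits
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                offenders[host] = len(times)
                break
    return offenders
```

Only 192.0.2.10 trips the default jail settings here; the two "user not found" hits from 203.0.113.5 are two hours apart, so they fall outside a 600-second findtime.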

Re: [qmailtoaster] SMTP attack

2011-03-01 Thread Tony White

Fail2Ban does not work with qmail out of the box.
The scripting for the qmail log files needs to be
written specifically for fail2ban.
  Has anyone managed to do this yet?

If so what price your script please?


On 02/03/2011 2:09 PM, Sergio M wrote:

South Computers escribió:
Sounds like they may have gotten hit with a virus or pissed someone off. I would block the domain from relaying & inform 
the customer, possibly make them change their email account passwords if it's not a large organization. Ask them to 
relay through their provider if possible for the time being. Fail2ban would be the best solution for the time being as 
previously mentioned.



The passwords are all wrong. They are all like:
mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') 
eduardos...@domain.com:201.82.74.70

The domain is blocked in spamdyke, unless they authenticate and bypass the filters, so that is covered. But the smtp 
sessions are used nevertheless.


I installed fail2ban (from the repos mentioned in fail2ban.org) but cannot make it work with the smtpd. I tried with 
http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg23951.html but I think it has a conf file missing and 
the vpopmail is for pop3.
I also tried with http://notes.benv.junerules.com/all/software/qmail-spamdyke-and-fail2ban/#more-539 but cannot make it 
work with the RBL_MATCH filter.


Any tips from satisfied fail2ban users?

Thanks!
Sergio



--
best wishes
  Tony White

Yea Computing Services
http://www.ycs.com.au
4 The Crescent
Yea
Victoria
Australia 3717

Telephone No's
VIC : 03 9008 5614
FAX : 03 9008 5610 (FAX2Email)


Re: [qmailtoaster] SMTP attack warning

2010-08-16 Thread Jake Vickers

On 08/14/2010 02:56 PM, Aleksander Podsiadły wrote:

Recently I noticed an intensive dictionary attack on mail servers from
many IPs. For example:
Aug 14 10:19:21 srv vpopmail[4345]: vchkpw-smtp: vpopmail user not found admin@:68.115.208.106
Aug 14 12:19:49 srv vpopmail[26126]: vchkpw-smtp: vpopmail user not found mickey@:69.178.165.154
Aug 14 14:29:57 srv vpopmail[27259]: vchkpw-smtp: vpopmail user not found admin@:68.115.208.106
Aug 14 17:48:46 srv vpopmail[11419]: vchkpw-smtp: vpopmail user not found admin@:80.153.178.39

IMHO it's not normal activity, so I suggest checking the mail logs.



Thanks Aleksander. We'll keep an eye out.
Didn't someone write something on the wiki about using fail2ban to 
capture these crackers?




[qmailtoaster] SMTP attack warning

2010-08-14 Thread Aleksander Podsiadły
Recently I noticed an intensive dictionary attack on mail servers from
many IPs. For example:
Aug 14 10:19:21 srv vpopmail[4345]: vchkpw-smtp: vpopmail user not found admin@:68.115.208.106
Aug 14 12:19:49 srv vpopmail[26126]: vchkpw-smtp: vpopmail user not found mickey@:69.178.165.154
Aug 14 14:29:57 srv vpopmail[27259]: vchkpw-smtp: vpopmail user not found admin@:68.115.208.106
Aug 14 17:48:46 srv vpopmail[11419]: vchkpw-smtp: vpopmail user not found admin@:80.153.178.39

IMHO it's not normal activity, so I suggest checking the mail logs.

-- 
Pozdrawiam / Regards,
Aleksander Podsiadły
mail: a...@westside.kielce.pl
jid: a...@jabber.westside.kielce.pl
ICQ: 201121279
gg: 9150578

