Re: [spamdyke-users] MAILER-DAEMON Flood

2016-11-10 Thread BC via spamdyke-users



On 11/9/2016 6:27 AM, Sam Clippinger via spamdyke-users wrote:
> Do you have 10.0.1.15 whitelisted because it's the local IP?  Or is 
> it configured in your /etc/tcp.smtp as a relay client?  Either 
> setting would cause spamdyke to allow these messages.


Thanks, Sam.  That was the issue (both places).  I need to study the 
purpose of the tcp.smtp file a bit more...


___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users


Re: [spamdyke-users] MAILER-DAEMON Flood

2016-11-09 Thread BC via spamdyke-users



On 11/9/2016 6:27 AM, Sam Clippinger via spamdyke-users wrote:
> I don't understand how you have your jails configured -- is qmail in 
> a different jail from spamdyke?  I'm just wondering, if the message 
> is originating locally, why does spamdyke see the origin IP as 
> 10.0.1.15 instead of 127.0.0.1?  And where is the message really 
> coming from -- maybe a rogue process or a compromised PHP script is 
> generating them?
> 
> Do you have 10.0.1.15 whitelisted because it's the local IP?  Or is 
> it configured in your /etc/tcp.smtp as a relay client?  Either 
> setting would cause spamdyke to allow these messages.
> 
> -- Sam Clippinger


Ah, you may have hit on something.

The qmaild jail contains everything that is mail related (qmail and 
spamdyke) and necessary to run both.  My firewall / router is pf and I 
use redirection to point incoming port 25 to the jail IP.  Jails are a 
little weird if you don't know about them, in that inside the jail, 
any references to 127.0.0.1 are morphed into the jail IP address.  Not 
running any PHP scripts.


But I do have the entire 10. network whitelisted as well as 127. and 
10. allowing relay in the tcp.smtp file.  So I'll need to twiddle with 
those and see if I can get this to stop (another 100+ came in last 
night and one just a few moments ago as well.)


Thank you, Sam!



Re: [spamdyke-users] MAILER-DAEMON Flood

2016-11-09 Thread Sam Clippinger via spamdyke-users
I don't understand how you have your jails configured -- is qmail in a 
different jail from spamdyke?  I'm just wondering, if the message is 
originating locally, why does spamdyke see the origin IP as 10.0.1.15 instead 
of 127.0.0.1?  And where is the message really coming from -- maybe a rogue 
process or a compromised PHP script is generating them?

Do you have 10.0.1.15 whitelisted because it's the local IP?  Or is it 
configured in your /etc/tcp.smtp as a relay client?  Either setting would cause 
spamdyke to allow these messages.

-- Sam Clippinger




On Nov 8, 2016, at 10:53 PM, BC via spamdyke-users wrote:

> 
> Well, I have spamdyke-qrv installed and turned on in spamdyke.conf, but am 
> still getting stuff like this (maillog):
> 
> Nov  8 21:48:51 33a45916-5b78-11e6-a0e5-0cc47a6975be spamdyke[17138]: ALLOWED 
> from: filenkokir...@shopon.net to: sergushk...@bk.ru origin_ip: 10.0.1.15 
> origin_rdns: (unknown) auth: (unknown) encryption: (none) reason: 
> 250_ok_1478666931_qp_17140
> 
> so someone is trying to use my system as a relay, right?
> 
> with the resulting MAILER-DAEMON bounce.  The 10.0.1.15 is the IP of the jail 
> that qmail runs in.
> 
> Any other thoughts?
> 
> 
> On 11/7/2016 9:13 AM, Gary Gendel via spamdyke-users wrote:
>> This doesn't look like it's email originating from your system.  Instead, it 
>> looks like spamdyke has accepted the message and then qmail is doing the 
>> rejection.  My guess is that it passes through spamdyke with an invalid 
>> destination user.  Qmail then tries to reject it. 
>> 
>> You can avoid this by adding invalid user checks in spamdyke so it doesn't 
>> reach qmail by setting "recipient-validation-command=" (I use 
>> spamdyke-qrv) and "reject-recipient=invalid". 
>> 
>> Gary
> 
> 

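Two checks that follow from Sam's diagnosis above and from the tcp.smtp layout BC describes (the whole 10. network whitelisted and given relay rights), written here as an added example; this is not code from the thread, from spamdyke or from qmail. The first check parses spamdyke log lines in the field layout quoted in the thread and flags ALLOWED entries where an unauthenticated client on a locally trusted address sent mail between two external domains, which is exactly what an open relay through a whitelisted jail IP looks like. The second scans a tcprules-style /etc/tcp.smtp and reports every rule that hands out RELAYCLIENT, and how broad its prefix is. The local domain, the sample log lines and addresses, and both tcp.smtp variants are constructed for the example; which address should legitimately keep RELAYCLIENT is site specific and the "tight" variant is only an assumption.

```python
"""Added example (not spamdyke's or qmail's own code) for the symptom in this
thread: spamdyke logs ALLOWED for mail from a local/jail address with no
SMTP AUTH, and a permissive /etc/tcp.smtp hands RELAYCLIENT to whole prefixes.
All log lines, addresses and tcp.smtp contents below are constructed."""
import ipaddress
import re

# Assumption: the domains this host accepts mail for.
LOCAL_DOMAINS = {"example.org"}

# Ranges the thread's setup treats as local: loopback and the jail's 10. net.
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("10.0.0.0/8")]

# Field layout copied from the spamdyke line quoted in the thread.
LOG_RE = re.compile(
    r"spamdyke\[\d+\]: (?P<verdict>\S+) from: (?P<sender>\S+) to: (?P<rcpt>\S+)"
    r" origin_ip: (?P<ip>\S+) origin_rdns: (?P<rdns>\S+) auth: (?P<auth>\S+)"
    r" encryption: (?P<enc>\S+) reason: (?P<reason>\S+)")


def parse_spamdyke_line(line):
    """Named fields of one spamdyke log line, or None if it does not match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def is_trusted_ip(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def suspicious_relays(lines):
    """ALLOWED entries where an unauthenticated 'local' client sent mail
    between two external domains: the relay-through-whitelist pattern."""
    hits = []
    for line in lines:
        e = parse_spamdyke_line(line)
        if e is None or e["verdict"] != "ALLOWED":
            continue
        both_external = (domain_of(e["sender"]) not in LOCAL_DOMAINS
                         and domain_of(e["rcpt"]) not in LOCAL_DOMAINS)
        if both_external and e["auth"] == "(unknown)" and is_trusted_ip(e["ip"]):
            hits.append(e)
    return hits


def relay_rules(tcp_smtp_text):
    """(prefix, scope) for every tcprules line that sets RELAYCLIENT.
    scope: "everyone" for an empty prefix (open relay), "network" for a
    partial dotted prefix such as "10.", "host" for one full address."""
    found = []
    for raw in tcp_smtp_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        prefix, _, actions = line.partition(":")
        if "RELAYCLIENT" not in actions:
            continue
        if prefix == "":
            scope = "everyone"
        elif prefix.count(".") < 3 or prefix.endswith("."):
            scope = "network"
        else:
            scope = "host"
        found.append((prefix, scope))
    return found


# Constructed sample log; only the first line shows the thread's pattern.
SAMPLE_LOG = [
    "Nov  8 21:48:51 mx spamdyke[17138]: ALLOWED from: a@example.net to: b@example.com"
    " origin_ip: 10.0.1.15 origin_rdns: (unknown) auth: (unknown) encryption: (none)"
    " reason: 250_ok_1478666931_qp_17140",
    # ordinary inbound mail for a local domain from an outside host
    "Nov  8 21:49:02 mx spamdyke[17141]: ALLOWED from: c@example.net to: d@example.org"
    " origin_ip: 203.0.113.7 origin_rdns: mx.example.net auth: (unknown) encryption: (none)"
    " reason: 250_ok_1478666942_qp_17143",
    # authenticated user submitting from inside the jail network
    "Nov  8 21:49:30 mx spamdyke[17150]: ALLOWED from: e@example.org to: f@example.com"
    " origin_ip: 10.0.1.15 origin_rdns: (unknown) auth: euser encryption: (none)"
    " reason: 250_ok_1478666970_qp_17152",
]

# Constructed tcp.smtp contents: the permissive layout described in the thread,
# and a tighter one that grants RELAYCLIENT to a single address only
# (assumption: which address legitimately submits mail is site specific).
PERMISSIVE_TCP_SMTP = '127.:allow,RELAYCLIENT=""\n10.:allow,RELAYCLIENT=""\n:allow\n'
TIGHT_TCP_SMTP = '127.0.0.1:allow,RELAYCLIENT=""\n:allow\n'

if __name__ == "__main__":
    for e in suspicious_relays(SAMPLE_LOG):
        print("possible relay via trusted IP:", e["ip"], e["sender"], "->", e["rcpt"])
    for name, text in (("permissive", PERMISSIVE_TCP_SMTP), ("tight", TIGHT_TCP_SMTP)):
        print(name, relay_rules(text))
```

Run against a real maillog, the first check narrows hundreds of bounce-generating ALLOWED lines down to the ones that share the thread's signature (trusted origin_ip, no auth, neither side local); the second makes visible that a prefix rule like `10.:allow,RELAYCLIENT=""` covers every address in the jail network, including whatever 127.0.0.1 is mapped to inside the jail, not just the one host that was meant.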


Re: [spamdyke-users] MAILER-DAEMON Flood

2016-11-08 Thread BC via spamdyke-users


Well, I have spamdyke-qrv installed and turned on in spamdyke.conf, 
but am still getting stuff like this (maillog):


Nov  8 21:48:51 33a45916-5b78-11e6-a0e5-0cc47a6975be spamdyke[17138]: 
ALLOWED from: filenkokir...@shopon.net to: sergushk...@bk.ru 
origin_ip: 10.0.1.15 origin_rdns: (unknown) auth: (unknown) 
encryption: (none) reason: 250_ok_1478666931_qp_17140


so someone is trying to use my system as a relay, right?

with the resulting MAILER-DAEMON bounce.  The 10.0.1.15 is the IP of 
the jail that qmail runs in.


Any other thoughts?


On 11/7/2016 9:13 AM, Gary Gendel via spamdyke-users wrote:
> This doesn't look like it's email originating from your system.  
> Instead, it looks like spamdyke has accepted the message and then 
> qmail is doing the rejection.  My guess is that it passes through 
> spamdyke with an invalid destination user. Qmail then tries to 
> reject it.
> 
> You can avoid this by adding invalid user checks in spamdyke so it 
> doesn't reach qmail by setting 
> "recipient-validation-command=" (I use spamdyke-qrv) and 
> "reject-recipient=invalid".
> 
> Gary





Re: [spamdyke-users] MAILER-DAEMON Flood

2016-11-07 Thread BC via spamdyke-users


Thank you very much. I'll look into that.

On 11/7/2016 9:13 AM, Gary Gendel via spamdyke-users wrote:
> This doesn't look like it's email originating from your system.  
> Instead, it looks like spamdyke has accepted the message and then 
> qmail is doing the rejection.  My guess is that it passes through 
> spamdyke with an invalid destination user. Qmail then tries to 
> reject it.
> 
> You can avoid this by adding invalid user checks in spamdyke so it 
> doesn't reach qmail by setting 
> "recipient-validation-command=" (I use spamdyke-qrv) and 
> "reject-recipient=invalid".




Re: [spamdyke-users] MAILER-DAEMON Flood

2016-11-07 Thread Gary Gendel via spamdyke-users
This doesn't look like it's email originating from your system.  
Instead, it looks like spamdyke has accepted the message and then qmail 
is doing the rejection.  My guess is that it passes through spamdyke 
with an invalid destination user.  Qmail then tries to reject it.


You can avoid this by adding invalid user checks in spamdyke so it 
doesn't reach qmail by setting "recipient-validation-command=" 
(I use spamdyke-qrv) and "reject-recipient=invalid".


Gary

On 11/07/2016 10:59 AM, BC via spamdyke-users wrote:
> It hasn't risen to the level of DDOS, yet, but I'm getting many 
> hundreds of these messages per night (and it is now continuing during 
> the day).
> 
> They look like this:
> 
> Hi. This is the qmail-send program at purgatoire.org.
> I tried to deliver a bounce message to this address, but the bounce 
> bounced!
> 
> :
> 212.4.107.202 does not like recipient.
> Remote host said: 550 5.1.1: Recipient address 
> rejected: telcom.es
> 
> Giving up on 212.4.107.202.
> 
> --- Below this line is the original bounce.
> 
> ... each one with totally unrelated email and IP addresses and with 
> variable sizes and all in MIME format.
> 
> I use FreeBSD here.  Running qmail in a jail.  I do use ssmtp running 
> on the host (not jailed) in order to get the periodic 
> daily/weekly/monthly reports.
> 
> Is someone somehow using my system to try to send spam?
> 
> Any idea how to block this?








[spamdyke-users] MAILER-DAEMON Flood

2016-11-07 Thread BC via spamdyke-users


It hasn't risen to the level of DDOS, yet, but I'm getting many 
hundreds of these messages per night (and it is now continuing during 
the day).


They look like this:



Hi. This is the qmail-send program at purgatoire.org.
I tried to deliver a bounce message to this address, but the bounce bounced!

:
212.4.107.202 does not like recipient.
Remote host said: 550 5.1.1: Recipient address rejected: 
telcom.es
Giving up on 212.4.107.202.

--- Below this line is the original bounce.




... each one with totally unrelated email and IP addresses and with variable 
sizes and all in MIME format.

I use FreeBSD here.  Running qmail in a jail.  I do use ssmtp running on the 
host (not jailed) in order to get the periodic daily/weekly/monthly reports.

Is someone somehow using my system to try to send spam?

Any idea how to block this?
