Re: [toaster] Problem with an open relay

2007-01-09 Thread snowtty
But when we look at the message header we cannot see any valid username; the From
header is 168.1.49.97dgrrtgr and not [EMAIL PROTECTED]


Return-Path: 
Received: (qmail 10514 invoked by uid 89); 8 Jan 2007 01:04:33 -
Received: by simscan 1.2.0 ppid: 10447, pid: 10511, t: 0.2801s
 scanners: attach: 1.2.0 clamav: 0.88.7/m:41/d:2352
Received: from unknown (HELO winxp) ([EMAIL PROTECTED])
  by 0 with ESMTPA; 8 Jan 2007 01:04:33 -
From: 168.1.49.97dgrrtgr 
Subject: =?GB2312?B?yeixuM6s0N653MDt?=
To: [EMAIL PROTECTED]
Content-Type: text/plain
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Date: Mon, 8 Jan 2007 09:08:40 +0800
- Original Message - 
From: Matthew Walker [EMAIL PROTECTED]
To: toaster@shupp.org
Sent: Tuesday, January 09, 2007 12:42 AM
Subject: Re: [toaster] Problem with an open relay


 
 On Mon, January 8, 2007 2:10 am, [EMAIL PROTECTED] wrote:
 2007-01-08 15:27:47.382518500 22607  250 AUTH LOGIN PLAIN CRAM-MD5
 2007-01-08 15:27:47.414664500 22607  AUTH LOGIN
 2007-01-08 15:27:47.414789500 22607  334 VXNlcm5hbWU6
 2007-01-08 15:27:47.442411500 22607  d2VibWFzdGVy
 2007-01-08 15:27:47.442521500 22607  334 UGFzc3dvcmQ6
 2007-01-08 15:27:47.462649500 22607  MDAwMDAwMDA=

 
 This snippet of the log shows them logging in with a valid username and
 password. Un-base64 the 4th and 6th lines to see what they used. And then
 change that password, cause you just posted it on an archived mailing
 list.
 
 -- 
 Matthew Walker
 Kydance Hosting & Consulting
 LAMP Specialist
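Matthew's instruction to "un-base64 the 4th and 6th lines" is easy to do by hand once, but a small parser is what you want when you are sifting a day of smtpd logs for every AUTH exchange. The following is an added example, not code from the original post or from the qmail toaster. The log text is constructed: the AUTH LOGIN session (pid 22607) copies the lines quoted above, while the AUTH PLAIN session (pid 22610) and both 235 replies are assumed additions. It handles both mechanisms (AUTH PLAIN packs authzid, authcid and password NUL-separated into one token) and records which server reply followed the credentials, so you can tell accepted logins from failed guesses.

```python
"""Decode the credentials used in SMTP AUTH LOGIN / AUTH PLAIN exchanges
from a qmail-smtpd session log (added example; the log lines below are
constructed: pid 22607 copies the thread's snippet, pid 22610 is assumed)."""
import base64
import re

SAMPLE_LOG = """\
2007-01-08 15:27:47.382518500 22607  250 AUTH LOGIN PLAIN CRAM-MD5
2007-01-08 15:27:47.414664500 22607  AUTH LOGIN
2007-01-08 15:27:47.414789500 22607  334 VXNlcm5hbWU6
2007-01-08 15:27:47.442411500 22607  d2VibWFzdGVy
2007-01-08 15:27:47.442521500 22607  334 UGFzc3dvcmQ6
2007-01-08 15:27:47.462649500 22607  MDAwMDAwMDA=
2007-01-08 15:27:47.500000000 22607  235 ok, go ahead (#2.0.0)
2007-01-08 15:30:01.000000000 22610  AUTH PLAIN AGFsaWNlAGh1bnRlcjI=
2007-01-08 15:30:01.100000000 22610  235 ok, go ahead (#2.0.0)
"""

# timestamp (two tokens), pid, then the SMTP line itself (client or server)
LINE_RE = re.compile(r"^(\S+ \S+)\s+(\d+)\s+(.*)$")
# server replies start with a three-digit code
REPLY_RE = re.compile(r"^(\d{3})[ -]")


def _b64(token):
    """Base64-decode one SMTP AUTH token; None if it is not valid base64."""
    try:
        return base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return None


def decode_plain(token):
    """AUTH PLAIN carries authzid\\0authcid\\0password (RFC 4616)."""
    raw = _b64(token)
    if raw is None or raw.count("\0") != 2:
        return None
    _authzid, user, password = raw.split("\0")
    return user, password


def _new_record(pid, mechanism):
    return {"pid": pid, "mechanism": mechanism, "user": None,
            "password": None, "reply": None}


def extract_credentials(log_text):
    """Walk the log per session (pid); collect mechanism, user, password and
    the first non-334 server reply that followed the credentials."""
    state = {}      # pid -> meaning of the next client line
    pending = {}    # pid -> record still waiting for the server's verdict
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, pid, text = m.groups()
        reply = REPLY_RE.match(text)
        if reply:                                   # server side
            if reply.group(1) != "334" and pid in pending:
                pending.pop(pid)["reply"] = reply.group(1)
            continue
        upper = text.upper()
        if upper.startswith("AUTH LOGIN"):
            rec = pending[pid] = _new_record(pid, "LOGIN")
            found.append(rec)
            arg = text[len("AUTH LOGIN"):].strip()
            if arg:                                 # initial-response form
                rec["user"] = _b64(arg)
                state[pid] = "login_pass"
            else:
                state[pid] = "login_user"
        elif upper.startswith("AUTH PLAIN"):
            rec = pending[pid] = _new_record(pid, "PLAIN")
            found.append(rec)
            arg = text[len("AUTH PLAIN"):].strip()
            if arg:
                rec["user"], rec["password"] = decode_plain(arg) or (None, None)
                state.pop(pid, None)
            else:
                state[pid] = "plain"
        elif state.get(pid) == "login_user":
            pending[pid]["user"] = _b64(text)
            state[pid] = "login_pass"
        elif state.get(pid) == "login_pass":
            pending[pid]["password"] = _b64(text)
            state.pop(pid)
        elif state.get(pid) == "plain":
            pending[pid]["user"], pending[pid]["password"] = decode_plain(text) or (None, None)
            state.pop(pid)
    return found


if __name__ == "__main__":
    for cred in extract_credentials(SAMPLE_LOG):
        print(cred)
```

Anything this prints is a credential that was sent over the wire in the clear (LOGIN and PLAIN are only as private as the TCP connection), so treat the output, and the log it came from, as sensitive: the webmaster password above is exactly what ended up in a public archive.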


Re: [toaster] Problem with an open relay

2007-01-09 Thread Matthew Walker

On Tue, January 9, 2007 4:44 am, [EMAIL PROTECTED] wrote:
 But when we look at the message header we cannot see any valid username; the
 From header is 168.1.49.97dgrrtgr and not [EMAIL PROTECTED]


 Return-Path: 
 Received: (qmail 10514 invoked by uid 89); 8 Jan 2007 01:04:33 -
 Received: by simscan 1.2.0 ppid: 10447, pid: 10511, t: 0.2801s
  scanners: attach: 1.2.0 clamav: 0.88.7/m:41/d:2352
 Received: from unknown (HELO winxp) ([EMAIL PROTECTED])
   by 0 with ESMTPA; 8 Jan 2007 01:04:33 -
 From: 168.1.49.97dgrrtgr 
 Subject: =?GB2312?B?yeixuM6s0N653MDt?=
 To: [EMAIL PROTECTED]
 Content-Type: text/plain
 MIME-Version: 1.0
 Content-Transfer-Encoding: base64
 Date: Mon, 8 Jan 2007 09:08:40 +0800


Headers are NOT reliable. Once a client has authenticated with a valid
username and password, they can say whatever they want about who they are
for the rest of the conversation.

Seriously, you have a compromised account, or a user who is intentionally
spamming through your server. Shut them down.

-- 
Matthew Walker
Kydance Hosting & Consulting
LAMP Specialist


Re: [toaster] Problem with an open relay

2007-01-09 Thread Rick Macdougall

Matthew Walker wrote:

On Tue, January 9, 2007 4:44 am, [EMAIL PROTECTED] wrote:

But when we look at the message header we cannot see any valid username; the
From header is 168.1.49.97dgrrtgr and not [EMAIL PROTECTED]


Return-Path: 
Received: (qmail 10514 invoked by uid 89); 8 Jan 2007 01:04:33 -
Received: by simscan 1.2.0 ppid: 10447, pid: 10511, t: 0.2801s
 scanners: attach: 1.2.0 clamav: 0.88.7/m:41/d:2352
Received: from unknown (HELO winxp) ([EMAIL PROTECTED])
  by 0 with ESMTPA; 8 Jan 2007 01:04:33 -
From: 168.1.49.97dgrrtgr 
Subject: =?GB2312?B?yeixuM6s0N653MDt?=
To: [EMAIL PROTECTED]
Content-Type: text/plain
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Date: Mon, 8 Jan 2007 09:08:40 +0800



Headers are NOT reliable. Once a client has authenticated with a valid
username and password, they can say whatever they want about who they are
for the rest of the conversation.

Seriously, you have a compromised account, or a user who is intentionally
spamming through your server. Shut them down.



Hi,

Just a thought.  Did you upgrade over an older copy of the toaster? 
Perhaps one where the smtp-auth code required the domain.com name 
listed in the run file?


If so, when you upgraded did you just keep the old run file and not 
upgrade it as you should, thereby leaving yourself as an open relay 
(because using the old run file with the new code allows anyone to 
authenticate)?


Regards,

Rick



Re: [toaster] Problem with an open relay

2007-01-09 Thread Tom Collins
On Jan 9, 2007, at 3:44 AM, [EMAIL PROTECTED] wrote:
But when we look at the message header we cannot see any valid username; the 
From header is 168.1.49.97dgrrtgr and not [EMAIL PROTECTED]



Return-Path: 
Received: (qmail 10514 invoked by uid 89); 8 Jan 2007 01:04:33 -
Received: by simscan 1.2.0 ppid: 10447, pid: 10511, t: 0.2801s
 scanners: attach: 1.2.0 clamav: 0.88.7/m:41/d:2352
Received: from unknown (HELO winxp) ([EMAIL PROTECTED])
  by 0 with ESMTPA; 8 Jan 2007 01:04:33 -


The key header is the first Received header.

You see where it says ([EMAIL PROTECTED])?  That means someone  
connected from 59.41.183.162 and authenticated as user webmaster.


--
Tom Collins  -  [EMAIL PROTECTED]
Vpopmail - virtual domains for qmail: http://vpopmail.sf.net/
QmailAdmin - web interface for Vpopmail: http://qmailadmin.sf.net/
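Tom's point, that the Received header written by the authenticating hop is the trustworthy record and the From line is not, is the kind of check worth automating when triaging a suspected relay abuse. Below is an added example, not code from the original post or from the qmail toaster. The headers are constructed from the ones quoted in the thread: the archive redacted the auth token to [EMAIL PROTECTED], and it is filled in here as webmaster@sve-tech.com@59.41.183.162, the user@domain@ip form Tom describes (an assumption about the exact format); Return-Path and To are placeholders. The code also decodes the RFC 2047 Subject, which the original post left as a GB2312 base64 blob.

```python
"""Identify the authenticated submitter from a message's Received headers,
not its From line (added example; headers constructed, auth token assumed)."""
import email
import email.header
import email.utils
import re

SAMPLE_HEADERS = """\
Return-Path: <redacted@example.invalid>
Received: (qmail 10514 invoked by uid 89); 8 Jan 2007 01:04:33 -0000
Received: by simscan 1.2.0 ppid: 10447, pid: 10511, t: 0.2801s
 scanners: attach: 1.2.0 clamav: 0.88.7/m:41/d:2352
Received: from unknown (HELO winxp) (webmaster@sve-tech.com@59.41.183.162)
  by 0 with ESMTPA; 8 Jan 2007 01:04:33 -0000
From: 168.1.49.97dgrrtgr
Subject: =?GB2312?B?yeixuM6s0N653MDt?=
To: redacted@example.invalid
Content-Type: text/plain
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Date: Mon, 8 Jan 2007 09:08:40 +0800

"""

# "(user@domain@ip)" is the assumed shape of the token qmail-smtpd writes
# into the Received header after SMTP AUTH; "with ESMTPA" / "with ESMTPSA"
# is the RFC 3848 keyword for an authenticated session.
AUTH_RE = re.compile(r"\(([^()\s@]+)@([^()\s@]+)@(\d{1,3}(?:\.\d{1,3}){3})\)")
HELO_RE = re.compile(r"\(HELO ([^)]+)\)")
WITH_AUTH_RE = re.compile(r"\bwith ESMTPS?A\b")


def _unfold(value):
    """Collapse a folded header onto one line."""
    return " ".join(value.split())


def authenticated_hop(raw_headers):
    """Return the first hop carrying an SMTP AUTH identity, or None.
    Received headers are prepended on each hop, so the earliest is the last."""
    msg = email.message_from_string(raw_headers)
    for received in reversed(msg.get_all("Received", [])):
        text = _unfold(received)
        m = AUTH_RE.search(text)
        if m and WITH_AUTH_RE.search(text):
            helo = HELO_RE.search(text)
            return {"user": m.group(1), "domain": m.group(2), "ip": m.group(3),
                    "helo": helo.group(1) if helo else None}
    return None


def decoded_subject(raw_headers):
    """Return (raw bytes, charset) of an RFC 2047 encoded Subject."""
    msg = email.message_from_string(raw_headers)
    chunks, charset = [], None
    for data, cs in email.header.decode_header(msg.get("Subject", "")):
        if isinstance(data, str):           # unencoded fragment
            data = data.encode("ascii", "replace")
        chunks.append(data)
        charset = charset or (cs.lower() if cs else None)
    return b"".join(chunks), charset


def from_matches_auth(raw_headers):
    """True only when the From address equals the authenticated identity."""
    hop = authenticated_hop(raw_headers)
    if hop is None:
        return False
    msg = email.message_from_string(raw_headers)
    _name, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.lower() == f"{hop['user']}@{hop['domain']}".lower()


if __name__ == "__main__":
    hop = authenticated_hop(SAMPLE_HEADERS)
    raw, cs = decoded_subject(SAMPLE_HEADERS)
    print("authenticated as:", hop)
    print("subject:", raw.decode(cs or "ascii", "replace"))
    print("From matches auth identity:", from_matches_auth(SAMPLE_HEADERS))
```

Only the hop your own server wrote can be trusted; any Received line above it in the message could have been forged by the client before it authenticated, which is why the search walks from the bottom up and insists on the ESMTPA keyword as well as the token.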




Re: [toaster] Problem with an open relay

2007-01-09 Thread Matthew Walker

On Tue, January 9, 2007 9:41 am, Rick Macdougall wrote:
 Just a thought.  Did you upgrade over an older copy of the toaster?
   Perhaps one where the smtp-auth code required the domain.com name
 listed in the run file?

 If so, when you upgraded did you just keep the old run file and not
 upgrade it as you should, thereby leaving yourself as an open relay
 (because using the old run file with the new code allows anyone to
 authenticate)?


I suppose he might have that problem, but unless his auth is completely
broken, that original log snippet showed a user logging in successfully,
which he claims is responsible for sending the spam.

-- 
Matthew Walker
Kydance Hosting & Consulting
LAMP Specialist


[toaster] Mailing List question

2007-01-09 Thread Nitchi DaMon
I wanted to search through the mailing list to see if
someone was experiencing what I am.  I noticed that on
the www.shupp.org website there is a link to the list
(which is how I got onto the list in the first place)
and it's searchable.

I also noticed that the most recent emails on this list
are as of 05/20/2006.  Am I looking at this right, or is
there a glitch so that the newer emails are not making it
into the list?

Great product and mods!

My problem is more a question about the null
sender.  It seems that I am getting slammed with tons
of spam as of Nov 1, 2006, and I installed the toaster as
the front end to the main mail server.  The
toaster is getting slammed hard and 99% of the emails
are from the null sender.

I'd love to just drop the connection for the null
sender.
My concurrencyincoming is set to 600 and it fills up
(600 out of 600) within seconds and stays there.  With
the connections tapped out, legitimate emails do not
get through because the server is almost constantly
at 600/600.
I've thrown a second MX server in line and that too
fills up almost instantly (700/700... that's 1300
connections in the blink of an eye!).

I've blocked as much as I can of overseas (RIPE,
APNIC, etc.), but I believe that the rise is due to the
BOT NET garbage going on.  The blocking lowered the
connections for less than 1 day.  Now most of the
connections are coming in from legitimate companies...
or so I think.

I've been tracking all of the connections for the last
week and while some look like IP attacks (example:
xxx.xxx.xxx.1, .2, .56, .90 etc.) I can block those
ranges easily.
But the killer is that the majority use an IP address
only once or twice in a week.
Sure, I can take all of the IPs and put them into
tcp.smtp, but that's NUTS if you ask me.

Any ideas ?

tia

Nitch.

__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 


Re: [toaster] Mailing List question

2007-01-09 Thread Rick Macdougall

Nitchi DaMon wrote:

I wanted to search through the mailing list to see if
someone was experiencing what I am.  I noticed that on
the  www.shupp.org website the link to the list which
is how I got onto the list in the first place)
and its searchable.

I also that the most recent emails onto this list are
as of 05/20/2006   am I looking at this right or is
there a glitch that the newer emails are not making it
into the list?

Great product and mods!

My problem is more of questions with the null
sender.  It seems that I am getting slammed with tons
of spam as of nov 1,2006 and installed the toaster as
the front end to the mail mail mailserver.  the
toaster is getting slammed hard and 99% of the emails
are from null sender.



Is it spam or bounces ?

Is it addressed to valid users or unknown users?

Are you rejecting mail to unknown users ?

I'm going to guess, since you didn't tell us, that it's bounces and mail 
to unknown users and you aren't rejecting unknown users for some reason.


Here's a nice regex for simscan to reject those.

:clam=yes,spam=yes,regex=^Subject.*failure\snotice.*:^Subject.*Delivery\sStatus\sNotification.*:^Subject.*Mail\sdelivery\sfailed.*:^Subject.*Returned\smail.*:^Subject.*Undelivered\sMail.*:^Subject.*DELIVERY\sFAILURE.*:^Subject.*Message.Delivery.Failed.*:^Subject.*Undeliverable.*:^Subject.*mail.delivery.status.*:^Subject.*Undeliverable\sMail.*:^Subject.*Mail\sSystem\sError.*:^Subject.*Returned\sMail.*:^Subject.*[D|d]elivery\s[F|f]ail.*:^Subject.*Undelivered\smail.*:^Subject.*failure\snotice.*:^Subject.*Envio\sde\scorreo\sfallido.*:^Subject.*Delivery\sNotification.*:^Subject.*Notificaci.*:^Subject.*Benachrichtung.*:^Subject.*BULK\sEMAIL\sfrom\syou.*:^Subject.*Delivery_failure.*:^Subject.*bulk\semail\sfilter.*:^Subject.*Non\sdelivery\sreport.*:^Subject.*Information Response from listserver.*


Happens here all the time, and we aren't rejecting unknown users because 
we are in the middle of a mail server migration that hasn't been 
completed yet so the forward facing MX servers don't know which users 
are valid.


Regards,

Rick
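A subject-regex list like Rick's is worth dry-running against real and encoded subjects before it goes live, since a miss or a false positive on an MX is expensive. The following is an added example, not code from the original post or from simscan. It parses the entry as simscan's simcontrol syntax (comma-separated options, the regex= value a colon-separated list of extended regexes applied to raw header lines) and tries each pattern against constructed Subject lines. Matching is case-sensitive here, which is an assumption about simscan (the list itself spells out both spellings, so it was evidently written on that basis); pass ignore_case=True to see what changes.

```python
"""Dry-run simscan's subject regex list against sample Subject lines
(added example; simcontrol syntax and case-sensitivity are assumptions)."""
import re

# The entry Rick posted, rejoined into one line.
SIMCONTROL_ENTRY = (
    r":clam=yes,spam=yes,regex="
    r"^Subject.*failure\snotice.*:^Subject.*Delivery\sStatus\sNotification.*"
    r":^Subject.*Mail\sdelivery\sfailed.*:^Subject.*Returned\smail.*"
    r":^Subject.*Undelivered\sMail.*:^Subject.*DELIVERY\sFAILURE.*"
    r":^Subject.*Message.Delivery.Failed.*:^Subject.*Undeliverable.*"
    r":^Subject.*mail.delivery.status.*:^Subject.*Undeliverable\sMail.*"
    r":^Subject.*Mail\sSystem\sError.*:^Subject.*Returned\sMail.*"
    r":^Subject.*[D|d]elivery\s[F|f]ail.*:^Subject.*Undelivered\smail.*"
    r":^Subject.*failure\snotice.*:^Subject.*Envio\sde\scorreo\sfallido.*"
    r":^Subject.*Delivery\sNotification.*:^Subject.*Notificaci.*"
    r":^Subject.*Benachrichtung.*:^Subject.*BULK\sEMAIL\sfrom\syou.*"
    r":^Subject.*Delivery_failure.*:^Subject.*bulk\semail\sfilter.*"
    r":^Subject.*Non\sdelivery\sreport.*"
    r":^Subject.*Information Response from listserver.*"
)

# Constructed header lines to try the list against.
SAMPLE_SUBJECTS = [
    "Subject: failure notice",
    "Subject: Delivery Status Notification (Failure)",
    "Subject: delivery failed: user unknown",
    "Subject: DELIVERY FAILED",
    "Subject: =?GB2312?B?yeixuM6s0N653MDt?=",   # RFC 2047 encoded: never matches
    "Subject: Re: invoice",
]


def parse_simcontrol(entry):
    """Split 'selector:opt=val,opt=val' into (selector, {opt: val})."""
    selector, _, options = entry.partition(":")
    opts = {}
    for item in options.split(","):
        key, _, value = item.partition("=")
        opts[key] = value
    return selector, opts


def compile_subject_rules(entry, ignore_case=False):
    """The regex= value is a colon-separated list; compile each pattern."""
    _selector, opts = parse_simcontrol(entry)
    flags = re.IGNORECASE if ignore_case else 0
    return [re.compile(p, flags) for p in opts.get("regex", "").split(":") if p]


def matching_rule(header_line, rules):
    """Pattern text of the first rule that hits the raw header line, or None."""
    for rule in rules:
        if rule.search(header_line):
            return rule.pattern
    return None


if __name__ == "__main__":
    rules = compile_subject_rules(SIMCONTROL_ENTRY)
    print(f"{len(rules)} patterns")
    for subject in SAMPLE_SUBJECTS:
        print(f"{subject!r:55} -> {matching_rule(subject, rules)}")
```

Two things the dry run makes visible: `[D|d]` and `[F|f]` are character classes that also contain a literal `|` (harmless, but `[Dd]` is what was meant), and because the patterns run on the raw header line, an RFC 2047 encoded subject such as the GB2312 one from the other thread is never matched, so the list catches only bounces whose generators write plain ASCII subjects.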


Re: [toaster] Mailing List question

2007-01-09 Thread Harman Nagra



My problem is more of questions with the null
sender.  It seems that I am getting slammed with tons
of spam as of nov 1,2006 and installed the toaster as
the front end to the mail mail mailserver.  the
toaster is getting slammed hard and 99% of the emails
are from null sender.

I'd love to just drop the connection for the null
sender.




Sure, there are different ways you could do it. However, you are going against the RFC
(http://www.faqs.org/rfcs/rfc821.html). In other words, you will be
breaking the NDRs.

Don't look at dropping the NDRs, but look at what these NDRs are; why are
you getting so many of them?

Have you set your domain to bounce messages for non-existent users? This
way chkuser can do its job properly.

NDRs are the by-products of SMTP, and spammers are now using them as the
last resort to deliver spam in the form of NDRs.



My concurrencyincoming is set to 600 and it fills up

(600 out of 600) within seconds and stays there. With
the connections tapped out, legitimate emails do not
get through because the server is is almost constantly
at 600/600.
I've thrown a second MX server in line and that too
fills up almost instantly. (700/700... thats 1300
connections in a blink of an eye!)




Well, you have a serious problem there, agreed. But again, look at the
connections, look at the logs: what and where are these connections from?
The null sender is the least of your worries. You sure you haven't opened up your
server for relay?

What's in /home/vpopmail/etc/tcp.smtp?

HTH
Harman


Re: [toaster] Problem with an open relay

2007-01-09 Thread snowtty
Yes, you are right, thank you very much.
I see entries like this in the MySQL log:

2851 webmaster 12345 sve-tech.com webmaster 59.40.27.78 vchkpw-smtp: password fail (pass: '12345') webmast... 1168331134 3
2852 webmaster 123456 sve-tech.com webmaster 59.40.27.78 vchkpw-smtp: password fail (pass: '123456') webmas... 1168342700 3
2853 webmaster 12345 sve-tech.com webmaster 59.40.27.78 vchkpw-smtp: password fail (pass: '12345') webmast... 1168342708 3
2854 webmaster 123456 sve-tech.com webmaster 59.40.27.78 vchkpw-smtp: password fail (pass: '123456') webmas... 1168344724 3
2855 webmaster 12345 sve-tech.com webmaster 59.40.27.78 vchkpw-smtp: password fail (pass: '12345') webmast... 1168344732 3
2856 webmaster 123456 sve-tech.com webmaster 59.40.27.78 vchkpw-smtp: password fail (pass: '123456') webmas... 1168346732 3
2857 webmaster 12345 sve-tech.com webmaster 59.40.27.78 vchkpw-smtp: password fail (pass: '12345') webmast... 1168346745 3
2858 webmaster 123456 sve-tech.com webmaster 59.40.27.78 vchkpw-smtp: password fail (pass: '123456') webmas... 1168348947 3
2859 webmaster 12345 sve-tech.com webmaster 59.40.27.78 vchkpw-smtp: password fail (pass: '12345') webmast... 1168348956 3
2860 webmaster 123456 sve-tech.com webmaster 59.40.27.78 vchkpw-smtp: password fail (pass: '123456') webmas... 1168351121 3
2861 webmaster 12345 sve-tech.com webmaster 59.40.27.78 vchkpw-smtp: password fail (pass: '12345') webmast... 1168351130 3
2862 webmaster 123456 sve-tech.com webmaster 59.40.27.78 vchkpw-smtp: password fail (pass: '123456') webmas... 1168353178 3
2863 webmaster 12345 sve-tech.com webmaster 59.40.27.78 vchkpw-smtp: password fail (pass: '12345') webmast... 1168353187 3
2864 webmaster 123456 sve-tech.com webmaster 59.40.27.78 vchkpw-smtp: password fail (pass: '123456') webmas... 1168355243 3
2865 webmaster 12345 sve-tech.com webmaster 59.40.27.78 vchkpw-smtp: password fail (pass: '12345') webmast... 1168355251 3
2866 webmaster 123456 sve-tech.com webmaster 59.40.27.78 vchkpw-smtp: password fail (pass: '123456') webmas... 1168357372 3
2867 webmaster 12345 sve-tech.com webmaster 59.40.27.78 vchkpw-smtp: password fail (pass: '12345') webmast... 1168357381 3
2868 webmaster 123456 sve-tech.com webmaster 59.40.27.78 vchkpw-smtp: password fail (pass: '123456') webmas... 1168359395 3
2869 webmaster 12345 sve-tech.com webmaster 59.40.27.78 vchkpw-smtp: password fail (pass: '12345') webmast... 1168359404 3
2870 webmaster 123456 sve-tech.com webmaster 59.40.27.78 vchkpw-smtp: password fail (pass: '123456') webmas... 11683612

Now I have changed the password of webmaster; I think the problem will be OK now.
- Original Message - 
From: Matthew Walker [EMAIL PROTECTED]
To: toaster@shupp.org
Sent: Wednesday, January 10, 2007 12:13 AM
Subject: Re: [toaster] Problem with an open relay


 
 On Tue, January 9, 2007 4:44 am, [EMAIL PROTECTED] wrote:
 But when we look at the message header we cannot see any valid username; the
 From header is 168.1.49.97dgrrtgr and not [EMAIL PROTECTED]


 Return-Path: 
 Received: (qmail 10514 invoked by uid 89); 8 Jan 2007 01:04:33 -
 Received: by simscan 1.2.0 ppid: 10447, pid: 10511, t: 0.2801s
  scanners: attach: 1.2.0 clamav: 0.88.7/m:41/d:2352
 Received: from unknown (HELO winxp) ([EMAIL PROTECTED])
   by 0 with ESMTPA; 8 Jan 2007 01:04:33 -
 From: 168.1.49.97dgrrtgr 
 Subject: =?GB2312?B?yeixuM6s0N653MDt?=
 To: [EMAIL PROTECTED]
 Content-Type: text/plain
 MIME-Version: 1.0
 Content-Transfer-Encoding: base64
 Date: Mon, 8 Jan 2007 09:08:40 +0800

 
 Headers are NOT reliable. Once a client has authenticated with a valid
 username and password, they can say whatever they want about who they are
 for the rest of the conversation.
 
 Seriously, you have a compromised account, or a user who is intentionally
 spamming through your server. Shut them down.
 
 -- 
 Matthew Walker
 Kydance Hosting & Consulting
 LAMP Specialist
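The vlog rows snowtty pasted are a textbook slow guess: one source, one account, two passwords alternated roughly every half hour for hours. Summarising that table per (source IP, account) is the quickest way to see the pattern and to spot the success that follows. Below is an added example, not code from the original post or from vpopmail. The rows are constructed in the shape of the posted ones (id, user, passw, domain, logon, remoteip, message, timestamp, error): the six failures copy the first six posted rows; the final success row, its message text, its error code 0 and its source IP (the one Tom read out of the Received header) are assumed. Note what the table itself shows: vpopmail records the attempted password in the clear, so anyone who can read the log, or a list archive it gets pasted into, gets the guesses for free.

```python
"""Summarise password guessing from vpopmail vlog rows (added example; the
six failure rows copy the thread, the success row and error code 0 are
assumed)."""
import re
from collections import defaultdict

SAMPLE_VLOG = """\
2851 webmaster 12345 sve-tech.com webmaster 59.40.27.78 vchkpw-smtp: password fail (pass: '12345') webmast... 1168331134 3
2852 webmaster 123456 sve-tech.com webmaster 59.40.27.78 vchkpw-smtp: password fail (pass: '123456') webmas... 1168342700 3
2853 webmaster 12345 sve-tech.com webmaster 59.40.27.78 vchkpw-smtp: password fail (pass: '12345') webmast... 1168342708 3
2854 webmaster 123456 sve-tech.com webmaster 59.40.27.78 vchkpw-smtp: password fail (pass: '123456') webmas... 1168344724 3
2855 webmaster 12345 sve-tech.com webmaster 59.40.27.78 vchkpw-smtp: password fail (pass: '12345') webmast... 1168344732 3
2856 webmaster 123456 sve-tech.com webmaster 59.40.27.78 vchkpw-smtp: password fail (pass: '123456') webmas... 1168346732 3
2871 webmaster - sve-tech.com webmaster 59.41.183.162 vchkpw-smtp: login success (assumed row) 1168361000 0
"""

# id user passw domain logon remoteip message... timestamp error
ROW_RE = re.compile(
    r"^(?P<id>\d+) (?P<user>\S+) (?P<passw>\S*) (?P<domain>\S+) (?P<logon>\S+) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<message>.*) (?P<ts>\d+) (?P<error>\d+)$"
)


def parse_vlog(text):
    """Parse rows in the posted shape; lines that do not fit are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["ts"] = int(row["ts"])
            row["error"] = int(row["error"])
            rows.append(row)
    return rows


def summarize(rows, min_failures=5):
    """Group failures by (source IP, account): count, password set and time
    window. List successful logons (error 0, assumed) and flag accounts that
    were guessed at >= min_failures times and then logged in from anywhere."""
    by_key = defaultdict(list)
    for r in rows:
        if r["error"] != 0:
            by_key[(r["ip"], r["logon"])].append(r)
    sources = {}
    for key, rs in by_key.items():
        ts = sorted(r["ts"] for r in rs)
        sources[key] = {"failures": len(rs),
                        "passwords": {r["passw"] for r in rs},
                        "first": ts[0], "last": ts[-1], "span_s": ts[-1] - ts[0]}
    successes = [(r["logon"], r["ip"], r["ts"]) for r in rows if r["error"] == 0]
    guessed = {logon for (_ip, logon), g in sources.items()
               if g["failures"] >= min_failures}
    flagged = sorted({logon for logon, _ip, _ts in successes if logon in guessed})
    return {"sources": sources, "successes": successes, "flagged_users": flagged}


if __name__ == "__main__":
    report = summarize(parse_vlog(SAMPLE_VLOG))
    for (ip, logon), g in report["sources"].items():
        print(f"{ip} -> {logon}: {g['failures']} failures, "
              f"{len(g['passwords'])} distinct passwords over {g['span_s']}s")
    print("successful logons:", report["successes"])
    print("accounts to reset:", report["flagged_users"])
```

Low rate and a tiny dictionary keep this kind of probing under per-connection limits, so a report keyed on the pair (source, account) over a long window is more useful than a per-minute threshold. Once an account appears in "accounts to reset", the password change snowtty made is the right first step; the second is to kill any session that is still authenticated with the old credential.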


Re: [toaster] Mailing List question

2007-01-09 Thread Nitchi DaMon
 
 Is it spam or bounces ?

It looks like RCPT bounces to unknown users.
 
 Is addressed to valid users or unknown users ?

Invalid users on each domain that this (mini) cluster
is accepting.

 
 Are you rejecting mail to unknown users ?

Yes.

 
 I'm going to guess, since you didn't tell us, that
 it's bounces and mail 
 to unknown users and you aren't rejecting unknown
 users for some reason.
 
 Here's a nice regex for simscan to reject those.
 

 :clam=yes,spam=yes,regex=^Subject.*failure\snotice.*:^Subject.*Delivery\sStatus\sNotification.*:^Subject.*Mail\sdelivery\sfailed.*:^Subject.*Returned\smail.*:^Subject.*Undelivered\sMail.*:^Subject.*DELIVERY\sFAILURE.*:^Subject.*Message.Delivery.Failed.*:^Subject.*Undeliverable.*:^Subject.*mail.delivery.status.*:^Subject.*Undeliverable\sMail.*:^Subject.*Mail\sSystem\sError.*:^Subject.*Returned\sMail.*:^Subject.*[D|d]elivery\s[F|f]ail.*:^Subject.*Undelivered\smail.*:^Subject.*failure\snotice.*:^Subject.*Envio\sde\scorreo\sfallido.*:^Subject.*Delivery\sNotification.*:^Subject.*Notificaci.*:^Subject.*Benachrichtung.*:^Subject.*BULK\sEMAIL\sfrom\syou.*:^Subject.*Delivery_failure.*:^Subject.*bulk\semail\sfilter.*:^Subject.*Non\sdelivery\sreport.*:^Subject.*Information Response from listserver.*
 

kewl.. thanks!


 Happens here all the time, and we aren't rejecting
 unknown users because 
 we are in the middle of a mail server migration that
 hasn't been 
 completed yet so the forward facing MX servers don't
 know which users 
 are valid.


The original problem is the continuation of what's
happening now and WHY I put in the toaster as a front
end to another qmail server (running Qmail Rocks;
both have good points, but I really like the
simplicity of setting up Bill's toaster).

The main MX server was swamped the first week of
December and I quickly ascertained it was time to split
functions (pop/smtp).  Small domains with under 500
users total, but still...  1300+ continuous
connections is nuts!
The problem was that the QMR server needed to be
updated with the CHKUSER patch, but I also wanted to
split things up and put in a cluster where I could
easily add more pop or mx servers as needed.  Thus I
looked at and chose the toaster.  VERY happy I did
this.
Immediately upon moving the old MX server out of the
loop, the new MX server (running the toaster) stopped
accepting the invalid users via chkuser.  (It should be
noted that I built it with MySQL.  I don't think the
instructions show the requirements for MySQL, but
that's not a problem.)

It's been running well, stopping things, and the more
blocks I place on RIPE, APNIC, LACNIC sites the more it
calms down.
Case in point: right now it's running on average 36/600,
but it's after hours and night; in the morning it takes
off again.


thanks for the response!

Nitch.


 
 Regards,
 
 Rick
 




Re: [toaster] Mailing List question

2007-01-09 Thread Nitchi DaMon

--- Harman Nagra [EMAIL PROTECTED] wrote:

 Sure, different ways you could do it. However, you
 are going against the RFC
 (http://www.faqs.org/rfcs/rfc821.html). In other
 words, you will be
 breaking the NDR's.
 
 Dont look at dropping the NDR's but look at what
 these NDR's are, why are
 you getting so many of them?

Most are invalid users; it looks like bounces where the
invalid user is the RCPT.

 
 Have you set your domain to bounce messages for
 non-exsitant users? This
 way chkuser can do its job properly.


yes.

 
 NDR's are the by products of SMTP, and spammers are
 now using them as the
 last resort to deliver spam in form of NDR's.
 

So I've noticed.  

 
 
 Well you have a serious problem there, agreed. But
 again look at the
 connections, look at the logs, what and where are
 these connections from?

The majority were from RIPE and APNIC.  I put blocks in
place in tcp.smtp and, since I am also running
iptables, I put ACLs in place to DROP the connections
for those IP blocks.
As I continue to watch this, I've noticed they moved
to LACNIC and certain IPs that are in North America
(including Canada).  I've blocked some others by adding
tcp.smtp entries with a bounce message to email me
at an external address if this is in error.
A great deal came from within Road Runner and...
Earthlink.  So I blocked these servers for a period of
time until it calmed down and they moved off.  Yes,
I've already notified both providers, but I believe
that it's due to the botnets.

 Null sender is your least of worries. You sure you
 havent opened up your server for relay?

I checked that once I set up the server.  It was
tested and passed as NOT an open relay.

 
 What's in /home/vpopmail/etc/tcp.smtp?


tons of things... here is a sample:
127.:allow,RELAYCLIENT=
:allow,QMAILQUEUE=/var/qmail/bin/simscan

195.:allow,RBLSMTPD=-Connections from this IP have been banned If this is an error, please send an email to [ external address at yahoo.com ]

.ch:allow,RBLSMTPD=-Connections from this IP have been banned If this is an error, please send an email to [ external address at yahoo.com ]


I'm using iptables for blocks of IPs, example:

-A RH-Firewall-1-INPUT -s 150.1.0.0/16 -m state --state NEW -m tcp -p tcp --dport ! 80 -j DROP
-A RH-Firewall-1-INPUT -s 150.2.0.0/15 -m state --state NEW -m tcp -p tcp --dport ! 80 -j DROP

This drops connections before tcp.smtp and can log
them as well.  In the samples, I do not show the
LOGging.

I am using tcp.smtp for those IPs and addresses
that could possibly be reopened, and the iptables ACL
for those I know I permanently do not want.


thanks for the reply.


Nitch.

 
 HTH
 Harman
 


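Harman's question ("What's in /home/vpopmail/etc/tcp.smtp?") and Nitch's sample answer are the two ends of the check that matters for relay exposure: which rule actually applies to a given client, and which rules set RELAYCLIENT. tcprules does not use first-match order; tcpserver looks up the exact address, then shorter prefixes ending in a dot, then the empty default rule, so a permissive default line is an open relay no matter where it sits in the file. The following is an added example, not code from the original post or from ucspi-tcp. It implements that address lookup (=host rules are parsed but never matched here) and lists every rule that grants relaying. The sample is constructed from the entries Nitch posted: the RBLSMTPD messages are double-quoted because they contain a comma (tcprules ends an unquoted value at a comma), the .ch rule is written as =.ch (the leading = is how tcprules marks a host-name rule), and the 10.0.0.5 line is an added case showing a more specific rule placed after the default.

```python
"""Audit a tcp.smtp rules file for relay permissions with tcprules lookup
semantics (added example; sample file constructed from the posted entries)."""

SAMPLE_TCP_SMTP = '''\
127.:allow,RELAYCLIENT=
:allow,QMAILQUEUE="/var/qmail/bin/simscan"
195.:allow,RBLSMTPD="-Connections from this IP have been banned. If this is an error, please send an email to abuse@example.invalid"
=.ch:allow,RBLSMTPD="-Connections from this host have been banned. If this is an error, please send an email to abuse@example.invalid"
10.0.0.5:allow,RELAYCLIENT=
'''


def _parse_vars(text):
    """Parse NAME=value[,NAME=value...]; a value may be double-quoted,
    otherwise it ends at the next comma (or end of line)."""
    env, i, n = {}, 0, len(text)
    while i < n:
        eq = text.find("=", i)
        if eq < 0:
            break
        name = text[i:eq].strip()
        i = eq + 1
        if i < n and text[i] == '"':
            end = text.find('"', i + 1)
            if end < 0:
                raise ValueError("unterminated quote in: " + text)
            value, i = text[i + 1:end], end + 1
        else:
            end = text.find(",", i)
            end = n if end < 0 else end
            value, i = text[i:end], end
        env[name] = value
        if i < n and text[i] == ",":
            i += 1
    return env


def parse_tcp_smtp(text):
    """Return {address: (action, env)} in file order; blank and # lines skipped."""
    rules = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        address, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: no ':' in rule")
        action, _, var_text = rest.partition(",")
        if action not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: action must be allow or deny")
        rules[address] = (action, _parse_vars(var_text))
    return rules


def lookup(rules, ip):
    """Most specific address rule for ip: exact, then a.b.c., a.b., a., then
    the empty default. Returns (address, action, env), or None if nothing
    applies. Host-name (=...) rules are not consulted."""
    octets = ip.split(".")
    candidates = [ip] + [".".join(octets[:k]) + "." for k in (3, 2, 1)] + [""]
    for cand in candidates:
        if cand in rules:
            action, env = rules[cand]
            return cand, action, env
    return None


def relay_addresses(rules):
    """Addresses whose rule lets the client relay (RELAYCLIENT set, any value)."""
    return [addr for addr, (action, env) in rules.items()
            if action == "allow" and "RELAYCLIENT" in env]


def is_open_relay(rules):
    """True when the catch-all rule itself grants RELAYCLIENT."""
    return "" in relay_addresses(rules)


if __name__ == "__main__":
    rules = parse_tcp_smtp(SAMPLE_TCP_SMTP)
    for ip in ("127.0.0.1", "195.1.2.3", "10.0.0.5", "10.0.0.6", "8.8.8.8"):
        print(ip, "->", lookup(rules, ip))
    print("relay granted to:", relay_addresses(rules))
    print("open relay:", is_open_relay(rules))
```

The two things to look for in the output are a RELAYCLIENT on the empty address (open relay) and RELAYCLIENT on a prefix far wider than the hosts that need it; with a leading "-", the RBLSMTPD value makes rblsmtpd reject the banned ranges with a permanent error, which is what Nitch's entries do.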