Re: [toaster] Mailing List question

2007-01-14 Thread Tom Collins

On Jan 12, 2007, at 9:28 AM, Nitchi DaMon wrote:

Putting in the hostname now in the latest version, NOW
makes it an open relay but in previous versions it
was the other way around ?


Actually, it's been like that for a long time now.  It's a change in  
the SMTP AUTH patch to qmail, not vpopmail, that resulted in the  
parameter changes.


--
Tom Collins  -  [EMAIL PROTECTED]
Vpopmail - virtual domains for qmail: http://vpopmail.sf.net/
QmailAdmin - web interface for Vpopmail: http://qmailadmin.sf.net/




Re: [toaster] Mailing List question

2007-01-12 Thread Nitchi DaMon

You GOT to be joking...

Putting in the hostname now in the latest version, NOW
makes it an open relay but in previous versions it
was the other way around ?

arrrggg

OK will remove it...

thanks..

again, is there any way to specifically test for an
open relay when dealing with a toaster cluster ??

thanks

Nitch.


--- Rick Macdougall [EMAIL PROTECTED] wrote:

 Nitchi DaMon wrote:
  there are references to adding the hostname all over
  the mailing list otherwise it's an open relay.
  
  So I added it to the qmail-smtp run file as such:
  
  /var/qmail/bin/qmail-smtpd [HOSTNAME] \
  /home/vpopmail/bin/vchkpw /bin/true 2>&1
  
  [HOSTNAME] is the actual name of the host it's running
  on.
  
  Why?  in the later version does it NOT need to be
  here?
 
 It was needed for a much older version. If you have the hostname in
 there now you are an open relay.
 
 Regards,
 
 Rick
 
 



 



Re: [toaster] Mailing List question

2007-01-12 Thread Nitchi DaMon
Thanks for updating the list at www.shupp.org  I see
it now has up to date emails.

thanks.  I'm sure some of my questions are answered in
there now.


Nitch.


 



Re: [toaster] Mailing List question

2007-01-12 Thread Bill Shupp
Nitchi DaMon wrote:
 Thanks for updating the list at www.shupp.org  I see
 it now has up to date emails.

   

When I moved shupp.org to a new server in May, the newer ezmlm install
stopped looking for the archived file and instead parsed headeradd.   I
never noticed it until recently, and finally fixed it.

Bill


Re: [toaster] Mailing List question

2007-01-11 Thread Nitchi DaMon
Ok, here is an update...

the server calmed down for the last few days after
blocking more and more of APNIC addresses and LACNIC
addresses.

But I have seen a huge increase in .ca sites now and
all doing the same things... RCPT to  to an invalid
user.

While the front end toasters are coming back invalid
user and rejecting it, the frequency has dramatically
increased.

I was running for a few days here about 60/1600 now,
it's back full all day again.  It's nuts!

I read all I could about open relays and have
tested the servers and they came back clean BUT I
noticed I did not have the host names in the RUN file
as shown.  Ok that done, I reran the abuse.net
tests and I failed???  Huh?

Now I understand that these tests really are
inconclusive, but when I used to run sendmail (don't
throw anything on saying that word), they used to be
pretty accurate.

Are there any conclusive tests to run on any of the
front end servers?

I built my toasters within the last month here and
followed the instructions to the T.  so

To fully test one of the servers, do I need to remove
the RCPTHOSTS entries and the SMTPROUTES files? and
just leave the entries for the local machines?

Looking at the QMAIL logs, only the qmail-smtp/current
log has anything in it.  That's the way I want it..
only incoming, scanning, valid user, then forward.
Nothing is to be sent out.

I would assume that IF it was an open relay, that
anything accepted to be relayed out would be in the
qmail-send/current file.  Of which I do not have one
because nothing gets sent out through the toaster
servers

thanks in advance.

Nitch.
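
One way to run the kind of relay test asked about above against a single front-end server you operate, as an added example (not code from any poster or from the toaster project). The probe addresses and the function names are assumptions; it checks only whether a recipient in a domain outside rcpthosts is accepted at RCPT time, and never sends DATA.

```python
import smtplib
import sys

# Constructed placeholders: use domains that are NOT in the server's
# rcpthosts, so only a relaying server would accept the recipient.
PROBE_SENDER = "relaytest@outside-a.example"
PROBE_RCPT = "relaytest@outside-b.example"


def probe(session, sender=PROBE_SENDER, rcpt=PROBE_RCPT):
    """Send MAIL FROM / RCPT TO on an open SMTP session and classify the reply.

    DATA is never sent, so nothing is queued even if the recipient is
    accepted. Returns (verdict, code, text).
    """
    session.ehlo_or_helo_if_needed()
    code, text = session.docmd("MAIL", f"FROM:<{sender}>")
    if code // 100 != 2:
        return ("sender-refused", code, text.decode(errors="replace"))
    code, text = session.docmd("RCPT", f"TO:<{rcpt}>")
    session.docmd("RSET")  # abandon the transaction
    if code // 100 == 2:
        verdict = "relay-accepted"  # foreign recipient taken: investigate
    elif code // 100 == 5:
        verdict = "relay-refused"   # e.g. qmail's 553 rcpthosts rejection
    else:
        verdict = "inconclusive"    # 4xx: temporary failure, retest later
    return (verdict, code, text.decode(errors="replace"))


def check_relay(host, port=25, timeout=20):
    """Probe one server. Run it from an address that tcp.smtp does not
    grant RELAYCLIENT to (so not from 127.), or every recipient is accepted."""
    with smtplib.SMTP(host, port, timeout=timeout) as session:
        return probe(session)


if __name__ == "__main__" and len(sys.argv) > 1:
    print(check_relay(sys.argv[1]))
```

This exercises only the unauthenticated RCPT path; it does not exercise SMTP AUTH, so a server can pass it and still need its qmail-smtpd run file checked.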




 



Re: [toaster] Mailing List question

2007-01-11 Thread Rick Macdougall

Nitchi DaMon wrote:

Ok, here is an update...

the server calmed down for the last few days after
blocking more and more of APNIC addresses and LACNIC
addresses.

But I have seen a huge increase in .ca sites now and
all doing the same things... RCPT to  to an invalid
user.

While the front end toasters are coming back invalid
user and rejecting it, the frequency has dramatically
increased.

I was running for a few days here about 60/1600 now,
it's back full all day again.  It's nuts!

I read all I could about open relays and have
tested the servers and they came back clean BUT I
noticed I did not have the host names in the RUN file
as shown.  Ok that done, I reran the abuse.net
tests and I failed???  Huh?


Hunh ?  You put host names in the run file ??  What exactly do you mean 
by that ?


Regards,

Rick



Re: [toaster] Mailing List question

2007-01-11 Thread Nitchi DaMon

there are references to adding the hostname all over
the mailing list otherwise it's an open relay.

So I added it to the qmail-smtp run file as such:

/var/qmail/bin/qmail-smtpd [HOSTNAME] \
/home/vpopmail/bin/vchkpw /bin/true 2>&1

[HOSTNAME] is the actual name of the host it's running
on.

Why?  in the later version does it NOT need to be
here?

tia.


--- Rick Macdougall [EMAIL PROTECTED] wrote:

 Nitchi DaMon wrote:
  Ok, here is an update...
  
  the server calmed down for the last few days after
  blocking more and more of APNIC addresses and LACNIC
  addresses.
  
  But I have seen a huge increase in .ca sites now and
  all doing the same things... RCPT to  to an invalid
  user.
  
  While the front end toasters are coming back invalid
  user and rejecting it, the frequency has dramatically
  increased.
  
  I was running for a few days here about 60/1600 now,
  it's back full all day again.  It's nuts!
  
  I read all I could about open relays and have
  tested the servers and they came back clean BUT I
  noticed I did not have the host names in the RUN file
  as shown.  Ok that done, I reran the abuse.net
  tests and I failed???  Huh?
  
 
 Hunh ?  You put host names in the run file ??  What exactly do you mean
 by that ?
 
 Regards,
 
 Rick
 
 



 



[toaster] Mailing List question

2007-01-09 Thread Nitchi DaMon
I wanted to search through the mailing list to see if
someone was experiencing what I am.  I noticed that on
the www.shupp.org website the link to the list (which
is how I got onto the list in the first place)
and it's searchable.

I also see that the most recent emails onto this list are
as of 05/20/2006   am I looking at this right or is
there a glitch that the newer emails are not making it
into the list?

Great product and mods!

My problem is more of questions with the null
sender.  It seems that I am getting slammed with tons
of spam as of Nov 1, 2006 and installed the toaster as
the front end to the main mailserver.  The
toaster is getting slammed hard and 99% of the emails
are from null sender.

I'd love to just drop the connection for the null
sender.
My concurrencyincoming is set to 600 and it fills up
(600 out of 600) within seconds and stays there. With
the connections tapped out, legitimate emails do not
get through because the server is almost constantly
at 600/600.
I've thrown a second MX server in line and that too
fills up almost instantly. (700/700... that's 1300
connections in a blink of an eye!)

I've blocked as much as I can of overseas (RIPE,
APNIC, etc) But I believe that the rise is due to the
BOT NET garbage going on.  The blocking lowered the
connections for less than 1 day.  Now most of the
connections are coming in from legitimate companies...
 or so I think.

I've been tracking all of the connections for the last
week and while some look like IP attacks ( example:
xxx.xxx.xxx.1, .2, .56, .90  etc.)  I can block those
ranges easily.
But the killer is that the majority use an IP address
only once or twice in a week.
Sure I can take all of the IPs and put them into the
tcp.smtp  but that's NUTS if you ask me.

Any ideas ?

tia

Nitch.



Re: [toaster] Mailing List question

2007-01-09 Thread Rick Macdougall

Nitchi DaMon wrote:

I wanted to search through the mailing list to see if
someone was experiencing what I am.  I noticed that on
the www.shupp.org website the link to the list (which
is how I got onto the list in the first place)
and it's searchable.

I also see that the most recent emails onto this list are
as of 05/20/2006   am I looking at this right or is
there a glitch that the newer emails are not making it
into the list?

Great product and mods!

My problem is more of questions with the null
sender.  It seems that I am getting slammed with tons
of spam as of Nov 1, 2006 and installed the toaster as
the front end to the main mailserver.  The
toaster is getting slammed hard and 99% of the emails
are from null sender.



Is it spam or bounces ?

Is it addressed to valid users or unknown users ?

Are you rejecting mail to unknown users ?

I'm going to guess, since you didn't tell us, that it's bounces and mail 
to unknown users and you aren't rejecting unknown users for some reason.


Here's a nice regex for simscan to reject those.

:clam=yes,spam=yes,regex=^Subject.*failure\snotice.*:^Subject.*Delivery\sStatus\sNotification.*:^Subject.*Mail\sdelivery\sfailed.*:^Subject.*Returned\smail.*:^Subject.*Undelivered\sMail.*:^Subject.*DELIVERY\sFAILURE.*:^Subject.*Message.Delivery.Failed.*:^Subject.*Undeliverable.*:^Subject.*mail.delivery.status.*:^Subject.*Undeliverable\sMail.*:^Subject.*Mail\sSystem\sError.*:^Subject.*Returned\sMail.*:^Subject.*[D|d]elivery\s[F|f]ail.*:^Subject.*Undelivered\smail.*:^Subject.*failure\snotice.*:^Subject.*Envio\sde\scorreo\sfallido.*:^Subject.*Delivery\sNotification.*:^Subject.*Notificaci.*:^Subject.*Benachrichtung.*:^Subject.*BULK\sEMAIL\sfrom\syou.*:^Subject.*Delivery_failure.*:^Subject.*bulk\semail\sfilter.*:^Subject.*Non\sdelivery\sreport.*:^Subject.*Information Response from listserver.*


Happens here all the time, and we aren't rejecting unknown users because 
we are in the middle of a mail server migration that hasn't been 
completed yet so the forward facing MX servers don't know which users 
are valid.


Regards,

Rick


Re: [toaster] Mailing List question

2007-01-09 Thread Harman Nagra



My problem is more of questions with the null
sender.  It seems that I am getting slammed with tons
of spam as of Nov 1, 2006 and installed the toaster as
the front end to the main mailserver.  The
toaster is getting slammed hard and 99% of the emails
are from null sender.

I'd love to just drop the connection for the null
sender.




Sure, different ways you could do it. However, you are going against the RFC
(http://www.faqs.org/rfcs/rfc821.html). In other words, you will be
breaking the NDR's.

Don't look at dropping the NDR's but look at what these NDR's are, why are
you getting so many of them?

Have you set your domain to bounce messages for non-existent users? This
way chkuser can do its job properly.

NDR's are the by-products of SMTP, and spammers are now using them as the
last resort to deliver spam in form of NDR's.



My concurrencyincoming is set to 600 and it fills up
(600 out of 600) within seconds and stays there. With
the connections tapped out, legitimate emails do not
get through because the server is almost constantly
at 600/600.
I've thrown a second MX server in line and that too
fills up almost instantly. (700/700... that's 1300
connections in a blink of an eye!)




Well you have a serious problem there, agreed. But again look at the
connections, look at the logs, what and where are these connections from?
Null sender is the least of your worries. You sure you haven't opened up your
server for relay?

What's in /home/vpopmail/etc/tcp.smtp?

HTH
Harman


Re: [toaster] Mailing List question

2007-01-09 Thread Nitchi DaMon
 
 Is it spam or bounces ?

RCPT bounces it looks  like to unknown users.
 
 Is addressed to valid users or unknown users ?

invalid users on each domain that this cluster (mini)
is accepting.

 
 Are you rejecting mail to unknown users ?

Yes.

 
 I'm going to guess, since you didn't tell us, that it's bounces and mail
 to unknown users and you aren't rejecting unknown users for some reason.
 
 Here's a nice regex for simscan to reject those.
 
 :clam=yes,spam=yes,regex=^Subject.*failure\snotice.*:^Subject.*Delivery\sStatus\sNotification.*:^Subject.*Mail\sdelivery\sfailed.*:^Subject.*Returned\smail.*:^Subject.*Undelivered\sMail.*:^Subject.*DELIVERY\sFAILURE.*:^Subject.*Message.Delivery.Failed.*:^Subject.*Undeliverable.*:^Subject.*mail.delivery.status.*:^Subject.*Undeliverable\sMail.*:^Subject.*Mail\sSystem\sError.*:^Subject.*Returned\sMail.*:^Subject.*[D|d]elivery\s[F|f]ail.*:^Subject.*Undelivered\smail.*:^Subject.*failure\snotice.*:^Subject.*Envio\sde\scorreo\sfallido.*:^Subject.*Delivery\sNotification.*:^Subject.*Notificaci.*:^Subject.*Benachrichtung.*:^Subject.*BULK\sEMAIL\sfrom\syou.*:^Subject.*Delivery_failure.*:^Subject.*bulk\semail\sfilter.*:^Subject.*Non\sdelivery\sreport.*:^Subject.*Information Response from listserver.*
 

kewl.. thanks!


 Happens here all the time, and we aren't rejecting unknown users because
 we are in the middle of a mail server migration that hasn't been
 completed yet so the forward facing MX servers don't know which users
 are valid.


The original problem is the continuation of what's
happening now and WHY I put in the toaster as a front
end to another qmail server (running  Qmail Rocks,
which both have good points, but I really like the
simplicity set up of Bill's toaster.)

the main mx server was swamped the first week of
December and I quickly ascertained it's time to split
functions (pop/smtp). Small domains with under 500
users total, but still...  1300+ connections
continuous is nuts!
The problem was that the QMR server needed to be
updated with the CHKUSER patch but I also wanted to
split things up and put in a cluster where I could
easily add more pop or mx servers as needed.  Thus I
looked at and chose the toaster.  VERY happy I did
this.
Immediately upon moving the old MX server out of the
loop, the new MX server (running the toaster) stopped
accepting the invalid users via chkuser. (should be
noted that I built it with MySQL. I don't think the
instructions show the requirements for MySQL, but
that's not a problem.)

it's been running good stopping things and the more I
place blocks on RIPE, APNIC, LACNIC sites it calms
down.
Case in point right now it's running on average 36/600
but it's after hours and night, in the morning it takes
off again.


thanks for the response!

Nitch.


 
 Regards,
 
 Rick
 




Re: [toaster] Mailing List question

2007-01-09 Thread Nitchi DaMon

--- Harman Nagra [EMAIL PROTECTED] wrote:

 Sure, different ways you could do it. However, you are going against the RFC
 (http://www.faqs.org/rfcs/rfc821.html). In other words, you will be
 breaking the NDR's.
 
 Don't look at dropping the NDR's but look at what these NDR's are, why are
 you getting so many of them?

most are invalid users, looks like bounces and the
invalid user is a rcpt.

 
 Have you set your domain to bounce messages for non-existent users? This
 way chkuser can do its job properly.


yes.

 
 NDR's are the by-products of SMTP, and spammers are now using them as the
 last resort to deliver spam in form of NDR's.
 

So I've noticed.  

 
 
 Well you have a serious problem there, agreed. But again look at the
 connections, look at the logs, what and where are these connections from?

The majority were from RIPE and APNIC.  As I put
blocks in place in the tcp.smtp and also running
iptables so I put in place acls to DROP the connection
for the ip blocks.
As I continue to watch this, I've noticed they moved
to LACNIC and certain IPs that are in north america
(including Canada).  I've blocked some others by adding
in tcp.smtp entries with a bounce message to email me
at an external address if this is in error.
A great deal came from within road runner and..
earthlink.  So I blocked these servers for a period of
time until it calmed down and they moved off. yes,
I've already notified both providers, but I believe
that it's due to the botnets.

 Null sender is the least of your worries. You sure you
 haven't opened up your server for relay?

I checked that once I set up the server.  It was
tested and passed as NOT an open relay.

 
 What's in /home/vpopmail/etc/tcp.smtp?


tons of things... here is a sample:
127.:allow,RELAYCLIENT=
:allow,QMAILQUEUE=/var/qmail/bin/simscan

195.:allow,RBLSMTPD=-Connections from this IP have been banned If this is en error, please send an email to [ external address at yahoo.com ]

.ch:allow,RBLSMTPD=-Connections from this IP have been banned If this is en error, please send an email to [ external address at yahoo.com ]


I'm using IPtables for blocks of IPs, example:

-A RH-Firewall-1-INPUT -s 150.1.0.0/16 -m state --state NEW -m tcp -p tcp --dport ! 80 -j DROP
-A RH-Firewall-1-INPUT -s 150.2.0.0/15 -m state --state NEW -m tcp -p tcp --dport ! 80 -j DROP

This drops connections before tcp.smtp and can log
them as well.  In the samples, I do not show the
LOGging.

I am using the tcp.smtp for those ips and addresses
that possibly could be reopened and the iptables acl
for those I know I permanently do not want.


thanks for the reply.


Nitch.

 
 HTH
 Harman
 

