Re: [vchkpw] SMTP Abuse
Rick,

> Looks to me like someone used your domain(s) as the From address when sending out spam; those messages bounced to whoever they sent them to and now they are being returned (falsely, but what are you going to do about faked From addresses). Happens to us every so often as well, usually keeps up for about 12 hours on our servers, then slows down and stops. Happened Sunday night to us actually.

It's very bad. So, in my case this situation is still in progress (2 days) and seems to get worse. Now I have 1Mb of logs every 3 minutes. It used to be 6 minutes yesterday.

What is the best way to handle this? Currently I just put :deny into the tcp.smtp file, so I have this in my log:

@4000425e639739b9fa1c tcpserver: end 13905 status 25600
@4000425e639739ba4c24 tcpserver: status: 7/20
@4000425e63973a907074 tcpserver: status: 8/20
@4000425e63973a944104 tcpserver: pid 13907 from 64.178.213.22
@4000425e63973a95cf74 tcpserver: deny 13907 0:69.60.111.86:25 :64.178.213.22::33919
@4000425e63973a98733c tcpserver: end 13907 status 25600
@4000425e63973a98c92c tcpserver: status: 7/20
@4000425e63980081e3f4 tcpserver: status: 8/20
@4000425e639800866c1c tcpserver: pid 13908 from 66.147.182.202
@4000425e63980088507c tcpserver: deny 13908 0:69.60.111.86:25 :66.147.182.202::29926
@4000425e6398008b270c tcpserver: end 13908 status 25600
@4000425e6398008b7914 tcpserver: status: 7/20
@4000425e639804855f1c tcpserver: status: 8/20
@4000425e63980488fce4 tcpserver: pid 13909 from 196.1.107.11
@4000425e6398048a9af4 tcpserver: deny 13909 0:69.60.111.86:25 :196.1.107.11::9580

If I don't deny, my server gets so busy that nobody can send a message... I think this situation is going to consume a lot of my server's bandwidth...

Regards,
-- Walter.
Re: [vchkpw] SMTP Abuse
Hi Rick,

> I don't know what you can do. What you have done so far is block legitimate email servers from sending your clients email; while it reduces your load, it is not a good practice. If you are going to do something like that you might as well just turn off your mail server.

I totally agree with you, and I know that I'm blocking what I don't want to, but if I don't, my server gets so busy that nobody can send messages, because it's a small machine that handles only two domains, one with 2 and the other with 154 accounts, and I only have some load during business hours.

> Is this server delivering mail, and are you checking for unknown users at smtp time (via the chkuser patch)?

Yes. It's all fine. So I think the only thing to do is wait...

Thanks everybody for your time.

Regards,
-- Walter.
Re: [vchkpw] rblsmtpd return/bounce message ?!
Hi Marco,

/usr/local/bin/rblsmtpd -b -C \
    -r "list.dsbl.org:Your mail server is listed in DSBL list." \
    -r "bl.spamcop.net:Your mail server is listed in Spamcop blocklist." \
    -r "relays.ordb.org:Your mail server is an OPEN RELAY (ORDB list)." \
    -r "sbl.spamhaus.org:Your mail server is listed in SBL-Spamhaus." \
    -r "blackholes.mail-abuse.org: See http://www.mail-abuse.com/enduserinfo.html" \
    -r "dialups.mail-abuse.org: See http://www.mail-abuse.com/enduserinfo.html" \
    -t 5 \
    /var/qmail/bin/qmail-smtpd \
    /var/vpopmail/bin/vchkpw /bin/true 2>&1

I got the idea from Michael Bowe's toaster: http://www.pipeline.com.au/staff/mbowe/isp/webmail-server.htm

Regards,
-- Walter.
[vchkpw] SMTP Abuse
Hi,

Today I started to get something like this in my qmail-smtpd log:

@4000425d5b4710447784 CHKUSER rejected rcpt: from :: remote mailstep.com: unknown:128.241.88.105 rcpt [EMAIL PROTECTED] : not existing recipient
@4000425d5b47106c75cc tcpserver: status: 3/20
@4000425d5ba019eb855c CHKUSER rejected rcpt: from :: remote mail.7cv.com: unknown:221.122.46.226 rcpt [EMAIL PROTECTED] : not existing recipient

It's clear that someone is trying to use my server to send SPAM. Thanks to CHKUSER for blocking these attempts. Still, it's driving me crazy because I can't figure out how it happens. In a desperate attempt to stop this I simply blocked a few hundred IPs in the tcp.smtp file, but it's not a solution. My log now has this:

@4000425d5b3300cf1994 tcpserver: end 24918 status 25600
@4000425d5b3300cf6b9c tcpserver: status: 2/20
@4000425d5b331f231f6c tcpserver: status: 3/20
@4000425d5b331f2336dc tcpserver: pid 24920 from 66.160.106.130
@4000425d5b331f234294 tcpserver: deny 24920 0:x.x.x.x:25 :66.160.106.130::32301

And I know that the IPs used can change... I think that somebody with some user's SMTP password is doing this, but I can't determine from where or which account he is using. I have no logs for smtp-auth user success or failure... Please, could somebody give me some light to stop that?

Cheers,
-- Walter.
Re: [vchkpw] SMTP Abuse
Ken,

Thanks for your help.

> You probably are receiving a dictionary scan from infected PC's. Be sure to use rblsmtpd against one or more of the good rbl sites.

I had tried this before writing here. So maybe too many rbl's, look:

#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
exec /usr/local/bin/softlimit -m 1000 \
    /usr/local/bin/tcpserver \
    -v -H -R -l 0 \
    -x /etc/tcprules/tcp.smtp.cdb -c $MAXSMTPD \
    -u $QMAILDUID -g $NOFILESGID 0 smtp \
    /usr/local/bin/rblsmtpd -b -C \
    -r "list.dsbl.org:Your mail server is listed in DSBL list." \
    -r "bl.spamcop.net:Your mail server is listed in Spamcop blocklist." \
    -r "relays.ordb.org:Your mail server is an OPEN RELAY (ORDB list)." \
    -r "sbl.spamhaus.org:Your mail server is listed in SBL-Spamhaus." \
    -r "blackholes.mail-abuse.org: See http://www.mail-abuse.com/enduserinfo.html" \
    -r "dialups.mail-abuse.org: See http://www.mail-abuse.com/enduserinfo.html" \
    -t 5 \
    /var/qmail/bin/qmail-smtpd \
    /var/vpopmail/bin/vchkpw /bin/true 2>&1

> Another thing you can do is scan for frequent IP's to bad users in the smtp log files and build new tcp.smtp deny lines.

Yes. That's what I'm doing:

4.:deny
12.:deny
130-159.:deny
80-89.:deny

and so on... But is there a way to determine if the spammer is using an account on my server, with a password, to do that? So I can change the password and block him.

Thanks,
-- Walter.
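Ken's second suggestion, scanning the smtpd log for the hosts behind the rejections and turning them into tcp.smtp deny lines, worked through as an added example. This script is mine, not the thread's or any toaster's: the function names, the threshold argument and the sample log are my constructions (the CHKUSER line shape follows the lines quoted in this thread, with documentation IPs). It emits one host-level rule per offender instead of the class-A rules quoted above, which also shut out every legitimate server in those ranges.

```shell
#!/bin/sh
# Added example: derive evidence-based tcp.smtp deny rules from chkuser
# "not existing recipient" rejections in a qmail-smtpd/multilog log.

# Constructed sample log (documentation addresses, not real offenders).
# The line shape is modelled on the CHKUSER lines quoted in the thread.
make_sample_log() {
  f=$(mktemp) || return 1
  cat >"$f" <<'EOF'
@4000425d5b4710447784 CHKUSER rejected rcpt: from <:> remote <mailstep.example.net:unknown:192.0.2.10> rcpt <aaron@example.org> : not existing recipient
@4000425d5b4710447785 CHKUSER rejected rcpt: from <:> remote <mailstep.example.net:unknown:192.0.2.10> rcpt <abbey@example.org> : not existing recipient
@4000425d5b4710447786 tcpserver: status: 3/20
@4000425d5b4710447787 CHKUSER rejected rcpt: from <:> remote <unknown:unknown:198.51.100.7> rcpt <abbot@example.org> : not existing recipient
@4000425d5b4710447788 CHKUSER rejected rcpt: from <:> remote <mailstep.example.net:unknown:192.0.2.10> rcpt <abe@example.org> : not existing recipient
@4000425d5b4710447789 CHKUSER accepted rcpt: from <alice@example.com:> remote <mx.example.com:unknown:203.0.113.5> rcpt <walter@example.org> : found existing recipient
@4000425d5b471044778a CHKUSER rejected rcpt: from <:> remote <unknown:unknown:198.51.100.7> rcpt <abel@example.org> : not existing recipient
@4000425d5b471044778b CHKUSER rejected rcpt: from <:> remote <mailstep.example.net:unknown:192.0.2.10> rcpt <abram@example.org> : not existing recipient
@4000425d5b471044778c CHKUSER rejected rcpt: from <:> remote <unknown:unknown:198.51.100.7> rcpt <ada@example.org> : not existing recipient
@4000425d5b471044778d CHKUSER rejected rcpt: from <bob@example.com:> remote <mx.example.com:unknown:203.0.113.5> rcpt <typo@example.org> : not existing recipient
EOF
  echo "$f"
}

# rejecting_ips LOG THRESHOLD: print "count ip" for every remote IP with at
# least THRESHOLD rejections, most frequent first. The IP is the last
# colon-separated field of the <helo:rdns:ip> token that follows "remote".
rejecting_ips() {
  awk -v thr="$2" '
    /CHKUSER rejected rcpt/ {
      r = ""
      for (i = 1; i < NF; i++) if ($i == "remote") { r = $(i + 1); break }
      if (r == "") next
      gsub(/[<>]/, "", r)
      n = split(r, part, ":")
      count[part[n]]++
    }
    END { for (ip in count) if (count[ip] >= thr) print count[ip], ip }
  ' "$1" | sort -rn
}

# deny_rules LOG THRESHOLD: the same hosts in ucspi-tcp "address:deny" form,
# one host per line, ready to append to tcp.smtp.
deny_rules() {
  rejecting_ips "$1" "$2" | awk '{ print $2 ":deny" }' | sort
}

# Stand-alone demo on the constructed log: threshold 3 lists two hosts;
# the legitimate sender with a single typo'd recipient is left alone.
if [ "${1:-}" = "demo" ]; then
  log=$(make_sample_log)
  deny_rules "$log" 3
  rm -f "$log"
fi
```

Usage against a live toaster would be `deny_rules /var/log/qmail/smtpd/current 20 >> /etc/tcprules/tcp.smtp`, followed by rebuilding the cdb that `tcpserver -x` reads: `tcprules /etc/tcprules/tcp.smtp.cdb /etc/tcprules/tcp.smtp.tmp < /etc/tcprules/tcp.smtp`. As the thread notes, the sources of a dictionary scan rotate, so rules generated this way need to be regenerated from fresh logs and pruned rather than accumulated forever.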
Re: [vchkpw] SMTP Abuse
Hi Tonix,

> If the remote user is sending using an authenticated SMTP session, you would find his name within chkuser logging.

I set up this server using Shupp's toaster. I don't know where chkuser is logging this information. Please, can you point me in the right direction? Anyway, I'll re-read the chkuser docs. I did that when I set up the toaster a few months ago.

> Probably, as Ken is saying, they are simply some viruses trying to guess recipients on your MX hosted domains.

Probably. But I'm getting this attack from several different IPs, like:

82.148.41.149
202.56.230.13
62.210.190.2
67.104.181.51
205.211.164.226
131.211.194.57

and so many others... Multilog is rotating 1 Mb logs every few minutes, but I get them all blocked.

Thanks,
-- Walter Souto R. Junior
Bayweb Internet Consulting
Tel/Fax: +55 (21) 2226-3625
Mobile: +55 (21) 9323-7283
Re: [vchkpw] SMTP Abuse
Hi Tonix,

> If the remote user is sending using an authenticated SMTP session, you would find his name within chkuser logging.

Look at these entries from my smtpd log:

@4000425d6a992de7abbc.s:@4000425d6a2c106b451c CHKUSER rejected rcpt: from :: remote fusion.fast-servers.net:unknown:72.9.240.14 rcpt [EMAIL PROTECTED] : not existing recipient
@4000425d6a992de7abbc.s:@4000425d6a250b7faffc CHKUSER rejected rcpt: from :: remote mx03.scottish-southern.co.uk:unknown:161.12.6.161 rcpt [EMAIL PROTECTED] : not existing recipient

"rcpt: from ::" has no user name. Is that the right place for this information? What am I missing?

Thanks,
-- Walter.
Re: [vchkpw] Problems to get e-mail when domain names are capitalized
Hi Alex,

> this error message is not in vanilla qmail. So I guess you are using some kind of badrcptto patch (qregex?). Please show us this patch and the contents of its config file (control/badrcptto?)

I had just looked into it moments before I got your message. Yes, I'm using some kind of regex patch. Currently I have one file named badmailto. Here are its contents:

# must not contain invalid characters,
# brakets or multiple @'s
[\W\D!%#:\*\^]
[\(\)]
[\{\}]
@.*@

I set up this server almost entirely based on Shupp's toaster version 0.5. So I'm using his patch, which contains qregex.patch-20020129, but the code is blended with other patches. I see that this patch is really old, but the readme file says that qregex is case insensitive. I found this version of the patch here: http://alex.zeitform.de/qmail/qmail_single_patches/qregex.patch-20020129

Thanks for any help,
-- Walter.
Re: [vchkpw] Problems to get e-mail when domain names are capitalized
Hi Alex,

> Drop or fix the first non-comment line. It does not work. Explanation: Your regex.h does not support \W and \D (see regex(7), GNU regex manual). That means the regex code drops connections with recipient domains containing uppercase W and D chars (see your example smtp session).

Ok! Now I have:

[!%#:*^(){}]
[\(\)]
[\{\}]
@.*@

And everything works fine!

>> I found this version of the patch here: http://alex.zeitform.de/qmail/qmail_single_patches/qregex.patch-20020129
>
> Funny, this is my little site. :-)

Wow! I just googled for that! Thanks a lot.

[]s,
-- Walter.
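Alex's diagnosis can be reproduced without touching qmail. The following is an added example of mine, not the qregex patch's code: it runs recipient addresses through both badmailto files posted above using grep -E, which compiles each line as a POSIX extended regex exactly as regcomp(3) does. Inside a bracket expression a backslash is an ordinary character, so `[\W\D!%#:\*\^]` is the set {\, W, D, !, %, #, :, *, ^} and rejects any address containing a capital W or D. The check_rcpt name and the skipping of blank and "#" lines are my assumptions about how the patch reads the file.

```shell
#!/bin/sh
# Added example: evaluate recipient addresses against a badmailto-style rule
# file with POSIX extended regexes (grep -E), to show why the original first
# rule rejected name@DOMAIN.TLD while the corrected one does not.

# The rule file exactly as first posted in the thread; prints its path.
old_rules() {
  f=$(mktemp) || return 1
  cat >"$f" <<'EOF'
# must not contain invalid characters,
# brakets or multiple @'s
[\W\D!%#:\*\^]
[\(\)]
[\{\}]
@.*@
EOF
  echo "$f"
}

# The corrected rule file from later in the thread; prints its path.
fixed_rules() {
  f=$(mktemp) || return 1
  cat >"$f" <<'EOF'
[!%#:*^(){}]
[\(\)]
[\{\}]
@.*@
EOF
  echo "$f"
}

# check_rcpt RULEFILE ADDRESS: prints "accepted" or "denied: <pattern>" and
# returns 0 or 1 accordingly. Blank and "#" lines are skipped (an assumption
# about the patch; the posted file does carry comment lines). Each pattern is
# handed to grep -E unmodified, so bracket-expression semantics are POSIX.
check_rcpt() {
  rules=$1; addr=$2
  while IFS= read -r pat || [ -n "$pat" ]; do
    case $pat in ''|'#'*) continue ;; esac
    if printf '%s\n' "$addr" | grep -E -q -- "$pat" 2>/dev/null; then
      printf 'denied: %s\n' "$pat"
      return 1
    fi
  done <"$rules"
  echo accepted
  return 0
}

# Stand-alone demo: the same addresses against both rule files.
if [ "${1:-}" = "demo" ]; then
  old=$(old_rules); new=$(fixed_rules)
  for a in user@DOMAIN.TLD Walter@example.com user@domain.tld 'a@b@c.example'; do
    printf '%-20s old: %-28s fixed: %s\n' "$a" \
      "$(check_rcpt "$old" "$a")" "$(check_rcpt "$new" "$a")"
  done
  rm -f "$old" "$new"
fi
```

Run with `demo` to see that the old file denies both user@DOMAIN.TLD and Walter@example.com on the first rule (a D and a W respectively) while accepting the all-lowercase form, and that the corrected file accepts the capitalized ones and still rejects the cases the rules were written for, such as a second "@".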
[vchkpw] Problems to get e-mail when domain names are capitalized
Hi,

My registrar always capitalizes the domain name for the contacts (e.g. name@DOMAIN.TLD) and the messages it sends to me never arrive. I tried to change the e-mail address and I got the message normally, but after the confirmation the registrar's system capitalizes the domain again... I also tried logging in to my server and sending a message with a capitalized domain name using the mail command. The message arrived normally. I don't know what can be happening. The logs say:

@400041daaca439475a5c tcpserver: pid 26232 from 200.160.2.3
@400041daaca4394a5414 tcpserver: ok 26232 0:69.0.231.11:25 :200.160.2.3::3192

But these messages never reach the queue or Clamav/SpamAssassin. I can't figure out where this kind of message gets blocked or rejected. My system uses vpopmail 5.3.20 with qmailscanner 1.24 and old chkuser. I think that somebody here in Brazil already had this problem with registro.br, so I appreciate any help.

Thanks in advance,
-- Walter Souto R. Junior
Bayweb Internet Consulting
Tel/Fax: +55 (21) 2226-3625
Mobile: +55 (21) 9323-7283
Re: [vchkpw] Problems to get e-mail when domain names are capitalized
Hi Jeremy,

> try connecting to your smtp server with telnet or netcat or similar and doing this:
>
> helo bob
> mail from: [EMAIL PROTECTED]
> rcpt to: [EMAIL PROTECTED]
> rcpt to: [EMAIL PROTECTED]
> rcpt to: [EMAIL PROTECTED]
>
> etc, and see what happens.

Ok. Now I'm confused... Look at that:

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 alonso.bayweb.biz ESMTP
helo bob
250 alonso.bayweb.biz
mail from [EMAIL PROTECTED]
250 ok
rcpt to: [EMAIL PROTECTED]
250 ok
rcpt to: [EMAIL PROTECTED]
250 ok
rcpt to: [EMAIL PROTECTED]
533 sorry, your envelope recipient has been denied (#5.7.1)
rcpt to: [EMAIL PROTECTED]
250 ok
rcpt to: [EMAIL PROTECTED]
250 ok
rcpt to: [EMAIL PROTECTED]
533 sorry, your envelope recipient has been denied (#5.7.1)
rcpt to: [EMAIL PROTECTED]
533 sorry, your envelope recipient has been denied (#5.7.1)
rcpt to: [EMAIL PROTECTED]
533 sorry, your envelope recipient has been denied (#5.7.1)

Any ideas?

Thanks,
-- Walter.
Re: [vchkpw] just noticed something with chkuser ....
> Perhaps the code could be split up into chkuser, which does its purpose in validating local recipients, and another patch that attempts to perform some checks on the envelope sender.

I agree with that. chkuser is great, but in some particular cases the only desirable feature is validating local recipients.

Thanks Tonix for the good work.

Regards,
-- Walter.
Re: [vchkpw] How can I identify a spammer?
Jeremy,

> It's a REALLY BAD IDEA to leave your system as an open relay. Please, for the sake of yourself, and the rest of the internet, shut your open relay down.
>
> -Jeremy

Yes! I shut my open relay off. Now I relay only for myself and my clients. I figured out the problem with my run file for qmail-smtpd (with your help, of course) and now everything is ok. You can see for yourself!

Thank you and Tom for the help, and sorry for the time that I contributed to the spammer who used my server to disturb everybody; you should know that it will never happen again.

Regards,
-- Walter.
Re: [vchkpw] How can I identify a spammer?
On Sat, 23 Oct 2004 10:22:19 -0500, Jeremy Kitchen [EMAIL PROTECTED] wrote:

> On Fri, 2004-10-22 at 18:57 -0300, Walter Souto R. Junior wrote:
>> Thanks Tom and Jeremy, I did fix my run file for smtp, but now I have a 501 malformed auth input (#5.5.4) using telnet. I'm also trying with Opera with plain, auth and cram-md5 without success. My run file looks like:
>>
>> #!/bin/sh
>> LOCAL=`head -1 /var/qmail/control/me`
>> QMAILDUID=`id -u qmaild`
>> NOFILESGID=`id -g qmaild`
>
> Can the qmaild user read your vpopmail information? I certainly hope not. This is why you are unable to authenticate. Now, go fix this and disable your open relay.
>
> -Jeremy

Ok. I already fixed that. I answered you a few minutes ago... The message didn't arrive. I'm thinking I will have some trouble with my IP in RBLs.

Regards
-- Walter.
[vchkpw] How can I identify a spammer?
Hi,

I have one of my users using my server to send spam (I think). The messages came from 200.78.38.103. When I figured that out, I just blocked him and brought my server back... So how can I see which account on vpopmail was used to do this kind of thing? I have only auth-smtp, and only accept messages from one of my domains, of which there are about six, and nothing more. I'm afraid that I don't have vpopmail logs; perhaps I installed vpopmail without them, so...

Thanks for any help,
-- Walter.
Re: [vchkpw] How can I identify a spammer?
> Install this http://www.enderunix.org/isoqlog/
>
> Don't forget the cron job to update its webpages. It reads from qmail logs, so hopefully qmail is logging properly on your box. =)
>
> Best Regards,
> Jeremy Eder
> Hi-Tek Data, Corp.
> V: 516-797-8800 F: 516-797-8892

Thanks Jeremy, but the spammer changes his IP every time I block it. So, how can I effectively block this guy since his IP always changes? I can't figure out how they get access to my server.

Thanks,
-- Walter.
Re: [vchkpw] How can I identify a spammer?
Hi Jeremy,

> the smtp auth patch you use should be putting a header in the email saying who sent it.. check for that header, and shut the guy off.

This is the first thing that I tried. My server was set up 2 years ago and the vpopmail version is 5.3.20. I use the toaster guide from Bill Shupp and his large patch. I never had a problem like that. This version of the smtp-auth patch does not put the information into the headers.

The message below is what the spammer sends out. The IP listed always changes. I tested my server right now and it isn't an open relay. So when I identify the vpopmail user that was used to do that I can take the proper action, but how?

-- MESSAGE NUMBER 32964920 --
Received: (qmail 5098 invoked by uid 1010); 22 Oct 2004 11:46:22 -0200
Received: from [EMAIL PROTECTED] by alonso.bayweb.biz by uid 0 with qmail-scanner-1.22 (clamdscan: 0.74. spamassassin: 2.63. Clear:RC:0(218.61.42.211):SA:1(7.4/4.0):. Processed in 5.793772 secs); 22 Oct 2004 13:46:22 -
Received: from unknown (HELO meals) ([EMAIL PROTECTED]) by alonso.bayweb.biz with SMTP; 22 Oct 2004 11:46:16 -0200
From: Michael Sapanna [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [SPAM] ARE YOU HAPP1lIY?
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Qmail-Scanner-Message-ID: [EMAIL PROTECTED]
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on alonso.bayweb.biz
X-Spam-Report:
  * 1.9 DATE_MISSING Missing Date: header
  * 5.4 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
  *     [score: 1.]
  * 0.1 RCVD_IN_RFCI RBL: Sent via a relay in ipwhois.rfc-ignorant.org
  *     [218.61.42.211 has inaccurate or missing WHOIS] [data at the RIR]
  * 0.0 UPPERCASE_25_50 message body is 25-50% uppercase
X-Spam-Status: Yes, hits=7.4 required=4.0 tests=BAYES_99,DATE_MISSING,RCVD_IN_RFCI,UPPERCASE_25_50 autolearn=no version=2.63
X-Spam-Level: ***

http://VI1aggar_C000O0delne_Xana|x_Va||um_...and___mO000Ore
http://VI1aggar_C0O000delne_Xana|x_Va||um_CIa1lis_...and___mO0O00re
http://C1aI|is_Vl|aggar_...and___m0O0O0re
V|SIT 0UR S1TE AND 0RDER HERE
http://sear.cndbvsa.com/as#boathouse

Thanks in advance,
-- Walter.
Re: [vchkpw] How can I identify a spammer?
Thanks Tom and Jeremy,

I did fix my run file for smtp, but now I have a 501 malformed auth input (#5.5.4) using telnet. I'm also trying with Opera with plain, auth and cram-md5 without success. My run file looks like:

#!/bin/sh
LOCAL=`head -1 /var/qmail/control/me`
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`/bin/cat /var/qmail/control/concurrencyincoming`
exec /usr/local/bin/softlimit -m 1500 \
    /usr/local/bin/tcpserver \
    -H -l $LOCAL \
    -v -x /etc/tcp.smtp.cdb \
    -c $MAXSMTPD -R -u $QMAILDUID -g $NOFILESGID 0 smtp \
    /var/qmail/bin/qmail-smtpd $LOCAL /home/vpopmail/bin/vchkpw /bin/true 2>&1

On Fri, 22 Oct 2004 12:04:04 -0500, Jeremy Kitchen [EMAIL PROTECTED] wrote:

> On Friday 22 October 2004 10:33 am, Walter Souto R. Junior wrote:
>> Received: (qmail 5098 invoked by uid 1010); 22 Oct 2004 11:46:22 -0200
>> Received: from [EMAIL PROTECTED] by alonso.bayweb.biz by uid 0 with qmail-scanner-1.22 (clamdscan: 0.74. spamassassin: 2.63.
>
> as Tom pointed out, you are an open relay:
>
> [EMAIL PROTECTED] ~ $ telnet alonso.bayweb.biz 25
> Trying 69.0.231.11...
> Connected to ns1.bayweb.biz.
> Escape character is '^]'.
> 220 alonso.bayweb.biz ESMTP
> ehlo bob
> 250-alonso.bayweb.biz
> 250-AUTH LOGIN CRAM-MD5 PLAIN
> 250-AUTH=LOGIN CRAM-MD5 PLAIN
> 250-STARTTLS
> 250-PIPELINING
> 250 8BITMIME
> auth login
> 334 VXNlcm5hbWU6
> jkflds
> 334 UGFzc3dvcmQ6
> jlfds
> 235 ok, go ahead (#2.0.0)
> quit
> 221 alonso.bayweb.biz
> Connection closed by foreign host.
>
> http://homepages.tesco.net/~J.deBoynePollard/FGA/qmail-promiscuous-smtp-auth-misconfiguration.html
>
> -Jeremy

Thanks,
-- Walter.
Re: [vchkpw] How can I identify a spammer?
Hi Tom,

> On Oct 22, 2004, at 2:57 PM, Walter Souto R. Junior wrote:
>> I did fix my run file for smtp, but now I have a 501 malformed auth input (#5.5.4) using telnet. I'm also trying with Opera with plain, auth and cram-md5 without success. My run file looks like:
>
> Well, you need to enter a properly formatted request. Jeremy's example used bogus input. I just tried your server with 'AUTH PLAIN MTIzADEyMwAxMjM=' and it worked. When you set up Opera, you need to set the complete email address as the username -- perhaps that's your problem?

Yes, I always use the complete e-mail address as the username. I have been a reader of this list (until now I only read) for about 3 years, and I can say that this is my first thread.

Currently I'm keeping my server open, without the hostname as a parameter to qmail-smtpd. That's the reason it worked. If I put the hostname, nobody can successfully log in and send e-mail, regardless of the method used. I think the solution is to upgrade vpopmail and use the more recent smtp-auth patch.

To be short: if I put the hostname as a parameter, nobody logs in; if I don't, everybody logs in. So I'm missing something, maybe trivial, but at the moment I can't see it... So, is there something I can do now without upgrading my entire system?

Thanks,
-- Walter.
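The two diagnoses in this thread, Jeremy's (qmail-smtpd run as qmaild cannot read vpopmail's data, so nobody can authenticate) and Tom's together with the FGA page Jeremy linked (without the hostname argument the patch lets everybody in), can be turned into a check run against a supervise run file before it goes live. What follows is an added example of mine, not the toaster's or the thread's: the argument order hostname / checkpassword program / subprogram is assumed from the run files posted in this thread, the function names are mine, and the two sample run files are constructed on the model of Walter's.

```shell
#!/bin/sh
# Added example: lint a qmail-smtpd supervise run file for the two
# misconfigurations discussed in the thread. Assumed convention (from the
# run files posted there): qmail-smtpd HOSTNAME CHECKPASSWORD SUBPROGRAM.
#   1. qmail-smtpd started with the checkpassword program as its first
#      argument (no hostname): the patch accepts any credentials, which is
#      the "promiscuous AUTH" open relay.
#   2. tcpserver -u pointing at qmaild: vchkpw cannot read vpopmail's user
#      data, so no legitimate client can authenticate.

# Constructed run file modelled on the one posted earlier in the thread.
open_run_file() {
  f=$(mktemp) || return 1
  cat >"$f" <<'EOF'
#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
exec /usr/local/bin/softlimit -m 1500 \
    /usr/local/bin/tcpserver -v -H -R -l 0 \
    -x /etc/tcp.smtp.cdb -c $MAXSMTPD \
    -u $QMAILDUID -g $NOFILESGID 0 smtp \
    /var/qmail/bin/qmail-smtpd \
    /home/vpopmail/bin/vchkpw /bin/true 2>&1
EOF
  echo "$f"
}

# The same file with both problems corrected.
fixed_run_file() {
  f=$(mktemp) || return 1
  cat >"$f" <<'EOF'
#!/bin/sh
LOCAL=`head -1 /var/qmail/control/me`
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
exec /usr/local/bin/softlimit -m 1500 \
    /usr/local/bin/tcpserver -v -H -R -l 0 \
    -x /etc/tcp.smtp.cdb -c $MAXSMTPD \
    -u $QMAILDUID -g $NOFILESGID 0 smtp \
    /var/qmail/bin/qmail-smtpd $LOCAL /home/vpopmail/bin/vchkpw /bin/true 2>&1
EOF
  echo "$f"
}

# Join backslash-continued lines so the exec command becomes one record.
join_continuations() {
  awk '
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
    { print buf $0; buf = "" }
  ' "$1"
}

# Print the arguments handed to qmail-smtpd (redirections like 2>&1 dropped).
smtpd_args() {
  join_continuations "$1" | awk '
    {
      for (i = 1; i <= NF; i++)
        if ($i ~ /qmail-smtpd$/) {
          for (j = i + 1; j <= NF; j++)
            if ($j !~ /^[0-9]*[<>]/) printf "%s ", $j
          print ""
          exit
        }
    }'
}

# lint_smtpd_run FILE: one finding per line on stdout; returns 1 if any.
lint_smtpd_run() {
  file=$1; rc=0
  if grep -q 'id -u qmaild' "$file"; then
    echo "runs as qmaild: vchkpw cannot read vpopmail data, AUTH fails for everyone"
    rc=1
  fi
  set -- $(smtpd_args "$file")
  if [ $# -gt 0 ]; then
    case $1 in
      *vchkpw*|*checkpassword*)
        echo "first qmail-smtpd argument is the checkpassword program, not the hostname: promiscuous AUTH (open relay)"
        rc=1 ;;
    esac
    if [ $# -lt 3 ]; then
      echo "expected three qmail-smtpd arguments: hostname checkpassword subprogram (got $#)"
      rc=1
    fi
  fi
  return $rc
}

# Stand-alone demo over both constructed files.
if [ "${1:-}" = "demo" ]; then
  for f in $(open_run_file) $(fixed_run_file); do
    echo "== $f"
    lint_smtpd_run "$f" && echo "no findings"
    rm -f "$f"
  done
fi
```

The linter only reads the file; it never executes it. A run file that is not supposed to offer AUTH at all (no arguments after qmail-smtpd) produces no findings, since the checks only apply once a checkpassword program is present.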
Re: [vchkpw] IMAP
> Is there any other IMAP server that can work with vpopmail the way courier-imap does?

You bet! See www.bincimap.org. And read http://www.differentpla.net/node/view/165. You can take some hints from there.

Cheers,
-- Walter
[vchkpw] Bind for Lua.
Hi all,

Just out of curiosity... Has anybody made a vpopmail binding for Lua (www.lua.org)? I think it's safe to ask before I start the work...

Thanks,
-- Walter Souto R. Junior
Bayweb Consultoria em Internet
Rua do Catete, 347 sobreloja 218
Catete - Rio de Janeiro - RJ
www.bayweb.com.br
Tel: +55 (21) 3826-7472
Fax: +55 (21) 3826-7237
Mobile: +55 (21) 9323-7283