Re: [vchkpw] SMTP Abuse

2005-04-14 Thread Rick Macdougall

Bill Wichers wrote:
I totally agree with you and I know that I'm blocking what I don't want
to, but if I don't, my server gets so busy that nobody can send messages
because it's a small machine to handle only two domains, one with 2 and
the other with 154 accounts, and I only have some load during business hours.

Is this server delivering mail and are you checking for unknown users at
smtp time (via the chkuser patch)?
Yes. It's all fine. So I think the only thing to do is wait...

Just a thought -- if you're just having trouble with misdirected bounces
flooding your server, you might try running the Spamcop rbl since they are
not listing servers that will "misbounce" a message to a forged from:
address.
I'm not sure how that would help; we use the spamcop bl here and it sure 
didn't help us: 50K bounce messages an hour, and it killed our spamd machine.

If you are still having problems though and are running simscan, enable 
the regex support and add something like this to your simcontrol file, 
it's what I had to do to reduce the load here.

clam=yes,spam=yes,spam_hits=10,regex=.*failure\snotice.*:.*Delivery\sStatus\sNotification.*:.*Mail\sdelivery\sfailed.*:.*Returned\smail.*:.*Undelivered\sMail.*:.*DELIVERY\sFAILURE.*:.*Message.Delivery.Failed.*:^Subject\x3a\sUndeliverable\x3a.*:^Subject\x3a.*mail.delivery.status.*:^Subject\x3a.*Undeliverable Mail.*
That's all one line btw and not optimized yet. I'm just bringing it 
on-line now, but server load has dropped from qmail-smtp 120/120 to about 
30/120.

Regards,
Rick
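The simcontrol regex list in Rick's message, run over a few constructed messages as an added example (this is not code from the thread or from simscan): it splits the value on ':' the way the `\x3a` escapes imply, compiles each entry with Python's `re` module (simscan uses the C POSIX regex library, so treat this as an approximation of its matching), and reports which entry fires for each message. The sample messages and the `first_matching_pattern` and `classify_samples` helpers are constructed for this illustration.

```python
import re

# Rick's simcontrol regex= value, split into adjacent string pieces only for
# readability; literal colons are written \x3a because ':' separates entries.
SIMCONTROL_REGEX = (
    r".*failure\snotice.*"
    r":.*Delivery\sStatus\sNotification.*"
    r":.*Mail\sdelivery\sfailed.*"
    r":.*Returned\smail.*"
    r":.*Undelivered\sMail.*"
    r":.*DELIVERY\sFAILURE.*"
    r":.*Message.Delivery.Failed.*"
    r":^Subject\x3a\sUndeliverable\x3a.*"
    r":^Subject\x3a.*mail.delivery.status.*"
    r":^Subject\x3a.*Undeliverable Mail.*"
)


def parse_patterns(value):
    """Split a simcontrol regex list on ':' and compile each entry.

    Splitting on ':' is only safe because the entries escape literal
    colons as \\x3a; an unescaped colon would silently split one entry
    into two fragments that match far more than intended.
    """
    return [re.compile(entry) for entry in value.split(":") if entry]


def first_matching_pattern(patterns, message):
    """Return the index of the first entry that matches any line of the
    message (headers or body), or -1 if none does. Matching per line is
    what lets the ^Subject entries anchor at the start of the header."""
    for line in message.splitlines():
        for index, pattern in enumerate(patterns):
            if pattern.search(line):
                return index
    return -1


PATTERNS = parse_patterns(SIMCONTROL_REGEX)

# Constructed sample messages (not real mail from the thread).
SAMPLES = {
    "qmail bounce": "Subject: failure notice\n\nHi. This is the qmail-send program at example.invalid.\n",
    "exchange ndr": "Subject: Undeliverable: hello\n\nYour message did not reach some or all recipients.\n",
    "legitimate": "Subject: Meeting notes\n\nAgenda for tomorrow attached.\n",
    "false positive": "Subject: Re: question about mail delivery status\n\nCan you check?\n",
}


def classify_samples():
    """Map each sample name to the index of the entry that caught it."""
    return {name: first_matching_pattern(PATTERNS, text)
            for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, index in classify_samples().items():
        hit = PATTERNS[index].pattern if index >= 0 else "no match"
        print(f"{name:15s} -> {hit}")
```

The last sample is the reason Rick calls the list "not optimized yet": `^Subject\x3a.*mail.delivery.status.*` also catches a human reply whose subject mentions delivery status, so an entry that broad is worth tightening (for example anchoring the phrase at the start of the subject) before it decides the fate of real mail.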


Re: [vchkpw] SMTP Abuse

2005-04-14 Thread Bill Wichers
> I totally agree with you and I know that I'm blocking what I don't want
> to, but if I don't, my server gets so busy that nobody can send messages
> because it's a small machine to handle only two domains, one with 2 and
> the other with 154 accounts, and I only have some load during business hours.
>
>> Is this server delivering mail and are you checking for unknown users at
>> smtp time (via the chkuser patch)?
>
> Yes. It's all fine. So I think the only thing to do is wait...

Just a thought -- if you're just having trouble with misdirected bounces
flooding your server, you might try running the Spamcop rbl since they are
not listing servers that will "misbounce" a message to a forged from:
address.

 -Bill


*
Waveform Technology
UNIX Systems Administrator




Re: [vchkpw] SMTP Abuse

2005-04-14 Thread Walter Souto R. Junior
Hi Rick,
I don't know what you can do.  What you have done so far is block  
legitimate email servers from sending your clients email, while reducing  
your load, it is not a good practice.  If you are going to do something  
like that you might as well just turn off your mail server.
I totally agree with you and I know that I'm blocking what I don't want  
to, but if I don't, my server gets so busy that nobody can send messages  
because it's a small machine to handle only two domains, one with 2 and  
the other with 154 accounts, and I only have some load during business hours.

Is this server delivering mail and are you checking for unknown users at  
smtp time (via the chkuser patch)?
Yes. It's all fine. So I think the only thing to do is wait...
Thanks everybody for your time.
Regards,
--
Walter.


Re: [vchkpw] SMTP Abuse

2005-04-14 Thread Rick Macdougall

Walter Souto R. Junior wrote:
Rick,
Looks to me like someone used your domain(s) as the From address when  
sending out spam, those messages bounced to whoever they sent them to  
and now they are being returned (falsely, but what are you going to 
do about faked From addresses).

Happens to us every so often as well, usually keeps up for about 12  
hours on our servers, then slows down and stops.

Happened Sunday night to us actually.
It's very bad. So, in my case this situation is still in progress (2 
days) and seems to get worse. Now, I have 1Mb of logs every 3 
minutes. It used to be 6 minutes yesterday.

What is the best way to handle this? Currently I just put :deny into 
the  tcp.smtp file, so I have in my log:

@4000425e639739b9fa1c tcpserver: end 13905 status 25600
@4000425e639739ba4c24 tcpserver: status: 7/20
@4000425e63973a907074 tcpserver: status: 8/20
@4000425e63973a944104 tcpserver: pid 13907 from 64.178.213.22
@4000425e63973a95cf74 tcpserver: deny 13907 0:69.60.111.86:25 :64.178.213.22::33919
@4000425e63973a98733c tcpserver: end 13907 status 25600
@4000425e63973a98c92c tcpserver: status: 7/20
@4000425e63980081e3f4 tcpserver: status: 8/20
@4000425e639800866c1c tcpserver: pid 13908 from 66.147.182.202
@4000425e63980088507c tcpserver: deny 13908 0:69.60.111.86:25 :66.147.182.202::29926
@4000425e6398008b270c tcpserver: end 13908 status 25600
@4000425e6398008b7914 tcpserver: status: 7/20
@4000425e639804855f1c tcpserver: status: 8/20
@4000425e63980488fce4 tcpserver: pid 13909 from 196.1.107.11
@4000425e6398048a9af4 tcpserver: deny 13909 0:69.60.111.86:25 :196.1.107.11::9580

If I don't deny, my server gets so busy that nobody can send a message... 
I think that this situation will consume a lot of my server's 
bandwidth...
Hi,
I don't know what you can do.  What you have done so far is block 
legitimate email servers from sending your clients email, while reducing 
your load, it is not a good practice.  If you are going to do something 
like that you might as well just turn off your mail server.

As long as you are rejecting invalid/unknown users at the smtp level, 
you really shouldn't have much of a bandwidth issue.

Is this server delivering mail and are you checking for unknown users at 
smtp time (via the chkuser patch)?

Regards,
Rick


Re: [vchkpw] SMTP Abuse

2005-04-14 Thread Walter Souto R. Junior
Rick,
Looks to me like someone used your domain(s) as the From address when  
sending out spam, those messages bounced to whoever they sent them to  
and now they are being returned (falsely, but what are you going to do  
about faked From addresses).

Happens to us every so often as well, usually keeps up for about 12  
hours on our servers, then slows down and stops.

Happened Sunday night to us actually.
It's very bad. So, in my case this situation is still in progress (2 days)  
and seems to get worse. Now, I have 1Mb of logs every 3 minutes. It used  
to be 6 minutes yesterday.

What is the best way to handle this? Currently I just put :deny into the  
tcp.smtp file, so I have in my log:

@4000425e639739b9fa1c tcpserver: end 13905 status 25600
@4000425e639739ba4c24 tcpserver: status: 7/20
@4000425e63973a907074 tcpserver: status: 8/20
@4000425e63973a944104 tcpserver: pid 13907 from 64.178.213.22
@4000425e63973a95cf74 tcpserver: deny 13907 0:69.60.111.86:25 :64.178.213.22::33919
@4000425e63973a98733c tcpserver: end 13907 status 25600
@4000425e63973a98c92c tcpserver: status: 7/20
@4000425e63980081e3f4 tcpserver: status: 8/20
@4000425e639800866c1c tcpserver: pid 13908 from 66.147.182.202
@4000425e63980088507c tcpserver: deny 13908 0:69.60.111.86:25 :66.147.182.202::29926
@4000425e6398008b270c tcpserver: end 13908 status 25600
@4000425e6398008b7914 tcpserver: status: 7/20
@4000425e639804855f1c tcpserver: status: 8/20
@4000425e63980488fce4 tcpserver: pid 13909 from 196.1.107.11
@4000425e6398048a9af4 tcpserver: deny 13909 0:69.60.111.86:25 :196.1.107.11::9580

If I don't deny, my server gets so busy that nobody can send a message... I  
think that this situation will consume a lot of my server's bandwidth...

Regards,
--
Walter.


Re: [vchkpw] SMTP Abuse

2005-04-14 Thread tonix (Antonio Nati)
Hi Walter,
At 20.10 13/04/2005, you wrote:
Hi Tonix,
If remote user is sending using an authenticated SMTP session, you would
find his name within chkuser logging.
Look at these entries from my smtpd log:
@4000425d6a992de7abbc.s:@4000425d6a2c106b451c CHKUSER rejected rcpt: from <::> remote  rcpt <[EMAIL PROTECTED]> : not existing recipient
@4000425d6a992de7abbc.s:@4000425d6a250b7faffc CHKUSER rejected rcpt: from <::> remote  rcpt <[EMAIL PROTECTED]> : not existing recipient
rcpt: from <::> has no user name. Is that the right place for this
information?
Right, where you read from <::>, you could read 
<[EMAIL PROTECTED]:[EMAIL PROTECTED]:relayclientvalue> (see 
http://www.interazioni.it/opensource/chkuser/documentation/logging_format.html 
for more info on chkuser logging format).

Also the other indication may be important, as 
 means that the remote host 
declares itself as mx03.scottish-southern.co.uk, but its real address 
161.12.6.161 has no reverse. Usually I put them in a black list when I see a 
dial-up or ADSL connection. It's up to you to give a value to such 
information.

What I'm missing?
All these messages are sent with "From: <>", as they could be sent to you by 
mail daemons sending back e-mails for non-existing recipients.

As someone else is writing in other messages, probably someone sent spam 
messages using fake addresses on your domains as senders. So, if the original 
recipients' systems act like normal qmail systems, they accept every message 
and later send back a reply to all fake senders. So you receive all these 
messages back from smtp servers.

Ciao,
Tonino

Thanks,
--
Walter.



Re: [vchkpw] SMTP Abuse

2005-04-13 Thread Rick Macdougall
Walter Souto R. Junior wrote:
Hi Tonix,
If remote user is sending using an authenticated SMTP session, you 
would  find his name within chkuser logging.

Look at these entries from my smtpd log:
@4000425d6a992de7abbc.s:@4000425d6a2c106b451c CHKUSER rejected rcpt: from <::> remote  rcpt <[EMAIL PROTECTED]> : not existing recipient

@4000425d6a992de7abbc.s:@4000425d6a250b7faffc CHKUSER rejected rcpt: from <::> remote  rcpt <[EMAIL PROTECTED]> : not existing recipient

rcpt: from <::> has no user name. Is that the right place for this  
information?

What I'm missing?
Hi,
Looks to me like someone used your domain(s) as the From address when 
sending out spam, those messages bounced to whoever they sent them to 
and now they are being returned (falsely, but what are you going to do 
about faked From addresses).

Happens to us every so often as well, usually keeps up for about 12 
hours on our servers, then slows down and stops.

Happened Sunday night to us actually.
Regards,
Rick


Re: [vchkpw] SMTP Abuse

2005-04-13 Thread Walter Souto R. Junior
Hi Tonix,
If remote user is sending using an authenticated SMTP session, you would  
find his name within chkuser logging.
Look at these entries from my smtpd log:
@4000425d6a992de7abbc.s:@4000425d6a2c106b451c CHKUSER rejected rcpt: from <::> remote  rcpt <[EMAIL PROTECTED]> : not existing recipient

@4000425d6a992de7abbc.s:@4000425d6a250b7faffc CHKUSER rejected rcpt: from <::> remote  rcpt <[EMAIL PROTECTED]> : not existing recipient

rcpt: from <::> has no user name. Is that the right place for this  
information?

What I'm missing?
Thanks,
--
Walter.
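The tcpserver deny lines Walter posted earlier in the thread and the CHKUSER rejections above come from the same multilog-managed qmail-smtpd log, so one small parser can tally both per remote IP and tell backscatter (null-sender bounces to forged From addresses, Rick's and Tonino's diagnosis) from a dictionary scan (Ken's first guess). This is an added example, not code from the thread, tcpserver or chkuser. It assumes the tcpserver -v line layout seen in the log excerpts (`deny PID localhost:localip:localport :remotehost:remoteip:remoteinfo:remoteport`) and the chkuser layout `from <sender:authuser:relayclient> remote <helo:rdns:ip> rcpt <address> : reason`; the bracketed `remote` triple follows the chkuser logging-format page Tonino links, since the archive stripped that field from the copies above. The sample log, the mailbox names and the helper names (`tally`, `classify`, `deny_candidates`, `analyse`) are constructed; the IPs are ones quoted in the thread.

```python
import re
from collections import defaultdict

# tcpserver -v verdict line, e.g.
# "tcpserver: deny 13907 0:69.60.111.86:25 :64.178.213.22::33919"
TCPSERVER_RE = re.compile(
    r"tcpserver: (?P<verdict>ok|deny) \d+ \S+ [^:\s]*:(?P<ip>[0-9.]+):[^:\s]*:\d+$"
)
# chkuser rejection line; the remote <helo:rdns:ip> layout is assumed from
# the chkuser logging documentation (the thread's copies lost that field).
CHKUSER_RE = re.compile(
    r"CHKUSER rejected rcpt: from <(?P<sender>[^>]*)> "
    r"remote <(?P<helo>[^:>]*):(?P<rdns>[^:>]*):(?P<ip>[0-9.]+)> "
    r"rcpt <(?P<rcpt>[^>]*)> : (?P<reason>.+)$"
)


def new_counter():
    return {"deny": 0, "ok": 0, "unknown_rcpt": 0, "null_sender_unknown_rcpt": 0}


def tally(lines):
    """Count per remote IP: connections tcpserver denied or allowed, unknown
    recipient rejections, and how many of those carried the null sender
    (MAIL FROM:<>) that bounces use, the 'from <::>' in Walter's log."""
    stats = defaultdict(new_counter)
    for line in lines:
        m = TCPSERVER_RE.search(line)
        if m:
            stats[m["ip"]][m["verdict"]] += 1
            continue
        m = CHKUSER_RE.search(line)
        if m and m["reason"].startswith("not existing recipient"):
            stats[m["ip"]]["unknown_rcpt"] += 1
            mail_from = m["sender"].split(":")[0]  # sender:authuser:relayclient
            if mail_from == "":
                stats[m["ip"]]["null_sender_unknown_rcpt"] += 1
    return dict(stats)


def classify(counter):
    """Rough label for one IP's unknown-recipient traffic."""
    if counter["unknown_rcpt"] == 0:
        return "quiet"
    if counter["null_sender_unknown_rcpt"] == counter["unknown_rcpt"]:
        return "backscatter"  # every probe was a bounce with the null sender
    return "dictionary"       # a real MAIL FROM, guessing at valid mailboxes


def deny_candidates(stats, threshold):
    """tcp.smtp lines for the single IPs that reached the threshold, as a
    narrower alternative to whole-/8 entries such as '4.:deny'."""
    return [f"{ip}:deny" for ip, c in sorted(stats.items())
            if c["unknown_rcpt"] >= threshold]


# Constructed sample log: IPs from the thread, mailbox names made up.
SAMPLE_LOG = """\
@4000425e63973a944104 tcpserver: pid 13907 from 64.178.213.22
@4000425e63973a95cf74 tcpserver: deny 13907 0:69.60.111.86:25 :64.178.213.22::33919
@4000425e63973a98733c tcpserver: end 13907 status 25600
@4000425e639800866c1c tcpserver: pid 13908 from 66.147.182.202
@4000425e63980088507c tcpserver: deny 13908 0:69.60.111.86:25 :66.147.182.202::29926
@4000425e63980488fce4 tcpserver: pid 13909 from 196.1.107.11
@4000425e6398048a9af4 tcpserver: ok 13909 0:69.60.111.86:25 :196.1.107.11::9580
@4000425e6398048b0001 CHKUSER rejected rcpt: from <::> remote <mx03.scottish-southern.co.uk:unknown:161.12.6.161> rcpt <aaron@example.invalid> : not existing recipient
@4000425e6398048b0002 CHKUSER rejected rcpt: from <::> remote <mx03.scottish-southern.co.uk:unknown:161.12.6.161> rcpt <abbey@example.invalid> : not existing recipient
@4000425e6398048b0003 CHKUSER rejected rcpt: from <::> remote <mx03.scottish-southern.co.uk:unknown:161.12.6.161> rcpt <abbot@example.invalid> : not existing recipient
@4000425e6398048b0004 CHKUSER rejected rcpt: from <sender@example.net::> remote <pc-123:unknown:82.148.41.149> rcpt <aaron@example.invalid> : not existing recipient
@4000425e6398048b0005 CHKUSER rejected rcpt: from <sender@example.net::> remote <pc-123:unknown:82.148.41.149> rcpt <abbey@example.invalid> : not existing recipient
@4000425e6398048b0006 CHKUSER accepted rcpt: from <bob@example.net::> remote <mail.example.net:mail.example.net:196.1.107.11> rcpt <walter@example.invalid> : found existing recipient
"""


def analyse(log_text=SAMPLE_LOG, threshold=3):
    """Return (per-IP counters, per-IP label, candidate tcp.smtp lines)."""
    stats = tally(log_text.splitlines())
    labels = {ip: classify(c) for ip, c in stats.items()}
    return stats, labels, deny_candidates(stats, threshold)


if __name__ == "__main__":
    stats, labels, rules = analyse()
    for ip in sorted(stats):
        print(ip, stats[ip], labels[ip])
    print("\n".join(rules))
```

The null-sender check is the useful signal: a host whose unknown-recipient rejections all arrive with `MAIL FROM:<>` is a legitimate MX returning bounces for forged mail, which is the case the thread ends up diagnosing, whereas a host sending the same probes with a real sender is guessing mailboxes. Because chkuser already rejects these at RCPT time, the per-IP deny list only buys back the connection overhead, and it should be allowed to expire, since an MX that bounces forged spam today will carry real mail tomorrow.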


Re: [vchkpw] SMTP Abuse

2005-04-13 Thread Walter Souto R. Junior
Hi Tonix,
If remote user is sending using an authenticated SMTP session, you would  
find his name within chkuser logging.
I set up this server using the Shupp toaster. I don't know where chkuser is  
logging this information. Please, can you point me in the right direction?  
Anyway I'll go and re-read the chkuser docs. I did that when I set up the  
toaster a few months ago.

Probably, as Ken is saying, these are simply some viruses trying to guess  
recipients on your MX hosted domains.
Probably. But I'm getting this "attack" from several different IP's like:
82.148.41.149
202.56.230.13
62.210.190.2
67.104.181.51
205.211.164.226
131.211.194.57
and so many others...
Multilog is rotating 1 Mb logs every few minutes, but I get them all  
blocked.

Thanks,
--
Walter Souto R. Junior
Bayweb Internet Consulting
Tel/Fax: +55 (21) 2226-3625
Mobile: +55 (21) 9323-7283


Re: [vchkpw] SMTP Abuse

2005-04-13 Thread tonix (Antonio Nati)
If remote user is sending using an authenticated SMTP session, you would 
find his name within chkuser logging.

Probably, as Ken is saying, these are simply some viruses trying to guess 
recipients on your MX hosted domains.

Tonino
At 19.24 13/04/2005, you wrote:
Ken,
Thanks for your help.
You probably are receiving a dictionary scan from infected PC's.
Be sure to use rblsmtpd against one or more of the good rbl sites.
I have tried this before writing here. So maybe too many rbl's, look:
#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
exec /usr/local/bin/softlimit -m 1000 \
/usr/local/bin/tcpserver \
-v -H -R -l 0 \
-x /etc/tcprules/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
/usr/local/bin/rblsmtpd -b -C \
-r "list.dsbl.org:Your mail server is listed in DSBL list." \
-r "bl.spamcop.net:Your mail server is listed in Spamcop blocklist." \
-r "relays.ordb.org:Your mail server is an OPEN RELAY (ORDB list)." \
-r "sbl.spamhaus.org:Your mail server is listed in SBL-Spamhaus." \
-r "blackholes.mail-abuse.org: See " \
-r "dialups.mail-abuse.org: See " \
-t 5 \
/var/qmail/bin/qmail-smtpd \
/var/vpopmail/bin/vchkpw /bin/true 2>&1
Another thing you can do is scan for frequent IP's to bad users
in the smtp log files and build new tcp.smtp deny lines.
Yes. That's what I'm doing:
4.:deny
12.:deny
130-159.:deny
80-89.:deny
and so on...
But is there a way to determine if the spammer is using an account on my
server, with a password, to do that? So I can change the password and block
him.
Thanks,
--
Walter.



Re: [vchkpw] SMTP Abuse

2005-04-13 Thread Walter Souto R. Junior
Ken,
Thanks for your help.
You probably are receiving a dictionary scan from infected PC's.
Be sure to use rblsmtpd against one or more of the good rbl sites.
I have tried this before writing here. So maybe too many rbl's, look:
#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
exec /usr/local/bin/softlimit -m 1000 \
/usr/local/bin/tcpserver \
-v -H -R -l 0 \
-x /etc/tcprules/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
/usr/local/bin/rblsmtpd -b -C \
-r "list.dsbl.org:Your mail server is listed in DSBL list." \
-r "bl.spamcop.net:Your mail server is listed in Spamcop blocklist." \
-r "relays.ordb.org:Your mail server is an OPEN RELAY (ORDB list)." \
-r "sbl.spamhaus.org:Your mail server is listed in SBL-Spamhaus." \
-r "blackholes.mail-abuse.org: See " \
-r "dialups.mail-abuse.org: See " \
-t 5 \
/var/qmail/bin/qmail-smtpd \
/var/vpopmail/bin/vchkpw /bin/true 2>&1

Another thing you can do is scan for frequent IP's to bad users
in the smtp log files and build new tcp.smtp deny lines.
Yes. That's what I'm doing:
4.:deny
12.:deny
130-159.:deny
80-89.:deny
and so on...
But is there a way to determine if the spammer is using an account on my  
server, with a password, to do that? So I can change the password and block  
him.

Thanks,
--
Walter.
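What the chain of `-r` options in Walter's run script actually does, modelled offline as an added example (not rblsmtpd's code and not from the thread): for each zone it builds the reversed-octet query name, consults the zones in the order given so that the first listing wins, and maps the result to the SMTP reply rblsmtpd would give, the temporary 451 by default or the permanent 553 that the script's `-b` selects. The resolver is an injected callable so the example runs without network access; `FAKE_DNS` is constructed data, not real listings, and the two mail-abuse.org entries are left out because their messages lost their URLs in the archive. The helper names are constructed.

```python
# Zones in the order the run script passes them to rblsmtpd, with the text
# after the colon of each -r "zone:message" argument.
ZONES = [
    ("list.dsbl.org", "Your mail server is listed in DSBL list."),
    ("bl.spamcop.net", "Your mail server is listed in Spamcop blocklist."),
    ("relays.ordb.org", "Your mail server is an OPEN RELAY (ORDB list)."),
    ("sbl.spamhaus.org", "Your mail server is listed in SBL-Spamhaus."),
]


def dnsbl_query_name(ip, zone):
    """Reverse the dotted quad and append the zone: 64.178.213.22 checked
    against bl.spamcop.net becomes 22.213.178.64.bl.spamcop.net."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def check_chain(ip, zones, resolver, bounce=False):
    """Walk the zones in order; the first one answering with a 127.0.0.0/8
    A record wins, as with a chain of -r options. Returns (smtp_code, message)
    or None when no zone lists the IP. bounce=True mirrors rblsmtpd -b: a
    permanent 553 instead of the temporary 451 that lets the sender retry."""
    for zone, message in zones:
        answers = resolver(dnsbl_query_name(ip, zone))
        if any(a.startswith("127.") for a in answers):
            return (553 if bounce else 451, message)
    return None


# Constructed answers standing in for DNS; these are not real listings.
FAKE_DNS = {
    "22.213.178.64.bl.spamcop.net": ["127.0.0.2"],
    "202.182.147.66.list.dsbl.org": ["127.0.0.2"],
    "202.182.147.66.bl.spamcop.net": ["127.0.0.2"],
}


def fake_resolver(name):
    """Stand-in for an A lookup; an empty list plays the role of NXDOMAIN."""
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("64.178.213.22", "66.147.182.202", "196.1.107.11"):
        print(ip, check_chain(ip, ZONES, fake_resolver, bounce=True))
```

Two points the model makes visible: every extra zone costs an unlisted client one more DNS round trip, while a listed client is rejected at the first hit, so the zone most likely to match belongs first; and a zone that has been shut down may start answering every query as listed, so a long `-r` chain needs periodic review rather than being left as configured.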


Re: [vchkpw] SMTP Abuse

2005-04-13 Thread Ken Jones
On Wednesday 13 April 2005 1:01 pm, you wrote:
> Hi,
> Today I start to get something like that in my qmail-smtpd log:

>snip>

> And I know that the IP's used can change...
> I think that somebody with some user password for smtp is making this, but
> I can't determine from where or which account he is using. I have no logs
> for smtp-auth user success or failure...
>
> Please, somebody could give me some light to stop that?

You probably are receiving a dictionary scan from infected PC's.
Be sure to use rblsmtpd against one or more of the good rbl sites.

Another thing you can do is scan for frequent IP's to bad users
in the smtp log files and build new tcp.smtp deny lines.

Ken Jones