qmail Digest 6 Jun 1999 10:00:01 -0000 Issue 663

Topics (messages 26356 through 26365):

Messages reinjected to this mailing list
        26356 by: "D. J. Bernstein" <[EMAIL PROTECTED]>
        26361 by: Dave Teske <[EMAIL PROTECTED]>

qmailanalog - get sender and recipient?
        26357 by: Eric Dahnke <[EMAIL PROTECTED]>

ETRN in qmail
        26358 by: Ranjan Koirala <[EMAIL PROTECTED]>

LOTS of Orbs hits
        26359 by: [EMAIL PROTECTED]
        26360 by: "Adam D. McKenna" <[EMAIL PROTECTED]>
        26362 by: [EMAIL PROTECTED]
        26363 by: Russ Allbery <[EMAIL PROTECTED]>
        26365 by: Bruce Guenter <[EMAIL PROTECTED]>

Qmail Qs
        26364 by: "Scott D. Yelich" <[EMAIL PROTECTED]>


----------------------------------------------------------------------


Last night, [EMAIL PROTECTED] reinjected thirty old messages from
various authors to [EMAIL PROTECTED]

This sort of idiocy happens much more often than most subscribers know,
thanks to a broken piece of software by Eric Raymond called fetchmail.
Fortunately, qmail and ezmlm have loop-prevention mechanisms that stop
these messages before they are distributed to subscribers. The messages
end up bouncing to the wrong place, thanks to another fetchmail bug, but
at least the mailing list is protected.

However, in this case, [EMAIL PROTECTED] eliminated all the fields
that could possibly stop a loop---Delivered-To, Mailing-List, Received,
Message-ID, even Date---before reinjecting the messages. Neither qmail
nor ezmlm realized that these weren't valid new messages.

---Dan




Dan and everyone else,

Please accept my apology for this screw-up on my part. This was of course 
unintentional and I regret any problems this may have caused. I was forced 
to switch pop/imap servers (from the UW patched one to cyrus) and was left 
with a bunch of mail sitting in users' maildirs. Of course cyrus doesn't use 
maildirs so the only way I could think to "move" them was to "remail" them. 
I spent hours combing the mailing list archives and found several 
solutions. It appears that a few of my attempts failed badly.

Again I apologize to Dan and anyone else that was inconvenienced by my stupidity.

--Dave

At 03:02 PM 6/5/99 , D. J. Bernstein wrote:
>Last night, [EMAIL PROTECTED] reinjected thirty old messages from
>various authors to [EMAIL PROTECTED]
>
>This sort of idiocy happens much more often than most subscribers know,
>thanks to a broken piece of software by Eric Raymond called fetchmail.
>Fortunately, qmail and ezmlm have loop-prevention mechanisms that stop
>these messages before they are distributed to subscribers. The messages
>end up bouncing to the wrong place, thanks to another fetchmail bug, but
>at least the mailing list is protected.
>
>However, in this case, [EMAIL PROTECTED] eliminated all the fields
>that could possibly stop a loop---Delivered-To, Mailing-List, Received,
>Message-ID, even Date---before reinjecting the messages. Neither qmail
>nor ezmlm realized that these weren't valid new messages.
>
>---Dan





Hello Qmailers,

I currently use qmailanalog in conjunction with some zscripts. Works
fine, but was wondering if it is possible to get sender and recipient on
a per msg basis. Perhaps something like this?

[EMAIL PROTECTED]    ==>>>  [EMAIL PROTECTED]
[EMAIL PROTECTED]    ==>>>  [EMAIL PROTECTED]
[EMAIL PROTECTED]    ==>>>  [EMAIL PROTECTED]

out of some combination of x and z scripts?


I see in the qmailanalog documentation the following statement: "You can
feed the x* output through the z* scripts". I believe this would be the
way to accomplish what I want, but haven't been able to get any results.


thx - eric




Hi,
What does ETRN stand for, and does qmail support it? Are there any
sites or references I can look at?

Thanx

ran




I'm getting LOTS of ORBS hits suddenly, like this:

Jun  5 22:41:00 gw smtpd: 928640460.637397 rblsmtpd: pid 4196: 451 See 
http://www.orbs.org/blocked.cgi. Your mailserver is in the ORBS database as an 
insecure email relay. This is a generic text message.
Jun  5 22:41:02 gw smtpd: 928640462.642219 rblsmtpd: pid 4198: 451 See 
http://www.orbs.org/blocked.cgi. Your mailserver is in the ORBS database as an 
insecure email relay. This is a generic text message.
Jun  5 22:41:03 gw smtpd: 928640463.555417 rblsmtpd: pid 4199: 451 See 
http://www.orbs.org/blocked.cgi. Your mailserver is in the ORBS database as an 
insecure email relay. This is a generic text message.
Jun  5 22:41:04 gw smtpd: 928640464.110713 rblsmtpd: pid 4200: 451 See 
http://www.orbs.org/blocked.cgi. Your mailserver is in the ORBS database as an 
insecure email relay. This is a generic text message.

Every second or two, on for hours.  Normal mail traffic seems to be
working okay.  I upgraded ezmlm+idx today, and I applied the
qmail-verh patch, so I *could* have knocked something over; but the
ORBS hits at least have been going on all day in the log-file (must
have been going yesterday too, they start immediately on log rollover
today), well before I touched any software, so I don't *think* I
caused this problem myself.

The frequency is too low to be a deliberate DOS attack, I'd think --
one connect every second or so, while it's making the logs grow, isn't
really hurting me, and looks more like persistence than malice.
Unfortunately rblsmtpd fails to log anything useful; it just gives the
TXT record from ORBS, and ORBS has chosen not to have them say
anything meaningful / useful.  What I want, of course, is the IP
address the connect was from.  Has anybody patched rblsmtpd to log
that already?  It looks darned easy -- except that I don't speak Dan's
non-stdio library.  I'll probably tackle it eventually anyway if
nobody has done the deed.

Am I overlooking some other reasonable way to find out where this is
coming from easily?
-- 
David Dyer-Bennet                                              [EMAIL PROTECTED]
http://www.ddb.com/~ddb (photos, sf) Minicon: http://www.mnstf.org/minicon
http://ouroboros.demesne.com/ The Ouroboros Bookworms
Join the 20th century before it's too late!




You might try using the -b flag with rblsmtpd; this will send a 553 error code 
(permanent) instead of 451 (temporary).

--Adam


On Sat, Jun 05, 1999 at 10:49:26PM -0500, [EMAIL PROTECTED] wrote:
> I'm getting LOTS of ORBS hits suddenly, like this:
> 
> Jun  5 22:41:00 gw smtpd: 928640460.637397 rblsmtpd: pid 4196: 451 See 
>http://www.orbs.org/blocked.cgi. Your mailserver is in the ORBS database as an 
>insecure email relay. This is a generic text message.
> Jun  5 22:41:02 gw smtpd: 928640462.642219 rblsmtpd: pid 4198: 451 See 
>http://www.orbs.org/blocked.cgi. Your mailserver is in the ORBS database as an 
>insecure email relay. This is a generic text message.
> Jun  5 22:41:03 gw smtpd: 928640463.555417 rblsmtpd: pid 4199: 451 See 
>http://www.orbs.org/blocked.cgi. Your mailserver is in the ORBS database as an 
>insecure email relay. This is a generic text message.
> Jun  5 22:41:04 gw smtpd: 928640464.110713 rblsmtpd: pid 4200: 451 See 
>http://www.orbs.org/blocked.cgi. Your mailserver is in the ORBS database as an 
>insecure email relay. This is a generic text message.
> 
> Every second or two, on for hours.  Normal mail traffic seems to be
> working okay.  I upgraded ezmlm+idx today, and I applied the
> qmail-verh patch, so I *could* have knocked something over; but the
> ORBS hits at least have been going on all day in the log-file (must
> have been going yesterday too, they start immediately on log rollover
> today), well before I touched any software, so I don't *think* I
> caused this problem myself.
> 
> The frequency is too low to be a deliberate DOS attack, I'd think --
> one connect every second or so, while it's making the logs grow, isn't
> really hurting me, and looks more like persistence than malice.
> Unfortunately rblsmtpd fails to log anything useful; it just gives the
> TXT record from ORBS, and ORBS has chosen not to have them say
> anything meaningful / useful.  What I want, of course, is the IP
> address the connect was from.  Has anybody patched rblsmtpd to log
> that already?  It looks darned easy -- except that I don't speak Dan's
> non-stdio library.  I'll probably tackle it eventually anyway if
> nobody has done the deed.
> 
> Am I overlooking some other reasonable way to find out where this is
> coming from easily?
> -- 
> David Dyer-Bennet                                            [EMAIL PROTECTED]
> http://www.ddb.com/~ddb (photos, sf) Minicon: http://www.mnstf.org/minicon
> http://ouroboros.demesne.com/ The Ouroboros Bookworms
> Join the 20th century before it's too late!




Adam D. McKenna <[EMAIL PROTECTED]> writes on 5 June 1999 at 23:51:49 -0400
 > You might try using the -b flag with rblsmtpd, this will send 553 error code 
 >(permanent) instead of 451 (temporary)..

Yes, that would cure the problem I guess.  1 second seems awfully fast
retry, I didn't think of it being just normal message retry.

Also wouldn't tell me where it was coming from, and I was curious.  As
so often happens in real life, shortly after posting my query I got
energetic and actually wrote the patch; turned out to be easy to do,
of course.  Found out what system, made a temporary hole, got the
email (innocuous), closed the hole again.

So now I'm back to giving a permanent error (I've flip-flopped on this
a few times), AND I'm logging the IP that RBLSMTPD refuses connections
from. 

So now the log lines look like this (here):

Jun  5 23:23:20 gw smtpd: 928643000.144593 rblsmtpd: pid 7320: ip 24.2.7.66: 553 See 
http://www.orbs.org/blocked.cgi. Your mailserver is in the ORBS database as an 
insecure email relay. This is a generic text message.

(That's the TXT record from ORBS at the end; on an RBL connect, it'd
show the IP twice, once from my patch and once embedded in the TXT
record.) 

One of the reasons this is useful to me is that I do sometimes need to
make a hole; this makes it easier to find the IP I need to make the
hole for (especially since the inbound MXs aren't the systems sending
outbound for some domains).

Here's the patch, for anybody that's interested.  This could go on
qmail.org if you think it's of general interest, Russel.

--- rblsmtpd.c.orig     Wed May 12 21:56:04 1999
+++ rblsmtpd.c  Sun Jun  6 04:07:05 1999
@@ -48,7 +48,9 @@
 {
   int i;
   char *x;
+  char *remip;
 
+  remip = 0;
   x = env_get("RBLSMTPD");
   if (x) {
     if (!*x) return;
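Review bot: `remip` is cleared before the `env_get("RBLSMTPD")` branch and, in the lines shown, is only assigned later once `ip_scan` has succeeded, so if the `if (x)` branch can reach the logging code without passing that assignment, those rejections are logged without the `ip` field. If that is intended, say so in a comment at the declaration; otherwise set `remip` before this branch. The separate `remip = 0;` statement could also be folded into the declaration as `char *remip = 0;`.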
@@ -65,6 +67,7 @@
     if (!x) return;
     if (!*x) return;
     if (x[ip_scan(x,&ip)]) return;
+    remip = x;
 
     switch(txt(&rbltext,&ip,rbldomain)) {
       case 0:
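Review bot: `remip = x;` keeps an alias to the string `x` points at rather than a copy, so the logged address is only correct if nothing reuses or rewrites that storage before `substdio_puts(subfderr,remip)` runs; a short comment stating that lifetime assumption would help the next reader. Placing the assignment after the `x[ip_scan(x,&ip)]` check is the right order, since only a string that parsed completely as an address can reach the log.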
@@ -86,6 +89,11 @@
   substdio_puts(subfderr,"rblsmtpd: pid ");
   substdio_put(subfderr,strnum,fmt_ulong(strnum,(unsigned long) getpid()));
   substdio_puts(subfderr,": ");
+  if (remip) {
+    substdio_puts(subfderr,"ip ");
+    substdio_puts(subfderr,remip);
+    substdio_puts(subfderr,": ");
+  }
   substdio_put(subfderr,message.s,message.len);
   substdio_puts(subfderr,"\n");
   substdio_flush(subfderr);
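Review bot: The new `ip <addr>: ` field between the pid and the message changes the format of every rejection line, and the patch carries no documentation for it, so anything that parses `rblsmtpd: pid N: <code>` lines will need updating. A comment above `if (remip) {` describing the resulting line format, or a note in the accompanying documentation, would cover it.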

-- 
David Dyer-Bennet                                              [EMAIL PROTECTED]
http://www.ddb.com/~ddb (photos, sf) Minicon: http://www.mnstf.org/minicon
http://ouroboros.demesne.com/ The Ouroboros Bookworms
Join the 20th century before it's too late!
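
An added example, not part of the original post or of rblsmtpd: a Python summary of rejection lines in the format shown above, grouped by the `ip` field the patch adds, which flags sources that keep reconnecting after a 451. The sample log is constructed (192.0.2.0/24 documentation addresses), and the names `summarize` and `rapid_retriers` and the thresholds are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# rblsmtpd rejection line as logged on this page. The "ip <addr>: " field
# exists only with the patch applied, so it is optional here.
LINE = re.compile(
    r"(?P<epoch>\d+\.\d+) rblsmtpd: pid \d+: "
    r"(?:ip (?P<ip>\d{1,3}(?:\.\d{1,3}){3}): )?(?P<code>[45]\d\d) "
)

# Constructed sample log; addresses are from the documentation range.
SAMPLE = """\
Jun  5 22:41:00 gw smtpd: 928640460.000000 rblsmtpd: pid 4196: ip 192.0.2.10: 451 See http://www.orbs.org/blocked.cgi.
Jun  5 22:41:02 gw smtpd: 928640462.000000 rblsmtpd: pid 4198: ip 192.0.2.10: 451 See http://www.orbs.org/blocked.cgi.
Jun  5 22:41:03 gw smtpd: 928640463.000000 rblsmtpd: pid 4199: ip 192.0.2.10: 451 See http://www.orbs.org/blocked.cgi.
Jun  5 22:41:04 gw smtpd: 928640464.000000 rblsmtpd: pid 4200: ip 192.0.2.10: 451 See http://www.orbs.org/blocked.cgi.
Jun  5 22:41:05 gw qmail: 928640465.000000 status: local 0/10 remote 0/20
Jun  5 22:41:10 gw smtpd: 928640470.000000 rblsmtpd: pid 4300: 451 See http://www.orbs.org/blocked.cgi.
Jun  5 23:23:20 gw smtpd: 928643000.000000 rblsmtpd: pid 7320: ip 192.0.2.77: 553 See http://www.orbs.org/blocked.cgi.
"""

def summarize(log_text):
    """Per source: hit count, SMTP codes sent, mean seconds between hits."""
    stats = defaultdict(lambda: {"codes": set(), "times": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an rblsmtpd rejection line
        s = stats[m.group("ip") or "unknown"]  # unpatched lines carry no ip
        s["codes"].add(int(m.group("code")))
        s["times"].append(float(m.group("epoch")))
    report = {}
    for ip, s in stats.items():
        t = sorted(s["times"])
        gaps = [b - a for a, b in zip(t, t[1:])]
        report[ip] = {
            "hits": len(t),
            "codes": sorted(s["codes"]),
            "mean_gap": round(sum(gaps) / len(gaps), 2) if gaps else None,
        }
    return report

def rapid_retriers(report, max_gap=5.0, min_hits=3):
    """Known sources that keep reconnecting after a temporary (451) reply."""
    return sorted(
        ip for ip, r in report.items()
        if ip != "unknown" and 451 in r["codes"] and r["hits"] >= min_hits
        and r["mean_gap"] is not None and r["mean_gap"] <= max_gap
    )
```

Lines logged by an unpatched rblsmtpd fall into the `unknown` bucket, which is the situation the original question describes.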




As a side note, I'd strongly recommend dumping ORBS in favor of a more
ethical blackhole list.  The maintainer of ORBS has gone on public record
as blocking hosts because he "doesn't like their attitude," even if spam
has never gone anywhere near them.

I've heard good things about RRSS (<URL:http://relays.radparker.com/>) and
the person running it certainly seems to be much calmer and more
professional about it.

-- 
Russ Allbery ([EMAIL PROTECTED])         <URL:http://www.eyrie.org/~eagle/>




On Sat, Jun 05, 1999 at 11:27:48PM -0500, [EMAIL PROTECTED] wrote:
> Yes, that would cure the problem I guess.  1 second seems awfully fast
> retry, I didn't think of it being just normal message retry.

I seem to recall there being a bug in MSexchange that would cause it to
immediately retry if it was handed a 400 response.

> Also wouldn't tell me where it was coming from, and I was curious.  As
> so often happens in real life, shortly after posting my query I got
> energetic and actually wrote the patch; turned out to be easy to do,
> of course.  Found out what system, made a temporary hole, got the
> email (innocuous), closed the hole again.

Um, could you not just run tcpserver with "-v" which will log the
connection?
-- 
Bruce Guenter, QCC Communications Corp.  EMail: [EMAIL PROTECTED]
Phone: (306)249-0220               WWW: http://www.qcc.sk.ca/~bguenter/




Any help would be appreciated:

(1) Does anyone have a setup where sendwhale is on a client machine 
and needs to forward/relay through a qmail machine?  I can't seem to 
get Dj and DM to make sendwhale happy.  I either get MX goes back to
DM or Dj or I get Dj in the outgoing mail (and the host doesn't
exist to the world, so other sites refuse to accept the from address).

(2) Does anyone have a reference on how to make Qmail dump all
"Received" headers?  I'm trying to hide an internal machine.

Scott
ps: thanks!