qmail Digest 2 Jan 2001 11:00:01 -0000 Issue 1232

Topics (messages 54506 through 54532):

urgent ! how to log Ip addresses with current time with qmail-smtpd /tcpserver
        54506 by: Prashant Desai
        54508 by: Alex Kramarov
        54518 by: Henry Baragar

mailbox format
        54507 by: Omer Faruk Sen

Re: No open relay but allowing authorized dynamic IP clients to postanywhere
        54509 by: Frederik Vermeulen

from /new to /cur
        54510 by: QBA

Qmail and MX records
        54511 by: lluisma
        54525 by: Greg Owen
        54527 by: Mark Delany

Re: thoughts for future qmail
        54512 by: Henning Brauer
        54519 by: Russell Nelson
        54521 by: Mark Delany
        54522 by: Roger Merchberger

how do I block this SPAM?
        54513 by: cfm.maine.com
        54514 by: Mark Delany
        54515 by: Piotr Kasztelowicz
        54517 by: Roger Merchberger
        54520 by: Matthew Patterson
        54523 by: Andrew Hill

Re: how do I block this SPAM? Clarification
        54516 by: cfm.maine.com

VDomains
        54524 by: dharana
        54526 by: Matthew Patterson

Virtual Domain Tools
        54528 by: Aaron Carr

VDomains problem solved! Thanks
        54529 by: dharana

Re: can I use qmail instead of ssmtp?
        54530 by: Ryszard Lach
        54531 by: Stefan Laudat

dummy Q
        54532 by: Yamin Prabudy

Administrivia:

To unsubscribe from the digest, e-mail:
        [EMAIL PROTECTED]

To subscribe to the digest, e-mail:
        [EMAIL PROTECTED]

To bug my human owner, e-mail:
        [EMAIL PROTECTED]

To post to the list, e-mail:
        [EMAIL PROTECTED]


----------------------------------------------------------------------


hello list

I am running qmail-smtpd under tcpserver, and I am using multilog for
logging and maintaining the qmail logs, but I desperately need to log IP
addresses for spam detection. We are running an ISP and we need to find out
the customer who is sending lots of junk mail by relating the IP
address/time in the qmail-smtpd logs with the RADIUS logs.
I think this is the only way I can find out who is sending junk
mail from our mail servers.


thanks & Regards
Prashant Desai





Prashant Desai wrote:
> hello list
>
> I am running qmail-smtpd under tcpserver, and I am using multilog for
> logging and maintaining the qmail logs, but I desperately need to log IP
> addresses for spam detection. We are running an ISP and we need to find out
> the customer who is sending lots of junk mail by relating the IP
> address/time in the qmail-smtpd logs with the RADIUS logs.
> I think this is the only way I can find out who is sending junk
> mail from our mail servers.


I am using standard syslog, and this is my startup line for qmail
(all on one line):

/usr/local/bin/tcpserver -R -H -x/etc/tcp.smtp.cdb -v -u 7770 -g 2108 0 smtp
/var/qmail/bin/tcp-env /usr/sbin/relaylock /var/qmail/bin/qmail-smtpd >>
/var/log/maillog 2>&1 &

I am using relaylock, but you can throw away all of this stuff except for
the ending  >> /var/log/maillog 2>&1
This is what makes tcpserver put all its logs into the main maillog, so the
tcp requests are interleaved with the qmail log lines, and you see the IP
addresses.

This is the result in my maillog:

tcpserver: status: 2/40
tcpserver: pid 15544 from 192.168.5.52
tcpserver: ok 15544 mail.fool.com:212.179.48.82:25 :192.168.5.52::3257
Jan  1 14:46:16 mail qmail: 978353176.564144 new msg 16685
Jan  1 14:46:16 mail qmail: 978353176.564284 info msg 16685: bytes 874 from
<[EMAIL PROTECTED]> qp 15546 uid 7770
Jan  1 14:46:16 mail qmail: 978353176.575647 starting delivery 916: msg
16685 to local [EMAIL PROTECTED]
Jan  1 14:46:16 mail qmail: 978353176.575727 status: local 1/10 remote 1/20
Jan  1 14:46:16 mail qmail: 978353176.575779 starting delivery 917: msg
16685 to remote [EMAIL PROTECTED]
Jan  1 14:46:16 mail qmail: 978353176.575824 status: local 1/10 remote 2/20
tcpserver: end 15544 status 0
tcpserver: status: 1/40
Jan  1 14:46:16 mail qmail: 978353176.670452 delivery 916: success:
did_1+0+0/
Jan  1 14:46:16 mail qmail: 978353176.670555 status: local 0/10 remote 2/20

Hope that it helps.














Try filtering the logs through "tai64nlocal" or add "!tai64nlocal" to your
multilog invocation.

Henry

Prashant Desai wrote:

> hello list
>
> I am running qmail-smtpd under tcpserver, and I am using multilog for
> logging and maintaining the qmail logs, but I desperately need to log IP
> addresses for spam detection. We are running an ISP and we need to find out
> the customer who is sending lots of junk mail by relating the IP
> address/time in the qmail-smtpd logs with the RADIUS logs.
> I think this is the only way I can find out who is sending junk
> mail from our mail servers.
>
> thanks & Regards
> Prashant Desai
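Both replies above come down to the same job: decode the TAI64N stamps multilog writes and line the tcpserver connection records up against qmail-send's message records so each accepted message maps to a remote IP and a time window for the RADIUS lookup. The following is an added example, not code from either poster; it assumes both services log through multilog with the `t` option, and the sample log lines are constructed (addresses are placeholders).

```python
"""Correlate tcpserver connection records with qmail-send's message records.

Both services are assumed to log through multilog with the 't' option, so
every line starts with a TAI64N label (@4000000...), the same stamps that
tai64nlocal turns into human-readable time.  Sample input is constructed to
mirror the log lines quoted in the thread; addresses are placeholders.
"""
import re
from datetime import datetime, timezone

TAI64_BASE = 2 ** 62   # TAI64 label of 1970-01-01 00:00:00 TAI


def tai64n_to_unix(label):
    """Decode a TAI64N label into (seconds, nanoseconds).

    Like tai64nlocal running without /etc/leapsecs.dat, this ignores the
    TAI-UTC offset (22 s in 2001), so results read a few seconds late
    unless you subtract that offset yourself.
    """
    if len(label) != 25 or label[0] != "@":
        raise ValueError("not a TAI64N label: %r" % label)
    return int(label[1:17], 16) - TAI64_BASE, int(label[17:], 16)


def unix_to_text(secs, nanos=0):
    """Render a timestamp the way tai64nlocal does (here in UTC, not local time)."""
    stamp = datetime.fromtimestamp(secs, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return "%s.%09d" % (stamp, nanos)


def tai64n_to_local(label):
    return unix_to_text(*tai64n_to_unix(label))


PID_FROM = re.compile(r"tcpserver: pid (\d+) from (\S+)")
SESSION_END = re.compile(r"tcpserver: end (\d+) status (\d+)")
INFO_MSG = re.compile(r"info msg (\d+): bytes (\d+) from <([^>]*)> qp (\d+)")


def sessions_from_logs(smtpd_lines, send_lines):
    """Merge the two logs by timestamp and return one record per SMTP session:
    {pid, ip, start, end, msgs}, where msgs lists the qmail-send 'info msg'
    records accepted while that connection was open."""
    merged = []
    for line in list(smtpd_lines) + list(send_lines):
        label, _, rest = line.partition(" ")
        merged.append((tai64n_to_unix(label), rest))
    merged.sort(key=lambda item: item[0])   # stable: ties keep smtpd lines first

    open_by_pid, closed = {}, []
    for (secs, _nanos), rest in merged:
        m = PID_FROM.search(rest)
        if m:
            open_by_pid[m.group(1)] = {"pid": m.group(1), "ip": m.group(2),
                                       "start": secs, "end": None, "msgs": []}
            continue
        m = SESSION_END.search(rest)
        if m and m.group(1) in open_by_pid:
            session = open_by_pid.pop(m.group(1))
            session["end"] = secs
            closed.append(session)
            continue
        m = INFO_MSG.search(rest)
        if m:
            # The 'qp' pid belongs to qmail-queue, not to tcpserver's child, so
            # the join is on time: attribute the message to every connection
            # open at that instant.  One open connection gives an exact match;
            # several give a short candidate list of IPs for the RADIUS lookup.
            record = {"msg": m.group(1), "bytes": int(m.group(2)),
                      "from": m.group(3), "qp": m.group(4)}
            for session in open_by_pid.values():
                session["msgs"].append(record)
    closed.extend(open_by_pid.values())   # connections still open at end of log
    return closed


# Constructed sample logs: the qmail-smtpd/tcpserver log and the qmail-send log.
SMTPD_LOG = """\
@400000003a507c1805f5e100 tcpserver: status: 2/40
@400000003a507c1805f5e100 tcpserver: pid 15544 from 192.168.5.52
@400000003a507c1805f5e100 tcpserver: ok 15544 mail.example.com:203.0.113.25:25 :192.168.5.52::3257
@400000003a507c1921a0d6b8 tcpserver: end 15544 status 0
@400000003a507c1921a0d6b8 tcpserver: status: 1/40
"""
SEND_LOG = """\
@400000003a507c1821a0d6b8 new msg 16685
@400000003a507c1821a0d6b8 info msg 16685: bytes 874 from <sender@example.net> qp 15546 uid 7770
@400000003a507c1821a0d6b8 starting delivery 916: msg 16685 to local alice@example.com
@400000003a507c1821a0d6b8 status: local 1/10 remote 0/20
"""

if __name__ == "__main__":
    for s in sessions_from_logs(SMTPD_LOG.splitlines(), SEND_LOG.splitlines()):
        # One line per connection: the IP and window to match against RADIUS accounting.
        print("%s  %s .. %s  msgs=%s" % (
            s["ip"], unix_to_text(s["start"]), unix_to_text(s["end"]),
            ",".join(m["msg"] for m in s["msgs"]) or "-"))
```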




How can I find a POP3 daemon that supports mailbox format for a Mailbox file
that resides in the user's home dir? LWQ (Life with qmail) says there is a
patch for qpopper, but it is for 2.53 (which is old enough). There is now a
qpopper3.1.2.tar.gz version.
Any suggestions are welcome.


Additionally, LWQ says that if a user has no .qmail file, mail bounces to the
owner (the one who sends mail). But I have managed to send mail to a user that has
no .qmail file. I use Mailbox format for now. I will switch to Maildir
later. Can that make a conflict with LWQ?

Omer Faruk Sen
Yildiz University
Electronical & Communicational Eng.





Geza I. Mark <[EMAIL PROTECTED]> wrote:
>The users access the
>Internet using their various ISPs where they have
>dynamic IP numbers. They are authenticated by their
>individual SSL certificates.
>
>The requirement would be to allow the users to send
>mail to anywhere and to receive mail from anywhere
>while still preventing the machine from becoming an open relay.
>
>My idea is the following. I'd set up two copies of qmail,

It is possible with a single qmail implementing RFC2487 (STARTTLS).
Qmail-smtpd will then relay mail iff the connection is
authenticated with an SSL certificate, otherwise only mail to
local users will be accepted.

I have been experimenting with that and have a patch on
http://www.esat.kuleuven.ac.be/~vermeule/qmail/tls.patch
(server temporarily down, should be back tomorrow).

Regards,

Frederik




Hi,

I'm not sure if my question is appropriate (or maybe I should
mail it to the mutt users mailing list - but I'm not subscribed and hope
I won't have to). I'd like mutt to show me only new messages in my
mailbox (which is in Maildir format). I mean, now when I get new mail
from localhost it is put into the Maildir, and other messages are sorted by
procmail and stored in various files. But I'm curious whether it is possible
to move read messages from dir /Maildir/new to dir /Maildir/cur.
I'd like to see only really new messages when I start mutt, and the others
to be placed in the /cur dir so I don't see them once they are read.
And of course to do it automatically after reading mail and exiting this
mailbox.
If you have any ideas, please let me know.
Thank you in advance,

Qba




I have this problem that when Qmail tries to deliver a message I get this
error:

Connected to 152.x.x.x but greeting failed.
Remote host said: 521 VHAISHEXCI.x.x.gov access denied
I'm not going to try again; this message has been in the queue too long.



I expected Qmail to then attempt delivery to the next-priority MX. It doesn't, and
eventually sends me a message back that it couldn't deliver the message. My other
sendmail gateway does deliver to the next mail server in line according to MX
priorities. In the case of the above error, is Qmail's behavior the correct one?
That is, are there any error conditions such as the above for which the correct
behavior is to completely stop delivery without attempting a connection to a
backup mail server (per MX)?

Thanks in advance.

LLU





> I have this problem that when Qmail tried to deliver a 
> message and have this
> error:
> 
> Connected to 152.x.x.x but greeting failed.
> Remote host said: 521 VHAISHEXCI.x.x.gov access denied
> I'm not going to try again; this message has been in the 
> queue too long.
> 
...
> 
> I expected Qmail to then attempt delivery to the next 
> priority MX. It doesn't and eventually sends me a message

        Qmail only backs off to the next MX if it is unable to reach the
first MX.  In this case, it reached the first MX, started a conversation
with the SMTP server there, and was told to bugger off.

        I don't agree with qmail's handling of this case, but it is arguably
fully legal.  I think the standard response here runs "If their mail server
isn't willing to accept email, why is it responding to port 25?"

-- 
        gowen -- Greg Owen -- [EMAIL PROTECTED]
              SoftLock.com is now DigitalGoods!
 




On Mon, Jan 01, 2001 at 08:47:39PM -0500, Greg Owen wrote:
> > I have this problem that when Qmail tried to deliver a 
> > message and have this
> > error:
> > 
> > Connected to 152.x.x.x but greeting failed.
> > Remote host said: 521 VHAISHEXCI.x.x.gov access denied
> > I'm not going to try again; this message has been in the 
> > queue too long.
> > 
> ...
> > 
> > I expected Qmail to then attempt delivery to the next 
> > priority MX. It doesn't and eventually sends me a message
> 
>       Qmail only backs off to the next MX if it is unable to reach the
> first MX.  In this case, it reached the first MX, started a conversation
> with the SMTP server there, and was told to bugger off.
> 
>       I don't agree with qmail's handling of this case, but it is arguably
> fully legal.  I think the standard response here runs "If their mail server
> isn't willing to accept email, why is it responding to port 25?"

I agree with Greg on the latter point, but not the former. As he says,
if the first preference MX says "bugger off" who is more authoritative
than that?

We all know that secondary MX systems tend to know much less about the
domain than the primary does. Consequently a secondary MX *is* likely
to accept such mail, but largely because it has no clue about what the
ultimate destination thinks.

I recall that this technique is meant to be an anti-spam measure. Can
someone remind me as to how it works and how effective it is - because
the real benefit escapes me?


Regards.





Am Montag,  1. Januar 2001 02:15 schrieb Dan Peterson:

> As someone else said, it might be better to reply to the list to get other
> people interested in implementing QMTP--I have implemented it for the 7
> domains I control. I hope more people get interested; it would be nice to
> see QMTP widely used.

I've implemented qmtp for all domains we are hosting (a lot), and according 
to Russell, I was the first one ;-))

Even with implementing this in our management system and opening up the ports 
in our firewalls it was less than half an hour of work, so qmail admins out 
here: do it.

Greetings

Henning

-- 

Henning Brauer         |  BS Web Services
Hostmaster BSWS        |  Roedingsmarkt 14
[EMAIL PROTECTED]     |  20459 Hamburg
www.bsws.de            |  Germany




Henning Brauer writes:
 > I've implemented qmtp for all domains we are hosting (a lot), and according 
 > to Russell, I was the first one ;-))
 > 
 > Even with implementing this in our management system and opening up the ports 
 > in our firewalls it was less than half an hour of work, so qmail admins out 
 > here: do it.

Yup.  It *is* terribly easy.  And I've got a qmtp-savvy qmail-remote
nearly coded up.  Just a matter of figuring out how to report results
back to qmail-rspawn.  But I'm not going to release it until I get
another ten qmtpd installation reports.  No point, right?

-- 
-russ nelson <[EMAIL PROTECTED]>  http://russnelson.com | A steak, bacon
Crynwr sells support for free software  | PGPok | and cheese sandwich is
521 Pleasant Valley Rd. | +1 315 268 1925 voice | offensive to every major
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | religion.




> Yup.  It *is* terribly easy.  And I've got a qmtp-savvy qmail-remote
> nearly coded up.  Just a matter of figuring out how to report results
> back to qmail-rspawn.  But I'm not going to release it until I get
> another ten qmtpd installation reports.  No point, right?

What if the first ten did it twice, would that count :>


Regards.




On or about 03:56 PM 1/1/01 -0500, Russell Nelson was caught in a dark
alley speaking these words:
>Henning Brauer writes:
> > I've implemented qmtp for all domains we are hosting (a lot), and according
> > to Russell, I was the first one ;-))
> >
> > Even with implementing this in our management system and opening up the ports
> > in our firewalls it was less than half an hour of work, so qmail admins out
> > here: do it.
>
>Yup.  It *is* terribly easy.  And I've got a qmtp-savvy qmail-remote
>nearly coded up.  Just a matter of figuring out how to report results
>back to qmail-rspawn.  But I'm not going to release it until I get
>another ten qmtpd installation reports.  No point, right?

I have your "instruction" email labeled in Eudora, but it may take me a few
days to get running... I *just* got around to installing that netscape
patch that a customer wanted... oh... 9 months ago or so... :-/

I should have it up & running this week, tho...

I'll email you when it's ready. (It may take me longer than the customary
1/2 hour - it seems supervise isn't running on my system, therefore I must
install it...)

Happy New Year,
Roger "Merch" Merchberger
=====
Roger "Merch" Merchberger -- [EMAIL PROTECTED]
SysAdmin - Iceberg Computers
=====  Merch's Wild Wisdom of the Moment:  =====
Sometimes you know, you just don't know sometimes, you know?





We're getting dozens of these SPAM now every day just on a single
admin account.  There is a flood going to user mail boxes too.

I've not been successful blocking it with badmailfrom or
badmailpatterns.  procmail yes, but I'd rather push them
back.  It's coming from all over the place.  We're running
qmail-1.03 with the SPAMCONTROL patch.  Can anyone help me
with this please?

Thanks,
cfm


From MAILER-DAEMON Mon Jan 01 18:30:53 2001
Return-Path: <>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 6035 invoked from network); 1 Jan 2001 18:30:52 -0000
Received: from gray.maine.com (204.176.0.13)
  by sooshi.maine.com with SMTP; 1 Jan 2001 18:30:52 -0000
Received: (qmail 13886 invoked by uid 64010); 1 Jan 2001 18:19:29 -0000
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 13883 invoked from network); 1 Jan 2001 18:19:28 -0000 
Received: from rly-ip02.mx.aol.com (152.163.225.160)
  by gray.maine.com with SMTP; 1 Jan 2001 18:19:28 -0000
Received: from tot-tg1-th.proxy.aol.com (tot-tg1-th.proxy.aol.com [152.163.213.3])
          by rly-ip02.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0)
          with ESMTP id NAA12608 for <[EMAIL PROTECTED]>;
          Mon, 1 Jan 2001 13:18:49 -0500 (EST)
Received: from oemcomputer (AC928F2E.ipt.aol.com [172.146.143.46])
        by tot-tg1-th.proxy.aol.com (8.10.0/8.10.0) with SMTP id f01IIR421070
        for <[EMAIL PROTECTED]>; Mon, 1 Jan 2001 13:18:27 -0500 (EST)
Date: Mon, 1 Jan 2001 13:18:27 -0500 (EST)
Message-Id: <[EMAIL PROTECTED]>
From: Hahaha <[EMAIL PROTECTED]>
Subject: Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VER0HE7WPQVW9YB0567WDEZOLYVKLM3S1"
X-Apparently-From: [EMAIL PROTECTED]

--

Jan  1 13:19:28 gray qmail: 978373168.993475 new msg 217092
Jan  1 13:19:28 gray qmail: 978373168.995066 info msg 217092: bytes 35410 from <> qp 
13883 uid 71
Jan  1 13:19:29 gray qmail: 978373169.065436 starting delivery 14530: msg 217092 to 
local [EMAIL PROTECTED]
Jan  1 13:19:29 gray qmail: 978373169.066836 status: local 2/10 remote 0/20



-- 

Christopher F. Miller, Publisher                             [EMAIL PROTECTED]
MaineStreet Communications, Inc         208 Portland Road, Gray, ME  04039
1.207.657.5078                                       http://www.maine.com/
Content management, electronic commerce, internet integration, Debian linux




badmailfrom won't work on this. See the archives for discussions on
why not (it checks Return-Path).

Perhaps speak to [EMAIL PROTECTED] as it looks to be originating in there.


Regards.


On Mon, Jan 01, 2001 at 02:21:58PM -0500, [EMAIL PROTECTED] wrote:
> 
> We're getting dozens of these SPAM now every day just on a single
> admin account.  There is a flood going to user mail boxes too.
> 
> I've not been successful blocking it with badmailfrom or
> badmailpatterns.  procmail yes, but I'd rather push them
> back.  It's coming from all over the place.  We're running
> qmail-1.03 with the SPAMCONTROL patch.  Can anyone help me
> with this please?
> 
> Thanks,
> cfm
> 
> 
> From MAILER-DAEMON Mon Jan 01 18:30:53 2001
> Return-Path: <>
> Delivered-To: [EMAIL PROTECTED]
> Received: (qmail 6035 invoked from network); 1 Jan 2001 18:30:52 -0000
> Received: from gray.maine.com (204.176.0.13)
>   by sooshi.maine.com with SMTP; 1 Jan 2001 18:30:52 -0000
> Received: (qmail 13886 invoked by uid 64010); 1 Jan 2001 18:19:29 -0000
> Delivered-To: [EMAIL PROTECTED]
> Received: (qmail 13883 invoked from network); 1 Jan 2001 18:19:28 -0000 
> Received: from rly-ip02.mx.aol.com (152.163.225.160)
>   by gray.maine.com with SMTP; 1 Jan 2001 18:19:28 -0000
> Received: from tot-tg1-th.proxy.aol.com (tot-tg1-th.proxy.aol.com [152.163.213.3])
>           by rly-ip02.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0)
>           with ESMTP id NAA12608 for <[EMAIL PROTECTED]>;
>           Mon, 1 Jan 2001 13:18:49 -0500 (EST)
> Received: from oemcomputer (AC928F2E.ipt.aol.com [172.146.143.46])
>         by tot-tg1-th.proxy.aol.com (8.10.0/8.10.0) with SMTP id f01IIR421070
>         for <[EMAIL PROTECTED]>; Mon, 1 Jan 2001 13:18:27 -0500 (EST)
> Date: Mon, 1 Jan 2001 13:18:27 -0500 (EST)
> Message-Id: <[EMAIL PROTECTED]>
> From: Hahaha <[EMAIL PROTECTED]>
> Subject: Snowhite and the Seven Dwarfs - The REAL story!
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary="--VER0HE7WPQVW9YB0567WDEZOLYVKLM3S1"
> X-Apparently-From: [EMAIL PROTECTED]
> 
> --
> 
> Jan  1 13:19:28 gray qmail: 978373168.993475 new msg 217092
> Jan  1 13:19:28 gray qmail: 978373168.995066 info msg 217092: bytes 35410 from <> qp 
>13883 uid 71
> Jan  1 13:19:29 gray qmail: 978373169.065436 starting delivery 14530: msg 217092 to 
>local [EMAIL PROTECTED]
> Jan  1 13:19:29 gray qmail: 978373169.066836 status: local 2/10 remote 0/20
> 
> 
> 
> -- 
> 
> Christopher F. Miller, Publisher                             [EMAIL PROTECTED]
> MaineStreet Communications, Inc         208 Portland Road, Gray, ME  04039
> 1.207.657.5078                                       http://www.maine.com/
> Content management, electronic commerce, internet integration, Debian linux




On 1 Jan 2001, Mark Delany wrote:

> badmailfrom won't work on this. See the archives for discussions on
> why not (it checks Return-Path).

Not a good idea: on the ORBS spammers' list can be found people who
don't write spam - for instance me.

Each admin or group of admins should make their own "blacklist"
- for me this is the best method. The hosts which relay spam
should be listed in the tcpserver control file as deny (if SMTP
is used with tcpserver, which is recommended) on each mail server
in the domain (the secondary MX too).

For instance, the file tcp.smtp can look like:

my.host:allow;RELAYCLIENT=""
bad.host:deny
:allow

Piotr
---
Piotr Kasztelowicz                 <[EMAIL PROTECTED]>
[http://www.am.torun.pl/~pekasz]





On or about 08:50 PM 1/1/01 +0100, Piotr Kasztelowicz was caught in a dark
alley speaking these words:
>On 1 Jan 2001, Mark Delany wrote:
>
>> badmailfrom won't work on this. See the archives for discussions on
>> why not (it checks Return-Path).
>
>Not good idea on ORBS spamer's list can be found peoples, who
>don't write spam - for instace I.

The problem is, this isn't spam -- it's a virus. If you start blocking IPs
from wherever you get this, you will start blocking a *lot* of non-relaying
sites. This isn't relaying. This is a case of honest (albeit IMNSHO
clueless) people sending out a copy of a virus they don't know they have.

The virus sending out copies of itself to known good email addresses isn't
my major problem, tho. The virus also sends itself to godawful strings of
non-Internet related characters (like "<a>slkjjsdl@#.jskd") which is
causing a very high load of double-bounces - with me being the postmaster,
I'm getting a very large (to the order of 2-5 every *second*) number of
these in my mailbox.

One bad thing about this virus is it wipes out (almost) every piece of
useful data that you could use to track down the person who has the virus.
The only useful stuff is what qmail logs - namely the HELO string, the
originating IP address & time. (And the HELO string is useless if the user
doesn't change the "Host" DNS setting from "oemcomputer" to the user's real
ID.)

Now, a .qmail file which filters on that idiot "[EMAIL PROTECTED]" and
either a) sends that mail to the bit-bucket (which is by now overflowing...
:-) or b) filters out the Received: header with the HELO line in it and
stuffs it into a separate file would be a great boon...

If I have a chance I'll bone up on .qmail files (one thing I don't like
about qmail is it doesn't crash. "Set it and forget it" which is what
usually happens... ;-) and write it myself, but I don't have the time just
yet.

I do have a perl script somewhere that does the HELO filter in (b) above,
but it's a separate proggie - not an inline filter. (Oh, on larger files,
it won't run under NT's perl, either. Hope you have a *nix box handy...)

HTH,
Roger "Merch" Merchberger
=====
Roger "Merch" Merchberger -- [EMAIL PROTECTED]
SysAdmin - Iceberg Computers
=====  Merch's Wild Wisdom of the Moment:  =====
Sometimes you know, you just don't know sometimes, you know?
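Roger's filter (b) above, as an added example (not his Perl script and not code from the original post): unfold the header block, decode the Received line that our own qmail-smtpd wrote to recover the HELO string, reverse-DNS name and originating IP, and key on the fixed From display name and Subject. The sample message is constructed from the header shapes quoted in the thread; the sender address is a placeholder.

```python
"""Extract the HELO name and originating IP from the Received header that our
own qmail-smtpd added, and flag messages by the From/Subject the worm uses.

Added example.  The sample message is constructed from the headers quoted in
the thread; the sender address is a placeholder.
"""
import re

# qmail-smtpd writes:
#   Received: from <reverse-dns> (HELO <helo>) (<ip>)
#     by <our-host> with SMTP; <date>
# and omits "(HELO ...)" when the HELO name equals the reverse-DNS name.
# The HELO name is whatever the client sent: treat it as untrusted data.
QMAIL_RECEIVED = re.compile(
    r"^from (?P<rdns>\S+)(?: \(HELO (?P<helo>[^)]*)\))? \((?P<ip>[^)]+)\)"
    r" by (?P<by>\S+) with E?SMTP; (?P<date>.+)$")


def parse_headers(raw):
    """Return [(name, value)] for the header block, unfolding continuation lines."""
    headers = []
    for line in raw.split("\n"):
        if line.strip() == "":
            break                                   # blank line ends the headers
        if line[0] in " \t" and headers:            # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def header(headers, wanted):
    for name, value in headers:
        if name.lower() == wanted.lower():
            return value
    return None


def originating_hop(headers, our_host):
    """Decode the Received line written by our_host's qmail-smtpd.

    Received headers are read top-down, so the first one naming our host is
    the hop that handed the message to us.  Hops below it were written by
    other systems and can be forged; this one is ours."""
    for name, value in headers:
        if name.lower() != "received":
            continue
        m = QMAIL_RECEIVED.match(value)
        if m and m.group("by") == our_host:
            helo = m.group("helo") if m.group("helo") is not None else m.group("rdns")
            return {"rdns": m.group("rdns"), "helo": helo,
                    "ip": m.group("ip"), "date": m.group("date")}
    return None


def looks_like_hybris(headers):
    """Filter (a): match on the fixed From display name and Subject."""
    frm = header(headers, "From") or ""
    subj = header(headers, "Subject") or ""
    return frm.startswith("Hahaha <") and subj.startswith("Snowhite and the Seven Dwarfs")


def track_record(raw, our_host):
    """Filter (b): one tracking line per worm copy, or None if not the worm."""
    headers = parse_headers(raw)
    if not looks_like_hybris(headers):
        return None
    hop = originating_hop(headers, our_host)
    if hop is None:
        return None
    return "%s helo=%s rdns=%s ip=%s" % (hop["date"], hop["helo"], hop["rdns"], hop["ip"])


# Constructed message; header shapes copied from the thread's second sample.
SAMPLE = """\
Return-Path: <>
Delivered-To: postmaster@example.com
Received: (qmail 14946 invoked by alias); 1 Jan 2001 19:21:05 -0000
Delivered-To: admin@example.com
Received: (qmail 14943 invoked from network); 1 Jan 2001 19:20:56 -0000
Received: from 1087-maine-56k.ime.net (HELO pavilion) (209.90.240.137)
  by gray.maine.com with SMTP; 1 Jan 2001 19:20:56 -0000
From: Hahaha <hahaha@worm.invalid>
Subject: Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VE7K1EZWPU3"

body follows
"""

if __name__ == "__main__":
    # Append the returned line to a separate file from a .qmail delivery instruction.
    print(track_record(SAMPLE, "gray.maine.com"))
```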




The .qmail file idea is a good one, but it has to be put in everyone's .qmail
file on the system. What I would actually recommend is to apply Bruce's
queue-var patch
(http://em.ca/~bruceg/qmail+patches/sources/qmail-1.03-queuevar.patch) and
recompile qmail. Get the latest version of the maildrop package
for the Courier IMAP server (http://download.sourceforge.net/courier) and the
qmail-scanner package
(ftp://qmail-scanner.sourceforge.net/pub/qmail-scanner/qmail-scanner-0.94.tgz).
You will also need Perl 5.005_03+ and the Perl modules Time::HiRes and DB_File.
I know this sounds like a lot of trouble, but it is worth your time in my
opinion. I have implemented this setup on my server and currently it only
filters *.vbs attachments, but I am looking for some other virus software to
plug in there (if anyone knows of any good Unix, esp. Linux, virus scanners to
filter Windows viruses, please let me know), and it saves my you-know-what every time
we hear about companies like Lucent getting killed by I-Love-You and the like.

-- 
***********************************
Matthew H Patterson
Unix Systems Administrator
National Support Center, LLC
Naperville, Illinois, USA
***********************************







[EMAIL PROTECTED] wrote:
> We're getting dozens of these SPAM now every day just on a single
> admin account.  There is a flood going to user mail boxes too.
> 
> I've not been successful blocking it with badmailfrom or
> badmailpatterns.  procmail yes, but I'd rather push them
> back.  It's coming from all over the place.  We're running
> qmail-1.03 with the SPAMCONTROL patch.  Can anyone help me
> with this please?

Note that as mentioned before, this is not SPAM, it's a virus. See
http://www.vet.com.au/html/zoo/descriptions/hybris.htm for more
information.

You can block this quite effectively with qmail-scanner. See
http://qmail-scanner.sourceforge.net/ for more information.

An entry in quarantine-attachments.txt of:

  Hahaha <[EMAIL PROTECTED]>     Virus-From:     Win32.Hybris

would be effective without your having to purchase a virus scanner for
your system.

Cheers,

-- 
Andrew Hill

"Right now, I'd happily snort gunk from the sink if it would take
my brain somewhere away from here...." - JB




On Mon, Jan 01, 2001 at 07:25:49PM +0000, Mark Delany wrote:
> badmailfrom won't work on this. See the archives for discussions on
> why not (it checks Return-Path).
> 
> Perhaps speak to [EMAIL PROTECTED] as it looks to be originating in there.
> 

My mistake, I was unclear.  These are coming to us from all over
the net, presumably from legitimate accounts.  Looks to me like
they - oemcomputer (AC928F2E.ipt.aol.com) in this case - have a 
virus of some sort.  But it is not just that one user.  Below is
another one just in.  Is this just a local "maine" thing or
has anyone else seen it?

Best,
cfm

From MAILER-DAEMON Mon Jan 01 19:32:31 2001
Return-Path: <>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 6104 invoked from network); 1 Jan 2001 19:32:30 -0000
Received: from gray.maine.com (204.176.0.13)
  by sooshi.maine.com with SMTP; 1 Jan 2001 19:32:30 -0000
Received: (qmail 14946 invoked by alias); 1 Jan 2001 19:21:05 -0000
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 14943 invoked from network); 1 Jan 2001 19:20:56 -0000
Received: from 1087-maine-56k.ime.net (HELO pavilion) (209.90.240.137)
  by gray.maine.com with SMTP; 1 Jan 2001 19:20:56 -0000
From: Hahaha <[EMAIL PROTECTED]>
Subject: Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VE7K1EZWPU3"
Status: RO
Content-Length: 31628
Lines: 421

----VE7K1EZWPU3
Content-Type: text/plain; charset="us-ascii"

Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and
polite with Snowhite. When they go out work at mornign, they promissed a 
*huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven
Dwarfs enter...


----VE7K1EZWPU3
Content-Type: application/octet-stream; name="sexy virgin.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="sexy virgin.scr"


> 
> Regards.
> 
> 
> On Mon, Jan 01, 2001 at 02:21:58PM -0500, [EMAIL PROTECTED] wrote:
> > 
> > We're getting dozens of these SPAM now every day just on a single
> > admin account.  There is a flood going to user mail boxes too.
> > 
> > I've not been successful blocking it with badmailfrom or
> > badmailpatterns.  procmail yes, but I'd rather push them
> > back.  It's coming from all over the place.  We're running
> > qmail-1.03 with the SPAMCONTROL patch.  Can anyone help me
> > with this please?
> > 
> > Thanks,
> > cfm
> > 
> > 
> > From MAILER-DAEMON Mon Jan 01 18:30:53 2001
> > Return-Path: <>
> > Delivered-To: [EMAIL PROTECTED]
> > Received: (qmail 6035 invoked from network); 1 Jan 2001 18:30:52 -0000
> > Received: from gray.maine.com (204.176.0.13)
> >   by sooshi.maine.com with SMTP; 1 Jan 2001 18:30:52 -0000
> > Received: (qmail 13886 invoked by uid 64010); 1 Jan 2001 18:19:29 -0000
> > Delivered-To: [EMAIL PROTECTED]
> > Received: (qmail 13883 invoked from network); 1 Jan 2001 18:19:28 -0000 
> > Received: from rly-ip02.mx.aol.com (152.163.225.160)
> >   by gray.maine.com with SMTP; 1 Jan 2001 18:19:28 -0000
> > Received: from tot-tg1-th.proxy.aol.com (tot-tg1-th.proxy.aol.com [152.163.213.3])
> >           by rly-ip02.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0)
> >           with ESMTP id NAA12608 for <[EMAIL PROTECTED]>;
> >           Mon, 1 Jan 2001 13:18:49 -0500 (EST)
> > Received: from oemcomputer (AC928F2E.ipt.aol.com [172.146.143.46])
> >         by tot-tg1-th.proxy.aol.com (8.10.0/8.10.0) with SMTP id f01IIR421070
> >         for <[EMAIL PROTECTED]>; Mon, 1 Jan 2001 13:18:27 -0500 (EST)
> > Date: Mon, 1 Jan 2001 13:18:27 -0500 (EST)
> > Message-Id: <[EMAIL PROTECTED]>
> > From: Hahaha <[EMAIL PROTECTED]>
> > Subject: Snowhite and the Seven Dwarfs - The REAL story!
> > MIME-Version: 1.0
> > Content-Type: multipart/mixed; boundary="--VER0HE7WPQVW9YB0567WDEZOLYVKLM3S1"
> > X-Apparently-From: [EMAIL PROTECTED]
> > 
> > --
> > 
> > Jan  1 13:19:28 gray qmail: 978373168.993475 new msg 217092
> > Jan  1 13:19:28 gray qmail: 978373168.995066 info msg 217092: bytes 35410 from <> 
>qp 13883 uid 71
> > Jan  1 13:19:29 gray qmail: 978373169.065436 starting delivery 14530: msg 217092 
>to local [EMAIL PROTECTED]
> > Jan  1 13:19:29 gray qmail: 978373169.066836 status: local 2/10 remote 0/20
> > 
> > 
> > 
> > -- 
> > 
> > Christopher F. Miller, Publisher                             [EMAIL PROTECTED]
> > MaineStreet Communications, Inc         208 Portland Road, Gray, ME  04039
> > 1.207.657.5078                                       http://www.maine.com/
> > Content management, electronic commerce, internet integration, Debian linux

-- 

Christopher F. Miller, Publisher                             [EMAIL PROTECTED]
MaineStreet Communications, Inc         208 Portland Road, Gray, ME  04039
1.207.657.5078                                       http://www.maine.com/
Content management, electronic commerce, internet integration, Debian linux





----- Original Message ----- 
From: "dharana" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, January 02, 2001 2:10 AM
Subject: VDomains


Hi:
I just wondered how I should set up a server which hosts several virtual
domains. I mean: how can I have qmail handle [EMAIL PROTECTED] and
[EMAIL PROTECTED] differently?

Thanks, and happy new year!

Dharana





I would recommend the vchkpw package at www.inter7.com. It lets you manage
several virtual domains on one machine by using an authentication mechanism
that uses the username and the domain as opposed to just the username.

-- 
***********************************
Matthew H Patterson
Unix Systems Administrator
National Support Center, LLC
Naperville, Illinois, USA
***********************************


On Mon, 01 Jan 2001, dharana wrote:
----- Original Message ----- 
From: "dharana" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, January 02, 2001 2:10 AM
Subject: VDomains


Hi:
I just wondered how I should set up a server which hosts several virtual
domains. I mean: how can I have qmail handle [EMAIL PROTECTED] and
[EMAIL PROTECTED] differently.

Thanks, and happy new year!

Dharana




Does anyone know anywhere to find or happen to have any RPMs for the Inter7
programs QmailAdmin and vpopmail?  I have an RH 7 server, and the Inter7
programs don't seem to want to install in their current format.  I keep
getting the error "no acceptable cc found in $PATH".

Thanks in advance.

Aaron




That's it. Problem solved. Thanks.

dharana





On Sat, Dec 30, 2000 at 02:10:21PM +0200, Christoph Bugel wrote:
> Hi,
> I am using Mutt as my MUA, and I have trouble sending mail. Mutt
> uses an external program (by default sendmail) to send mail. The
> problem is that sendmail isn't good enough, I think, because I
> can't convince it to *change* my From: line to whatever I like.
> I have to do this, because myuser@mybox is not a valid address.
> sendmail has an -f option to rewrite the from: line, but it can
> only be used by 'trusted users'. So what I did was to install
> ssmtp.  This program is very simplistic: it reads stdin, and sends
> mail to a preconfigured smtp server, using (if desired) the from:
> line, as supplied.  So far so good, but I noticed that ssmtp only
> sends to recipients specified on the commandline. CC: and BCC:
> in the mail are ignored. Except for that, ssmtp is just what I
> need: SIMPLE. I don't want to install smtp daemons, mail
> queues, etc, just to be able to *send* mail.

This is not a qmail problem. Set

send-hook .* 'my_hdr From: Real Name <email@domain>'

in your .muttrc file. 

-- 
Ryszard Łach, Internet Designers s.c., Przedmiejska 6-10, 54-201 Wrocław
'echo "" |mail -s "send key pub" [EMAIL PROTECTED]' for my public GPG key




or try 
set sendmail="/var/qmail/bin/qmail-inject [EMAIL PROTECTED]"
in your .muttrc :)

On Tue, Jan 02, 2001 at 08:36:27AM +0100, Ryszard Lach wrote:
> On Sat, Dec 30, 2000 at 02:10:21PM +0200, Christoph Bugel wrote:
> > Hi,
> > I am using Mutt as my MUA, and I have trouble sending mail. Mutt
> > uses an external program (by default sendmail) to send mail. The
> > problem is that sendmail isn't good enough, I think, because I
> > can't convince it to *change* my From: line to whatever I like.
> > I have to do this, because myuser@mybox is not a valid address.
> > sendmail has an -f option to rewrite the from: line, but it can
> > only be used by 'trusted users'. So what I did was to install
> > ssmtp.  This program is very simplistic: it reads stdin, and sends
> > mail to a preconfigured smtp server, using (if desired) the from:
> > line, as supplied.  So far so good, but I noticed that ssmtp only
> > sends to recipients specified on the commandline. CC: and BCC:
> > in the mail are ignored. Except for that, ssmtp is just what I
> > need: SIMPLE. I don't want to install smtp daemons, mail
> > queues, etc, just to be able to *send* mail.
> 
> This is not a qmail problem. Set
> 
> send-hook .* 'my_hdr From: Real Name <email@domain>'
> 
> in your .muttrc file. 
> 
> -- 
> Ryszard Łach, Internet Designers s.c., Przedmiejska 6-10, 54-201 Wrocław
> 'echo "" |mail -s "send key pub" [EMAIL PROTECTED]' for my public GPG key

-- 
Stefan Laudat
-------------
If rabbits feet are so lucky, what happened to the rabbit?




Hi there
I have a situation here.... my server has been flooded by some jerk.
The jerk sent an email to an invalid user in my system, and as postmaster I
received all 2000 junk mails.
Is there a way to restrict incoming mail?
I mean, only 1 mail can get into my system and the others (with the same header
and same size) are rejected?

Yamin
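Two threads in this digest touch the same defender-side problem: the qmail-send log lines quoted by Christopher Miller above, and Yamin's question about 2000 near-identical junk messages landing in the postmaster mailbox. The script below is an added example, not code from the list or from qmail: it parses qmail-send's "info msg" and "starting delivery" lines into per-message records and then groups messages by envelope sender and size, which is the first thing an admin would do to see how big such a flood is before deciding on a block. The sample log is constructed from the quoted lines plus two extra lines, and all addresses are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample, not from a real server: the qmail-send lines quoted in
# the thread above, rejoined onto one line each, plus two extra messages so
# that the flood check has something to group. Addresses are placeholders.
SAMPLE_LOG = """\
Jan  1 13:19:28 gray qmail: 978373168.993475 new msg 217092
Jan  1 13:19:28 gray qmail: 978373168.995066 info msg 217092: bytes 35410 from <> qp 13883 uid 71
Jan  1 13:19:29 gray qmail: 978373169.065436 starting delivery 14530: msg 217092 to local postmaster@example.invalid
Jan  1 13:19:29 gray qmail: 978373169.066836 status: local 2/10 remote 0/20
Jan  1 13:19:40 gray qmail: 978373180.101000 new msg 217093
Jan  1 13:19:40 gray qmail: 978373180.102000 info msg 217093: bytes 35410 from <> qp 13890 uid 71
Jan  1 13:19:41 gray qmail: 978373181.000500 starting delivery 14531: msg 217093 to local postmaster@example.invalid
Jan  1 13:19:55 gray qmail: 978373195.200000 info msg 217094: bytes 1201 from <alice@example.invalid> qp 13899 uid 71
"""

# qmail-send's own timestamp (seconds since the epoch) follows the syslog prefix.
INFO_RE = re.compile(r"qmail: (\d+\.\d+) info msg (\d+): bytes (\d+) from <([^>]*)> qp (\d+) uid (\d+)")
DELIVERY_RE = re.compile(r"qmail: (\d+\.\d+) starting delivery (\d+): msg (\d+) to (local|remote) (\S+)")


def parse_qmail_send_log(text):
    """Map each qmail message number to its envelope data and its deliveries."""
    msgs = {}
    for line in text.splitlines():
        m = INFO_RE.search(line)
        if m:
            ts, msgid, nbytes, sender, qp, uid = m.groups()
            msgs[int(msgid)] = {"ts": float(ts), "bytes": int(nbytes), "sender": sender,
                                "qp": int(qp), "uid": int(uid), "deliveries": []}
            continue
        m = DELIVERY_RE.search(line)
        if m and int(m.group(3)) in msgs:  # skip deliveries whose info line was rotated away
            ts, dlv, msgid, kind, rcpt = m.groups()
            msgs[int(msgid)]["deliveries"].append((int(dlv), kind, rcpt))
    return msgs


def find_floods(msgs, min_count=2):
    """Group messages by (envelope sender, size) and keep groups of at least min_count."""
    groups = defaultdict(list)
    for msgid, rec in sorted(msgs.items()):
        groups[(rec["sender"], rec["bytes"])].append(msgid)
    return {key: ids for key, ids in groups.items() if len(ids) >= min_count}


if __name__ == "__main__":
    for (sender, size), ids in find_floods(parse_qmail_send_log(SAMPLE_LOG)).items():
        print("sender=<%s> bytes=%d messages=%s" % (sender, size, ids))
```

The script only reads the log; it rejects nothing, so it is safe to run against a live /var/log while deciding what to block.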


