Hi there list,
I have been under heavy traffic since Sunday, and it's been using all my
inbound connections.
I have a QMT updated box, running the latest spamdyke:
# qtp-whatami
qtp-whatami v0.3.7 Tue Mar 1 21:14:03 ART 2011
DISTRO=CentOS
OSVER=5.5
QTARCH=x86_64
QTKERN=2.6.18-194.32.1.el5
BUILD_DIST=cnt5064
BUILD_DIR=/usr/src/redhat
This machine's OS is supported and has been tested
Even though spamdyke does not let the spammers relay the mail, I still
get all the connections used, making it very hard for authenticated
users to send mail.
For now I stopped smtpd, but I want to see if you guys have some other
thoughts to solve this.
If I look at the maillog, I see LOTS of entries like these:
Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 201.0.152.106 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:38 mail spamdyke[31071]: FILTER_RBL_MATCH ip: 201.43.79.201 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail spamdyke[31075]: FILTER_BLACKLIST_IP ip: 187.106.1.158 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:38 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:201.250.40.202
Feb 27 14:57:38 mail spamdyke[31080]: FILTER_RBL_MATCH ip: 201.81.74.149 rbl: zen.spamhaus.org
Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70
Feb 27 14:57:39 mail spamdyke[31084]: FILTER_RDNS_RESOLVE ip: 189.106.88.244 rdns: 189106088244.user.veloxzone.com.br
Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.43.79.201
Feb 27 14:57:40 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.106.88.244
Feb 27 14:57:41 mail spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 200.105.97.83 rdns: rev.97.83-telecablecr.com
Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:187.106.1.158
Feb 27 14:57:42 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.0.152.106
Feb 27 14:57:42 mail spamdyke[31094]: FILTER_RBL_MATCH ip: 93.39.224.8 rbl: zen.spamhaus.org
Feb 27 14:57:42 mail vpopmail[31098]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:200.45.73.226
Feb 27 14:57:43 mail spamdyke[31100]: FILTER_RBL_MATCH ip: 189.54.236.113 rbl: zen.spamhaus.org
Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip: 187.119.172.80 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.114.176.151
Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:44 mail vpopmail[31110]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:93.39.224.8
So I guess some botnet is trying to relay mail by guessing a specific
domain user's passwords. Most of the attempts are blocked by RBL
checking, but they still create a connection.
Looking at # cat /var/log/qmail/smtp/current | tai64nlocal
2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 189.6.164.77
2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.myhost.com.ar:11.22.33.44:25 :189.6.164.77::37629
2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 190.172.129.24
2011-03-01 20:54:02.157530500 tcpserver: ok 4881 mail.myhost.com.ar:11.22.33.44:25 :190.172.129.24::14782
2011-03-01 20:54:05.433208500 tcpserver: end 4857 status 0
2011-03-01 20:54:05.433211500 tcpserver: status: 24/25
2011-03-01 20:54:05.433212500 tcpserver: status: 25/25
2011-03-01 20:54:05.433213500 tcpserver: pid 4903 from 189.78.49.139
2011-03-01 20:54:05.433215500 tcpserver: ok 4903 mail.myhost.com.ar:11.22.33.44:25 :189.78.49.139::36877
2011-03-01 20:54:06.075161500 tcpserver: end 4800 status 0
2011-03-01 20:54:06.075164500 tcpserver: status: 24/25
2011-03-01 20:54:06.075165500 tcpserver: status: 25/25
2011-03-01 20:54:06.075166500 tcpserver: pid 4908 from 186.114.65.254
2011-03-01 20:54:06.075168500 tcpserver: ok 4908 mail.myhost.com.ar:11.22.33.44:25 :186.114.65.254::13026
2011-03-01 20:54:06.441699500 tcpserver: end 4821 status 0
2011-03-01 20:54:06.441702500 tcpserver: status: 24/25
2011-03-01 20:54:06.441735500 tcpserver: status: 25/25
You see how it got clogged with incoming connections.
So, any ideas or tips to help me solve this?
For now smtpd is stopped.
Thanks a lot!
-Sergio
---------------------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group
(www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
If you need professional help with your setup, contact them today!
---------------------------------------------------------------------------------
Please visit qmailtoaster.com for the latest news, updates, and packages.
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
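The two logs quoted in the post carry enough to triage this without guessing. As an added example (my own code, not from the original post, QMT or spamdyke), the script below reads maillog lines in the shape of the post's: it groups vchkpw-smtp "password fail" entries by account and counts distinct source hosts, which is what separates a botnet replaying one dictionary word from many addresses from a user mistyping their password; it renders those hosts as tcpserver rules entries; it cross-checks them against spamdyke's FILTER_* rejections; and it counts how often the tcpserver log reported the concurrency limit (the 25/25 lines). The log samples, account names and IPs are constructed to match the post's line formats, and the function names and the min_ips threshold are my own choices.

```python
"""Triage a distributed SMTP AUTH brute force from qmail/vpopmail/spamdyke logs.

Added example, not code from the original post, QMT or spamdyke. The log samples
are constructed in the shape of the post's excerpts with illustrative accounts
and IPs; function names and the min_ips threshold are my own choices.
"""
import re
from collections import defaultdict

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
AUTH_FAIL = re.compile(
    r"vpopmail\[\d+\]: vchkpw-smtp: password fail \(pass: '(?P<pw>[^']*)'\) "
    rf"(?P<acct>\S+?):(?P<ip>{IPV4})")
SPAMDYKE_HIT = re.compile(rf"spamdyke\[\d+\]: (?P<filter>FILTER_\w+) ip: (?P<ip>{IPV4})")
TCPSERVER_STATUS = re.compile(r"tcpserver: status: (?P<cur>\d+)/(?P<max>\d+)")
TCPSERVER_FROM = re.compile(rf"tcpserver: pid \d+ from (?P<ip>{IPV4})")

# Constructed /var/log/maillog excerpt (illustrative data, same line shapes as the post).
MAILLOG = """\
Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 201.0.152.106 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos@example.com:190.158.93.231
Feb 27 14:57:38 mail spamdyke[31071]: FILTER_RBL_MATCH ip: 201.43.79.201 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail spamdyke[31075]: FILTER_BLACKLIST_IP ip: 187.106.1.158 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:38 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodriguez@example.com:201.250.40.202
Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos@example.com:201.82.74.70
Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos@example.com:201.43.79.201
Feb 27 14:57:40 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos@example.com:189.106.88.244
Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodriguez@example.com:187.106.1.158
Feb 27 14:57:42 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos@example.com:201.0.152.106
"""

# Constructed /var/log/qmail/smtp/current excerpt after tai64nlocal (illustrative data).
TCPSERVER_LOG = """\
2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 189.6.164.77
2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.example.com:192.0.2.25:25 :189.6.164.77::37629
2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 190.172.129.24
2011-03-01 20:54:05.433212500 tcpserver: status: 25/25
2011-03-01 20:54:05.433213500 tcpserver: pid 4903 from 189.78.49.139
"""

def parse_auth_failures(maillog):
    """Every vchkpw-smtp failure as (account, source_ip, password_tried)."""
    found = []
    for line in maillog.splitlines():
        m = AUTH_FAIL.search(line)
        if m:
            found.append((m["acct"], m["ip"], m["pw"]))
    return found

def parse_spamdyke_hits(maillog):
    """{source_ip: {filter names}} for every connection spamdyke rejected."""
    hits = defaultdict(set)
    for line in maillog.splitlines():
        m = SPAMDYKE_HIT.search(line)
        if m:
            hits[m["ip"]].add(m["filter"])
    return dict(hits)

def targeted_accounts(failures, min_ips=3):
    """Accounts hit from at least min_ips distinct sources: the botnet signature.
    A user mistyping a password fails from one or two hosts and is not flagged;
    one dictionary word replayed from many hosts is. -> {acct: {"ips", "passwords"}}"""
    by_acct = defaultdict(lambda: {"ips": set(), "passwords": set()})
    for acct, ip, pw in failures:
        by_acct[acct]["ips"].add(ip)
        by_acct[acct]["passwords"].add(pw)
    return {a: d for a, d in by_acct.items() if len(d["ips"]) >= min_ips}

def attacker_ips(failures, targeted):
    """Every source that tried a password against a targeted account."""
    return {ip for acct, ip, _ in failures if acct in targeted}

def tcprules_deny(ips):
    """tcpserver rules lines (tcp.smtp syntax) that drop these hosts at accept time,
    so the slot is released at once instead of being held through banner, AUTH and RBL."""
    return [f"{ip}:deny" for ip in sorted(ips, key=lambda s: tuple(map(int, s.split("."))))]

def concurrency_pressure(tcpserver_log):
    """How often tcpserver's -c limit was hit, and how many distinct hosts connected."""
    limit, saturated, sources = None, 0, set()
    for line in tcpserver_log.splitlines():
        status = TCPSERVER_STATUS.search(line)
        conn = TCPSERVER_FROM.search(line)
        if status:
            limit = int(status["max"])
            if int(status["cur"]) >= limit:
                saturated += 1
        elif conn:
            sources.add(conn["ip"])
    return {"limit": limit, "saturated_events": saturated, "distinct_sources": len(sources)}

if __name__ == "__main__":
    fails = parse_auth_failures(MAILLOG)
    targets = targeted_accounts(fails)
    print({a: sorted(d["ips"]) for a, d in targets.items()})
    print("\n".join(tcprules_deny(attacker_ips(fails, targets))))
    print(concurrency_pressure(TCPSERVER_LOG))
```

Point it at the real files by replacing the two constructed strings with the contents of /var/log/maillog and /var/log/qmail/smtp/current piped through tai64nlocal. The reason for emitting tcprules entries rather than more ip-blacklist lines is visible in the post's own log: spamdyke's FILTER_BLACKLIST_IP and FILTER_RBL_MATCH fire inside qmail-smtpd, after tcpserver has already accepted the connection and counted it against the limit, which is exactly why the rejections still show up as 25/25. A `:deny` rule in tcp.smtp (rebuild the cdb with tcprules afterwards) closes the socket before qmail-smtpd starts. The cross-check `set(parse_spamdyke_hits(...)) & attacker_ips(...)` reproduces what the post's lines show for 201.43.79.201 and 201.0.152.106: an RBL-listed host is rejected on one connection and is back trying AUTH two seconds later. Treat the deny list as a stopgap, since botnet addresses churn; the durable fixes are a higher tcpserver -c limit so a few hundred bots cannot starve legitimate clients, and forcing the guessed accounts to change their passwords.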