Hi,
  FWIW I have some scripts that you can download
from my ftp server in the pub/qtp folder. They are
not all documented but they are reasonably simple
scripts that can be understood easily.

goto
ftp.ycs.com.au
cd /pub/qtp

qtp users are welcome to them but please use
anonymous and your email address to login.

  The scripts are "as is" and work for me. They may need
changes to suit your needs.
  If anyone improves on them I would appreciate knowing.


On 02/03/2011 12:58 PM, Cecil Yother, Jr. wrote:
Tony,

Does this append the existing iptable with the offending IP?

I use fail2ban and it works great.  OSSEC HIDS is a good tool too.  I
use them both actually.

CJ

On 03/01/2011 05:14 PM, Tony White wrote:
Try this at the command line and as root!

iptables -I INPUT -s 11.22.33.44 -j DROP

This will stop him dead in his tracks.
You can use this command for any ip address that gives
you a problem.


On 02/03/2011 11:25 AM, Sergio M wrote:
Hi there list,
I have been under heavy traffic since Sunday, and it's been using all
my inbound connections.
I have a QMT updated box, running the latest spamdyke:
# qtp-whatami
qtp-whatami v0.3.7 Tue Mar  1 21:14:03 ART 2011
DISTRO=CentOS
OSVER=5.5
QTARCH=x86_64
QTKERN=2.6.18-194.32.1.el5
BUILD_DIST=cnt5064
BUILD_DIR=/usr/src/redhat
This machine's OS is supported and has been tested.


Even though spamdyke does not let the spammers relay the mail, I
still get all the connections used, making it very hard for
authenticated users to send mail.
For now I stopped smtpd, but I wanna see if you guys have some other
thoughts to solve this.

If I look at the maillog, I see LOTS of entries like these:
Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 201.0.152.106 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:38 mail spamdyke[31071]: FILTER_RBL_MATCH ip: 201.43.79.201 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail spamdyke[31075]: FILTER_BLACKLIST_IP ip: 187.106.1.158 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:38 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:201.250.40.202
Feb 27 14:57:38 mail spamdyke[31080]: FILTER_RBL_MATCH ip: 201.81.74.149 rbl: zen.spamhaus.org
Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70
Feb 27 14:57:39 mail spamdyke[31084]: FILTER_RDNS_RESOLVE ip: 189.106.88.244 rdns: 189106088244.user.veloxzone.com.br
Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.43.79.201
Feb 27 14:57:40 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.106.88.244
Feb 27 14:57:41 mail spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 200.105.97.83 rdns: rev.97.83-telecablecr.com
Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:187.106.1.158
Feb 27 14:57:42 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.0.152.106
Feb 27 14:57:42 mail spamdyke[31094]: FILTER_RBL_MATCH ip: 93.39.224.8 rbl: zen.spamhaus.org
Feb 27 14:57:42 mail vpopmail[31098]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:200.45.73.226
Feb 27 14:57:43 mail spamdyke[31100]: FILTER_RBL_MATCH ip: 189.54.236.113 rbl: zen.spamhaus.org
Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip: 187.119.172.80 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.114.176.151
Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:44 mail vpopmail[31110]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:93.39.224.8

So I guess some botnet is trying to relay mail by guessing a specific
domain user's passwords. Most of the attempts are blocked by RBL
checking, but that still creates a connection.

Looking at # cat /var/log/qmail/smtp/current | tai64nlocal
2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 189.6.164.77
2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.myhost.com.ar:11.22.33.44:25 :189.6.164.77::37629
2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 190.172.129.24
2011-03-01 20:54:02.157530500 tcpserver: ok 4881 mail.myhost.com.ar:11.22.33.44:25 :190.172.129.24::14782
2011-03-01 20:54:05.433208500 tcpserver: end 4857 status 0
2011-03-01 20:54:05.433211500 tcpserver: status: 24/25
2011-03-01 20:54:05.433212500 tcpserver: status: 25/25
2011-03-01 20:54:05.433213500 tcpserver: pid 4903 from 189.78.49.139
2011-03-01 20:54:05.433215500 tcpserver: ok 4903 mail.myhost.com.ar:11.22.33.44:25 :189.78.49.139::36877
2011-03-01 20:54:06.075161500 tcpserver: end 4800 status 0
2011-03-01 20:54:06.075164500 tcpserver: status: 24/25
2011-03-01 20:54:06.075165500 tcpserver: status: 25/25
2011-03-01 20:54:06.075166500 tcpserver: pid 4908 from 186.114.65.254
2011-03-01 20:54:06.075168500 tcpserver: ok 4908 mail.myhost.com.ar:11.22.33.44:25 :186.114.65.254::13026
2011-03-01 20:54:06.441699500 tcpserver: end 4821 status 0
2011-03-01 20:54:06.441702500 tcpserver: status: 24/25
2011-03-01 20:54:06.441735500 tcpserver: status: 25/25
You see how it got clogged with incoming connections.

So, any ideas or tips to help me solve this?
As for now smtpd is stopped.

thanks a lot!
-Sergio

---------------------------------------------------------------------------------

Qmailtoaster is sponsored by Vickers Consulting Group
(www.vickersconsulting.com)
    Vickers Consulting Group offers Qmailtoaster support and
installations.
      If you need professional help with your setup, contact them today!
---------------------------------------------------------------------------------

     Please visit qmailtoaster.com for the latest news, updates, and
packages.
          To unsubscribe, e-mail:
qmailtoaster-list-unsubscr...@qmailtoaster.com
     For additional commands, e-mail:
qmailtoaster-list-h...@qmailtoaster.com





--
best wishes
  Tony White

Yea Computing Services
http://www.ycs.com.au
4 The Crescent
Yea
Victoria
Australia 3717

Telephone No's
VIC : 03 9008 5614
FAX : 03 9008 5610 (FAX2Email)



IMPORTANT NOTICE

This communication including any file attachments is intended solely for
the use of the individual or entity to whom it is addressed. If you are
not the intended recipient, or the person responsible for delivering
this communication to the intended recipient, please immediately notify
the sender by email and delete the original transmission and its
contents. Any unauthorised use, dissemination, forwarding, printing or
copying of this communication including file attachments is prohibited.
It is your responsibility to scan this communication including any file
attachments for viruses and other defects. To the extent permitted by
law, Yea Computing Services and its associates will not be liable for
any loss or damage arising in any way from this communication including
any file attachments.


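The detection logic Cecil and Tony describe (spot repeated AUTH failures from one source and block it, which fail2ban automates with a filter and jail), as an added example that is not part of this thread or of Qmailtoaster: a Python parser over constructed vpopmail, spamdyke and tcpserver log lines in the formats quoted above. It counts password failures per source IP, lists candidate blocks with the rule Tony posted (returned as text for review, not executed), and reads tcpserver's status lines to confirm the concurrency limit was reached. The sample lines, account names, threshold and documentation-range addresses are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the maillog format quoted in the thread
# (RFC 5737 documentation addresses and example.com accounts; not real data).
SAMPLE_MAILLOG = """\
Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 203.0.113.10 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'guess1') alice@example.com:198.51.100.7
Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'guess2') alice@example.com:198.51.100.7
Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'guess1') bob@example.com:198.51.100.7
Feb 27 14:57:41 mail spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 203.0.113.22 rdns: host.example.net
Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'guess3') bob@example.com:203.0.113.22
Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip: 203.0.113.10 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass: 'guess4') alice@example.com:203.0.113.22
"""

# Constructed sample in the tcpserver (tai64nlocal) format from the thread.
SAMPLE_TCPSERVER = """\
2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 203.0.113.5
2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
2011-03-01 20:54:05.433211500 tcpserver: status: 24/25
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# vpopmail SMTP AUTH failure: "... password fail (pass: '...') user@domain:1.2.3.4"
AUTH_FAIL = re.compile(
    r"vpopmail\[\d+\]: vchkpw-smtp: password fail \(pass: '[^']*'\) "
    rf"(?P<user>\S+@\S+?):(?P<ip>{IPV4})$"
)
# spamdyke verdict: "... FILTER_RBL_MATCH ip: 1.2.3.4 rbl: ..."
SPAMDYKE = re.compile(rf"spamdyke\[\d+\]: (?P<filter>FILTER_\w+) ip: (?P<ip>{IPV4})")
# tcpserver concurrency report: "tcpserver: status: current/limit"
TCPSTATUS = re.compile(r"tcpserver: status: (?P<cur>\d+)/(?P<limit>\d+)")


def summarize(lines):
    """Per-IP AUTH failure counts, the accounts each IP tried, and
    per-(ip, filter) counts of spamdyke rejections."""
    fails, users, filters = Counter(), defaultdict(set), Counter()
    for line in lines:
        m = AUTH_FAIL.search(line.rstrip())
        if m:
            fails[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
            continue
        m = SPAMDYKE.search(line)
        if m:
            filters[(m["ip"], m["filter"])] += 1
    return fails, users, filters


def block_candidates(fails, threshold=3):
    """IPs at or above the failure threshold (assumed value), the decision
    fail2ban's maxretry setting automates."""
    return sorted(ip for ip, n in fails.items() if n >= threshold)


def iptables_rule(ip):
    """The rule Tony posted, returned as text for review rather than run."""
    return f"iptables -I INPUT -s {ip} -j DROP"


def concurrency_peak(lines):
    """Highest concurrent-connection count tcpserver reported and its limit,
    confirming the 'clogged' state Sergio describes; None without status lines."""
    peak = None
    for line in lines:
        m = TCPSTATUS.search(line)
        if m:
            cur, limit = int(m["cur"]), int(m["limit"])
            if peak is None or cur > peak[0]:
                peak = (cur, limit)
    return peak


if __name__ == "__main__":
    fails, users, filters = summarize(SAMPLE_MAILLOG.splitlines())
    for ip in block_candidates(fails):
        print(f"{ip}: {fails[ip]} failures across {sorted(users[ip])}")
        print("   ", iptables_rule(ip))
    for (ip, flt), n in sorted(filters.items()):
        print(f"spamdyke {flt} {ip}: {n}")
    print("tcpserver peak:", concurrency_peak(SAMPLE_TCPSERVER.splitlines()))
```

A fail2ban filter for the same log uses a regex of the same shape with `<HOST>` in place of the IP group; the script's value here is that the per-IP account list shows whether one source is cycling through several mailboxes, and the tcpserver peak shows whether the 25-connection limit, not the password guessing itself, is what locks legitimate users out.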

