Re: looking for a spammer/virii/malware .... on my system

2011-08-18 Thread alexus
ok

su-3.2# tcpdump -nnAvvvw webmail.west.cox.net 'dst host 68.6.19.1 and
(dst port 80 or 443)'
tcpdump: listening on bce0, link-type EN10MB (Ethernet), capture size 96 bytes
Got 0

let's see what I capture...

On Mon, Aug 15, 2011 at 6:19 PM, Paul Schmehl pschmehl_li...@tx.rr.com wrote:
 --On August 15, 2011 2:04:27 PM -0400 alexus ale...@gmail.com wrote:

 I'm personally leaning towards the idea that these headers are being modified and
 that there is no spam leaving my box (I may be wrong of course)

 here is what I did to come up with that thought

 I sent myself an email


 The tcpdump command that Chuck gave you is all you need.  *If* all traffic
 exits your network through your box, you will see anything going to port 25
 *anywhere*.  That should tell you quickly what the problem is, if there is
 one.

 --
 Paul Schmehl, Senior Infosec Analyst
 As if it wasn't already obvious, my opinions
 are my own and not those of my employer.
 ***
 It is as useless to argue with those who have
 renounced the use of reason as to administer
 medication to the dead. Thomas Jefferson
 There are some ideas so wrong that only a very
 intelligent person could believe in them. George Orwell





-- 
http://alexus.org/
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: looking for a spammer/virii/malware .... on my system

2011-08-18 Thread Chuck Swiger
On Aug 18, 2011, at 9:36 AM, alexus wrote:
 su-3.2# tcpdump -nnAvvvw webmail.west.cox.net 'dst host 68.6.19.1 and
 (dst port 80 or 443)'
 tcpdump: listening on bce0, link-type EN10MB (Ethernet), capture size 96 bytes
 Got 0
 
 let's see what I capture...

You're going to capture traffic of people reading webmail from Cox.net.

However, as much as that might be interesting, it is not useful
for detecting outbound spam from a machine or network

Regards,
-- 
-Chuck



looking for a spammer/virii/malware .... on my system

2011-08-15 Thread alexus
I received a SPAM complaint from my ISP and we're trying to figure out
what/where the problem is...

from headers:

Received: from 64.237.55.83 by webmail.west.cox.net; Sun, 14 Aug 2011
18:43:41 -0400

64.237.55.83 is an IP that resides on my box. Obviously I'm not
sending out any spam intentionally, so maybe some of my users do, and
not necessarily intentionally either; it could be a virus or malware or
whatever, it doesn't really matter, I just want to stop it.

so just for now I did this

su-3.2# ipfw add 666 deny ip from any to webmail.west.cox.net via any
00666 deny ip from any to 68.6.19.1
su-3.2#

what else can I do to find who on my system is trying to connect to
remote webmail.west.cox.net?


-- 
http://alexus.org/


Re: looking for a spammer/virii/malware .... on my system

2011-08-15 Thread Chuck Swiger
On Aug 15, 2011, at 10:05 AM, alexus wrote:
 what else can I do to find who on my system is trying to connect to
 remote webmail.west.cox.net?

Monitor your network for SMTP traffic:

  tcpdump -nA -s 0 port 25

If malware is sending out spam, you'll see it and can then use lsof or whatever 
to identify the specific user/process.

Regards,
-- 
-Chuck



Re: looking for a spammer/virii/malware .... on my system

2011-08-15 Thread alexus
I'm personally leaning towards the idea that these headers are being modified and
that there is no spam leaving my box (I may be wrong of course)

here is what I did to come up with that thought

I sent myself an email

-bash-3.2# echo $$ | mail ale...@gmail.com
-bash-3.2#

through google headers I see the following:

Delivered-To: ale...@gmail.com
Received: by 10.68.60.97 with SMTP id g1cs121928pbr;
Mon, 15 Aug 2011 10:52:26 -0700 (PDT)
Received: from mr.google.com ([10.52.21.70])
by 10.52.21.70 with SMTP id t6mr5504300vde.56.1313430746298
(num_hops = 1);
Mon, 15 Aug 2011 10:52:26 -0700 (PDT)
Received: by 10.52.21.70 with SMTP id t6mr3999448vde.56.1313430745493;
Mon, 15 Aug 2011 10:52:25 -0700 (PDT)
Return-Path: r...@alexus.org
Received: from alexus.biz ([64.237.55.83])
by mx.google.com with ESMTPS id co6si13861841vdc.76.2011.08.15.10.52.23
(version=TLSv1/SSLv3 cipher=OTHER);
Mon, 15 Aug 2011 10:52:24 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning
r...@alexus.org does not designate 64.237.55.83 as permitted sender)
client-ip=64.237.55.83;
Authentication-Results: mx.google.com; spf=softfail (google.com:
domain of transitioning r...@alexus.org does not designate
64.237.55.83 as permitted sender) smtp.mail=r...@alexus.org
Received: from alexus.org (lama [64.237.55.83])
by alexus.biz (8.14.4/8.14.3) with ESMTP id p7FHqNvO049613
for ale...@gmail.com; Mon, 15 Aug 2011 13:52:23 -0400 (EDT)
(envelope-from r...@alexus.org)
Received: (from root@localhost)
by alexus.org (8.14.4/8.14.3/Submit) id p7FHqIl1049612
for ale...@gmail.com; Mon, 15 Aug 2011 13:52:18 -0400 (EDT)
(envelope-from root)
Date: Mon, 15 Aug 2011 13:52:18 -0400 (EDT)
From: Charlie Root r...@alexus.org
Message-Id: 201108151752.p7fhqil1049...@alexus.org
To: ale...@gmail.com

49609

I see that whenever mail leaves my box (assuming it left my box in
a standard way) sendmail is involved in the process, and I see the
remote server tried to resolve my IP

while the original email that was provided to me by my ISP doesn't
have any of that... so that makes me think that nothing ever happened
on my box and that my IP in that original email was just manually
added there (without any emails ever leaving my box)


but then again here is scenario #2

a user connects to a remote server not using standard ways but making
a connection to remote webmail.west.cox.net directly (bypassing my
sendmail)
in that case my firewall rule should prevent this user from doing so ever again

then again doing so is not really resolving it (I still don't know
where it originates from, and that's what I want/need to find out)

I'm running apache httpd, so as far as I see it could be pretty much
any site that I host generating that kind of issue

so I'm back to square 1, how do I find it? if it's in PHP it could be the
famous base64_decode();/base64_encode();

and then good luck locating one of those...

any other ideas?


On Mon, Aug 15, 2011 at 1:39 PM, Chuck Swiger cswi...@mac.com wrote:
 On Aug 15, 2011, at 10:05 AM, alexus wrote:
 what else can I do to find who on my system is trying to connect to
 remote webmail.west.cox.net?

 Monitor your network for SMTP traffic:

  tcpdump -nA -s 0 port 25

 If malware is sending out spam, you'll see it and can then use lsof or 
 whatever to identify the specific user/process.

 Regards,
 --
 -Chuck





-- 
http://alexus.org/


Re: looking for a spammer/virii/malware .... on my system

2011-08-15 Thread Robert Bonomi
 From owner-freebsd-questi...@freebsd.org  Mon Aug 15 12:37:33 2011
 Date: Mon, 15 Aug 2011 13:05:15 -0400
 From: alexus ale...@gmail.com
 To: freebsd-questions@freebsd.org
 Subject: looking for a spammer/virii/malware  on my system

 I received a SPAM complaint from my ISP and we're trying to figure out
 what/where the problem is...

 from headers:

 Received: from 64.237.55.83 by webmail.west.cox.net; Sun, 14 Aug 2011
 18:43:41 -0400

 64.237.55.83 is an IP that resides on my box. Obviously I'm not
 sending out any spam intentionally, so maybe some of my users do, and
 not necessarily intentionally either; it could be a virus or malware or
 whatever, it doesn't really matter, I just want to stop it.

 so just for now I did this

 su-3.2# ipfw add 666 deny ip from any to webmail.west.cox.net via any
 00666 deny ip from any to 68.6.19.1
 su-3.2#

 what else can I do to find who on my system is trying to connect to
 remote webmail.west.cox.net?


 -- 
 http://alexus.org/



Re: looking for a spammer/virii/malware .... on my system

2011-08-15 Thread alexus
Robert Bonomi:

I didn't receive anything from you other than part of my own email...

On Mon, Aug 15, 2011 at 2:57 PM, Robert Bonomi bon...@mail.r-bonomi.com wrote:
 From owner-freebsd-questi...@freebsd.org  Mon Aug 15 12:37:33 2011
 Date: Mon, 15 Aug 2011 13:05:15 -0400
 From: alexus ale...@gmail.com
 To: freebsd-questions@freebsd.org
 Subject: looking for a spammer/virii/malware  on my system

 I received a SPAM complaint from my ISP and we're trying to figure out
 what/where the problem is...

 from headers:

 Received: from 64.237.55.83 by webmail.west.cox.net; Sun, 14 Aug 2011
 18:43:41 -0400

 64.237.55.83 is an IP that resides on my box. Obviously I'm not
 sending out any spam intentionally, so maybe some of my users do, and
 not necessarily intentionally either; it could be a virus or malware or
 whatever, it doesn't really matter, I just want to stop it.

 so just for now I did this

 su-3.2# ipfw add 666 deny ip from any to webmail.west.cox.net via any
 00666 deny ip from any to 68.6.19.1
 su-3.2#

 what else can I do to find who on my system is trying to connect to
 remote webmail.west.cox.net?


 --
 http://alexus.org/





-- 
http://alexus.org/


Re: looking for a spammer/virii/malware .... on my system

2011-08-15 Thread Paul Schmehl

--On August 15, 2011 2:04:27 PM -0400 alexus ale...@gmail.com wrote:


I'm personally leaning towards the idea that these headers are being modified and
that there is no spam leaving my box (I may be wrong of course)

here is what I did to come up with that thought

I sent myself an email



The tcpdump command that Chuck gave you is all you need.  *If* all traffic 
exits your network through your box, you will see anything going to port 25 
*anywhere*.  That should tell you quickly what the problem is, if there is 
one.


--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
***
It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead. Thomas Jefferson
There are some ideas so wrong that only a very
intelligent person could believe in them. George Orwell



Spammer

2010-08-16 Thread Ryan Coleman
From:   FreeBSD Mailing List freebsd-questions@freebsd.org
Subject:Re: enabling the fn-f7 switch monitor functionality
Date:   August 16, 2010 9:46:06 AM CDT
To: Ryan Coleman ryan.cole...@cwis.biz
Return-Path:anonym...@dusk.parklogic.com
X-Original-To:  cwis0...@cwis.biz
Delivered-To:   cwis0...@cwis.biz
Received:   from server.cwis.biz (unknown [127.0.0.1]) by 
server.cwis.biz (Postfix) with ESMTP id BE7E0CF0D12 for cwis0...@cwis.biz; 
Mon, 16 Aug 2010 09:46:09 -0500 (CDT)
Received:   from server.cwis.biz ([127.0.0.1]) by server.cwis.biz 
(server.cwis.biz [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 
cNXsIsmXFQuZ for cwis0...@cwis.biz; Mon, 16 Aug 2010 09:46:08 -0500 (CDT)
Received:   from dusk.parklogic.com (allmail.0b2.net [64.38.11.26]) 
by server.cwis.biz (Postfix) with SMTP id CAFA7CF0D10 for 
ryan.cole...@cwis.biz; Mon, 16 Aug 2010 09:46:07 -0500 (CDT)
Received:   (qmail 29964 invoked by uid 511); 16 Aug 2010 14:46:06 
-
X-Quarantine-Id:cNXsIsmXFQuZ
X-Virus-Scanned:amavisd-new at cwis.biz
X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: 
MIME-Version
Message-Id: 20100816144606.29963.qm...@dusk.parklogic.com
In-Reply-To:4736d993-13af-4a17-b2d8-28aafb39d...@cwis.biz
References: 
aanlktinda7x16utq2+mqo5i-oc8ioko66_9q_i0x+...@mail.gmail.com 
4736d993-13af-4a17-b2d8-28aafb39d...@cwis.biz
Mime-Version:   1.0
Mime-Version:   1.0
Content-Type:   text/html; boundary=1281969966.f2DeBD0.29953; 
charset=us-ascii

Dear Sir/Madam,

Your email was unable reach the intended person that you were sending it to.
For more information on our business please click on the following link:
Click here for our website
We look forward to your continued business in the future.

Regards,
Webmaster


[sender's note: don't click the link]



Re: Spammer data mining and www.freebsd.org

2009-11-26 Thread Bill Moran
Ronald F. Guilmette r...@tristatelogic.com wrote:
 
 I just got a spam from some numbnuts spammer who said (in the spam), and I
 quote:
 
 
 Why would anyone still pay recruitment agency fees? Wouldn't you prefer to
 RECRUIT AS MANY PEOPLE per campaign for $499?
 
 Your contact details were on
  'http://www.ca.freebsd.org/doc/en/articles/contributors/article.html#STAFF-COMMITTERS'
 and we thought you should know that, during November, you can RECRUIT
 AS MANY PEOPLE per campaign...
 
 
 Jeezze Louise!
 
 In the first place, I didn't even know that my name or e-mail address were
 listed on that page, and I was really rather surprised to find that they
 were.  Why the bleep am _I_ on there?  Yea, I've hacked free software
 from time to time in my career... more than just a little... but I really
 can't recall having ever ``contributed'' to FreeBSD in any significant or
 meaningful way.  I mean I'm honored to be listed in with such illustrious
 company, but in all modesty, I don't deserve to be.
 
 But anyway, regardless of that, I have to ask: (1) Why the bleep are so
 many e-mail addresses listed on that page in plain text, and without any
 sort of spammer harvesting protection whatsoever?  And (2) who should I
 gripe to about this sorry state of affairs?  webmaster(at)freebsd.org?
 
 I don't expect the email addresses to be protected by captchas or anything
 that convoluted, but the webmaster certainly could have at least replaced
 `@' with `(at)' or some such thing.

You do realize that this email is being archived on any number of online
archives that the FreeBSD project has no control over, and that any of
them may list your email address unobfuscated.

While I can't speak for the project, I feel that obfuscating email
addresses is a weak and obsolete protection from harvesting.  It's trivial
to make a screen-scraper translate (at) to @, and even if the method
of obfuscating is more clever than that, if it's consistent and a larger
number of email addresses are available after breaking it, well ... you
get the idea.

Far better to complain to the ISP where the email originated.  That's
someone who can actually do something about the problem.

-- 
Bill Moran
http://www.potentialtech.com


Spammer data mining and www.freebsd.org

2009-11-25 Thread Ronald F. Guilmette


I just got a spam from some numbnuts spammer who said (in the spam), and I
quote:


Why would anyone still pay recruitment agency fees? Wouldn't you prefer to
RECRUIT AS MANY PEOPLE per campaign for $499?

Your contact details were on
 'http://www.ca.freebsd.org/doc/en/articles/contributors/article.html#STAFF-COMMITTERS'
and we thought you should know that, during November, you can RECRUIT
AS MANY PEOPLE per campaign...


Jeezze Louise!

In the first place, I didn't even know that my name or e-mail address were
listed on that page, and I was really rather surprised to find that they
were.  Why the bleep am _I_ on there?  Yea, I've hacked free software
from time to time in my career... more than just a little... but I really
can't recall having ever ``contributed'' to FreeBSD in any significant or
meaningful way.  I mean I'm honored to be listed in with such illustrious
company, but in all modesty, I don't deserve to be.

But anyway, regardless of that, I have to ask: (1) Why the bleep are so
many e-mail addresses listed on that page in plain text, and without any
sort of spammer harvesting protection whatsoever?  And (2) who should I
gripe to about this sorry state of affairs?  webmaster(at)freebsd.org?

I don't expect the email addresses to be protected by captchas or anything
that convoluted, but the webmaster certainly could have at least replaced
`@' with `(at)' or some such thing.

So did anybody else get that same spam?


locating origin of spammer

2004-09-26 Thread Joseph Koening (jWeb)
I got up this morning and discovered that someone sent some spam through
one of my servers. The messages were sent from the 'www' user on
localhost, which is leading me to think somewhere someone has an insecure
php or perl script that is allowing someone to designate the recipient,
the subject, body, etc. I know the machine is not open-relay (I tested it
to double check) and I checked to make sure no one had actually logged in.
I grepped all of apache's log files looking for sites that received hits
about the same time the mail started going out. What else can I do to find
how the mail is being sent? Thanks,

Joe



Re: locating origin of spammer

2004-09-26 Thread Joseph Koening (jWeb)
Right after I posted this I did locate an old version of formmail.pl and
disabled it until the customer can replace it with a more secure version.
Thanks.

 I got up this morning and discovered that someone sent some spam through
 one of my servers. The messages were sent from the 'www' user on
 localhost, which is leading me to think somewhere someone has an insecure
 php or perl script that is allowing someone to designate the recipient,
 the subject, body, etc. I know the machine is not open-relay (I tested it
 to double check) and I checked to make sure no one had actually logged in.
 I grepped all of apache's log files looking for sites that received hits
 about the same time the mail started going out. What else can I do to find
 how the mail is being sent? Thanks,

 Joe






Re: locating origin of spammer

2004-09-26 Thread Peter Risdon
Joseph Koening (jWeb) wrote:
I got up this morning and discovered that someone sent some spam through
one of my servers. The messages were sent from the 'www' user on
localhost, which is leading me to think somewhere someone has an insecure
php or perl script that is allowing someone to designate the recipient,
the subject, body, etc. I know the machine is not open-relay (I tested it
to double check) and I checked to make sure no one had actually logged in.
I grepped all of apache's log files looking for sites that received hits
about the same time the mail started going out. What else can I do to find
how the mail is being sent? Thanks,
My first act would be to search for formmail.pl or variations thereof in
users' cgi-bins.

There have been some hideous holes in some versions of this Matt's 
Script Archive script.

Peter.

--
the circle squared
network systems and software
http://www.circlesquared.com


Re: locating origin of spammer

2004-09-26 Thread Richard Lynch
Joseph Koening (jWeb) wrote:
 I got up this morning and discovered that someone sent some spam through
 one of my servers. The messages were sent from the 'www' user on
 localhost, which is leading me to think somewhere someone has an insecure
 php or perl script that is allowing someone to designate the recipient,
 the subject, body, etc. I know the machine is not open-relay (I tested it
 to double check) and I checked to make sure no one had actually logged in.
 I grepped all of apache's log files looking for sites that received hits
 about the same time the mail started going out. What else can I do to find
 how the mail is being sent? Thanks,

While this has been resolved for the original poster, for the next guy who
has this problem...

For PHP, one could do something like:

grep -r 'mail.*(' /path/to/htdocs

and find mostly all of the places somebody is using PHP's internal
http://php.net/mail function.

I did that soon after the formmail alert, and made sure that I was
cleaning all the input.

Of course, if some user is doing this maliciously rather than from
ignorance, they could use mail\n( and this grep wouldn't find it...

A grep expert could probably suggest a better expression to use.

-- 
Like Music?
http://l-i-e.com/artists.htm

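The single-line grep above misses a call split across a line break, as Richard notes. As an added example (not from the thread, and not Richard's code), here is a recursive grep that tolerates whitespace and newlines between mail and the opening parenthesis; it assumes GNU grep (for -r, -z and --include) and runs against a constructed sample tree with hypothetical site paths.

```shell
# Added example, not from the thread: find PHP files that call mail() even
# when whitespace or a newline separates the name from the parenthesis,
# which "grep mail.*(" cannot see. Assumes GNU grep.

# -z treats each file as one NUL-terminated record, so [[:space:]]* can span
# a line break; -l prints only the names of matching files. The leading
# group rejects "email_address(" and "$mail(" style false positives.
find_php_mail_calls() {
    grep -rlzE --include='*.php' \
        '(^|[^A-Za-z0-9_$])mail[[:space:]]*\(' "$1"
}

# Constructed sample tree (hypothetical site paths) showing what is caught.
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/site1" "$SAMPLE_DIR/site2" "$SAMPLE_DIR/site3"
# plain call on one line: caught by both greps
printf '<?php mail($to, $subj, $body); ?>\n' > "$SAMPLE_DIR/site1/contact.php"
# call split across a line break: invisible to "grep mail.*(", caught here
printf '<?php mail\n($to, $subj, $body); ?>\n' > "$SAMPLE_DIR/site2/form.php"
# no mail() call: the name only appears inside another identifier
printf '<?php $x = email_address($u); ?>\n' > "$SAMPLE_DIR/site3/clean.php"
# not a .php file, so skipped even though it contains the pattern
printf 'mail(\n' > "$SAMPLE_DIR/site3/notes.txt"

# Lists site1/contact.php and site2/form.php only.
find_php_mail_calls "$SAMPLE_DIR"
```

Each listed file is a place where request input may reach mail(); audit those for unvalidated recipient, subject and header fields.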


global lists virus spammer

2003-09-10 Thread Alin-Adrian Anton
There is a lame virus (probably written in VB judging by the size of the
file) that keeps hitting the SMTP servers, and I noticed it in the
freebsd lists. It has attachments like .pif and .scr.

I also noticed it filled my e-mail box with 67.5 Mb in just 3-4 days. 
Now that was nice. It spreads using impersonated fake e-mail addresses 
but I noticed it is always being sent by the very same IP:
The original message was received on Tue, 09 Sep 2003 23:45:15 +0300
from KLAUS (pD9E8A85B.dip.t-dialin.net [217.232.168.91]

After more than 2 weeks, it still keeps pushing out junk SMTP data, so I
blocked any SMTP coming from that server (via the ipfw hammer tool).

I hope this message will be helpful to all of us. Cheers.

Alin.





System abused by spammer?

2003-03-28 Thread Martin Moeller
Hi list,

I have a vague feeling that some spammer is abusing my sendmail system.

My installation is FreeBSD-CURRENT. Postmaster received some email
saying that some kind of mail cannot be delivered due to configuration
errors. I looked into the mail queue and found this, which definitely
does not belong there!

bsdsi# mailq -v
/var/spool/mqueue (4 requests)
-Q-ID- --Size-- -Priority- ---Q-Time---
Sender/Recipient
h2RGCDrC001502 1993876 Mar 27 17:13 MAILER-DAEMON
 (Deferred: Connection refused by mail.craz-man.com.)
[EMAIL PROTECTED]
 (Deferred: Connection refused by mail.craz-man.com.)
h2RC1iZw004629  2251920349+Mar 27 13:01 [EMAIL PROTECTED]
 (Deferred: Operation timed out with myvzw.com.)
[EMAIL PROTECTED]
 (Deferred: Operation timed out with myvzw.com.)
h2RBpSZw004575 19031951602 Mar 27 12:51 MAILER-DAEMON
 (Deferred: Connection refused by mail.craz-man.com.)
[EMAIL PROTECTED]
 (Deferred: Connection refused by mail.craz-man.com.)
h2RBefZw004533 18612041596 Mar 27 12:40 MAILER-DAEMON
 (Deferred: Connection refused by mail.craz-man.com.)
[EMAIL PROTECTED]
 (Deferred: Connection refused by mail.craz-man.com.)
Total requests: 4

/var/log/maillog also shows some strange entries:

Mar 28 09:39:59 bsdsi sm-mta[1189]: h2RGCDrC001502:
to=[EMAIL PROTECTED], delay=16:26:30, xdelay=0
Mar 28 09:41:15 bsdsi sm-mta[1189]: h2RC1iZw004629:
to=[EMAIL PROTECTED], delay=20:39:30, xdelay=00:01
Mar 28 09:41:15 bsdsi sm-mta[1189]: h2RBpSZw004575:
to=[EMAIL PROTECTED], delay=20:49:47, xdelay=0
Mar 28 09:41:15 bsdsi sm-mta[1189]: h2RBefZw004533:
to=[EMAIL PROTECTED], delay=21:00:34, xdelay=0

etc.

I thought sendmail rejects relaying by default. What can I do?
(HELP!!! (!!!) )

Regards,
Martin

-- 
Martin Möller mm at bsdsi.comhttp://www.bsdsi.com/
GnuPG/PGP DSA ID: 0x3C979285  ICQ # 82221572
I do not accept unsolicited commercial mail. Do not spam me!


Re: System abused by spammer?

2003-03-28 Thread Martin Moeller
* Andrey Simonenko [EMAIL PROTECTED] [28.03.03 10:37]:
 There is a relay_based_on_MX feature in Sendmail.  Check if your
 Sendmail has this feature off, and also check if that spammer specified
 your system as MX for his/her domain.

Hi, Andrey!
Thanks for your response. I've taken a look into my sendmail 'mc' file
and found this:

- BEGIN SNIP -

divert(0)
VERSIONID(`$FreeBSD: src/etc/sendmail/freebsd.mc,v 1.27 2002/10/16
22:52:56 keramida Exp $')
OSTYPE(freebsd5)
DOMAIN(generic)

FEATURE(access_db, `hash -o -TTMPF /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')

dnl Uncomment to allow relaying based on your MX records.
dnl NOTE: This can allow sites to use your server as a backup MX without
dnl   your permission.
dnl FEATURE(relay_based_on_MX)

- END SNIP -

Looks as if it's disabled.

newbie_question()
{
BTW, how can I check if somebody specifies me as his MX? ;-)
}

Regards,
Martin
-- 
Martin Möller mm at bsdsi.comhttp://www.bsdsi.com/
GnuPG/PGP DSA ID: 0x3C979285  ICQ # 82221572
I do not accept unsolicited commercial mail. Do not spam me!


Re: System abused by spammer?

2003-03-28 Thread Victor Bondarenko
On Fri, Mar 28, 2003 at 10:51:06AM +0100, Martin Moeller wrote:
 BTW, how can I check if somebody specifies me as his MX? ;-)

$ host -t mx theirdomainname.com

Will give you a list of the MXs they specified for their domain.  Of
course getting the spammer's real domain is a bit more involved.

If you're still not sure if someone is relaying through your mail server:
http://www.geocities.com/spamresources/tools.htm#relay

Victor

-- 
[EMAIL PROTECTED]


Re: System abused by spammer?

2003-03-28 Thread Andrey Simonenko
On Fri, 28 Mar 2003 09:06:21 + (UTC) in lucky.freebsd.questions, Martin Moeller 
wrote:

 I thought sendmail rejects relaying by default. What can I do?
 (HELP!!! (!!!) )
 

There is a relay_based_on_MX feature in Sendmail.  Check if your
Sendmail has this feature off, and also check if that spammer specified
your system as MX for his/her domain.

Hope this will help.


Re: How to stop SPAMMER??!

2002-11-11 Thread W. D.
At 09:00 11/11/2002, Joan Picanyol i Puig wrote:
* W. D. [EMAIL PROTECTED] [20021110 14:00]:
 lrwxr-xr-x  1 root  wheel33 Dec 10  2001 sendmail - 
/usr/local/psa/qmail/bin/sendmail
 
 Using qmail.  How to configure to avoid spam?  What is the name of
 configuration file?
You did _NOT_ install qmail following the instructions. 

You are right.  I didn't install it at all!  It was installed as 
per Plesk Server Administrator:
http://www.Google.com/search?q=qmail+site%3APlesk.com
I'll check deeper into this.

qmail is to be
installed in /var/qmail. qmail's standard install instructions do not
configure an open relay, you have done it yourself.

Please:

1.- close port 25 while reconfiguring qmail

How?


2.- reinstall qmail. The Way To Go instructions are found at
http://www.lifewithqmail.org. Follow these instructions _to the letter_

Thanks for this link!


3.- open port 25 for a safe and reliable email server

qvb
-- 
pica

To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message

Start Here to Find It Fast!© - http://www.US-Webmasters.com/best-start-page/





Re: How to stop SPAMMER??!

2002-11-11 Thread Joan Picanyol i Puig
 1.- close port 25 while reconfiguring qmail
 
 How?
It depends. Find out who is listening in port 25 (lsof). Kill it. Make
sure it doesn't restart.

qvb
-- 
pica




Re: How to stop SPAMMER??!

2002-11-10 Thread Jack L. Stone
At 12:16 AM 11.10.2002 -0600, W. D. wrote:
At 21:17 11/9/2002, Jack L. Stone wrote:
At 03:04 AM 11.10.2002 +0100, Gustaf Sjoberg wrote:
On Sat, 09 Nov 2002 15:13:09 -0600
W. D. [EMAIL PROTECTED] wrote:

either block incoming port 25 connections or set the SMTP server to require
authentication.

ipfw entry could look something like:

add rule# deny log tcp from any to yourip 25 in recv interface

This would completely block SMTP wouldn't it?  I do have clients
on this server using email.





Hi folks,

I've got some bozo from:

SpaWeb1.spaelegance.com..auth

doing all kinds of SMTP activity on my FreeBSD server.  Does anyone
know how to stop this?  What kind of entry would I add to ipfw?

Does anyone know what vulnerability this might be?  How to stop
permanently?


Get the IP of the spammer if possible. I've had to use a total block like
this:
# DENY INTRUDER through external interface
#${fwcmd} add deny all from 66.000.00.000 to any via ${oif}

Where is ${oif} defined?

When I run a command like this it doesn't understand 'fwcmd'.

usw2# {fwcmd} add deny log all from 168.93.100.59/16 to any in via ${oif}
oif: Undefined variable.

usw2# {fwcmd} add deny log all from 168.93.100.59/16 to any in via lo0
fwcmd: Command not found.



Sorry, that was a defined variable in my script:
# Firewall program
fwcmd=/sbin/ipfw

Best regards,
Jack L. Stone,
Administrator

SageOne Net
http://www.sage-one.net
[EMAIL PROTECTED]




Re: How to stop SPAMMER??!

2002-11-10 Thread Warren Block
On Sat, 9 Nov 2002, W. D. wrote:

 At 19:49 11/9/2002, Steve Wingate wrote:

  2. Are you the recipient of spam or is your box being used as a
 relay?
 
 Relay.

If your system is an open relay, close it. I have no idea how to do
that with qmail--a web search will help.

In fact, if your system is an open relay, you should disconnect it from
the net until you have it closed.  There are two reasons for that.  The
first is to stop the abuse of your system.  The second is to keep your
system from being added to lists of open relays or spam sources.
 
-Warren Block * Rapid City, South Dakota USA





RE: How to stop SPAMMER??!

2002-11-10 Thread Derrick Ryalls


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:owner-freebsd-questions;FreeBSD.ORG] On Behalf Of Warren Block
 Sent: Sunday, November 10, 2002 10:50 AM
 To: W. D.
 Cc: [EMAIL PROTECTED]
 Subject: Re: How to stop SPAMMER??!
 
 
 On Sat, 9 Nov 2002, W. D. wrote:
 
  At 19:49 11/9/2002, Steve Wingate wrote:
 
   2. Are you the recipient of spam or is your box being used as a 
  relay?
  
  Relay.
 

http://logicsquad.net/freebsd/qmail-how-to.html

That is the site I used to get a basic qmail system up and running.  The
file which determines who can use qmail to relay is /etc/tcp.smtp

127.0.0.1:allow,RELAYCLIENT=
192.168.1.:allow,RELAYCLIENT=
:allow

The first two lines allow localhost and local network to relay using the
box, the third line I believe allows anyone to send mail to the box.  If
the people using your qmail have fairly static ip addys, then just add
them to this file with the relayclient option.  Ranges of ips are
enabled via dropping the last octet as shown in line two above.  After
modifying tcp.smtp, you need to run this line for tcpserver

/usr/local/bin/tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp


Hope this helps.

 
 In fact, if your system is an open relay, you should 
 disconnect it from the net until you have it closed.  There 
 are two reasons for that.  The first is to stop the abuse of 
 your system.  The second is to keep your system from being 
 added to lists of open relays or spam sources.
  
 -Warren Block * Rapid City, South Dakota USA
 
 
 



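The lookup tcpserver performs against that file, as an added example written for this page (it is not code from the thread or from ucspi-tcp): it reproduces the first-match order for IP-address rules, the exact address first, then shorter and shorter dotted prefixes, then the empty default address, and adds a check for the one mistake that turns the box into an open relay, a default line that carries RELAYCLIENT. The rule set is constructed from the three lines quoted above plus a deny line for the offending network. The hostname (=host) and ident (info@) rule forms are not modelled, and the behaviour when no rule matches at all is an assumption about tcpserver, noted in the code.

```python
"""Evaluate a ucspi-tcp tcp.smtp rule file the way tcpserver resolves a client IP.

Added example: this is not code from the thread or from ucspi-tcp.  Only the
IP-address rule forms are modelled (exact address, dotted prefix, and the
empty default address); the =host and info@ forms are ignored.
"""

# Constructed rule set: the three lines quoted in the thread plus a deny
# line for the offending network.  ':allow' with no RELAYCLIENT lets a
# client connect and deliver to local domains only.
TCP_SMTP_RULES = """\
127.0.0.1:allow,RELAYCLIENT=
192.168.1.:allow,RELAYCLIENT=
168.93.100.:deny
:allow
"""


def parse_rules(text):
    """Return {address: (action, env)} from tcprules-style text."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        addr, _, rest = line.partition(':')
        fields = rest.split(',')
        action = fields[0].strip()
        if action not in ('allow', 'deny'):
            raise ValueError('bad instruction in rule: %r' % raw)
        env = {}
        for item in fields[1:]:
            name, _, value = item.partition('=')
            env[name.strip()] = value.strip().strip('"')
        rules[addr.strip()] = (action, env)
    return rules


def candidate_keys(ip):
    """Keys tcpserver tries, in order: full IP, 'a.b.c.', 'a.b.', 'a.', ''."""
    octets = ip.split('.')
    keys = [ip]
    for n in range(len(octets) - 1, 0, -1):
        keys.append('.'.join(octets[:n]) + '.')
    keys.append('')
    return keys


def lookup(rules, ip):
    """First matching rule wins.  Assumption: with no matching rule at all,
    tcpserver accepts the connection and sets nothing, which is why the
    ':' default line should always be present and explicit."""
    for key in candidate_keys(ip):
        if key in rules:
            return rules[key]
    return ('allow', {})


def can_relay(rules, ip):
    """True if qmail-smtpd would see RELAYCLIENT for this client."""
    action, env = lookup(rules, ip)
    return action == 'allow' and 'RELAYCLIENT' in env


def relay_grants(rules):
    """Addresses that grant relaying.  An entry of '' is the open-relay case:
    every host on the Internet gets RELAYCLIENT."""
    return sorted(addr for addr, (action, env) in rules.items()
                  if action == 'allow' and 'RELAYCLIENT' in env)


def is_open_relay(rules):
    return '' in relay_grants(rules)


if __name__ == '__main__':
    rules = parse_rules(TCP_SMTP_RULES)
    for ip in ('127.0.0.1', '192.168.1.77', '168.93.100.59', '203.0.113.9'):
        print(ip, lookup(rules, ip), 'relay' if can_relay(rules, ip) else 'no relay')
    print('open relay:', is_open_relay(rules))
    print('open relay:', is_open_relay(parse_rules(':allow,RELAYCLIENT=')))
```

Point the script at your own /etc/tcp.smtp before running tcprules; if relay_grants() returns '' you have the open relay Warren describes, and nothing in the firewall will fix that.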



Re: How to stop SPAMMER??!

2002-11-10 Thread W. D.
Hi Stephen,

I hope you don't mind, I've CC'd the list as well:

Guys: I locked myself out of my server using the hosts.allow script
below.  I couldn't get in with SSH, FTP, and *ALL* email was blocked.
I changed back to the old hosts.allow and I can get back
in, but so are the slimy spammers.

It seems that hosts.allow is very powerful--perhaps the way to
go.  However, I can't shut off FTP and email for all the other users.
Does anyone have a ready-to-go hosts.allow file?

At 08:39 11/10/2002, Stephen Hovey, wrote:

It's a tuffy - why do you have both a sendmail and a qmail entry?  You run
both?

Nope.  Nor EXIM.  I just wanted them there for the time being.  I was 
going to delete them once I was sure the script worked.


the only thing I can think of is that ALL: paranoid line if you tried to
connect from an ip with bad in-addr.arpa/ident - and I don't think this is
correct form:

 ALL  : 209.152.117.190192.0.2.35 : allow 

What would work?




On Sun, 10 Nov 2002, W. D. wrote:

 At 01:14 11/10/2002, Stephen Hovey, wrote:
 
 Put an entry in /etc/hosts.allow with that domain and DENY.. it will give
 them a 550 denied no matter what they try, and/or an entry in
 /etc/mail/access
 
 
 Hi Stephen,
 
 Well, I tried the 'hosts.allow' route.  It seems I've disallowed SSH
 and FTP for myself now!  Assuming I can get into the ISP tomorrow, which are
 the offending lines below?  How can I get back into my own server

I had to go to the colo and switch back to the old hosts.allow

 
 
 #
 # hosts.allow access control file for tcp wrapped applications.
 # $FreeBSD: src/etc/hosts.allow,v 1.8.2.5 2001/08/30 16:02:37 dwmalone Exp $
 #
 # NOTE: The hosts.deny file is deprecated.
 #   Place both 'allow' and 'deny' rules in the hosts.allow file.
 #See hosts_options(5) for the format of this file.
 #hosts_access(5) no longer fully applies.
 
 #_  _  _ 
 #| | __  __   __ _   _ __ ____ __   | |   ___  | |
 #|  _|   \ \/ /  / _` | | '_ ` _ \  | '_ \  | |  / _ \ | |
 #| |___   | (_| | | | | | | | | |_) | | | |  __/ |_|
 #|_| /_/\_\  \__,_| |_| |_| |_| | .__/  |_|  \___| (_)
 #   |_|   
 # !!! This is an example! You will need to modify it for your specific
 # !!! requirements!
 
 
 # Start by allowing everything (this prevents the rest of the file
 # from working, so remove it when you need protection).
 # The rules here work on a First match wins basis.
 # Commented out 2002 Nov 10 - WD:
 # ALL : ALL : allow
 
 # Wrapping sshd(8) is not normally a good idea, but if you
 # need to do it, here's how
 #sshd : .evil.cracker.example.com : deny 
 
 # Protect against simple DNS spoofing attacks by checking that the
 # forward and reverse records for the remote host match. If a mismatch
 # occurs, access is denied, and any positive ident response within
 # 20 seconds is logged. No protection is afforded against DNS poisoning,
 # IP spoofing or more complicated attacks. Hosts with no reverse DNS
 # pass this rule.
 ALL : PARANOID : RFC931 20 : deny
 
 # Allow anything from localhost.  Note that an IP address (not a host
 # name) *MUST* be specified for portmap(8).
 ALL : localhost 127.0.0.1 : allow
 #ALL : my.machine.example.com 192.0.2.35 : allow
 # Added 2002 Nov. 10 - WD:
 ALL  : 209.152.117.190192.0.2.35 : allow
 
 
 # To use IPv6 addresses you must enclose them in []'s
 ALL : [fe80::%fxp0]/10 : allow
 ALL : [fe80::]/10 : deny
 ALL : [3ffe:fffe:2:1:2:3:4:3fe1] : deny
 ALL : [3ffe:fffe:2:1::]/64 : allow
 
 
 # Added 2002 Nov. 10 - WD:
 # Qmail
 qmail : localhost : allow
 #qmail : .nice.guy.example.com : allow
 #qmail : .evil.cracker.example.com : deny
 # Added 2002 Nov. 10 - WD
 qmail : .spaelegance.com : deny
 qmail : .SpaWeb1.spaelegance.com : deny
 qmail : .testargeted.com : deny
 qmail : .tesdaily.com : deny
 qmail : ALL : allow
 
 
 # Sendmail can help protect you against spammers and relay-rapers
 sendmail : localhost : allow
 sendmail : .nice.guy.example.com : allow
 sendmail : .evil.cracker.example.com : deny
 # Added 2002 Nov. 10 - WD
 sendmail : .spaelegance.com : deny
 sendmail : .SpaWeb1.spaelegance.com : deny
 sendmail : .testargeted.com : deny
 sendmail : .tesdaily.com : deny
 sendmail : ALL : allow
 
 
 # Exim is an alternative to sendmail, available in the ports tree
 exim : localhost : allow
 # exim : .nice.guy.example.com : allow
 # exim : .evil.cracker.example.com : deny
 # Added 2002 Nov. 10 - WD
 exim : .spaelegance.com : deny
 exim : .SpaWeb1.spaelegance.com : deny
 exim : .testargeted.com : deny
 exim : .tesdaily.com : deny
 exim : ALL : allow
 
 # Portmapper is used for all RPC services; protect your NFS!
 # (IP addresses rather than hostnames *MUST* be used here)
 portmap : 192.0.2.32/255.255.255.224 : allow
 portmap : 192.0.2.96/255.255.255.224 : 

Re: How to stop SPAMMER??!

2002-11-10 Thread Kevin D. Kinsey, DaleCo, S.P.
From: Kevin D. Kinsey, DaleCo, S.P. [EMAIL PROTECTED]

 From: W. D. [EMAIL PROTECTED]
 Subject: Re: How to stop SPAMMER??!
 
 
 Well, now we see why the file comments suggest that wrapping
 sshd is *not* such a good idea..
 
 Get the IP block of the system(s) from which you are remotely
 adminning the server into hosts.allow with something like this
 at the top:
 
 all:  192.168.0.0/255.255.255.0 : allow
 
 This is a sample netblock that makes sure hosts on my/the*
 LAN have access to the machine... figure out the netblock
 of your ISP at the home, office, or home office, and try,
 try, again.
 
 HTH,
 
 Kevin Kinsey
 DaleCo, S.P.
 
 *Your LAN may differ, of course.

And, FWIW, hosts.allow is pretty 'ready to go'
straight from 'the box.'  Lots of examples..

Also, if I remember the O.P., you're running
4.4 or 4.5... are you keeping up with patches?
Surely an upgrade would be in order to address
any issues that appeared over the summer...

My $.02

Kevin Kinsey



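Kevin's ordering point, as an added example written for this page (not code from the thread or from FreeBSD's libwrap): a first-match evaluator for the subset of hosts_options(5) client patterns the quoted file uses, run over a cut-down copy of that file in the order W. D. posted it, and then with an unconditional allow for the admin workstation moved to the top. The admin host is taken to be 192.0.2.35, the example address already in the file, and its DNS is assumed to be mismatched so that the PARANOID line fires; whether tcpd sees a mismatch is a caller-supplied flag here, where libwrap does the real forward/reverse lookup. Bracketed IPv6 patterns and the EXCEPT operator are not handled. One caveat the thread does not spell out: hosts.allow is consulted only by daemons that run under tcpd or are linked with libwrap (sshd and inetd-started ftpd on FreeBSD), and the daemon field is matched against the process name, so a qmail-smtpd started by tcpserver never reads it; the relay problem has to be fixed in tcp.smtp, not here.

```python
"""First-match evaluation of a FreeBSD hosts.allow (hosts_options(5)) file.

Added example, not code from the thread or from libwrap.  Client patterns
modelled: ALL, LOCAL, KNOWN, UNKNOWN, PARANOID, an exact IP or host name,
a dotted IP prefix ('192.0.2.'), a domain suffix ('.example.com') and a
net/mask pair.  Bracketed IPv6 patterns and EXCEPT are not handled.
"""
import ipaddress
import re

# Constructed cut-down copy of the quoted file, in the order W. D. posted it:
# the PARANOID deny comes before the admin workstation's allow.
LOCKOUT_ORDER = """\
ALL : PARANOID : RFC931 20 : deny
ALL : localhost 127.0.0.1 : allow
ALL : 192.0.2.35 : allow
sendmail : .spaelegance.com : deny
sendmail : ALL : allow
"""

# Same rules with the admin allow hoisted to the top, as Kevin suggests.
ADMIN_FIRST = "ALL : 192.0.2.35 : allow\n" + LOCKOUT_ORDER


class Client:
    """What tcpd knows about the peer.  dns_mismatch stands in for the
    forward/reverse check that libwrap performs for PARANOID."""
    def __init__(self, ip, host=None, dns_mismatch=False):
        self.ip, self.host, self.dns_mismatch = ip, host, dns_mismatch


def parse_hosts_allow(text):
    """Return [(daemons, client_patterns, action)] in file order; the
    allow/deny keyword is always the last option on a line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(':')]
        if len(fields) < 3 or fields[-1].lower() not in ('allow', 'deny'):
            raise ValueError('unsupported rule: %r' % raw)
        daemons = re.split(r'[\s,]+', fields[0])
        patterns = re.split(r'[\s,]+', fields[1])
        rules.append((daemons, patterns, fields[-1].lower()))
    return rules


def client_matches(pattern, c):
    host = c.host.lower() if c.host else None
    if pattern == 'ALL':
        return True
    if pattern == 'PARANOID':
        return c.dns_mismatch
    if pattern == 'KNOWN':
        return host is not None
    if pattern == 'UNKNOWN':
        return host is None
    if pattern == 'LOCAL':
        return host is not None and '.' not in host
    if '/' in pattern:                      # net/mask, dotted or CIDR
        return ipaddress.ip_address(c.ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.startswith('.'):             # domain suffix
        return host is not None and host.endswith(pattern.lower())
    if pattern.endswith('.'):               # dotted IP prefix
        return c.ip.startswith(pattern)
    return pattern == c.ip or pattern.lower() == host


def decide(rules, daemon, client):
    """Return (action, rule_index).  tcpd grants access when no rule matches,
    so an index of None means 'allowed by default'."""
    for i, (daemons, patterns, action) in enumerate(rules):
        if ('ALL' in daemons or daemon in daemons) and \
                any(client_matches(p, client) for p in patterns):
            return action, i
    return 'allow', None


if __name__ == '__main__':
    admin = Client('192.0.2.35', 'admin.example.net', dns_mismatch=True)
    spammer = Client('168.93.100.59', 'SpaWeb1.spaelegance.com')
    for name, text in (('as posted', LOCKOUT_ORDER), ('admin first', ADMIN_FIRST)):
        rules = parse_hosts_allow(text)
        print(name, 'sshd from admin:', decide(rules, 'sshd', admin))
        print(name, 'sendmail from spammer:', decide(rules, 'sendmail', spammer))
```

Run it and the two orderings differ only for the admin host: with the file as posted, sshd from a workstation whose DNS does not match is refused by rule 0 before its own allow line is ever reached; with the allow hoisted, the same connection is accepted and the spammer's domain is still denied for sendmail. Test an ordering this way before you install it on a colo box.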



Re: How to stop SPAMMER??!

2002-11-09 Thread Steve Wingate

You don't mention several important things someone would need to answer
this question fully.

1. Are you running a real mailserver that needs to send/receive mail to
the outside world?
If not then just block port 25 incoming.
If yes, then configure some UCE (unsolicited commercial email) rules on
sendmail (assuming this what you have since you didn't say) and/or
consider using another mailserver with more easily configured security (since
you're probably not a sendmail wizard). I suggest qmail or Postfix, which
I use.
 2. Are you the recipient of spam or is your box being used as a
relay?
This shouldn't happen in the default configuration any longer I believe.
Either check the Handbook online for sendmail configuration.
3. Dunno


+-+
|Steve Wingate  [EMAIL PROTECTED]
|MCSE, CCNA Sat Nov  9 16:59:00 PST 2002
+-+
|FreeBSD 4.7-RC
| 4:59PM  up 21 days, 17:31, 2 users, load averages: 0.00, 0.00, 0.00
+-+

On Sat, 9 Nov 2002, W. D. wrote:

 Hi folks,

 I've got some bozo from:

 SpaWeb1.spaelegance.com..auth

 doing all kinds of SMTP activity on my FreeBSD server.  Does anyone
 know how to stop this?  What kind of entry would I add to ipfw?

 Does anyone know what vulnerability this might be?  How to stop
 permanently?

 Here's what I am running:
 FreeBSD 4.4-RELEASE
 Apache/1.3.27 (Unix)
 mod_perl/1.26
 mod_throttle/3.1.2
 PHP/4.2.2
 FrontPage/4.0.4.3
 mod_ssl/2.8.11
 OpenSSL/0.9.6f


 Start Here to Find It Fast!© - http://www.US-Webmasters.com/best-start-page/








Re: How to stop SPAMMER??!

2002-11-09 Thread W. D.
Hey Steve, 

Thanks for the reply.

At 19:49 11/9/2002, Steve Wingate wrote:

You don't mention several important things someone would need to answer
this question fully.

1. Are you running a real mailserver that needs to send/receive mail to
the outside world?

Yep.

If not then just block port 25 incoming.
If yes, then configure some UCE (unsolicited commercial email) rules on
sendmail (assuming this what you have since you didn't say) and/or
consider using another mailserver with more easily configured security (since
you're probably not a sendmail wizard). I suggest qmail 

lrwxr-xr-x  1 root  wheel  33 Dec 10  2001 sendmail -> /usr/local/psa/qmail/bin/sendmail

Using qmail.  How to configure to avoid spam?  What is the name of
configuration file?

or Postfix, which
I use.
 2. Are you the recipient of spam or is your box being used as a
relay?

Relay.

This shouldn't happen in the default configuration any longer I believe.
Either check the Handbook online for sendmail configuration.
3. Dunno

I tried to block using IPFW but no luck using this line:

add deny log all from 168.93.100.0/24 to any in via fxp0


(http://www.SamSpade.org/t/lookat?a=SpaWeb1.spaelegance.com -
SpaWeb1.spaelegance.com resolves to 168.93.100.59)





On Sat, 9 Nov 2002, W. D. wrote:

 Hi folks,

 I've got some bozo from:

 SpaWeb1.spaelegance.com..auth

 doing all kinds of SMTP activity on my FreeBSD server.  Does anyone
 know how to stop this?  What kind of entry would I add to ipfw?

 Does anyone know what vulnerability this might be?  How to stop
 permanently?

 Here's what I am running:
 FreeBSD 4.4-RELEASE
 Apache/1.3.27 (Unix)
 mod_perl/1.26
 mod_throttle/3.1.2
 PHP/4.2.2
 FrontPage/4.0.4.3
 mod_ssl/2.8.11
 OpenSSL/0.9.6f











Re: How to stop SPAMMER??!

2002-11-09 Thread W. D.
At 20:04 11/9/2002, Gustaf Sjoberg, wrote:
On Sat, 09 Nov 2002 15:13:09 -0600
W. D. [EMAIL PROTECTED] wrote:

either block incoming port 25 connections or set the smtp server to require
authentication.

How to do this?


ipfw entry could look something like:

add rule# deny log tcp from any to yourip 25 in recv interface

Hi folks,

I've got some bozo from:

SpaWeb1.spaelegance.com..auth

doing all kinds of SMTP activity on my FreeBSD server.  Does anyone
know how to stop this?  What kind of entry would I add to ipfw?

Does anyone know what vulnerability this might be?  How to stop
permanently?

Here's what I am running:
FreeBSD 4.4-RELEASE
Apache/1.3.27 (Unix)
mod_perl/1.26
mod_throttle/3.1.2
PHP/4.2.2
FrontPage/4.0.4.3
mod_ssl/2.8.11
OpenSSL/0.9.6f 







