Re: Qmailt and spam

2001-06-21 Thread Charles Cazabon

Michael Grier [EMAIL PROTECTED] wrote:
> Yesterday I got about 100 failure notices bounced to me as postmaster.
> Today I got an abuse notice from my server provider. So this spammer
> must be able to relay through me somehow. Qmail has been working for me
> for over a year. Is anybody else having this problem? Where should I
> look for answers?

In your logs and your configuration.  If qmail is an open relay on your
system, you've configured it incorrectly.  Give us the output of
`qmail-showctl`, along with the script you start qmail-smtpd with, and copies
of any tcprules files you use controlling access to qmail-smtpd.  If you use
inetd/xinetd, give us the appropriate control files for that.

> The spammer seems to somehow be using the user qmailt as the originator.
> A copy follows. uid 12355 is the user qmailt.

There is no such user in a normal qmail install.

Are you sure they didn't get into your system another way?  A broken formmail
CGI, or something else?

Charles
-- 
---
Charles Cazabon[EMAIL PROTECTED]
GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
---
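The open-relay check Charles is asking for, as an added example that is not part of the thread: qmail-smtpd relays for a client only when RELAYCLIENT is present in its environment (normally put there by tcpserver from the compiled tcp.smtp rules); otherwise it accepts only recipients whose domain is in control/rcpthosts, and if rcpthosts is missing it accepts every recipient. The usual way a qmail box becomes an open relay is therefore a RELAYCLIENT grant on the default `:allow` rule, or on an address prefix far wider than the LAN. The script below parses a constructed tcp.smtp (not the poster's file) and flags such grants. The address forms it understands (empty default, dotted prefix, single address, last-octet range, `=hostname`) are tcprules' own; `Finding`, `parse_rule` and `audit_tcp_smtp` are names chosen for this example.

```python
"""Audit a tcprules source file (the tcp.smtp that `tcprules` compiles into
tcp.smtp.cdb for tcpserver) for RELAYCLIENT grants that would make
qmail-smtpd relay for the world.  Added example; not code from the thread."""
import re
from dataclasses import dataclass

# Constructed sample in tcprules syntax (address:action,NAME="value",...).
# It is not the poster's file.
SAMPLE_TCP_SMTP = """\
# loopback and the office LAN may relay
127.:allow,RELAYCLIENT=""
192.168.1.:allow,RELAYCLIENT=""
# far too wide: every address in 10/8
10.:allow,RELAYCLIENT=""
# hostname rules trust reverse DNS, which the peer's ISP controls
=mail.example.com:allow,RELAYCLIENT=""
# the default rule must be a bare :allow so rcpthosts applies
:allow,RELAYCLIENT=""
"""

OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
PREFIX_RE = re.compile(rf"^(?:{OCTET}\.){{1,3}}$")                  # "10." "192.168.1."
HOST_RE = re.compile(rf"^(?:{OCTET}\.){{3}}{OCTET}(?:-{OCTET})?$")  # "1.2.3.4" "1.2.3.4-9"


@dataclass
class Finding:
    line_no: int
    address: str
    severity: str   # "critical" or "warning"
    reason: str


def parse_rule(line):
    """Split 'address:action,NAME="value",...' into (address, action, env).
    Values containing a comma are not handled; they are rare in tcp.smtp."""
    address, _, instruction = line.partition(":")
    action, *assignments = instruction.split(",")
    env = {}
    for item in assignments:
        name, _, value = item.partition("=")
        env[name] = value.strip('"')
    return address, action, env


def audit_tcp_smtp(text):
    """Return one Finding per RELAYCLIENT grant that is broader than a LAN."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        address, action, env = parse_rule(line)
        if action != "allow" or "RELAYCLIENT" not in env:
            continue            # deny rules and plain allows cannot relay
        if address == "":
            findings.append(Finding(line_no, address, "critical",
                "default rule grants RELAYCLIENT to every client: open relay"))
        elif address.startswith("="):
            findings.append(Finding(line_no, address, "warning",
                "hostname rule relies on reverse DNS; run tcpserver -p "
                "so the forward lookup must match"))
        elif PREFIX_RE.match(address):
            covered = 256 ** (4 - address.count("."))
            if covered > 256 and not address.startswith("127."):
                findings.append(Finding(line_no, address, "warning",
                    f"prefix covers {covered} addresses; narrow it"))
        elif not HOST_RE.match(address):
            findings.append(Finding(line_no, address, "warning",
                "unrecognised address form; check it by hand"))
    return findings


if __name__ == "__main__":
    for f in audit_tcp_smtp(SAMPLE_TCP_SMTP):
        print(f"line {f.line_no} [{f.severity}] {f.address!r}: {f.reason}")
```

On the box itself, ucspi-tcp's `tcprulescheck` reports which rule a given peer would hit (`TCPREMOTEIP=203.0.113.5 tcprulescheck /etc/tcp.smtp.cdb`), and the live test is an SMTP session from an outside address that tries RCPT TO a domain not in rcpthosts: a correctly configured qmail-smtpd answers `553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)`. A rules file that passes this audit still does not prove the box is clean: a run script that exports RELAYCLIENT itself, or a deleted rcpthosts, opens the relay just as well, which is why Charles also asks for the qmail-smtpd start script.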



Re: Qmailt and spam

2001-06-21 Thread Michael Grier


- Original Message -
From: Charles Cazabon [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, June 21, 2001 5:39 PM
Subject: Re: Qmailt and spam


> Michael Grier [EMAIL PROTECTED] wrote:
> > Yesterday I got about 100 failure notices bounced to me as postmaster.
> > Today I got an abuse notice from my server provider. So this spammer
> > must be able to relay through me somehow. Qmail has been working for me
> > for over a year. Is anybody else having this problem? Where should I
> > look for answers?
>
> In your logs

All logs are full of lines like this:
@40003b326259244df3f4 alert: cannot start: unable to open mutex

I rebooted.

> and your configuration.  If qmail is an open relay on your
> system, you've configured it incorrectly.  Give us the output of
> `qmail-showctl`,

[root@server1 qmail]# bin/qmail-showctl
qmail home directory: /var/qmail.
user-ext delimiter: -.
paternalism (in decimal): 2.
silent concurrency limit: 120.
subdirectory split: 23.
user ids: 12346, 12347, 12348, 0, 12349, 12350, 12351, 12352.
group ids: 12347, 12348.

badmailfrom: (Default.) Any MAIL FROM is allowed.

bouncefrom: (Default.) Bounce user name is MAILER-DAEMON.

bouncehost: (Default.) Bounce host name is e1city.com.

concurrencylocal: (Default.) Local concurrency is 10.

concurrencyremote: (Default.) Remote concurrency is 20.

databytes: (Default.) SMTP DATA limit is 0 bytes.

defaultdomain: Default domain name is e1city.com.

defaulthost: (Default.) Default host name is e1city.com.

doublebouncehost: (Default.) 2B recipient host: e1city.com.

doublebounceto: (Default.) 2B recipient user: postmaster.

envnoathost: (Default.) Presumed domain name is e1city.com.

helohost: (Default.) SMTP client HELO host name is e1city.com.

idhost: (Default.) Message-ID host name is e1city.com.

localiphost: (Default.) Local IP address becomes e1city.com.

locals:
Messages for localhost are delivered locally.

me: My name is e1city.com.

percenthack: (Default.) The percent hack is not allowed.

plusdomain: Plus domain name is e1city.com.

qmqpservers: (Default.) No QMQP servers.

queuelifetime: (Default.) Message lifetime in the queue is 604800 seconds.

rcpthosts:
SMTP clients may send messages to recipients at localhost.
SMTP clients may send messages to recipients at mgrier.com.
SMTP clients may send messages to recipients at bigmweb.com.
SMTP clients may send messages to recipients at e1city.com.
SMTP clients may send messages to recipients at thecountrymill.com.
SMTP clients may send messages to recipients at countrymill.com.
SMTP clients may send messages to recipients at cherryjuiceconcentrate.com.
SMTP clients may send messages to recipients at tartcherryjuice.com.
SMTP clients may send messages to recipients at doccherry.com.
SMTP clients may send messages to recipients at msistudios.com.
SMTP clients may send messages to recipients at msi-studios.com.
SMTP clients may send messages to recipients at tcsom.com.
SMTP clients may send messages to recipients at gospelofthekingdom.org.
SMTP clients may send messages to recipients at midlandfurniture.com.
SMTP clients may send messages to recipients at midlandpiano.com.
SMTP clients may send messages to recipients at michiganpiano.com.
SMTP clients may send messages to recipients at michiganorgan.com.
SMTP clients may send messages to recipients at sweetnita.com.
SMTP clients may send messages to recipients at tennes.com.
SMTP clients may send messages to recipients at j4t.org.
SMTP clients may send messages to recipients at intruderlc.com.
SMTP clients may send messages to recipients at sleepmethods.com.

morercpthosts: (Default.) No effect.

morercpthosts.cdb: (Default.) No effect.

smtpgreeting: (Default.) SMTP greeting: 220 e1city.com.

smtproutes: (Default.) No artificial SMTP routes.

timeoutconnect: (Default.) SMTP client connection timeout is 60 seconds.

timeoutremote: (Default.) SMTP client data timeout is 1200 seconds.

timeoutsmtpd: (Default.) SMTP server data timeout is 1200 seconds.

virtualdomains:
Virtual domain: mgrier.com:mgrier
Virtual domain: bigmweb.com:alias-bigmwebcom
Virtual domain: e1city.com:alias-e1citycom
Virtual domain: thecountrymill.com:mtennes
Virtual domain: countrymill.com:mtennes
Virtual domain: cherryjuiceconcentrate.com:mtennes
Virtual domain: tartcherryjuice.com:mtennes
Virtual domain: doccherry.com:mtennes
Virtual domain: msistudios.com:gjgadwa
Virtual domain: msi-studios.com:gjgadwa
Virtual domain: tcsom.com:alias-tcsomcom
Virtual domain: gospelofthekingdom.org:alias-gospelofthekingdomorg
Virtual domain: midlandfurniture.com:alias-midlandfurniturecom
Virtual domain: midlandpiano.com:alias-michiganpianocom
Virtual domain: michiganpiano.com:alias-michiganpianocom
Virtual domain: michiganorgan.com:alias-michiganpianocom
Virtual domain: sweetnita.com:alias-sweetnitacom
Virtual domain: tennes.com:mtennes
Virtual domain: j4t.org:alias-j4torg
Virtual domain: intruderlc.com:alias-intruderlccom
Virtual domain: sleepmethods.com:alias-sleepmethodscom

Re: Qmailt and spam

2001-06-21 Thread Michael Grier


> > The spammer seems to somehow be using the user qmailt as the originator.
> > A copy follows. uid 12355 is the user qmailt.
>
> There is no such user in a normal qmail install.
>
> Are you sure they didn't get into your system another way?  A broken
> formmail CGI, or something else?

I've now found that this user was most likely created yesterday when
this problem started, so now I probably have to figure out how I was
hacked. I've deleted the user.




Re: Qmailt and spam

2001-06-21 Thread Charles Cazabon

Michael Grier [EMAIL PROTECTED] wrote:
>
> > > The spammer seems to somehow be using the user qmailt as the originator.
> > > A copy follows. uid 12355 is the user qmailt.
> >
> > There is no such user in a normal qmail install.
> >
> > Are you sure they didn't get into your system another way?  A broken
> > formmail CGI, or something else?
>
> I've now found that this user was most likely created yesterday when this
> problem started, so now I probably have to figure out how I was hacked. I've
> deleted the user.

I saw the other message you sent to me privately.  Yes, you were hacked.  If
you don't have md5sums of all the files on your system, you should probably
start out fresh -- you don't know what he ftp'd in, but he probably installed
a rootkit and left all kinds of backdoors for him to come back.  Plus, you
still don't know how he gained access in the first place.

Charles
-- 
---
Charles Cazabon[EMAIL PROTECTED]
GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
---
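Two triage checks for where the thread ends, as an added example and not code from the thread. First, the lookalike account: the qmail-showctl output above lists the UIDs qmail was built with (12346 to 12352, plus root), and "qmailt" at 12355 is outside that set, so no qmail install created it; the check below reads the `user ids:` line (whose order follows qmail's conf-users: alias, qmaild, qmaill, root, qmailp, qmailq, qmailr, qmails) and flags passwd entries that imitate those accounts. Second, the hash baseline Charles says would be needed to trust the box: a manifest is taken, the tree is tampered with the way an intruder might (trojaned binary, hidden file, deleted rcpthosts), and the comparison reports what changed. The passwd excerpt and the file tree are constructed; `compiled_in_uids`, `suspicious_accounts`, `build_manifest`, `compare_manifests` and `demo_integrity` are names chosen for this example.

```python
"""Post-compromise triage for the situation in the thread: find accounts that
imitate qmail's but were not created by the qmail install, and diff a file-hash
baseline the way `md5sum -c` would.  Added example; not code from the thread."""
import hashlib
import os
import re
import tempfile

# Constructed copy of the "user ids:" line printed by qmail-showctl. The order
# is the auto_uid* order from conf-users: alias, qmaild, qmaill, root, qmailp,
# qmailq, qmailr, qmails.
SHOWCTL_USER_IDS = "user ids: 12346, 12347, 12348, 0, 12349, 12350, 12351, 12352."
QMAIL_NAMES = ("alias", "qmaild", "qmaill", "root",
               "qmailp", "qmailq", "qmailr", "qmails")
NOLOGIN_SHELLS = ("/bin/true", "/bin/false", "/sbin/nologin")

# Constructed /etc/passwd excerpt; "qmailt" plays the intruder's account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alias:x:12346:12347::/var/qmail/alias:/bin/true
qmaild:x:12347:12347::/var/qmail:/bin/true
qmaill:x:12348:12347::/var/qmail:/bin/true
qmailp:x:12349:12347::/var/qmail:/bin/true
qmailq:x:12350:12348::/var/qmail:/bin/true
qmailr:x:12351:12348::/var/qmail:/bin/true
qmails:x:12352:12348::/var/qmail:/bin/true
qmailt:x:12355:12348::/var/qmail:/bin/bash
"""


def compiled_in_uids(showctl_line):
    """Map qmail's built-in account names to the UIDs qmail-showctl reports."""
    uids = [int(n) for n in re.findall(r"\d+", showctl_line)]
    return dict(zip(QMAIL_NAMES, uids))


def suspicious_accounts(passwd_text, expected):
    """Return (name, uid, reason) for passwd entries that should not be there."""
    flagged = []
    for line in passwd_text.splitlines():
        name, _, uid, _, _, home, shell = line.split(":")
        uid = int(uid)
        if name == "root":
            continue
        if expected.get(name) == uid:
            # genuine qmail account: it never needs an interactive shell
            if shell not in NOLOGIN_SHELLS:
                flagged.append((name, uid, "qmail account given a login shell"))
            continue
        if name.startswith("qmail") or home.startswith("/var/qmail"):
            flagged.append((name, uid, "imitates a qmail account qmail was not built with"))
        elif uid == 0:
            flagged.append((name, uid, "second uid 0 account"))
    return flagged


def build_manifest(root):
    """Hash every regular file below root. `find root -type f | xargs md5sum`
    did the same job in 2001; sha256 is used here."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                manifest[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Return (added, modified, removed) paths: `md5sum -c` plus new-file detection."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, modified, removed


def demo_integrity():
    """Baseline a constructed /var/qmail, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "control"))
        for rel, data in (("bin/qmail-smtpd", b"genuine smtpd"),
                          ("bin/qmail-send", b"genuine send"),
                          ("control/rcpthosts", b"example.com\n")):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = build_manifest(root)
        # tamper: trojan a binary, drop a hidden file, delete rcpthosts
        # (without rcpthosts qmail-smtpd accepts every recipient)
        with open(os.path.join(root, "bin/qmail-smtpd"), "wb") as fh:
            fh.write(b"trojaned smtpd")
        with open(os.path.join(root, "bin/.backdoor"), "wb") as fh:
            fh.write(b"backdoor")
        os.remove(os.path.join(root, "control/rcpthosts"))
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(suspicious_accounts(SAMPLE_PASSWD, compiled_in_uids(SHOWCTL_USER_IDS)))
    print(demo_integrity())
```

The comparison is only as trustworthy as the tools and kernel doing the hashing: a rootkit of the kind Charles mentions replaces ls, find and md5sum and hides its own files, so the check has to run from clean boot media against a baseline that was stored off the box before the compromise. Without such a baseline there is nothing to compare against, which is exactly why his advice is to reinstall rather than clean up.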