Re: unauthorized relay :-(
On Thu, May 17, 2001 at 08:47:46PM -0400, Todd Finney wrote: At 08:55 PM 5/17/01, Roger Walker wrote: :allow Doesn't that last allow line cause an open relay? NO! The last :allow is needed for other Mailservers delivering mail to your domains listed in rcpthosts. Unless RELAYCLIENT is set qmail does not relay to foreign domains. -- * Henning Brauer, [EMAIL PROTECTED], http://www.bsws.de * * Roedingsmarkt 14, 20459 Hamburg, Germany * Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: unauthorized relay :-(
At 04:47 AM 5/18/01, Henning Brauer wrote: On Thu, May 17, 2001 at 08:47:46PM -0400, Todd Finney wrote: At 08:55 PM 5/17/01, Roger Walker wrote: :allow Doesn't that last allow line cause an open relay? NO! The last :allow is needed for other Mailservers delivering mail to your domains listed in rcpthosts. Unless RELAYCLIENT is set qmail does not relay to foreign domains. No need to shout there, Henning. Please note the question mark at the end of my sentence; I wasn't sure. If you must use caps, please save them for the idiots that can't figure out how to unsubscribe. cheers, Todd
Re: unauthorized relay :-(
On Fri, May 18, 2001 at 06:53:30AM -0400, Todd Finney wrote: At 04:47 AM 5/18/01, Henning Brauer wrote: On Thu, May 17, 2001 at 08:47:46PM -0400, Todd Finney wrote: At 08:55 PM 5/17/01, Roger Walker wrote: :allow Doesn't that last allow line cause an open relay? NO! The last :allow is needed for other Mailservers delivering mail to your domains listed in rcpthosts. Unless RELAYCLIENT is set qmail does not relay to foreign domains. No need to shout there, Henning. No offense intended, Todd. Just meant as clarification. -- * Henning Brauer, [EMAIL PROTECTED], http://www.bsws.de * * Roedingsmarkt 14, 20459 Hamburg, Germany * Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: unauthorized relay :-(
On 18 May 2001, Mark Delany wrote: So you are saying that you've checked the qmail-send logs and there is no injection that matches the headers of the bounce? Are you sure? If you found a match, then the uid trail will tell you who did it. The log portion I supplied is indicative of all of the stuff related to the aol mail. The PID associated with those messages was not there when I became aware of what was happening, so I can't definitively trace it. Well, if you showed us the headers and corresponding log entries from qmail-send and tcpserver, we wouldn't have to speculate would we now? Surely as a person who administer[s] mail servers for a major ISP you realise the value that concrete data has in reducing speculation. All of the logs for qmail I have go to a single file. I do not have headers, or I would probably have been able to definitely say that this was a relay (or generated directly from my system by a cracker). -- Roger Walker http://www.rat-hole.com Voice/Fax 1-780-440-2685 http://www.man-from-linux.com HIS Pain; YOUR Gainhttp://www.rope.net http://www.rope.net/signature.html
Re: unauthorized relay :-(
On 18 May 2001, John R. Levine wrote: Any chance it's coming from formmail.pl or a similar insecure CGI? That seems a lot more likely than spam sneaking in via SMTP. Actually, that thought just occured to me this morning. I was talking with the other person who has access to the system and he mentioned that the only anonymous address he ever saw was from a formmail script. I have an altered one that allows those I've blocked to contact me (i.e. relays, spammers, scanners) when their email won't otherwise get through. Since the form creates email on the system, qmail would not block the outbound relay. Unfortunately, I might not be able to get to this until next week. Fortunately, it seems to have been a one time occurance. However, I now have something to go on that sounds reasonable, and it's a good idea for others to check their setups, too. Thanks. -- Roger Walker http://www.rat-hole.com Voice/Fax 1-780-440-2685 http://www.man-from-linux.com HIS Pain; YOUR Gainhttp://www.rope.net http://www.rope.net/signature.html
Re: unauthorized relay :-(
On Fri, May 18, 2001 at 06:55:59AM -0600, Roger Walker wrote: On 18 May 2001, Mark Delany wrote: So you are saying that you've checked the qmail-send logs and there is no injection that matches the headers of the bounce? Are you sure? If you found a match, then the uid trail will tell you who did it. The log portion I supplied is indicative of all of the stuff related to the aol mail. The PID associated with those messages was not there when I became aware of what was happening, so I can't definitively trace it. UID != PID And, er, qmail-send (with UID) and (tcpserver with PID) unconditionally log their UID and PID, so what exactly do you mean by was not there? But, AOL doesn't help matters as their bounces don't return any original header information, blah. Regards.
Re: unauthorized relay :-(
On 18 May 2001, Mark Delany wrote: The log portion I supplied is indicative of all of the stuff related to the aol mail. The PID associated with those messages was not there when I became aware of what was happening, so I can't definitively trace it. UID != PID Sorry, I was distracted. The UID was for apache, further evidence that this was done through a formmail script. And, er, qmail-send (with UID) and (tcpserver with PID) unconditionally log their UID and PID, so what exactly do you mean by was not there? I do not seem to have any tcpserver logs, except for my RBL setup. Here's the tcpserver invocation: tcpserver -p -x /etc/tcpserver/tcp.smtp.cdb -u 301 -g 300 0 smtp \ /usr/local/bin/rblsmtpd \ -rrbl.maps.vix.com \ -rinputs.orbs.org \ -routputs.orbs.org \ -rspamsources.orbs.org \ -rspamsource-netblocks.orbs.org \ -runtestable-netblocks.orbs.org \ -rmanual.orbs.org \ -rdialups.mail-abuse.org \ -rrbl.rope.net \ /var/qmail/bin/qmail-smtpd 21 \ | setuidgid qmaill tai64n | setuidgid qmaill tai64nlocal \ | setuidgid qmaill multilog +\* /var/log/rbl But, AOL doesn't help matters as their bounces don't return any original header information, blah. So I've noticed... -- Roger Walker http://www.rat-hole.com Voice/Fax 1-780-440-2685 http://www.man-from-linux.com HIS Pain; YOUR Gainhttp://www.rope.net http://www.rope.net/signature.html
Re: unauthorized relay :-(
On Fri, May 18, 2001 at 08:37:37AM -0600, Roger Walker wrote: UID != PID Sorry, I was distracted. The UID was for apache, further evidence that this was done through a formmail script. Ok... And what did your apache logs say at the time? They are logging IP addresses, right? Here's the tcpserver invocation: tcpserver -p -x /etc/tcpserver/tcp.smtp.cdb -u 301 -g 300 0 smtp \ /usr/local/bin/rblsmtpd \ -rrbl.maps.vix.com \ -rinputs.orbs.org \ -routputs.orbs.org \ -rspamsources.orbs.org \ -rspamsource-netblocks.orbs.org \ -runtestable-netblocks.orbs.org \ -rmanual.orbs.org \ -rdialups.mail-abuse.org \ -rrbl.rope.net \ /var/qmail/bin/qmail-smtpd 21 \ | setuidgid qmaill tai64n | setuidgid qmaill tai64nlocal \ | setuidgid qmaill multilog +\* /var/log/rbl Superficially that looks ok, again kinda different from what one usually sees. So there are not entries in /var/log/rbl/current like: @40003b053761268c7a14 tcpserver: pid 16838 from 131.193.178.181? Regards.
Re: unauthorized relay :-(
On 18 May 2001, Mark Delany wrote: Ok... And what did your apache logs say at the time? They are logging IP addresses, right? I had to disappear for some other commitments, so I was gone for a few hours :-) I've removed the form completely. I'll have to do up another script when I get some time in a few days. I've got another one that I wrote that doesn't do formmail stuff, so I can adapt it. I did check the logs and now I can pursue this further. I'll have to check my RBL and blocks to see if this is in retaliation (which, given the few in number messages, makes sense). Here's an example entry: cc172422-a.union1.nj.home.com - - [17/May/2001:15:38:23 -0600] GET /cgi-bin/formmail.pl?[EMAIL PROTECTED]subject=Someone%20Has%20Sent%20You% 20An%20eCard!=Hello,%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20% 20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2 0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20Someone%20has%20sent%20you%20an%20eCard%20-%20Electronic%20Greeting%20Card!%20%20%20%20%20%20%20 %20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20a%20href%3Daol://1223:26260/http://www.wo0tspamma.net/mypics; Click%20Here%20To%20Pick%20It%20Up!/a[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],Cheerbarb [EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],Gu [EMAIL PROTECTED], HTTP/1.1 200 1169 - Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90) Here's the tcpserver invocation: tcpserver -p -x /etc/tcpserver/tcp.smtp.cdb -u 301 -g 300 0 smtp \ /usr/local/bin/rblsmtpd \ -rrbl.maps.vix.com \ -rinputs.orbs.org \ -routputs.orbs.org \ -rspamsources.orbs.org \ -rspamsource-netblocks.orbs.org \ -runtestable-netblocks.orbs.org \ -rmanual.orbs.org \ -rdialups.mail-abuse.org \ -rrbl.rope.net \ /var/qmail/bin/qmail-smtpd 21 \ | setuidgid qmaill tai64n | setuidgid qmaill tai64nlocal \ | setuidgid qmaill multilog +\* /var/log/rbl Superficially that looks ok, again kinda different from what one usually sees. So there are not entries in /var/log/rbl/current like: @40003b053761268c7a14 tcpserver: pid 16838 from 131.193.178.181? No. Now we are onto a different topic, but I would still appreciate some input on this. I noticed when I set this up that I was only getting the RBL stuff logged. Again, I really appreciate the help I've received from everyone on the list. Thanks. -- Roger Walker http://www.rat-hole.com Voice/Fax 1-780-440-2685 http://www.man-from-linux.com HIS Pain; YOUR Gainhttp://www.rope.net http://www.rope.net/signature.html
Re: unauthorized relay :-(
At 08:55 PM 5/17/01, Roger Walker wrote: My admin mailbox has been filling up with bounces from aol.com - obvious SPAM that appears to have originated from my qmail system (running ucspi-tcp-0.88 and daemontools-0.70. Here's my rather simple config for tcpserver: 127.0.0.1:allow,RELAYCLIENT= 206.75.255.:allow,RELAYCLIENT= 10.:allow,RELAYCLIENT= :allow The first line is for localhost, the second for my class 'C', the third for private network stuff behind a firewall and through a VPN. I presume the last is to allow anyone to connect to allow them to send to my hosted domains. Doesn't that last allow line cause an open relay? http://cr.yp.to/ucspi-tcp/tcprules.html The instructions in a rule must begin with either allow or deny. deny tells tcpserver to drop the connection without running anything. For example, the rule :deny tells tcpserver to drop all connections that aren't handled by more specific rules. The fact that your local domains appear in the control files is what allows the host to receive mail for the domains, not tcpserver. Todd
Re: unauthorized relay :-(
No, the last line :allow allows people to send mail to you if the line said :allow,RELAYCLIENT= then you would allow relay mail to anyone. a :deny would deny any attempts to connect to the tcpserver connection that were not specifically allowed. A better idea would be for the original poster to post the logs as proof that there is a relay happening, and if were lucky some headers and the smtp logs too. -- Tim - Original Message - From: Todd Finney [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, May 17, 2001 8:47 PM Subject: Re: unauthorized relay :-( At 08:55 PM 5/17/01, Roger Walker wrote: My admin mailbox has been filling up with bounces from aol.com - obvious SPAM that appears to have originated from my qmail system (running ucspi-tcp-0.88 and daemontools-0.70. Here's my rather simple config for tcpserver: 127.0.0.1:allow,RELAYCLIENT= 206.75.255.:allow,RELAYCLIENT= 10.:allow,RELAYCLIENT= :allow The first line is for localhost, the second for my class 'C', the third for private network stuff behind a firewall and through a VPN. I presume the last is to allow anyone to connect to allow them to send to my hosted domains. Doesn't that last allow line cause an open relay? http://cr.yp.to/ucspi-tcp/tcprules.html The instructions in a rule must begin with either allow or deny. deny tells tcpserver to drop the connection without running anything. For example, the rule :deny tells tcpserver to drop all connections that aren't handled by more specific rules. The fact that your local domains appear in the control files is what allows the host to receive mail for the domains, not tcpserver. Todd
Re: unauthorized relay :-(
Roger Walker wrote: My admin mailbox has been filling up with bounces from aol.com - obvious SPAM that appears to have originated from my qmail system I am curious about that because recently I got a bounce from aol that said that they don't accept mails anymore from mailservers with dynamically assigned ip numbers. Therefore: who did say that it was spam, aol or you? But that's a bit off topic :-)) Here's my rather simple config for tcpserver: 127.0.0.1:allow,RELAYCLIENT= 206.75.255.:allow,RELAYCLIENT= 10.:allow,RELAYCLIENT= :allow This seems to be right. Did you compile it? Is your start-script ok? Did you restart qmail? My qmail logs simply show a message generated by [EMAIL PROTECTED] and being sent to an aol.com account. Then another one. Then the third one and subsequent ones go out to variable numbers to aol.com accounts. Total about 550. So someone from your domain tried to send mail to another host. That is normal behaviour of qmail, as described in the pictures ( http://cr.yp.to/qmail/pictures.html ). With this information I am not able to help you further for that anonymous could have been anyone. There must be more information about anonymous and the way he got his mail through your system. Do you have the headers of the bounced mails? Did they say anything about anonymous' ip or the way the mail got through your server? Can you send one of those bounced mails' headers? In case I wasn't clear enough, just the headers from the mail that was sent by your system to aol, not the header of the bounce mail itself. Do you have qmqpd running on your server? Did you install that properly? That means: some ip numbers that are allowed and a :deny as last line? If not, anybody could send mail through your system. As I am not an expert I don't know of other possibilities. hth, caspar
Re: unauthorized relay :-(
On Thu, 17 May 2001, Todd Finney wrote: At 08:55 PM 5/17/01, Roger Walker wrote: tcpserver: 127.0.0.1:allow,RELAYCLIENT= 206.75.255.:allow,RELAYCLIENT= 10.:allow,RELAYCLIENT= :allow The first line is for localhost, the second for my class 'C', the third for private network stuff behind a firewall and through a VPN. I presume the last is to allow anyone to connect to allow them to send to my hosted domains. Doesn't that last allow line cause an open relay? It shouldn't. As I indicated, I tested for relay - I telnetted to port 25 from a 24. address, and if the rcpt to: address was not one of the domains in control/rcpthosts, then it was rejected. The last statement should merely allow anyone to connect - this is a mail server, after all, and it wouldn't accomplish much if I put a :deny in there and disallowed any connection. It's the RELAYCLIENT entry on each of the first three lines that allows specific hosts to be able to relay to other than what's in the control/rcpthosts file - to override it. Feel free to try it - 206.75.255.50. If you find a way to relay, please let us know what you did. Maybe I'll set up an experiment where I replace the :allow with a :deny and see if a remote host can still send me mail (but I doubt it would be able to). -- Roger Walker http://www.rat-hole.com Voice/Fax 1-780-440-2685 http://www.man-from-linux.com HIS Pain; YOUR Gainhttp://www.rope.net http://www.rope.net/signature.html
Re: unauthorized relay :-(
On Fri, 18 May 2001, Caspar Bothmer wrote: Roger Walker wrote: My admin mailbox has been filling up with bounces from aol.com - obvious SPAM that appears to have originated from my qmail system I am curious about that because recently I got a bounce from aol that said that they don't accept mails anymore from mailservers with dynamically assigned ip numbers. Therefore: who did say that it was spam, aol or you? But that's a bit off topic :-)) It's SPAM because I saw the content of the message from AOL's bounces (which are still trickling in). Also because of the illegitimate way it is being sent and the fact that many of the addresses are invalid. AOL simply bounced the messages for accounts that didn't exist. As far as they knew, they were receiving mail from me and to them. I wish they had bounced back all of the headers, too (because if they did, there appears to be nothing to go on). Here's my rather simple config for tcpserver: 127.0.0.1:allow,RELAYCLIENT= 206.75.255.:allow,RELAYCLIENT= 10.:allow,RELAYCLIENT= :allow This seems to be right. Did you compile it? Is your start-script ok? Did you restart qmail? This has been running for about a half year this way, including through one reboot due to a power failure. So someone from your domain tried to send mail to another host. That is normal behaviour of qmail, as described in the pictures ( http://cr.yp.to/qmail/pictures.html ). With this information I am not able to help you further for that anonymous could have been anyone. There must be more information about anonymous and the way he got his mail through your system. I've only seen the anonymous address in email generated by cron, but the crontab looks fine. Do you have the headers of the bounced mails? Did they say anything about anonymous' ip or the way the mail got through your server? Can you send one of those bounced mails' headers? In case I wasn't clear enough, just the headers from the mail that was sent by your system to aol, not the header of the bounce mail itself. I understand completely. I administer mail servers for a major ISP, so the principles are not a problem. I run qmail on my own servers, but there could always be something that I'm overlooking in the config. I know it sure looks as if the message originated locally, but I have my doubts - I've been checking the system over very carefully for intrusions and have gone over the log files, but I don't see anything out of the ordinary to suggest that someone has gotten access to a shell. Do you have qmqpd running on your server? Did you install that properly? That means: some ip numbers that are allowed and a :deny as last line? If not, anybody could send mail through your system. I do not run qmqpd. (I'm not sure, at this point, what it is.) It's certainly not on my system. Thanks, all, for your speculations so far... -- Roger Walker http://www.rat-hole.com Voice/Fax 1-780-440-2685 http://www.man-from-linux.com HIS Pain; YOUR Gainhttp://www.rope.net http://www.rope.net/signature.html
Re: unauthorized relay :-(
On Thu, May 17, 2001 at 10:32:41PM -0600, Roger Walker wrote: I understand completely. I administer mail servers for a major ISP, so the principles are not a problem. I run qmail on my own servers, but there could always be something that I'm overlooking in the config. I know it sure looks as if the message originated locally, but I have my doubts - I've been checking the system over very carefully for intrusions and have gone over the log files, but I don't see anything out of the ordinary to suggest that someone has gotten access to a shell. So you are saying that you've checked the qmail-send logs and there is no injection that matches the headers of the bounce? Are you sure? If you found a match, then the uid trail will tell you who did it. Thanks, all, for your speculations so far... Well, if you showed us the headers and corresponding log entries from qmail-send and tcpserver, we wouldn't have to speculate would we now? Surely as a person who administer[s] mail servers for a major ISP you realise the value that concrete data has in reducing speculation. Regards.
