[qmailtoaster] Re: Attack?

2010-06-23 Thread Eric Shubert

Natalio Gatti wrote:
>
> On Wed, Jun 23, 2010 at 4:27 PM, Rafael Andrade
> <raf...@riosulense.com.br> wrote:
>
> My last msg, I will send a new thread
> qmHandle -l
>
> 2450210 (20, R)
>  Return-path: anonym...@metalservice.ind.br
>  From: Itau Informa Todos erros corrigidos <comunicacaodigi...@itau-unibanco.com.br>
>  To: pappen@terra.com.br
>  Subject: Atualização do seu aparelho Itoken versão Final sem erros
>  Date: 23 Jun 2010 17:56:45 -
>  Size: 1785 bytes
>
>
> I had a similar problem. The best way to obtain information is to see
> the headers of the spam mail. You can see them with qmqtool or qmHandle.
> In that header you can see if the mails are using an authenticated
> account.


Good idea, Natalio.

Rafael,
(In order to start a new thread, you need to choose 'write'. Choosing 
'reply' continues the same thread.)


It looks as though we had the wrong 'from' address before.
Once again, I would:

# qmlog -nl -g comunicacaodigi...@itau-unibanco smtp \
> | grep "CHKUSER accepted sender" | head -n10

This will show you the first 10 occurrences of messages that were 
submitted with that address. You should see something like:
06-23 02:58:23 CHKUSER accepted sender: from 
 ...


The ??...@??? part is the account name that was used to 
authenticate. Change that password, and you should no longer get more 
spam messages from this spammer.


If there's no account name in the message, then the message was 
submitted with no authentication. We'll need to look again at your 
tcp.smtp file if that's the case.


--
-Eric 'shubes'


-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
 If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.

 To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com

For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
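Eric's triage step above (grep the smtp log for "CHKUSER accepted sender" lines carrying the spoofed From address, then read off the account that authenticated) as an added example; this is not code from the thread or from the qmailtoaster project. It assumes the chkuser log layout `from <mailfrom:authuser> remote <helo:rdns:ip> rcpt <> : sender accepted`, where `authuser` is the SMTP AUTH account and is empty when no AUTH was used; the log lines are constructed.

```python
"""Find which account submitted a spam run, from chkuser 'accepted sender' lines.

Added example, not code from the thread or the qmailtoaster project. Assumed
chkuser log format (as grepped with qmlog ... | grep "CHKUSER accepted sender"):
  CHKUSER accepted sender: from <mailfrom:authuser> remote <helo:rdns:ip> rcpt <> : sender accepted
where 'authuser' is the SMTP AUTH account and is empty when no AUTH was used.
All sample log lines below are constructed.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"CHKUSER accepted sender: from <(?P<mailfrom>[^:>]*):(?P<auth>[^>]*)> "
    r"remote <(?P<helo>[^:>]*):(?P<rdns>[^:>]*):(?P<ip>[^>]*)>"
)


def parse_accepted_sender(line):
    """Return {mailfrom, auth, helo, rdns, ip} for an accepted-sender line, else None."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def submissions_for_sender(lines, sender):
    """Tally how messages claiming `sender` as envelope from were accepted.

    Returns (authed, unauthed): `authed` maps AUTH account -> count (the
    password to change), `unauthed` maps origin IP -> count for messages
    accepted with no AUTH account (a relay rule in tcp.smtp let them in).
    """
    authed, unauthed = Counter(), Counter()
    for line in lines:
        rec = parse_accepted_sender(line)
        if rec is None or rec["mailfrom"].lower() != sender.lower():
            continue
        if rec["auth"]:
            authed[rec["auth"]] += 1
        else:
            unauthed[rec["ip"]] += 1
    return authed, unauthed


def triage(lines, sender):
    """Turn the tallies into the next steps Eric describes, busiest first."""
    authed, unauthed = submissions_for_sender(lines, sender)
    steps = [f"change password for {acct} ({n} submissions)"
             for acct, n in authed.most_common()]
    steps += [f"check tcp.smtp relay rules: {n} unauthenticated submissions from {ip}"
              for ip, n in unauthed.most_common()]
    return steps


# Constructed sample: three submissions by one compromised account, one
# accepted from loopback with no AUTH account, one unrelated legitimate line.
SAMPLE_LOG = """\
06-23 02:58:23 CHKUSER accepted sender: from <spoofed@bank.example:victim@mail.example> remote <unknown:unknown:203.0.113.5> rcpt <> : sender accepted
06-23 02:58:24 CHKUSER accepted sender: from <spoofed@bank.example:victim@mail.example> remote <unknown:unknown:203.0.113.5> rcpt <> : sender accepted
06-23 02:58:25 CHKUSER accepted sender: from <spoofed@bank.example:victim@mail.example> remote <unknown:unknown:198.51.100.7> rcpt <> : sender accepted
06-23 02:59:01 CHKUSER accepted sender: from <spoofed@bank.example:> remote <localhost:localhost:127.0.0.2> rcpt <> : sender accepted
06-23 02:59:02 CHKUSER accepted sender: from <alice@mail.example:alice@mail.example> remote <pc1:pc1.lan:192.168.1.20> rcpt <> : sender accepted
""".splitlines()

if __name__ == "__main__":
    for step in triage(SAMPLE_LOG, "spoofed@bank.example"):
        print(step)
```

Feed it the real lines with `qmlog -nl -g <from-address> smtp | grep "CHKUSER accepted sender"` redirected to a file; an empty AUTH field on every line is the "no account name" case Eric describes, which points at tcp.smtp rather than at a password.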




Re: [qmailtoaster] Re: Attack?

2010-06-23 Thread Natalio Gatti
On Wed, Jun 23, 2010 at 4:27 PM, Rafael Andrade wrote:

> My last msg, I will send a new thread
> qmHandle -l
>
> 2450210 (20, R)
>  Return-path: anonym...@metalservice.ind.br
>  From: Itau Informa Todos erros corrigidos <
> comunicacaodigi...@itau-unibanco.com.br>
>  To: pappen@terra.com.br
>  Subject: Atualização do seu aparelho Itoken versão Final sem erros
>  Date: 23 Jun 2010 17:56:45 -
>  Size: 1785 bytes
>
>
I had a similar problem. The best way to obtain information is to see the
headers of the spam mail. You can see them with qmqtool or qmHandle.
In that header you can see if the mails are using an authenticated account.


Re: [qmailtoaster] Re: Attack?

2010-06-23 Thread Rafael Andrade

My last msg, I will send a new thread
qmHandle -l

2450210 (20, R)
 Return-path: anonym...@metalservice.ind.br
 From: Itau Informa Todos erros corrigidos <comunicacaodigi...@itau-unibanco.com.br>
 To: pappen@terra.com.br
 Subject: Atualização do seu aparelho Itoken versão Final sem erros
 Date: 23 Jun 2010 17:56:45 -
 Size: 1785 bytes

2471922 (20, R)
 Return-path: anonym...@metalservice.ind.br
 From: Itau Informa Todos erros corrigidos <comunicacaodigi...@itau-unibanco.com.br>
 To: para.t...@zipmail.com.br
 Subject: Atualização do seu aparelho Itoken versão Final sem erros
 Date: 23 Jun 2010 18:14:16 -
 Size: 1786 bytes

2464033 (20, R)
 Return-path: anonym...@metalservice.ind.br
 From: Itau Informa Todos erros corrigidos <comunicacaodigi...@itau-unibanco.com.br>
 To: paramot...@paraflying.com
 Subject: Atualização do seu aparelho Itoken versão Final sem erros
 Date: 23 Jun 2010 18:07:01 -
 Size: 1787 bytes

2458375 (20, R)
 Return-path: anonym...@metalservice.ind.br
 From: Itau Informa Todos erros corrigidos <comunicacaodigi...@itau-unibanco.com.br>
 To: parkg...@gita.it
 Subject: Atualização do seu aparelho Itoken versão Final sem erros
 Date: 23 Jun 2010 18:03:25 -
 Size: 1778 bytes

2466862 (20, R)
 Return-path: anonym...@metalservice.ind.br
 From: Itau Informa Todos erros corrigidos <comunicacaodigi...@itau-unibanco.com.br>
 To: paragrafamode...@terra.com.br
 Subject: Atualização do seu aparelho Itoken versão Final sem erros
 Date: 23 Jun 2010 18:10:00 -
 Size: 1789 bytes



Eric Shubert wrote:
There's a lot of irrelevant information here. The DENIED messages in 
the smtp log are normal, and a good thing. They have absolutely 
nothing to do with your problem.


Can we please start a new thread for this? Let's back up a bit.

I'd like to see the results from:
# qmHandle -l | head -n20







[qmailtoaster] Re: Attack?

2010-06-23 Thread Eric Shubert
There's a lot of irrelevant information here. The DENIED messages in the 
smtp log are normal, and a good thing. They have absolutely nothing to 
do with your problem.


Can we please start a new thread for this? Let's back up a bit.

I'd like to see the results from:
# qmHandle -l | head -n20

--
-Eric 'shubes'


Re: [qmailtoaster] Re: Attack?

2010-06-23 Thread Rafael Andrade

See more information... the problem continues :(

Jun 23 08:10:41 net spamdyke[29090]: DENIED_OTHER from: (unknown) to: 
anonym...@metalservice.ind.br origin_ip: 64.20.61.10 origin_rdns: 
ip10.njs0.srv.infoex.com auth: (unknown)
Jun 23 08:10:45 net spamdyke[29179]: DENIED_RDNS_MISSING from: (unknown) 
to: anonym...@metalservice.ind.br origin_ip: 200.20.171.117 origin_rdns: 
(unknown) auth: (unknown)
Jun 23 08:11:14 net spamdyke[29237]: DENIED_RDNS_MISSING from: (unknown) 
to: anonym...@metalservice.ind.br origin_ip: 189.2.134.108 origin_rdns: 
(unknown) auth: (unknown)
Jun 23 08:11:30 net spamdyke[29269]: DENIED_RDNS_RESOLVE from: (unknown) 
to: anonym...@metalservice.ind.br origin_ip: 200.182.224.2 origin_rdns: 
kmcdcsrv.kmcasa.com.br auth: (unknown)
Jun 23 08:11:31 net spamdyke[29263]: DENIED_RDNS_RESOLVE from: (unknown) 
to: anonym...@metalservice.ind.br origin_ip: 68.93.216.4 origin_rdns: 
68-93-216-4.ded.swbell.net auth: (unknown)
Jun 23 08:11:39 net spamdyke[29293]: DENIED_RDNS_MISSING from: (unknown) 
to: anonym...@metalservice.ind.br origin_ip: 200.20.171.117 origin_rdns: 
(unknown) auth: (unknown)
Jun 23 08:11:39 net spamdyke[29295]: DENIED_RDNS_MISSING from: (unknown) 
to: anonym...@metalservice.ind.br origin_ip: 200.20.171.117 origin_rdns: 
(unknown) auth: (unknown)
Jun 23 08:11:48 net spamdyke[29314]: DENIED_RDNS_MISSING from: (unknown) 
to: anonym...@metalservice.ind.br origin_ip: 200.228.168.2 origin_rdns: 
(unknown) auth: (unknown)
Jun 23 08:11:56 net spamdyke[29333]: DENIED_RDNS_MISSING from: (unknown) 
to: anonym...@metalservice.ind.br origin_ip: 200.228.168.2 origin_rdns: 
(unknown) auth: (unknown)
Jun 23 08:12:02 net spamdyke[29301]: DENIED_OTHER from: (unknown) to: 
anonym...@metalservice.ind.br origin_ip: 64.20.61.10 origin_rdns: 
ip10.njs0.srv.infoex.com auth: (unknown)
Jun 23 08:25:52 net spamdyke[31546]: DENIED_OTHER from: (unknown) to: 
anonym...@metalservice.ind.br origin_ip: 64.20.61.10 origin_rdns: 
ip10.njs0.srv.infoex.com auth: (unknown)
Jun 23 08:25:55 net spamdyke[31598]: DENIED_RDNS_MISSING from: (unknown) 
to: anonym...@metalservice.ind.br origin_ip: 200.228.168.2 origin_rdns: 
(unknown) auth: (unknown)
Jun 23 08:25:56 net spamdyke[31600]: DENIED_RDNS_RESOLVE from: (unknown) 
to: anonym...@metalservice.ind.br origin_ip: 168.243.205.138 
origin_rdns: ip-cust-sv14138.telefonica-ca.net auth: (unknown)
Jun 23 08:26:31 net spamdyke[31670]: DENIED_RDNS_RESOLVE from: (unknown) 
to: anonym...@metalservice.ind.br origin_ip: 200.182.224.2 origin_rdns: 
kmcdcsrv.kmcasa.com.br auth: (unknown)
Jun 23 08:26:42 net spamdyke[31688]: DENIED_RDNS_MISSING from: (unknown) 
to: anonym...@metalservice.ind.br origin_ip: 200.20.171.117 origin_rdns: 
(unknown) auth: (unknown)
Jun 23 08:27:17 net spamdyke[31726]: DENIED_OTHER from: (unknown) to: 
anonym...@metalservice.ind.br origin_ip: 64.20.61.10 origin_rdns: 
ip10.njs0.srv.infoex.com auth: (unknown)
Jun 23 08:27:32 net spamdyke[31792]: DENIED_RDNS_MISSING from: 
comprascomp...@metalservice.ind.br to: 
comprascomp...@metalservice.ind.br origin_ip: 112.197.96.115 
origin_rdns: (unknown) auth: (unknown)
Jun 23 08:27:42 net spamdyke[31814]: DENIED_RDNS_RESOLVE from: (unknown) 
to: anonym...@metalservice.ind.br origin_ip: 216.86.220.107 origin_rdns: 
216-86-220-107.mminternet.com auth: (unknown)
Jun 23 08:27:43 net spamdyke[31824]: DENIED_RDNS_MISSING from: (unknown) 
to: anonym...@metalservice.ind.br origin_ip: 200.228.168.2 origin_rdns: 
(unknown) auth: (unknown)
Jun 23 08:28:09 net spamdyke[31875]: DENIED_RDNS_MISSING from: (unknown) 
to: anonym...@metalservice.ind.br origin_ip: 200.228.168.2 origin_rdns: 
(unknown) auth: (unknown)
Jun 23 08:28:16 net spamdyke[31893]: DENIED_RDNS_MISSING from: (unknown) 
to: anonym...@metalservice.ind.br origin_ip: 200.203.100.7 origin_rdns: 
(unknown) auth: (unknown)
Jun 23 08:28:42 net spamdyke[31907]: DENIED_OTHER from: (unknown) to: 
anonym...@metalservice.ind.br origin_ip: 64.20.61.10 origin_rdns: 
ip10.njs0.srv.infoex.com auth: (unknown)
Jun 23 08:29:28 net spamdyke[32021]: DENIED_OTHER from: (unknown) to: 
anonym...@metalservice.ind.br origin_ip: 66.7.201.228 origin_rdns: 
uranio.alanet.com.br auth: (unknown)
Jun 23 08:29:30 net spamdyke[32030]: DENIED_RDNS_RESOLVE from: (unknown) 
to: anonym...@metalservice.ind.br origin_ip: 67.143.28.226 origin_rdns: 
host671430022628.direcway.com auth: (unknown)
Jun 23 08:29:35 net spamdyke[32045]: DENIED_RDNS_MISSING from: (unknown) 
to: anonym...@metalservice.ind.br origin_ip: 200.14.68.55 origin_rdns: 
(unknown) auth: (unknown)
Jun 23 08:29:43 net spamdyke[32071]: DENIED_RDNS_MISSING from: (unknown) 
to: anonym...@metalservice.ind.br origin_ip: 200.228.168.2 origin_rdns: 
(unknown) auth: (unknown)
Jun 23 08:29:51 net spamdyke[32086]: DENIED_RDNS_MISSING from: (unknown) 
to: anonym...@metalservice.ind.br origin_ip: 218.247.148.13 origin_rdns: 
(unknown) auth: (unknown)
Jun 23 08:29:59 net spamdyke[32092]: ALLOWED from: 
boun...@mx2.dtdlistas.com.br to: comp...@metalse

Re: [qmailtoaster] Re: Attack?

2010-06-22 Thread David Milholen



On 6/22/2010 5:02 PM, Eric Shubert wrote:
You need to track a message back to the smtp log, and see which user 
account was used to submit it. Then change that password.


If you're having trouble with that, show us some of the queue again, 
and we'll go from there.




This happened to my production machine several months back and it was my 
account that I used for IMAP, which stayed up and connected at all times 
24/7, so all it took was a traffic watch on my public network to see what 
passwd was being used in the clear (bad idea). The server was at its 
knees and calls were coming in from all over the network. I could barely 
read a log file.
Isolate the address in your maillog files. I always do a tail -f 
/var/log/qmail/smtp/current | grep <address in queue>; this will tell you where it's coming from and to.
Look at times and dates in the queue when it was sent. If they are within 
seconds or minutes of each other then that would be a suspect. If it is 
suspect then by reviewing a snapshot of those logs the from 
should be revealed. This is what you are looking for. 
Then do what Eric is saying about the account.
One more step I would take is to do a netstat -an | grep CONNECTED 
| grep :25 to see how many connections are made with the same ip to your 
machine. If more than 3 or 4 then it would be the suspect for triggering 
the attack. Do a lookup on the ip and see if it is listed on any RBLs. 
If so block it with an iptables drop rule.

--Dave
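Dave's netstat step as an added example, not his code: it parses constructed Linux `netstat -an` output (the column layout is an assumption) and reports remote addresses holding more than a few concurrent connections to port 25. On Linux the TCP state column reads ESTABLISHED; CONNECTED is the state shown for unix-domain sockets, so the filter below keys on ESTABLISHED.

```python
"""Count established SMTP connections per remote address from netstat output.

Added example, not code from the thread. Assumed Linux 'netstat -an' layout:
  Proto Recv-Q Send-Q Local Address Foreign Address State
with IPv4 'ip:port' columns. The sample output below is constructed.
"""
from collections import Counter


def smtp_connections(netstat_lines, local_port=25):
    """Map remote IP -> number of ESTABLISHED TCP connections to local_port."""
    counts = Counter()
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6"):
            continue                     # header, unix sockets, UDP
        local, remote, state = fields[3], fields[4], fields[5]
        if state != "ESTABLISHED":
            continue                     # LISTEN, TIME_WAIT, ... are not live sessions
        if local.rsplit(":", 1)[1] != str(local_port):
            continue
        counts[remote.rsplit(":", 1)[0]] += 1
    return counts


def suspects(netstat_lines, threshold=3, local_port=25):
    """Remote IPs with more than `threshold` concurrent SMTP sessions, busiest first."""
    return [(ip, n)
            for ip, n in smtp_connections(netstat_lines, local_port).most_common()
            if n > threshold]


# Constructed snapshot: one remote host holding four port-25 sessions,
# one normal sender, plus non-SMTP and non-established rows to be ignored.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 198.51.100.9:25         203.0.113.5:40211       ESTABLISHED
tcp        0      0 198.51.100.9:25         203.0.113.5:40212       ESTABLISHED
tcp        0      0 198.51.100.9:25         203.0.113.5:40213       ESTABLISHED
tcp        0      0 198.51.100.9:25         203.0.113.5:40214       ESTABLISHED
tcp        0      0 198.51.100.9:25         192.0.2.77:51000        ESTABLISHED
tcp        0      0 198.51.100.9:25         192.0.2.78:51001        TIME_WAIT
tcp        0      0 198.51.100.9:22         192.0.2.10:60000        ESTABLISHED
tcp        0      0 198.51.100.9:587        203.0.113.5:40300       ESTABLISHED
""".splitlines()

if __name__ == "__main__":
    for ip, n in suspects(SAMPLE_NETSTAT):
        print(f"{ip}: {n} concurrent connections to :25 (check RBLs, consider blocking)")
```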







[qmailtoaster] Re: Attack?

2010-06-22 Thread Eric Shubert
You need to track a message back to the smtp log, and see which user 
account was used to submit it. Then change that password.


If you're having trouble with that, show us some of the queue again, and 
we'll go from there.





--
-Eric 'shubes'






Re: [qmailtoaster] Re: Attack?

2010-06-22 Thread Rafael Andrade

The problem continues :(

The queue is full of messages again






Re: [qmailtoaster] Re: Attack?

2010-06-22 Thread David Milholen




On 06/22/2010 01:43 PM, Eric Shubert wrote:
I'm guessing then that they all came from a single submission. ?
What are the rest of the messages in the smtp log right after that one?
# qmlog -lc anonym...@metalservice smtp
will take you right to it in the smtp log.

Also, they came from 127.0.0.2. That looks suspicious. Perhaps your
apache server has been cracked.

I would get rid of the 127.: line in /etc/tcprules.d/tcp.smtp, then
# qmailctl cdb

Then, in order for squirrelmail to be able to submit, change SM
configuration to use authentication by adding this to your
/etc/squirrelmail/config_local.php file:

$smtpServerAddress  = 'localhost';
$smtpPort   = 587;
$smtp_auth_mech = 'login';

then restart apache:
# service httpd restart


Eric,
 thanks for this one to remind me to do this on the new machine I have.
I am still taking notes so if I have to build out again I will not have
to rely on my brain LOL
 --Dave


-- 

David Milholen
Project Engineer
501-318-1300
Wireless Etc







Re: [qmailtoaster] Re: Attack?

2010-06-22 Thread Rafael Andrade

Now my new tcp.smtp, and qmailctl cdb done.
192.168.1.:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="120",CHKUSER_WRONGRCPTLIMIT="10",DKVERIFY="DEGIJKfh",QMAILQUEUE="/var/qmail/bin/simscan",DKQUEUE="",DKSIGN="/var/qmail/control/domainkeys/%/private",NOP0FCHECK="1"
189.72.77.72:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="120",CHKUSER_WRONGRCPTLIMIT="10",DKVERIFY="DEGIJKfh",QMAILQUEUE="/var/qmail/bin/simscan",DKQUEUE="",DKSIGN="/var/qmail/control/domainkeys/%/private",NOP0FCHECK="1"
:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/simscan",DKSIGN="/var/qmail/control/domainkeys/%/private",NOP0FCHECK="1"

I disabled my roundcube (yes, it is up-to-date, and now that it is disabled my 
users don't use webmail, but to access the webmail page you need htpasswd in apache).


Thanks so much Eric




Eric Shubert wrote:
Your 192.168.1. subnet is an open relay. I'd shut that down, at least 
for the time being. What's coming from there?


What's in your smtp log that corresponds to the messages in the queue? 
That should give an indication of where they're coming from.


Roundcube had some security issues at one point some time ago. Is your 
roundcube up to date?








[qmailtoaster] Re: Attack?

2010-06-22 Thread Eric Shubert
Your 192.168.1. subnet is an open relay. I'd shut that down, at least 
for the time being. What's coming from there?


What's in your smtp log that corresponds to the messages in the queue? 
That should give an indication of where they're coming from.


Roundcube had some security issues at one point some time ago. Is your 
roundcube up to date?


--
-Eric 'shubes'
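Eric's diagnosis above (a RELAYCLIENT rule for the 192.168.1. prefix turns that network into a relay, and the stock 127.: line does the same for anything running on the box) as an added example, not code from the thread or the qmailtoaster project. It parses tcp.smtp rules in the tcprules shape `PREFIX:allow,VAR="value",...` (an assumption about the format) and flags every rule that grants relaying without SMTP AUTH; the rule sets are constructed, modelled on the ones posted in this thread.

```python
"""Audit tcp.smtp (tcprules) for rules that grant relaying without SMTP AUTH.

Added example, not from the qmailtoaster project. Assumed tcp.smtp line shape:
  PREFIX:allow,VAR="value",VAR2="value"
where PREFIX is a full IP, an IP prefix ending in '.', or empty (the default
rule matching every client). RELAYCLIENT="" makes qmail-smtpd relay for that
client with no authentication, so the audit flags it on anything broader than
a single host. The rule sets below are constructed, modelled on the thread.
"""
import re

VAR_RE = re.compile(r'([A-Z0-9_]+)="([^"]*)"')


def parse_rule(line):
    """Split 'prefix:action,VAR="v",...' into (prefix, action, {VAR: v}); None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    prefix, _, rest = line.partition(":")
    action, _, envs = rest.partition(",")
    return prefix, action, dict(VAR_RE.findall(envs))


def relay_risk(prefix, action, env):
    """Reason this rule is a relay exposure, or None if it is fine."""
    if action != "allow" or "RELAYCLIENT" not in env:
        return None                      # relaying requires SMTP AUTH here
    if prefix == "":
        return "open relay: RELAYCLIENT on the default rule (every client)"
    if prefix.startswith("127."):
        return "relay for loopback: any local process, e.g. a cracked web app, can inject mail"
    if prefix.endswith("."):
        return f"relay for the whole {prefix}* network without SMTP AUTH"
    return None                          # single trusted host: acceptable by design


def audit(lines):
    """Return [(line_no, prefix, reason)] for every risky rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        parsed = parse_rule(line)
        if parsed is None:
            continue
        reason = relay_risk(*parsed)
        if reason:
            findings.append((n, parsed[0], reason))
    return findings


# Constructed: the shape Rafael posted (LAN relay) plus the stock 127.: line.
WEAK_RULES = [
    '192.168.1.:allow,RELAYCLIENT="",CHKUSER_RCPTLIMIT="120",QMAILQUEUE="/var/qmail/bin/simscan"',
    '127.:allow,RELAYCLIENT="",CHKUSER_RCPTLIMIT="120"',
    '189.72.77.72:allow,CHKUSER_RCPTLIMIT="120"',
    ':allow,CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/simscan"',
]

# Constructed hardened set: no RELAYCLIENT anywhere, so every client,
# including webmail on localhost, has to authenticate (port 587) to relay.
HARDENED_RULES = [
    '192.168.1.:allow,CHKUSER_RCPTLIMIT="120",QMAILQUEUE="/var/qmail/bin/simscan"',
    '189.72.77.72:allow,CHKUSER_RCPTLIMIT="120"',
    ':allow,CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/simscan"',
]

if __name__ == "__main__":
    for line_no, prefix, reason in audit(WEAK_RULES):
        print(f"tcp.smtp line {line_no} ({prefix or '<default>'}): {reason}")
    print("hardened findings:", audit(HARDENED_RULES))
```

After editing the file, `qmailctl cdb` rebuilds the compiled rules, as Eric notes; the audit only reads the text file, never the cdb.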





Re: [qmailtoaster] Re: Attack?

2010-06-22 Thread Rafael Andrade

Look at my tcp.smtp
192.168.1.:allow,RELAYCLIENT="",BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="120",CHKUSER_WRONGRCPTLIMIT="10",DKVERIFY="DEGIJKfh",QMAILQUEUE="/var/qmail/bin/simscan",DKQUEUE="",DKSIGN="/var/qmail/control/domainkeys/%/private",NOP0FCHECK="1"
189.72.77.72:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="120",CHKUSER_WRONGRCPTLIMIT="10",DKVERIFY="DEGIJKfh",QMAILQUEUE="/var/qmail/bin/simscan",DKQUEUE="",DKSIGN="/var/qmail/control/domainkeys/%/private",NOP0FCHECK="1"
:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/simscan",DKSIGN="/var/qmail/control/domainkeys/%/private",NOP0FCHECK="1"

In 3 seconds my queue grew to more than 13k emails

[r...@net www]# qmailctl queue
messages in queue: 5474
messages in queue but not yet preprocessed: 5474
[r...@net www]# qmailctl queue
messages in queue: 6002
messages in queue but not yet preprocessed: 6003
[r...@net www]# qmailctl queue
messages in queue: 6096
messages in queue but not yet preprocessed: 6097
[r...@net www]# qmailctl queue
messages in queue: 6169
messages in queue but not yet preprocessed: 6169
[r...@net www]# qmailctl queue
messages in queue: 13531
messages in queue but not yet preprocessed: 13531
I don't use squirrel, I use roundcube, and now I stopped roundcube too.

Any idea? :(
Thanks mans









[qmailtoaster] Re: Attack?

2010-06-22 Thread Eric Shubert

I'm guessing then that they all came from a single submission?
What are the rest of the messages in the smtp log right after that one?
# qmlog -lc anonym...@metalservice smtp
will take you right to it in the smtp log.

Also, they came from 127.0.0.2. That looks suspicious. Perhaps your 
apache server has been cracked.


I would get rid of the 127.: line in /etc/tcprules.d/tcp.smtp, then
# qmailctl cdb

Then, in order for squirrelmail to be able to submit, change SM 
configuration to use authentication by adding this to your 
/etc/squirrelmail/config_local.php file:

$smtpServerAddress  = 'localhost';
$smtpPort   = 587;
$smtp_auth_mech = 'login';

then restart apache:
# service httpd restart

--
-Eric 'shubes'


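Added example (mine, not code from the thread or from the qmailtoaster project): a small Python model of how tcpserver picks a tcp.smtp rule for a connecting IP, used to show why the 127.: line Eric says to remove matters. tcpserver tries the exact IP, then shorter and shorter prefixes ending in a dot, then the empty default rule; host-name (=host) and ident-based rules are left out here. The rule set is constructed from the entries Rafael posted plus a 127.: line carrying RELAYCLIENT="", with the variable lists shortened.

```python
"""Evaluate ucspi-tcp tcprules (tcp.smtp) entries for a connecting IP.

Added example, not from the qmailtoaster thread. It reproduces the IP-based
part of tcpserver's rule lookup: exact IP first, then shorter and shorter
prefixes ending in a dot, then the empty (default) rule. Host-name based
rules (=host) and ident-based rules are not modelled.
"""
import re

# Constructed tcp.smtp, modelled on the rules posted in the thread.
# The 127.: line is the one Eric recommends removing: anything on the
# loopback interface (a cracked web app included) can relay without SMTP AUTH.
TCP_SMTP = """\
127.:allow,RELAYCLIENT="",BADMIMETYPE="",QMAILQUEUE="/var/qmail/bin/simscan"
192.168.1.:allow,RELAYCLIENT="",BADMIMETYPE="",CHKUSER_RCPTLIMIT="120"
189.72.77.72:allow,BADMIMETYPE="",CHKUSER_RCPTLIMIT="120"
:allow,BADMIMETYPE="",CHKUSER_RCPTLIMIT="50",QMAILQUEUE="/var/qmail/bin/simscan"
"""


def parse_rules(text):
    """Return {address_pattern: (action, {VAR: value})} for each rule line."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, rest = line.partition(":")
        action, _, env = rest.partition(",")
        variables = {m.group(1): m.group(2)
                     for m in re.finditer(r'([A-Z0-9_]+)="([^"]*)"', env)}
        rules[pattern] = (action, variables)
    return rules


def match_rule(rules, ip):
    """Return (pattern, action, variables) that tcpserver would pick for ip."""
    candidates = [ip]
    octets = ip.split(".")
    for n in range(len(octets) - 1, 0, -1):      # 1.2.3. then 1.2. then 1.
        candidates.append(".".join(octets[:n]) + ".")
    candidates.append("")                         # the default rule
    for pat in candidates:
        if pat in rules:
            action, variables = rules[pat]
            return pat, action, variables
    return None


def relays_without_auth(rules, ip):
    """True if ip may relay outbound mail with no SMTP AUTH at all."""
    hit = match_rule(rules, ip)
    return hit is not None and hit[1] == "allow" and "RELAYCLIENT" in hit[2]


def hardened(text):
    """Drop any rule that hands RELAYCLIENT to the loopback network."""
    keep = []
    for line in text.splitlines():
        pattern = line.partition(":")[0]
        if pattern.startswith("127.") and 'RELAYCLIENT=""' in line:
            continue
        keep.append(line)
    return "\n".join(keep) + "\n"


if __name__ == "__main__":
    before = parse_rules(TCP_SMTP)
    after = parse_rules(hardened(TCP_SMTP))
    for ip in ("127.0.0.2", "192.168.1.20", "189.72.77.72", "203.0.113.5"):
        print(ip, match_rule(before, ip)[0] or "(default)",
              "relay-no-auth:", relays_without_auth(before, ip),
              "-> after fix:", relays_without_auth(after, ip))
```

Any rule with RELAYCLIENT set lets a client relay to the world with no SMTP AUTH at all, so a web application that can open a socket to localhost:25 becomes a spam source the moment it is cracked. Rebuild the cdb with qmailctl cdb after editing the file, as Eric says; note that the 192.168.1. entry carries the same exposure for any LAN host that gets compromised, which is why authenticated submission on 587 for the webmail is the better shape.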





   

Re: [qmailtoaster] Re: Attack?

2010-06-22 Thread Rafael Andrade
[r...@net ~]# qmlog -nl -g anonym...@metalservice smtp | grep "CHKUSER 
accepted sender"
06-22 14:57:16 CHKUSER accepted sender: from 
 remote 
 rcpt <> : sender accepted


It only shows one entry. :(










[qmailtoaster] Re: Attack?

2010-06-22 Thread Eric Shubert

Rafael Andrade wrote:

[r...@net metalservice.ind.br]# qmailctl queue | wc -l
86325 :(

[r...@net metalservice.ind.br]# qmailctl queue | head -n 50
messages in queue: 40591
messages in queue but not yet preprocessed: 15
22 Jun 2010 15:46:19 GMT  #2467164  1456  
   remote  mat...@mikrus.com.br
22 Jun 2010 15:09:18 GMT  #3087267  1459  
   remote  robertajard...@yahoo.com.br
22 Jun 2010 15:37:38 GMT  #2461644  1463  
   remote  mate...@cetesbnet.sp.gov.br
22 Jun 2010 15:45:28 GMT  #2447016  1457  
   remote  mati...@joinet.com.br
22 Jun 2010 15:49:08 GMT  #3069258  1461  
   remote  mattaro...@psibo.unibo.it
22 Jun 2010 15:38:28 GMT  #2462288  2835  <#...@[]>
   remote  postmas...@net
22 Jun 2010 15:44:16 GMT  #2465807  1455  
   remote  mati...@is-koeln.de
22 Jun 2010 15:28:35 GMT  #2455112  1451  
   remote  rodolfo...@uol.com.br
22 Jun 2010 15:46:45 GMT  #2467555  1454  
   remote  matildene...@msn.com
22 Jun 2010 15:02:44 GMT  #3069603  1454  
   remote  roberto.come...@bol.com.br
22 Jun 2010 15:42:13 GMT  #2464565  1460  
   remote  matoso.sona...@gmail.com
22 Jun 2010 15:34:11 GMT  #2443198  2872  <#...@[]>
   remote  postmas...@net
22 Jun 2010 15:50:15 GMT  #2470591  1459  
   remote  mat...@sum.desktop.com.br
22 Jun 2010 15:53:22 GMT  #2450535  1465  
   local   metalservice.ind.br-audito...@metalservice.ind.br
   remote  matilhaproduc...@terra.com.br
22 Jun 2010 15:56:32 GMT  #2506264  1452  
   local   metalservice.ind.br-audito...@metalservice.ind.br
   remote  matr...@uol.com.br
22 Jun 2010 15:53:25 GMT  #2448971  1457  
   local   metalservice.ind.br-audito...@metalservice.ind.br
   remote  matle...@terra.com.br
22 Jun 2010 15:43:26 GMT  #2465278  1458  
   remote  mat...@infraero.gov.br
22 Jun 2010 15:38:51 GMT  #2462702  1459  
   remote  mat...@dequi.eel.usp.br

How can I delete all msgs to anonym...@metalservice.ind.br using 
qmail-remove (syntax?)


Thanks so much again




I think that
# qmHandle -tf "anonym...@metalservice.ind.br"
will clean them out. I think you should do
# qmailctl stop
first, then start qmail back up when qmHandle completes.

Then you need to find out which account is being used to authenticate.

# qmlog -nl -g anonym...@metalservice smtp \
> | grep "CHKUSER accepted sender" | head -n10

This will show you the first 10 occurrences of messages that were 
submitted with that user id. You should see something like:
06-07 02:58:23 CHKUSER accepted sender: from 
 ...


The ??...@??? part is the account name that was used to 
authenticate. Change that password, and you should no longer get more 
spam messages from this spammer.


Then re-do the qmHandle command again to clean out any messages that 
came in since the first time you ran it.


I'm presuming here that you have only one account/pw that's been 
compromised. You might want to do something like

# qmlog -nl -g anonym...@metalservice smtp \
> | grep "CHKUSER accepted sender" | grep -v "??...@???"
That will spit out any other account names that might have been used. If 
there was only one compromised account, this command will return nothing.


--
-Eric 'shubes'
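Added example, not part of any reply in the thread: the tally Eric does by hand with qmlog, grep and head, done in one pass over the chkuser lines so that every authenticating account shows up at once. The log layout is taken from the sample in Eric's reply and is assumed to be from <envelope-sender:auth-account>, with an empty account meaning the message was submitted without SMTP AUTH; the lines, accounts and IPs are constructed for the example.

```python
"""Find which SMTP AUTH account a spam run used, from qmail-smtpd chkuser log lines.

Added example, not part of the thread. Log format assumed from the sample in
Eric's reply: 'CHKUSER accepted sender: from <sender:authuser> remote
<helo:rdns:ip> rcpt <> : sender accepted'. The part after the colon in the
from field is the authenticated account; an empty part means no SMTP AUTH.
"""
import re
from collections import Counter

CHKUSER_RE = re.compile(
    r"CHKUSER accepted sender: from <(?P<sender>[^:>]*):(?P<auth>[^>]*)> "
    r"remote <(?P<remote>[^>]*)> rcpt <(?P<rcpt>[^>]*)>"
)

# Constructed log lines (timestamps, accounts and IPs invented for the example).
SAMPLE_LOG = """\
06-22 14:57:16 CHKUSER accepted sender: from <anonymous@example.com:joao@example.com> remote <ws01:unknown:203.0.113.10> rcpt <> : sender accepted
06-22 14:57:17 CHKUSER accepted sender: from <anonymous@example.com:joao@example.com> remote <ws01:unknown:203.0.113.10> rcpt <> : sender accepted
06-22 14:58:02 CHKUSER accepted sender: from <anonymous@example.com:maria@example.com> remote <pc7:unknown:198.51.100.4> rcpt <> : sender accepted
06-22 14:58:40 CHKUSER accepted sender: from <anonymous@example.com:> remote <localhost:localhost:127.0.0.2> rcpt <> : sender accepted
06-22 14:59:01 CHKUSER accepted sender: from <boss@example.com:boss@example.com> remote <mac:unknown:198.51.100.9> rcpt <> : sender accepted
06-22 14:59:05 CHKUSER rejected sender: from <x@example.org:> remote <spam:unknown:203.0.113.7> rcpt <> : sender rejected
"""


def parse_accepted(lines):
    """Yield (sender, auth_account, remote) for each accepted-sender line."""
    for line in lines:
        m = CHKUSER_RE.search(line)
        if m:
            yield m.group("sender"), m.group("auth"), m.group("remote")


def auth_accounts_for(lines, sender):
    """Counter of authenticated accounts used to submit mail as `sender`.
    More than one key means more than one compromised password."""
    return Counter(auth for s, auth, _ in parse_accepted(lines)
                   if s == sender and auth)


def unauthenticated_sources(lines, sender):
    """Peer IPs that submitted mail as `sender` with no SMTP AUTH at all,
    i.e. they were let in by RELAYCLIENT from tcp.smtp, not by a password."""
    return sorted({remote.rsplit(":", 1)[-1]
                   for s, auth, remote in parse_accepted(lines)
                   if s == sender and not auth})


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    spoofed = "anonymous@example.com"
    for account, n in auth_accounts_for(lines, spoofed).most_common():
        print("%-24s %d messages" % (account, n))
    print("no-auth sources:", unauthenticated_sources(lines, spoofed))
```

Feed it the output of qmlog -nl -g <sender> smtp. Every key in the Counter is a password to change; any IP returned by unauthenticated_sources means the peer relayed on the strength of tcp.smtp, so changing passwords alone will not stop it.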






Re: [qmailtoaster] Re: Attack?

2010-06-22 Thread senthil vel
Hi Eric,

In Linux and administration work, there are many paths to a single
destination. Thanks for pointing out the smartest way.

Hi Rafael,

cat /var/log/qmail/smtp/*  | grep -i prittyg...@yahoo.com.br (empty)

cat /var/log/qmail/submission/*  | grep -i prittyg...@yahoo.com.br
(empty)

Instead of using 'prittyg...@yahoo.com.br', can you check with some other
mail id which is very recent in the spam queue?

In general, each log file inside /var/log/qmail will grow up to 1Mb by
default and 100 log files will be preserved. So on some busy servers we can
only find logs for a few hours. On your server, what is the oldest log file
in the smtp folder?

--Senthilvel.

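Added example (mine, not from the thread) for Senthil's question about the oldest file in the smtp log directory. multilog names each rotated file after the TAI64N time at which it was closed, so decoding the oldest name gives the earliest moment the logs still cover; the code below decodes such a label and checks whether a queue timestamp falls inside the retained window. The directory listing is constructed; the TAI-UTC offset of 34 seconds is the one in force for 2009-2012 dates, and because a label marks when a file was closed its first lines are a little older than the decoded time.

```python
"""Work out how far back the multilog files under /var/log/qmail/smtp reach.

Added example, not from the thread. multilog names rotated files after the
TAI64N time at which they were closed: '@' + 16 hex digits of seconds offset
by 2^62 + 8 hex digits of nanoseconds, with a '.s' suffix ('.u' for a file
left unfinished by a crash). The oldest such name is where coverage starts.
"""
from datetime import datetime, timedelta, timezone

TAI64_EPOCH = 1 << 62
TAI_MINUS_UTC = 34  # leap-second offset in force from 2009-01-01 to 2012-07-01


def tai64n_to_utc(label):
    """Decode a multilog label such as '@400000004c1ffd2200000000' to UTC."""
    hexpart = label.lstrip("@")
    if len(hexpart) < 16:
        raise ValueError("not a TAI64N label: %r" % label)
    secs = int(hexpart[:16], 16) - TAI64_EPOCH - TAI_MINUS_UTC
    nanos = int(hexpart[16:24] or "0", 16)
    return (datetime.fromtimestamp(secs, tz=timezone.utc)
            + timedelta(microseconds=nanos // 1000))


def utc_to_tai64n(dt):
    """Inverse of tai64n_to_utc, used here to build the sample listing."""
    secs = int(dt.replace(tzinfo=timezone.utc).timestamp()) + TAI_MINUS_UTC + TAI64_EPOCH
    return "@%016x%08x" % (secs, dt.microsecond * 1000)


def coverage(filenames, now):
    """Return (oldest_rotation_time, hours_of_history) for a multilog listing."""
    labels = sorted(f[:-2] for f in filenames
                    if f.startswith("@") and f.endswith((".s", ".u")))
    if not labels:
        return None, 0.0
    oldest = tai64n_to_utc(labels[0])
    return oldest, (now - oldest).total_seconds() / 3600.0


def covers(filenames, now, when):
    """True if a log line stamped `when` could still be on disk."""
    oldest, _ = coverage(filenames, now)
    return oldest is not None and when >= oldest


# Constructed listing: 100 files rotated every 3 minutes (a busy server filling
# 1 MB that fast) span only 5 hours, which is Senthil's warning.
NOW = datetime(2010, 6, 22, 18, 0, 0, tzinfo=timezone.utc)
LISTING = ["current", "lock", "state"] + [
    utc_to_tai64n(NOW - timedelta(minutes=3 * i)) + ".s" for i in range(1, 101)
]

if __name__ == "__main__":
    oldest, hours = coverage(LISTING, NOW)
    print("oldest rotated file closed at %s UTC, %.1f hours of history" % (oldest, hours))
    queued = datetime(2010, 6, 21, 22, 45, 2, tzinfo=timezone.utc)
    print("queue entry from %s still covered: %s" % (queued, covers(LISTING, NOW, queued)))
```

Run it against ls /var/log/qmail/smtp to see whether the log window still reaches the queue timestamps you are hunting for; if it does not, the tcpserver log for those submissions is gone and the remaining evidence is the queue itself. Raising the size or count in the multilog run script buys a longer window.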

[qmailtoaster] Re: Attack?

2010-06-22 Thread Eric Shubert

senthil vel wrote:

Not sure what is going on. Some other spamdyke gurus may help.

How many mails are there in the queue now?

If the mail queue is still large, use qmail-remove to remove the mails 
in the queue. If qmail-remove is not installed, please follow this.


*Install Qmail-Remove*

First you need to download the latest version from here; the current 
version is Qmail-Remove 0.95


Download using the following command

#wget 
http://www.linuxmagic.com/opensource/qmail/qmail-remove/qmail-remove-0.95.tar.gz


Now you have the qmail-remove-0.95.tar.gz file and you need to extract it 
using the following command


#tar -zxvf qmail-remove-0.95.tar.gz

Now you should have a qmail-remove-0.95 folder; go into the directory and 
run the following commands


#make

#make install

This will complete the installation.

Now you need to create a directory named “yanked” in the qmail queue 
directory you intend to use before using this program.


#mkdir /var/qmail/queue/yanked

*Using qmail-remove*

*Syntax*

qmail-remove [options]

*Available options*

-e use extended POSIX regular expressions

-h, -? this help message

-i search case insensitively [default: case sensitive]

-n limit our search to the first bytes of each file

-p specify the pattern to search for

-q specify the base qmail queue dir [default: /var/qmail/queue]

-r actually remove files, without this we’ll only print them

-s specify your conf-split value if non-standard [default: 23]

-v increase verbosity (can be used more than once)

-y directory to put files yanked from the queue [default: /yanked]

-X modify timestamp on matching files, to make qmail expire mail; is the 
number of seconds we want to move the file into the past. Specifying a 
value of 0 causes this to default to (604800)


-x modify timestamp on matching files, to make qmail expire mail is a 
date/time string in the format of output of the “date” program.


*Examples for qmail-remove*


To delete mails from the queue,


# qmail-remove -r -p gtre.ac.net 

324001: yes
moved mess/0/324001 to yanked/324001.mess
moved remote/0/324001 to yanked/324001.remote
moved info/0/324001 to yanked/324001.info 
324024: yes
moved mess/0/324024 to yanked/324024.mess
moved remote/0/324024 to yanked/324024.remote
moved info/0/324024 to yanked/324024.info 

This will remove all emails in the queue with "gtre.ac.net" in them and 
place them in the /var/qmail/queue/yanked folder.


This is how we are using qmail-remove; there may be some other, smarter 
way to use this...


As all the spam mails have the same from address 
anonym...@metalservice.ind.br, 
append this mail id to the /var/qmail/control/badmailfrom file or 
/var/qmail/control/badmailto. This will be a temporary solution.




qmail-remove looks like a handy tool.

Short of that, you can use qmHandle (part of QTP) to remove messages in 
the queue. It can delete messages according to the contents of from, to, 
or subject.


FWIW, I agree that it's likely that a spammer obtained the password to 
one of your accounts, and is using it to submit messages. I'm going to 
butt out though, and let Senthil help you out. ;)


--
-Eric 'shubes'






[qmailtoaster] Re: Attack?

2010-06-22 Thread Eric Shubert

senthil vel wrote:
The message posted from /var/log/qmail/smtp/current does not have any 
information regarding this issue.


Step 1. #qmailctl queue

It will show the mails in the queue. For example, I am pasting the 
output you posted in your first mail.


21 Jun 2010 22:45:02 GMT  #3087267  1435
  remote  prittyg...@yahoo.com.br
21 Jun 2010 22:34:44 GMT  #3069258  1430
  remote  prisci...@terra.com.br
21 Jun 2010 22:44:39 GMT  #3079585  1439
  remote  priscillame...@yahoo.com.br
22 Jun 2010 00:02:57 GMT  #2443198  1438
  remote  qeezajtze...@stargate5.com


Select a mail id which is in the 'remote' field. For example, let us take 
prittyg...@yahoo.com.br.


Step 2. Use the grep command to search for the mail id we collected in the 
first step.


grep -i 'prittyg...@yahoo.com.br' /var/log/qmail/smtp/current


If no results are found, check the time of the mail in the queue (21 Jun 2010 
22:45:02) for this mail, then check the log file which has this 
time stamp. To do this, go to /var/log/qmail/smtp/


#cd /var/log/qmail/smtp/
#ll  or # ls -l

Check the log file for the appropriate date and time.

If that does not work,

use,

grep -i 'prittyg...@yahoo.com.br' /var/log/qmail/smtp/*
grep -i 'prittyg...@yahoo.com.br' /var/log/qmail/submission/*


This may take a long time and server resources. It will show the log for 
the origin of the mail.


--Senthilvel.



Alternatively, you could simply:
# qmlog -lc prittyg...@yahoo smtp
# qmlog -lc prittyg...@yahoo submission

Let qmlog do the work. ;)

--
-Eric 'shubes'






[qmailtoaster] Re: Attack?

2010-06-22 Thread Eric Shubert

Rafael Andrade wrote:

Look in /var/log/maillog

Jun 22 09:02:10 net spamdyke[5028]: DENIED_RDNS_MISSING from: (unknown) 
to: anonym...@client.ind.br origin_ip: 189.2.134.108 origin_rdns: 
(unknown) auth: (unknown)
Jun 22 09:02:11 net spamdyke[5024]: DENIED_RDNS_MISSING from: 
affectionatevb...@semagroup.sema.se to: r...@metalservice.ind.br 
origin_ip: 79.189.227.34 origin_rdns: (unknown) auth: (unknown)
Jun 22 09:02:14 net spamdyke[5025]: DENIED_RDNS_MISSING from: 
il...@neofiber.com.br to: il...@client.com.br origin_ip: 80.184.67.122 
origin_rdns: (unknown) auth: (unknown)
Jun 22 09:02:14 net spamdyke[5026]: DENIED_RDNS_RESOLVE from: (unknown) 
to: anonym...@client.ind.br origin_ip: 209.113.141.35 origin_rdns: 
mlsvr01.mindleaf.com auth: (unknown)
Jun 22 09:02:44 net spamdyke[5033]: DENIED_RDNS_MISSING from: (unknown) 
to: anonym...@client.ind.br origin_ip: 200.143.203.70 origin_rdns: 
(unknown) auth: (unknown)
Jun 22 09:02:50 net spamdyke[5032]: DENIED_OTHER from: 
rgper...@fibria.com.br to: anonym...@client.ind.br origin_ip: 
200.185.80.78 origin_rdns: smtp4.votorantim.com.br auth: (unknown)
Jun 22 09:03:09 net spamdyke[5043]: DENIED_RDNS_MISSING from: (unknown) 
to: anonym...@client.ind.br origin_ip: 202.181.238.101 origin_rdns: 
(unknown) auth: (unknown)
Jun 22 09:03:26 net spamdyke[5046]: DENIED_RDNS_MISSING from: (unknown) 
to: anonym...@client.ind.br origin_ip: 200.14.68.55 origin_rdns: 
(unknown) auth: (unknown)
Jun 22 09:03:30 net spamdyke[5050]: DENIED_RDNS_MISSING from: (unknown) 
to: anonym...@client.ind.br origin_ip: 200.228.168.2 origin_rdns: 
(unknown) auth: (unknown)
Jun 22 09:03:42 net spamdyke[5106]: DENIED_RDNS_MISSING from: (unknown) 
to: anonym...@client.ind.br origin_ip: 200.228.168.2 origin_rdns: 
(unknown) auth: (unknown)
Jun 22 09:03:53 net spamdyke[5108]: DENIED_RBL_MATCH from: (unknown) to: 
anonym...@client.ind.br origin_ip: 201.76.223.15 origin_rdns: 
send.wnetrj.com.br auth: (unknown)



Are the IPs spoofing?
Actually I'm not using port 587.
I'm using vpopmail to auth my users.

Thanks so much!!




These messages are normal spam rejections. They correspond to messages 
that would not have made it into the queue. IOW, these messages have no 
correlation to the flood of spam that made it into your queue.


The messages in the queue will have had corresponding "ALLOWED" messages 
in the smtp log.

--
-Eric 'shubes'
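Added example (mine, not the thread's) of the correlation Eric describes: every message that reached the queue has an ALLOWED line, while the DENIED_* lines Rafael pasted never produced a queue entry. The queue layout follows the qmailctl queue listing earlier in the thread (with the sender in angle brackets, which the archive stripped) and the log layout follows the posted maillog excerpt. It is assumed that ALLOWED lines carry the same from/to/origin_ip/origin_rdns/auth fields with the SMTP AUTH user in auth:, and that both clocks are in the same zone; the sample data is constructed.

```python
"""Correlate queued messages with the spamdyke ALLOWED lines that let them in.

Added example, not from the thread. DENIED_* lines are mail that never reached
the queue; each queued message has an ALLOWED line instead, and that line
carries the origin IP and the SMTP AUTH account (or '(unknown)' for none).
The maillog has no year or zone, so the year is taken from the queue listing
and both timestamps are assumed to be in the same zone.
"""
import re
from datetime import datetime, timedelta

QUEUE_HEAD_RE = re.compile(
    r"^(?P<when>\d{1,2} \w{3} \d{4} \d\d:\d\d:\d\d) GMT\s+#(?P<id>\d+)\s+\d+\s+<(?P<sender>[^>]*)>"
)
QUEUE_RCPT_RE = re.compile(r"^\s+(?:remote|local)\s+(?P<rcpt>\S+)")
SPAMDYKE_RE = re.compile(
    r"^(?P<when>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ spamdyke\[\d+\]: (?P<verdict>[A-Z_]+) "
    r"from: (?P<from>\S+) to: (?P<to>\S+) origin_ip: (?P<ip>\S+) origin_rdns: \S+ auth: (?P<auth>\S+)"
)

# Constructed sample data (documentation IPs, invented addresses).
QUEUE_LISTING = """\
messages in queue: 3
messages in queue but not yet preprocessed: 0
22 Jun 2010 15:46:19 GMT  #2467164  1456  <anonymous@example.com>
   remote  victim1@example.net
22 Jun 2010 15:46:45 GMT  #2467555  1454  <anonymous@example.com>
   remote  victim2@example.org
22 Jun 2010 15:50:15 GMT  #2470591  1459  <boss@example.com>
   remote  partner@example.net
"""
MAILLOG = """\
Jun 22 15:46:10 net spamdyke[5028]: DENIED_RDNS_MISSING from: (unknown) to: anonymous@example.com origin_ip: 203.0.113.8 origin_rdns: (unknown) auth: (unknown)
Jun 22 15:46:18 net spamdyke[5031]: ALLOWED from: anonymous@example.com to: victim1@example.net origin_ip: 198.51.100.4 origin_rdns: (unknown) auth: joao@example.com
Jun 22 15:46:44 net spamdyke[5034]: ALLOWED from: anonymous@example.com to: victim2@example.org origin_ip: 127.0.0.2 origin_rdns: localhost auth: (unknown)
Jun 22 15:47:01 net spamdyke[5036]: DENIED_RBL_MATCH from: (unknown) to: anonymous@example.com origin_ip: 203.0.113.9 origin_rdns: (unknown) auth: (unknown)
"""


def parse_queue(text):
    """Return [(when, msgid, sender, [rcpts])] from a qmailctl queue listing."""
    out = []
    for line in text.splitlines():
        m = QUEUE_HEAD_RE.match(line)
        if m:
            when = datetime.strptime(m.group("when"), "%d %b %Y %H:%M:%S")
            out.append((when, m.group("id"), m.group("sender"), []))
            continue
        r = QUEUE_RCPT_RE.match(line)
        if r and out:
            out[-1][3].append(r.group("rcpt"))
    return out


def parse_maillog(text, year):
    """Return [(when, verdict, from, to, ip, auth)]; the year is supplied by the caller."""
    out = []
    for line in text.splitlines():
        m = SPAMDYKE_RE.match(line)
        if m:
            when = datetime.strptime("%d %s" % (year, m.group("when")), "%Y %b %d %H:%M:%S")
            out.append((when, m.group("verdict"), m.group("from"), m.group("to"),
                        m.group("ip"), m.group("auth")))
    return out


def correlate(queue_text, maillog_text, window=timedelta(minutes=2)):
    """Map each queue id to the (origin_ip, auth) of the ALLOWED line that admitted
    it, or None. Matches on sender, recipient and a time window; DENIED lines
    are skipped because they never produced a queue entry."""
    queue = parse_queue(queue_text)
    year = queue[0][0].year if queue else datetime.now().year
    allowed = [e for e in parse_maillog(maillog_text, year) if e[1] == "ALLOWED"]
    result = {}
    for when, msgid, sender, rcpts in queue:
        hit = None
        for lw, _, frm, to, ip, auth in allowed:
            if frm == sender and to in rcpts and abs(lw - when) <= window:
                hit = (ip, auth)
                break
        result[msgid] = hit
    return result


if __name__ == "__main__":
    for msgid, hit in correlate(QUEUE_LISTING, MAILLOG).items():
        print(msgid, "admitted by", hit if hit else "no ALLOWED line in this log window")
```

An auth value other than (unknown) on the matching ALLOWED line is the compromised account; (unknown) together with a loopback or LAN origin_ip points back at tcp.smtp. A queue entry with no match at all usually means the maillog no longer covers that time.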

