RE: [qmailtoaster] qmail machine being spammer help...

2009-09-11 Thread António Pedro Lima
I had one of my servers with this problem.
It was Roundcube and Apache.
Still not sure that I'm safe enough. It didn't happen again so far, and I
hope it won't. I have two other servers, for which I gladly bought a QMT
install CD to prevent any of this :)


Regards,

António Pedro Lima

> -Original Message-
> From: Philip Nix Guru [mailto:phi...@ows.ch]
> Sent: Monday, 31 August 2009 21:20
> To: qmailtoaster-list@qmailtoaster.com
> Subject: Re: [qmailtoaster] qmail machine being spammer help...
> 
> Hello
> We had a lot of those attacks on our web hosting servers in the past,
> and it has only to do with Apache. It is a known, old exploit:
> a spam relay is using Apache to forward data to an open mail relay.
> We check those at router level, but mod_security works fine for a
> single machine.
> 
> Really, it is an old exploit.
> Nothing to worry about regarding the toaster; well, you can always add a
> nice mod_security configuration to take care of all those little exploits.
> 
> 
> 
> 
> Jake Vickers wrote:
> > Eric Shubert wrote:
> >> Thanks Jake. So is this simply an apache configuration issue? Is
> >> there an easy way it can be 'fixed' in a toaster package configuration?
> >>
> >
> > It's actually an issue with the programming of the application
> > (talking about Roundcube here). There are a couple different Apache
> > modules that can be utilized to proxy or filter the PHP code used and
> > help prevent the exploits in the code.
> > I'm sure something could be written into QTP to install any one of
> > those modules if someone wants to lay out a skeleton that can be used
> > as a base for the installation of the module.
> >
> >
> 



-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
  If you need professional help with your setup, contact them today!
-
 Please visit qmailtoaster.com for the latest news, updates, and packages.

  To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
 For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




Re: [qmailtoaster] qmail machine being spammer help...

2009-08-31 Thread Philip Nix Guru

Hello
We had a lot of those attacks on our web hosting servers in the past,
and it has only to do with Apache. It is a known, old exploit:
a spam relay is using Apache to forward data to an open mail relay.
We check those at router level, but mod_security works fine for a
single machine.


Really, it is an old exploit.
Nothing to worry about regarding the toaster; well, you can always add a
nice mod_security configuration to take care of all those little exploits.





Jake Vickers wrote:

Eric Shubert wrote:
Thanks Jake. So is this simply an apache configuration issue? Is 
there an easy way it can be 'fixed' in a toaster package configuration?




It's actually an issue with the programming of the application 
(talking about Roundcube here). There are a couple different Apache 
modules that can be utilized to proxy or filter the PHP code used and 
help prevent the exploits in the code.
I'm sure something could be written into QTP to install any one of 
those modules if someone wants to lay out a skeleton that can be used 
as a base for the installation of the module.












Re: [qmailtoaster] qmail machine being spammer help...

2009-08-31 Thread Jake Vickers

Eric Shubert wrote:
Thanks Jake. So is this simply an apache configuration issue? Is there 
an easy way it can be 'fixed' in a toaster package configuration?




It's actually an issue with the programming of the application (talking 
about Roundcube here). There are a couple different Apache modules that 
can be utilized to proxy or filter the PHP code used and help prevent 
the exploits in the code.
I'm sure something could be written into QTP to install any one of those 
modules if someone wants to lay out a skeleton that can be used as a 
base for the installation of the module.







Re: [qmailtoaster] qmail machine being spammer help...

2009-08-31 Thread Eric Shubert
Thanks Jake. So is this simply an apache configuration issue? Is there 
an easy way it can be 'fixed' in a toaster package configuration?


Jake Vickers wrote:

Eric Shubert wrote:
Is this a vulnerability that needs to be addressed in the stock 
toaster, or is it only due to roundcube?




From the last half-dozen or so servers I've fixed from issues just like 
this, the vulnerability has been because of Roundcube (1 was because of 
other custom-written apps the organization was using).







--
-Eric 'shubes'






Re: [qmailtoaster] qmail machine being spammer help...

2009-08-31 Thread Jake Vickers

Eric Shubert wrote:
Is this a vulnerability that needs to be addressed in the stock 
toaster, or is it only due to roundcube?




From the last half-dozen or so servers I've fixed from issues just like 
this, the vulnerability has been because of Roundcube (1 was because of 
other custom-written apps the organization was using).








Re: [qmailtoaster] qmail machine being spammer help...

2009-08-31 Thread Eric Shubert
Maybe nothing to do with email, but since various toaster packages use 
apache, I would think that there's a relationship.


Philip wrote:

Hello
It is due to Apache.
It's got nothing to do with the toaster.


Eric Shubert wrote:
Is this a vulnerability that needs to be addressed in the stock 
toaster, or is it only due to roundcube?


Philip wrote:

Hello
OK, that's a typical attack :)
Even if you have the proxy disabled, it happens.

What you can do to block this quickly is simply use Apache mod_security
and block CONNECT, something like this:

#Proxy CONNECT Request
SecFilterSelective THE_REQUEST "^CONNECT "





Hajid wrote:
Remove RoundCube, use SquirrelMail. Check your HTTP log; you will
probably find a successful attack on RC (POST method).
For example:
"POST /roundcube/bin/html2text.php HTTP/1.0"

I got this log from apache.

143.127.102.144 - - [27/Jul/2009:02:23:55 +0700] "POST http://143.127.103.23:25/ HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:44 +0700] "CONNECT mtrap.freenet.de:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:45 +0700] "PUT http://mtrap.freenet.de:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:46 +0700] "PUT http://mail.panentour.com:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:47 +0700] "PUT http://localhost:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:47 +0700] "POST http://mtrap.freenet.de:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:48 +0700] "POST http://mail.panentour.com:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:49 +0700] "POST http://localhost:25 HTTP/1.0" 302 - "-" "-"

And check the HTTP error.log; if you find something like "saved", your
server is hacked. :(
Check whether you have /etc/ssh2 or a strange directory in /tmp.
Tripwire could help you, but IMHO it's too late.



--
-Eric 'shubes'






Re: [qmailtoaster] qmail machine being spammer help...

2009-08-31 Thread Philip

Hello
It is due to Apache.
It's got nothing to do with the toaster.


Eric Shubert wrote:
Is this a vulnerability that needs to be addressed in the stock 
toaster, or is it only due to roundcube?


Philip wrote:

Hello
OK, that's a typical attack :)
Even if you have the proxy disabled, it happens.

What you can do to block this quickly is simply use Apache mod_security
and block CONNECT, something like this:

#Proxy CONNECT Request
SecFilterSelective THE_REQUEST "^CONNECT "





Hajid wrote:
Remove RoundCube, use SquirrelMail. Check your HTTP log; you will
probably find a successful attack on RC (POST method).
For example:
"POST /roundcube/bin/html2text.php HTTP/1.0"

I got this log from apache.

143.127.102.144 - - [27/Jul/2009:02:23:55 +0700] "POST http://143.127.103.23:25/ HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:44 +0700] "CONNECT mtrap.freenet.de:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:45 +0700] "PUT http://mtrap.freenet.de:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:46 +0700] "PUT http://mail.panentour.com:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:47 +0700] "PUT http://localhost:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:47 +0700] "POST http://mtrap.freenet.de:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:48 +0700] "POST http://mail.panentour.com:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:49 +0700] "POST http://localhost:25 HTTP/1.0" 302 - "-" "-"

And check the HTTP error.log; if you find something like "saved", your
server is hacked. :(
Check whether you have /etc/ssh2 or a strange directory in /tmp.
Tripwire could help you, but IMHO it's too late.









Re: [qmailtoaster] qmail machine being spammer help...

2009-08-31 Thread Eric Shubert
Is this a vulnerability that needs to be addressed in the stock toaster, 
or is it only due to roundcube?


Philip wrote:

Hello
OK, that's a typical attack :)
Even if you have the proxy disabled, it happens.

What you can do to block this quickly is simply use Apache mod_security
and block CONNECT, something like this:

#Proxy CONNECT Request
SecFilterSelective THE_REQUEST "^CONNECT "





Hajid wrote:
Remove RoundCube, use SquirrelMail. Check your HTTP log; you will
probably find a successful attack on RC (POST method).
For example:
"POST /roundcube/bin/html2text.php HTTP/1.0"

I got this log from apache.

143.127.102.144 - - [27/Jul/2009:02:23:55 +0700] "POST http://143.127.103.23:25/ HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:44 +0700] "CONNECT mtrap.freenet.de:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:45 +0700] "PUT http://mtrap.freenet.de:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:46 +0700] "PUT http://mail.panentour.com:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:47 +0700] "PUT http://localhost:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:47 +0700] "POST http://mtrap.freenet.de:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:48 +0700] "POST http://mail.panentour.com:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:49 +0700] "POST http://localhost:25 HTTP/1.0" 302 - "-" "-"

And check the HTTP error.log; if you find something like "saved", your
server is hacked. :(
Check whether you have /etc/ssh2 or a strange directory in /tmp.
Tripwire could help you, but IMHO it's too late.



--
-Eric 'shubes'






Re: [qmailtoaster] qmail machine being spammer help...

2009-08-31 Thread Philip

Hello
OK, that's a typical attack :)
Even if you have the proxy disabled, it happens.

What you can do to block this quickly is simply use Apache mod_security
and block CONNECT, something like this:

#Proxy CONNECT Request
SecFilterSelective THE_REQUEST "^CONNECT "





Hajid wrote:

Remove RoundCube, use SquirrelMail. Check your HTTP log; you will probably
find a successful attack on RC (POST method).
For example:
"POST /roundcube/bin/html2text.php HTTP/1.0"

I got this log from apache.

143.127.102.144 - - [27/Jul/2009:02:23:55 +0700] "POST http://143.127.103.23:25/ HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:44 +0700] "CONNECT mtrap.freenet.de:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:45 +0700] "PUT http://mtrap.freenet.de:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:46 +0700] "PUT http://mail.panentour.com:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:47 +0700] "PUT http://localhost:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:47 +0700] "POST http://mtrap.freenet.de:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:48 +0700] "POST http://mail.panentour.com:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:49 +0700] "POST http://localhost:25 HTTP/1.0" 302 - "-" "-"

And check the HTTP error.log; if you find something like "saved", your server is
hacked. :(
Check whether you have /etc/ssh2 or a strange directory in /tmp.
Tripwire could help you, but IMHO it's too late.








  


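Philip's SecFilterSelective line above, and Philip Nix Guru's earlier suggestion of "a nice mod_security configuration", shown in fuller form. This is an added example written for this page; it is not configuration that anyone in the thread posted. The first fragment is the weak state (a world-open forward proxy, which is what turns the CONNECT, "PUT http://...:25" and "POST http://...:25" request lines in the log into real connections to port 25); the second is the hardened state. They are alternatives, not to be combined in one file. It assumes Apache 2.4 module paths and access-control syntax (2.2 uses Order/Allow from instead of Require), and the mod_security rule ids and the 192.0.2.0/24 network are placeholders.

```apache
# ---------------------------------------------------------------------------
# WEAK: an open forward proxy. Any client on the Internet can ask this
# server to open host:25 on its behalf and push SMTP through it.
# ---------------------------------------------------------------------------
LoadModule proxy_module         modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
ProxyRequests On
<Proxy "*">
    Require all granted
</Proxy>

# ---------------------------------------------------------------------------
# HARDENED
# ---------------------------------------------------------------------------
# Never act as a forward proxy. ProxyPass / ProxyPassReverse (reverse
# proxying to a local backend) keep working with this set to Off.
ProxyRequests Off

# If a forward proxy really is required, restrict who may use it and which
# ports CONNECT may reach (192.0.2.0/24 is a placeholder network).
# ProxyRequests On
# <Proxy "*">
#     Require ip 192.0.2.0/24
# </Proxy>
# AllowCONNECT 443

# mod_security 1.x (the directive family used in the thread): refuse CONNECT
# and any request line that carries an absolute URI, i.e. proxy-style use,
# regardless of whether mod_proxy is loaded.
SecFilterEngine On
SecFilterDefaultAction "deny,log,status:403"
SecFilterSelective THE_REQUEST "^CONNECT "
SecFilterSelective THE_REQUEST "^[A-Z]+ https?://"

# mod_security 2.x equivalents (rule ids 1001/1002 are arbitrary placeholders).
SecRuleEngine On
SecRule REQUEST_METHOD "^CONNECT$" \
    "id:1001,phase:1,deny,status:403,log,msg:'CONNECT tunnel attempt'"
SecRule REQUEST_URI_RAW "^https?://" \
    "id:1002,phase:1,deny,status:403,log,msg:'absolute-URI (proxy-style) request'"
```

The second filter in each pair is the one that catches the "PUT http://mtrap.freenet.de:25" and "POST http://localhost:25" lines from the log, which the CONNECT-only rule does not. After reloading, a request such as "CONNECT mtrap.freenet.de:25 HTTP/1.0" should come back 403 and appear in the audit log rather than the 302 seen in the thread.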




Re: [qmailtoaster] qmail machine being spammer help...

2009-08-31 Thread Aleksander Podsiadly

On 31.08.2009 10:35, Hajid wrote:

I got this log from apache.

143.127.102.144 - - [27/Jul/2009:02:23:55 +0700] "POST http://143.127.103.23:25/ HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:44 +0700] "CONNECT mtrap.freenet.de:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:45 +0700] "PUT http://mtrap.freenet.de:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:46 +0700] "PUT http://mail.panentour.com:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:47 +0700] "PUT http://localhost:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:47 +0700] "POST http://mtrap.freenet.de:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:48 +0700] "POST http://mail.panentour.com:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:49 +0700] "POST http://localhost:25 HTTP/1.0" 302 - "-" "-"
[...]
   
Error code 302 for a POST means success: a redirect after properly filling in
a form (e.g. logging in to SquirrelMail). You should read the GET lines after
a POST/PUT with code 302. Do you have the Apache proxy module enabled?


--
Pozdrawiam / Regards,
Aleksander Podsiadły
mail: a...@westside.kielce.pl
jid: a...@jabber.westside.kielce.pl
ICQ: 201121279
gg: 9150578






RE: [qmailtoaster] qmail machine being spammer help...

2009-08-31 Thread Hajid

Remove RoundCube, use SquirrelMail. Check your HTTP log; you will probably find
a successful attack on RC (POST method).
For example:
"POST /roundcube/bin/html2text.php HTTP/1.0"

I got this log from apache.

143.127.102.144 - - [27/Jul/2009:02:23:55 +0700] "POST http://143.127.103.23:25/ HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:44 +0700] "CONNECT mtrap.freenet.de:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:45 +0700] "PUT http://mtrap.freenet.de:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:46 +0700] "PUT http://mail.panentour.com:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:47 +0700] "PUT http://localhost:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:47 +0700] "POST http://mtrap.freenet.de:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:48 +0700] "POST http://mail.panentour.com:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:49 +0700] "POST http://localhost:25 HTTP/1.0" 302 - "-" "-"

And check the HTTP error.log; if you find something like "saved", your server is
hacked. :(
Check whether you have /etc/ssh2 or a strange directory in /tmp.
Tripwire could help you, but IMHO it's too late.
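Hajid's access log above, together with Aleksander's question about whether the proxy module is enabled, is the raw material for a triage script. The following is an added example (editor's code, not anything posted in the thread). It parses Apache Common Log Format lines and flags the request shapes that only a client talking to a forward proxy sends: CONNECT host:port, an absolute http:// URI on the request line, a target port of 25, or the host's own loopback as the target; it also flags the POST to /roundcube/bin/html2text.php named above. The eight 195.4.92.4 / 143.127.102.144 lines are copied from the thread; the two 10.0.0.x lines are constructed (one normal page load, one html2text POST). The script judges the shape of the request, not whether Apache actually relayed anything: a 302 on these lines says only that Apache answered with a redirect, so whether mod_proxy is loaded still has to be checked in the configuration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache Common Log Format prefix: client ident user [time] "request" status bytes
_CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Script the thread names as the target of the Roundcube attack.
ROUNDCUBE_ATTACK_PATHS = ("/roundcube/bin/html2text.php",)


def classify_request(request_line):
    """Return the reasons a request line looks like open-proxy / relay abuse.

    An empty list means the request looks like an ordinary origin-server request.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return ["malformed request line"]
    method, target = parts[0], parts[1]
    reasons = []
    host_port = ""

    if method == "CONNECT":
        # CONNECT asks the server to open a raw TCP tunnel to host:port.
        reasons.append("CONNECT tunnel request (forward-proxy use)")
        host_port = target
    elif target.lower().startswith(("http://", "https://")):
        # An absolute URI on the request line is how a client talks to a
        # forward proxy; browsers send an origin server a path, not a URL.
        reasons.append("absolute-URI request (forward-proxy style)")
        host_port = urlsplit(target).netloc
    elif method == "POST" and target.split("?", 1)[0] in ROUNDCUBE_ATTACK_PATHS:
        reasons.append("POST to the Roundcube script named in the thread")

    if host_port:
        host, sep, port = host_port.rpartition(":")
        if not sep:                 # no port given: rpartition put the host in 'port'
            host, port = port, ""
        if port == "25":
            reasons.append("target port 25 (SMTP relay attempt)")
        if host == "localhost" or host.startswith("127."):
            reasons.append("target is this host's own loopback")
    return reasons


def scan_log(lines):
    """Parse CLF lines and return one finding per suspicious request."""
    findings = []
    for line in lines:
        m = _CLF.match(line)
        if not m:
            continue                # not CLF; skip rather than guess
        reasons = classify_request(m.group("request"))
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "request": m.group("request"),
                "status": int(m.group("status")),
                "reasons": reasons,
            })
    return findings


def clients_by_hits(findings):
    """Suspicious requests per client IP, most active first."""
    return Counter(f["ip"] for f in findings).most_common()


# Sample input: the eight lines posted in the thread plus two constructed
# lines (10.0.0.5 is a normal webmail page load, 10.0.0.6 the html2text POST).
LOG_SAMPLE = """\
143.127.102.144 - - [27/Jul/2009:02:23:55 +0700] "POST http://143.127.103.23:25/ HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:44 +0700] "CONNECT mtrap.freenet.de:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:45 +0700] "PUT http://mtrap.freenet.de:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:46 +0700] "PUT http://mail.panentour.com:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:47 +0700] "PUT http://localhost:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:47 +0700] "POST http://mtrap.freenet.de:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:48 +0700] "POST http://mail.panentour.com:25 HTTP/1.0" 302 - "-" "-"
195.4.92.4 - - [14/Aug/2009:01:00:49 +0700] "POST http://localhost:25 HTTP/1.0" 302 - "-" "-"
10.0.0.5 - - [14/Aug/2009:01:02:00 +0700] "GET /roundcube/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.6 - - [14/Aug/2009:01:03:00 +0700] "POST /roundcube/bin/html2text.php HTTP/1.0" 200 55 "-" "-"
"""

if __name__ == "__main__":
    hits = scan_log(LOG_SAMPLE.splitlines())
    for h in hits:
        print(f'{h["ip"]:16} {h["status"]} {h["request"]!r}: {"; ".join(h["reasons"])}')
    print("per client:", clients_by_hits(hits))
```

Run it against a real access_log with scan_log(open("/var/log/httpd/access_log")) and look at the per-client counts first: one client hammering several mail hosts on port 25 within a few seconds, as 195.4.92.4 does here, is the relay-probe pattern, and its IP is the one to block at the router while the Apache configuration is fixed.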








Re: [qmailtoaster] qmail machine being spammer help...

2009-08-31 Thread Aleksander Podsiadly

On 31.08.2009 05:32, Hajid wrote:


My domain panentour.com

* From: * Vidyadhar [mailto:vidyadha...@gmail.com]
*Sent:* Monday, August 31, 2009 10:23 AM
*To:* qmailtoaster-list@qmailtoaster.com
*Subject:* Re: [qmailtoaster] qmail machine being spammer help...

What is your domain name?

Sent on my BlackBerry® from Vodafone Essar

* From *: "Hajid"
*Date*: Mon, 31 Aug 2009 08:37:45 +0700
*To*: 
*Subject*: [qmailtoaster] qmail machine being spammer help...

Hi all, please help me with this spam. My qmail machine is being used as a spammer.

MESSAGE NUMBER 144860
--
Received: (qmail 26019 invoked by uid 30); 26 Aug 2009 21:18:10 -
To: undisclosed-recipients: ;
Subject: Employment Opportunity .
MIME-Version: 1.0
Date: Thu, 27 Aug 2009 04:18:10 +0700
From: "Jiangsu Chemical Co. Ltd" 
Reply-To: dr.jim...@yahoo.co.uk <mailto:dr.jim...@yahoo.co.uk>
Message-ID: <4858311e857373283a28c403d3b24...@localhost>
X-Sender: jiangsuchemicals1...@yahoo.co.uk 
<mailto:jiangsuchemicals1...@yahoo.co.uk>

User-Agent: RoundCube Webmail/0.2
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"

26379 ? S 0:00 qmail-remote mysmtpmail.com 
jiangsuchemicals1...@yahoo.co.uk 
<mailto:jiangsuchemicals1...@yahoo.co.uk> philomenag...@mysmt
26380 ? S 0:00 qmail-remote mysmtpmail.com 
jiangsuchemicals1...@yahoo.co.uk 
<mailto:jiangsuchemicals1...@yahoo.co.uk> philomenaginocchio@
26383 ? S 0:00 qmail-remote dotstandards.com 
jiangsuchemicals1...@yahoo.co.uk 
<mailto:jiangsuchemicals1...@yahoo.co.uk> philomenaginocchi
26384 ? S 0:00 qmail-remote dotstandards.com 
jiangsuchemicals1...@yahoo.co.uk 
<mailto:jiangsuchemicals1...@yahoo.co.uk> philomenagi...@do


Remove RoundCube, use SquirrelMail. Check your HTTP log; you will probably
find a successful attack on RC (POST method).

For example:
"POST /roundcube/bin/html2text.php HTTP/1.0"

And check the HTTP error.log; if you find something like "saved", your server
is hacked. :(

Check whether you have /etc/ssh2 or a strange directory in /tmp.
Tripwire could help you, but IMHO it's too late.

--
Pozdrawiam / Regards,
Aleksander Podsiadły
mail: a...@westside.kielce.pl
jid: a...@jabber.westside.kielce.pl
ICQ: 201121279
gg: 9150578



Re: [qmailtoaster] qmail machine being spammer help...

2009-08-30 Thread senthil vel
Looking nice... So no new spam mails are reaching the box now. Use
qmailremove to remove the affected mails from the queue...


Thanks and Regards,
S.Senthilvel,




On Mon, Aug 31, 2009 at 10:28 AM, Hajid wrote:
>
>
>
> What is the mail ID "jiangsuchemicals1...@yahoo.co.uk"?
>
> Does it really come from yahoo.co.uk? This can be found from the
> SMTP (/var/log/qmail/smtp) logs or the submission logs.
>
> I didn't see any SMTP log for this; I have searched all the SMTP logs.
>
> From which IP are the spam mails reaching the server? Can you block
> this IP in tcp.smtp?
>
> I have blocked the IP in my firewall, but the next spammer used a different
> IP block.
>
> If all the spam mails originate from the same mail ID
> jiangsuchemicals1...@yahoo.co.uk, add this to
> /var/qmail/control/badmailto.
>
> I also added jiangsuchemicals1...@yahoo.co.uk to that control, but the next
> one will use a different user.
>
> Are the spam mails still relayed through your server, or are the spam
> mails in the queue?
>
> Now they are not relayed after I changed the user password, but the mails are in the queue.
>
>
>
>
>
>
>
>





RE: [qmailtoaster] qmail machine being spammer help...

2009-08-30 Thread Hajid



What is the mail ID "jiangsuchemicals1...@yahoo.co.uk"?

Does it really come from yahoo.co.uk? This can be found from the
SMTP (/var/log/qmail/smtp) logs or the submission logs.

I didn't see any SMTP log for this; I have searched all the SMTP logs.

From which IP are the spam mails reaching the server? Can you block
this IP in tcp.smtp?

I have blocked the IP in my firewall, but the next spammer used a different
IP block.

If all the spam mails originate from the same mail ID
jiangsuchemicals1...@yahoo.co.uk, add this to
/var/qmail/control/badmailto.

I also added jiangsuchemicals1...@yahoo.co.uk to that control, but the next
one will use a different user.

Are the spam mails still relayed through your server, or are the spam
mails in the queue?

Now they are not relayed after I changed the user password, but the mails are in the queue.









Re: [qmailtoaster] qmail machine being spammer help...

2009-08-30 Thread senthil vel
What is the mail ID "jiangsuchemicals1...@yahoo.co.uk"?

Does it really come from yahoo.co.uk? This can be found from the
SMTP (/var/log/qmail/smtp) logs or the submission logs.

From which IP are the spam mails reaching the server? Can you block
this IP in tcp.smtp?

If all the spam mails originate from the same mail ID
jiangsuchemicals1...@yahoo.co.uk, add this to
/var/qmail/control/badmailto.

Are the spam mails still relayed through your server, or are the spam
mails in the queue?

If your local users send mail via port 587 instead of port 25,
they all need to be authenticated first. It will be more helpful to
prevent spam mails originating from local users. Please correct
me if I am wrong.


Thanks and Regards,
S.Senthilvel,





On Mon, Aug 31, 2009 at 9:23 AM, Hajid wrote:
> 1. In my case, a local (my domain) mail ID got compromised. I use port
> 587 to send mails, so I checked the submission logs and found that
> exact user (mail ID). Then I unplugged him from the server (at least reset the
> password).
>
> I have changed the user password, but the spamming still happened.
>
> Received: (qmail 19673 invoked by uid 30); 20 Aug 2009 02:15:16 -
> Cc: recipient list not shown: ;
> Received: from 207.112.82.131
>        (SquirrelMail authenticated user u...@domain.com)
>        by mail.domain.com with HTTP;
>        Thu, 20 Aug 2009 09:15:16 +0700 (WIT)
>
> After I changed that user password :
>
> MESSAGE NUMBER 144860
>  --
>  Received: (qmail 26019 invoked by uid 30); 26 Aug 2009 21:18:10 -
>  To: undisclosed-recipients: ;
>  Subject: Employment Opportunity.
>  MIME-Version: 1.0
>  Date: Thu, 27 Aug 2009 04:18:10 +0700
>  From: "Jiangsu Chemical Co. Ltd" 
>  Reply-To: dr.jim...@yahoo.co.uk
>  Message-ID: <4858311e857373283a28c403d3b24...@localhost>
>  X-Sender: jiangsuchemicals1...@yahoo.co.uk
>  User-Agent: RoundCube Webmail/0.2
>  Content-Transfer-Encoding: 8bit
>  Content-Type: text/plain; charset="UTF-8"
>
> I checked, and port 587 is open on my server. How can I check whether port 587
> was used to send the email?
>
> Hajid
>
>
>
>
>
>
>
>





RE: [qmailtoaster] qmail machine being spammer help...

2009-08-30 Thread Hajid
1. In my case, a local (my domain) mail ID got compromised. I use port
587 to send mails, so I checked the submission logs and found that
exact user (mail ID). Then I unplugged him from the server (at least reset the
password).

I have changed the user password, but the spamming still happened.

Received: (qmail 19673 invoked by uid 30); 20 Aug 2009 02:15:16 -
Cc: recipient list not shown: ;
Received: from 207.112.82.131
(SquirrelMail authenticated user u...@domain.com)
by mail.domain.com with HTTP;
Thu, 20 Aug 2009 09:15:16 +0700 (WIT)

After I changed that user password :

MESSAGE NUMBER 144860
 --
 Received: (qmail 26019 invoked by uid 30); 26 Aug 2009 21:18:10 -
 To: undisclosed-recipients: ;
 Subject: Employment Opportunity.
 MIME-Version: 1.0
 Date: Thu, 27 Aug 2009 04:18:10 +0700
 From: "Jiangsu Chemical Co. Ltd" 
 Reply-To: dr.jim...@yahoo.co.uk
 Message-ID: <4858311e857373283a28c403d3b24...@localhost>
 X-Sender: jiangsuchemicals1...@yahoo.co.uk
 User-Agent: RoundCube Webmail/0.2
 Content-Transfer-Encoding: 8bit
 Content-Type: text/plain; charset="UTF-8"

I checked, and port 587 is open on my server. How can I check whether port 587
was used to send the email?

Hajid
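The two header blocks Hajid posted above differ in a way that answers the question about the SMTP log. qmail-queue writes "(qmail N invoked by uid U)" when it is started by a local process running as uid U, and "invoked from network" when the caller is qmail-smtpd; a message whose only Received line is "invoked by uid 30" therefore never passed through qmail-smtpd, so neither the smtp nor the submission log can show it, and the process to look for is whatever runs as that uid (on a webmail host, the web server and its PHP). The SquirrelMail message additionally records the authenticated account and the client IP in its "with HTTP" Received line, which is why resetting that password stopped that path. As an added example (editor's code, not from the thread), the following classifies a header block by its Received chain and names the log to open next. The first two samples are the headers from the thread, with the archive's address masking kept as-is; the third, SMTP-style block is constructed.

```python
import re
from email.parser import Parser

_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def injection_path(raw_headers):
    """Classify how a message entered qmail from its Received chain.

    Returns a dict with:
      path       'webmail-http' | 'smtp' | 'local-inject' | 'unknown'
      uid        U from '(qmail N invoked by uid U)', if present
      client_ip  first IPv4 literal found in any Received header
      auth_user  account named by an 'authenticated user X' clause, if any
      web_app    True if a RoundCube User-Agent or an X-Sender header is present
      look_in    which log or process list to open next
    """
    msg = Parser().parsestr(raw_headers, headersonly=True)
    # Unfold continuation lines so regexes see one line per Received header.
    received = [" ".join(v.split()) for v in msg.get_all("Received", [])]
    info = {"path": "unknown", "uid": None, "client_ip": None,
            "auth_user": None, "web_app": False, "look_in": None}

    ua = (msg.get("User-Agent") or "") + " " + (msg.get("X-Mailer") or "")
    info["web_app"] = "roundcube" in ua.lower() or msg.get("X-Sender") is not None

    via_http = via_network = False
    for r in received:
        m = re.search(r"invoked by uid (\d+)", r)
        if m:
            info["uid"] = int(m.group(1))
        if "invoked from network" in r:
            via_network = True
        if re.search(r"\bwith HTTP\b", r):
            via_http = True
        m = re.search(r"authenticated user ([^\s)]+)", r)
        if m and info["auth_user"] is None:
            info["auth_user"] = m.group(1)
        m = _IPV4.search(r)
        if m and info["client_ip"] is None:
            info["client_ip"] = m.group(1)

    if via_http:
        info["path"] = "webmail-http"
        info["look_in"] = ("webmail and Apache access logs for the authenticated "
                           "account and client IP; reset that password")
    elif via_network:
        info["path"] = "smtp"
        info["look_in"] = "/var/log/qmail/smtp or the submission log for the client IP"
    elif info["uid"] is not None:
        info["path"] = "local-inject"
        info["look_in"] = (f"processes running as uid {info['uid']} (web server/PHP), "
                           "Apache access and error logs; the SMTP log will show nothing")
    return info


# Sample 1: the SquirrelMail message from the thread (archive masking kept).
SQUIRRELMAIL_SAMPLE = """\
Received: (qmail 19673 invoked by uid 30); 20 Aug 2009 02:15:16 -
Cc: recipient list not shown: ;
Received: from 207.112.82.131
        (SquirrelMail authenticated user u...@domain.com)
        by mail.domain.com with HTTP;
        Thu, 20 Aug 2009 09:15:16 +0700 (WIT)
"""

# Sample 2: the RoundCube message from the thread, after the password change.
ROUNDCUBE_SAMPLE = """\
Received: (qmail 26019 invoked by uid 30); 26 Aug 2009 21:18:10 -
To: undisclosed-recipients: ;
Subject: Employment Opportunity.
MIME-Version: 1.0
Date: Thu, 27 Aug 2009 04:18:10 +0700
From: "Jiangsu Chemical Co. Ltd"
Reply-To: dr.jim...@yahoo.co.uk
Message-ID: <4858311e857373283a28c403d3b24...@localhost>
X-Sender: jiangsuchemicals1...@yahoo.co.uk
User-Agent: RoundCube Webmail/0.2
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"
"""

# Sample 3: constructed, what a message accepted by qmail-smtpd looks like.
SMTP_SAMPLE = """\
Received: (qmail 4242 invoked from network); 20 Aug 2009 02:20:00 -0000
Received: from unknown (HELO laptop) (198.51.100.7)
  by mail.domain.com with SMTP; 20 Aug 2009 02:20:00 -0000
"""

if __name__ == "__main__":
    for name, sample in (("squirrelmail", SQUIRRELMAIL_SAMPLE),
                         ("roundcube", ROUNDCUBE_SAMPLE),
                         ("smtp", SMTP_SAMPLE)):
        print(name, injection_path(sample))
```

Feed it the headers of a queued message (the output of qmHandle or a file under /var/qmail/queue/mess) and act on "path": a webmail-http result points at one account to lock; an smtp result points at the smtp or submission log and tcp.smtp; a local-inject result with web_app set means the web application itself is sending, and no password change or tcp.smtp rule will stop it.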









Re: [qmailtoaster] qmail machine being spammer help...

2009-08-30 Thread senthil vel
Hajid,

Are you using the submission (587) port?

Thanks and Regards,
S.Senthilvel,





On Mon, Aug 31, 2009 at 9:02 AM, Hajid wrote:
> My domain panentour.com
>
>
>
> 
>
> From: Vidyadhar [mailto:vidyadha...@gmail.com]
> Sent: Monday, August 31, 2009 10:23 AM
> To: qmailtoaster-list@qmailtoaster.com
> Subject: Re: [qmailtoaster] qmail machine being spammer help...
>
>
>
> What is your domain name?
>
> Sent on my BlackBerry® from Vodafone Essar
>
> 
>
> From: "Hajid"
> Date: Mon, 31 Aug 2009 08:37:45 +0700
> To: 
> Subject: [qmailtoaster] qmail machine being spammer help...
>
> Hi all, please help me with this spam. My qmail machine is being used as a spammer.
>
>
>
>
>
> MESSAGE NUMBER 144860
> --
> Received: (qmail 26019 invoked by uid 30); 26 Aug 2009 21:18:10 -
> To: undisclosed-recipients: ;
> Subject: Employment Opportunity.
> MIME-Version: 1.0
> Date: Thu, 27 Aug 2009 04:18:10 +0700
> From: "Jiangsu Chemical Co. Ltd" 
> Reply-To: dr.jim...@yahoo.co.uk
> Message-ID: <4858311e857373283a28c403d3b24...@localhost>
> X-Sender: jiangsuchemicals1...@yahoo.co.uk
> User-Agent: RoundCube Webmail/0.2
> Content-Transfer-Encoding: 8bit
> Content-Type: text/plain; charset="UTF-8"
>
>
>
> 26379 ? S 0:00 qmail-remote mysmtpmail.com jiangsuchemicals1...@yahoo.co.uk
> philomenag...@mysmt
> 26380 ? S 0:00 qmail-remote mysmtpmail.com jiangsuchemicals1...@yahoo.co.uk
> philomenaginocchio@
> 26383 ? S 0:00 qmail-remote dotstandards.com
> jiangsuchemicals1...@yahoo.co.uk philomenaginocchi
> 26384 ? S 0:00 qmail-remote dotstandards.com
> jiangsuchemicals1...@yahoo.co.uk philomenagi...@do
>
>





RE: [qmailtoaster] qmail machine being spammer help...

2009-08-30 Thread Hajid
My domain panentour.com

From: Vidyadhar [mailto:vidyadha...@gmail.com] 
Sent: Monday, August 31, 2009 10:23 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] qmail machine being spammer help...

 

What is your domain name?

Sent on my BlackBerry® from Vodafone Essar

From: "Hajid" 
Date: Mon, 31 Aug 2009 08:37:45 +0700
To: 
Subject: [qmailtoaster] qmail machine being spammer help...

Hi all, please help me with this spam. My qmail machine is being used as a spammer.

MESSAGE NUMBER 144860
--
Received: (qmail 26019 invoked by uid 30); 26 Aug 2009 21:18:10 -
To: undisclosed-recipients: ;
Subject: Employment Opportunity.
MIME-Version: 1.0
Date: Thu, 27 Aug 2009 04:18:10 +0700
From: "Jiangsu Chemical Co. Ltd" 
Reply-To: dr.jim...@yahoo.co.uk
Message-ID: <4858311e857373283a28c403d3b24...@localhost>
X-Sender: jiangsuchemicals1...@yahoo.co.uk
User-Agent: RoundCube Webmail/0.2
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"

26379 ? S 0:00 qmail-remote mysmtpmail.com jiangsuchemicals1...@yahoo.co.uk
philomenag...@mysmt
26380 ? S 0:00 qmail-remote mysmtpmail.com jiangsuchemicals1...@yahoo.co.uk
philomenaginocchio@
26383 ? S 0:00 qmail-remote dotstandards.com
jiangsuchemicals1...@yahoo.co.uk philomenaginocchi
26384 ? S 0:00 qmail-remote dotstandards.com
jiangsuchemicals1...@yahoo.co.uk philomenagi...@do



Re: [qmailtoaster] qmail machine being spammer help...

2009-08-30 Thread senthil vel
I faced the same problem a short time back...

1. In my case, a local (my domain) mail ID got compromised. I used port
587 to send mail, so I checked the submission logs and found that
exact user (mail ID), then unplugged him from the server (at least reset the
password).

2. Stopped the qmail service...

3. Then removed the queue with qmailremove.

Thanks and Regards,
S.Senthilvel,




On Mon, Aug 31, 2009 at 8:53 AM, Vidyadhar wrote:
> What is your domain name?
>
> Sent on my BlackBerry® from Vodafone Essar
>
> 
> From: "Hajid"
> Date: Mon, 31 Aug 2009 08:37:45 +0700
> To: 
> Subject: [qmailtoaster] qmail machine being spammer help...
>
> Hi all, please help me with this spam. My qmail machine is being used as a spammer.
>
>
>
>
>
> MESSAGE NUMBER 144860
> --
> Received: (qmail 26019 invoked by uid 30); 26 Aug 2009 21:18:10 -
> To: undisclosed-recipients: ;
> Subject: Employment Opportunity.
> MIME-Version: 1.0
> Date: Thu, 27 Aug 2009 04:18:10 +0700
> From: "Jiangsu Chemical Co. Ltd" 
> Reply-To: dr.jim...@yahoo.co.uk
> Message-ID: <4858311e857373283a28c403d3b24...@localhost>
> X-Sender: jiangsuchemicals1...@yahoo.co.uk
> User-Agent: RoundCube Webmail/0.2
> Content-Transfer-Encoding: 8bit
> Content-Type: text/plain; charset="UTF-8"
>
>
>
> 26379 ? S 0:00 qmail-remote mysmtpmail.com jiangsuchemicals1...@yahoo.co.uk
> philomenag...@mysmt
> 26380 ? S 0:00 qmail-remote mysmtpmail.com jiangsuchemicals1...@yahoo.co.uk
> philomenaginocchio@
> 26383 ? S 0:00 qmail-remote dotstandards.com
> jiangsuchemicals1...@yahoo.co.uk philomenaginocchi
> 26384 ? S 0:00 qmail-remote dotstandards.com
> jiangsuchemicals1...@yahoo.co.uk philomenagi...@do
>
>





Re: [qmailtoaster] qmail machine being spammer help...

2009-08-30 Thread Vidyadhar
What is your domain name?
Sent on my BlackBerry® from Vodafone Essar

-Original Message-
From: "Hajid" 

Date: Mon, 31 Aug 2009 08:37:45 
To: 
Subject: [qmailtoaster] qmail machine being spammer help...

Hi all, please help me with this spam. My qmail machine is being used as a spammer.

MESSAGE NUMBER 144860
--
Received: (qmail 26019 invoked by uid 30); 26 Aug 2009 21:18:10 -
To: undisclosed-recipients: ;
Subject: Employment Opportunity.
MIME-Version: 1.0
Date: Thu, 27 Aug 2009 04:18:10 +0700
From: "Jiangsu Chemical Co. Ltd" 
Reply-To: dr.jim...@yahoo.co.uk
Message-ID: <4858311e857373283a28c403d3b24...@localhost>
X-Sender: jiangsuchemicals1...@yahoo.co.uk
User-Agent: RoundCube Webmail/0.2
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"

26379 ? S 0:00 qmail-remote mysmtpmail.com jiangsuchemicals1...@yahoo.co.uk
philomenag...@mysmt
26380 ? S 0:00 qmail-remote mysmtpmail.com jiangsuchemicals1...@yahoo.co.uk
philomenaginocchio@
26383 ? S 0:00 qmail-remote dotstandards.com
jiangsuchemicals1...@yahoo.co.uk philomenaginocchi
26384 ? S 0:00 qmail-remote dotstandards.com
jiangsuchemicals1...@yahoo.co.uk philomenagi...@do