qmail Digest 6 May 2000 10:00:01 -0000 Issue 993

Topics (messages 41086 through 41197):

Re: hack for filtering "i love you" worm
        41086 by: octave klaba
        41092 by: Jesper Hess Nielsen
        41095 by: Rainer Link
        41096 by: octave klaba
        41098 by: Jesper Hess Nielsen
        41099 by: Petr Novotny
        41100 by: Jesper Hess Nielsen
        41101 by: Tim Gollschewsky
        41102 by: Petr Novotny
        41103 by: Ricardo Cerqueira
        41109 by: Bruno Wolff III
        41112 by: Paul Farber
        41113 by: Johan Almqvist
        41114 by: Alex at MessageLabs
        41130 by: Kai MacTane
        41131 by: Kai MacTane
        41136 by: Neil Schemenauer
        41140 by: Neil Schemenauer
        41142 by: Vrba Miroslav
        41165 by: Jason Haar
        41177 by: vogelke.c17mis.region2.wpafb.af.mil
        41194 by: Rainer Link

reverting back to mbox format with qmail
        41087 by: Nicholas Horwood

No Mail Log ?!
        41088 by: Cedric Revest
        41107 by: Chris Harris

Qmail filter for ILOVEYOU
        41089 by: Rodney Edwards
        41105 by: Len Budney

Problem with tcpserver
        41090 by: Clark Hon
        41094 by: Chris Johnson

Attention:::::VIRUS!!!!!!!!!!!!!!
        41091 by: Rafael Villalobos Prats

Re: qmail won't start!?
        41093 by: Isaiah Chua
        41125 by: Dave Sill

Virus Scanners
        41097 by: Jason Brooke
        41106 by: Johan Almqvist
        41111 by: Rainer Link

Re: accustamp|tailocal|matchup
        41104 by: Len Budney
        41144 by: Kins Orekhov
        41145 by: Len Budney

Re: Global filtering
        41108 by: Paul Schinder
        41124 by: Dave Sill

how do i apply QMAILQUEUE
        41110 by: Jan Stifter
        41120 by: Jan Stifter

Re: db files for vpopmail and courier imap
        41115 by: Ken Jones

shim before final local delivery?
        41116 by: Paul Farber
        41121 by: Len Budney

Re: ETRN and QMail
        41117 by: John White
        41118 by: Robert Varga

QMAILQUEUE seems not to work with scan4virus
        41119 by: Jan Stifter

Re: Alias file
        41122 by: Dave Sill

Re: qmail abuse...
        41123 by: Dave Sill
        41127 by: Ronneil Camara

PERL filtering...
        41126 by: John W. Lemons III
        41129 by: Patrick Berry
        41133 by: octave klaba
        41134 by: Patrick Berry
        41146 by: Searcher
        41153 by: John W. Lemons III
        41156 by: Neil Schemenauer
        41157 by: Mark D. Wilkins

qmail-mrtg & qfilelog
        41128 by: Mark E. Drummond
        41155 by: Mark E. Drummond
        41160 by: Mark E. Drummond

Antigen found =love-letter-for-you.txt.vbs file
        41132 by: ANTIGEN_HOUSTON
        41137 by: Kai MacTane
        41167 by: David L. Nicol

How do I invoke the qmail-users Mechanism ??
        41135 by: Tony D'Andrade
        41139 by: Dave Sill

Antigen found =*.vbs file
        41138 by: ANTIGEN_HOUSTON

Qmail-send
        41141 by: Eric Davis
        41143 by: Dave Sill

Re: Two Delivered-To headers - Why ?
        41147 by: Dave Kitabjian

Future of qmail: will it care about viri/worms/etc?
        41148 by: Keith Warno
        41150 by: markd.bushwire.net
        41151 by: Patrick Berry
        41154 by: Dave Sill
        41168 by: Jason Haar
        41169 by: David L. Nicol
        41170 by: Kevin Waterson
        41171 by: Paul Farber
        41172 by: Steve Wolfe
        41188 by: Russell Nelson
        41189 by: Mrs. Brisby

Connecting to my email server..
        41149 by: Steve Peace (Internal)
        41152 by: Tim Hunter
        41158 by: spacetask.youwasahero.com
        41164 by: Steve Peace

Re: IL0VEY0U worm
        41159 by: Keith Warno

Re: smtp-auth?
        41161 by: Russell Nelson

Re: qmail-mrtg & qfilelog - oops
        41162 by: Mark E. Drummond

ETRN problem with qmail
        41163 by: Eric Davis
        41173 by: rvanzant

qmail and debugging
        41166 by: clifford thurber

Open Today.
        41174 by: zxmmnnuv1l1l.www0101111111101tototo.to
        41175 by: Irwan

.qmail questions
        41176 by: Chris Hanlon

adduser?
        41178 by: James
        41179 by: Bolivar Diaz Galarza
        41181 by: Bolivar Diaz Galarza

checkpassword and Openbsd 2.6
        41180 by: Dale Miracle
        41182 by: Charles Werbick
        41183 by: chuck
        41184 by: Dale Miracle
        41185 by: chuck
        41186 by: Dale Miracle

Install Help!!
        41187 by: Mark Lo

tcprules problem
        41190 by: James

Still can send, but not receive
        41191 by: James
        41192 by: Kevin Waterson
        41193 by: James

EZMLM problems
        41195 by: jay

On-line web mail
        41196 by: Mark Lo

Help on SMTP !
        41197 by: Xionghui Chen


----------------------------------------------------------------------


Hi,
I set up your qmail-filter.py and the test works
# echo "test 1" | mail -s okay myself
# echo "test 2" | mail -s ILOVEYOU myself
qmail-inject: fatal: mail server permanently rejected message (#5.3.0)
# echo "test 2" | mail -s ILOVEYOU [EMAIL PROTECTED]
qmail-inject: fatal: mail server permanently rejected message (#5.3.0)

but when I send an email through Eudora, using the SMTP of this server or not,
to a POP account on this server, the email is not rejected.

any idea ?

PS I restarted all

thanks !

Octave


Neil Schemenauer wrote:
> 
>    qmail-filter.py    Name: qmail-filter.py
>                       Type: Plain Text (text/plain)

-- 
Regards,
oCtAvE 

Connection terminated: wait timeout expired




I tried installing the hack as described, but when I try the test, I get an
error saying

[root@ns bin]# echo "test 1" | mail -s okay [EMAIL PROTECTED]
[root@ns bin]# qmail-inject: fatal: unable to exec qq (#4.3.0)

Anyone know what this could be?

When I try to execute the py script, it says

bash: ./qmail-filter.py: No such file or directory

I double checked that the path to python is correct in the script file.

/Jesper






Mulindwa Eric wrote:
> 
> but how can one use Amavis with qmail, please help

Please have a look at http://www.unixzone.com/virus - I would suggest to
use AMaViS-Perl-5. It should work out-of-the-box. 
If you run into troubles, please ask me directly.

HTH

best regards,
Rainer Link

-- 
Rainer Link  | Member of Virus Help Munich (www.vhm.haitec.de)           
[EMAIL PROTECTED] | Member of AMaViS Development Team (amavis.org)            
rainer.w3.to | Maintainer FAQ "antivirus for Linux" (av-linux.w3.to)






Jesper Hess Nielsen wrote:
> 
> I tried installing the hack as described, but when I try the test, I get an
> error saying
> 
> [root@ns bin]# echo "test 1" | mail -s okay [EMAIL PROTECTED]
> [root@ns bin]# qmail-inject: fatal: unable to exec qq (#4.3.0)
> 
> Anyone know what this could be?
> 
> When I try to execute the py script, it says
> 
> bash: ./qmail-filter.py: No such file or directory

#!/usr/bin/python
# You might have to modify the Python path at the top.  

which python and fix the first line

Regards,
oCtAvE 

Connection terminated: wait timeout expired




If you had taken the time to read the whole mail I sent, you would notice
that I already had double checked the location of python. That is not the
problem - something else is not working right.

/Jesper

----- Original Message -----
From: "octave klaba" <[EMAIL PROTECTED]>
To: "Jesper Hess Nielsen" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, May 05, 2000 1:46 PM
Subject: Re: hack for filtering "i love you" worm


>
>
> Jesper Hess Nielsen wrote:
> >
> > I tried installing the hack as described, but when I try the test, I get an
> > error saying
> >
> > [root@ns bin]# echo "test 1" | mail -s okay [EMAIL PROTECTED]
> > [root@ns bin]# qmail-inject: fatal: unable to exec qq (#4.3.0)
> >
> > Anyone know what this could be?
> >
> > When I try to execute the py script, it says
> >
> > bash: ./qmail-filter.py: No such file or directory
>
> #!/usr/bin/python
> # You might have to modify the Python path at the top.
>
> which python and fix the first line
>
> Regards,
> oCtAvE
>
> Connection terminated: wait timeout expired
>





-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 5 May 00, at 13:50, Jesper Hess Nielsen wrote:

> If you had taken the time to read the whole mail I sent, You would notice
> that I already had double checked the location of python. That is not the
> problem - something else is not working right.

chmod +x /var/qmail/bin/that-script-filename perhaps?

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2 -- QDPGP 2.60 
Comment: http://community.wow.net/grt/qdpgp.html

iQA/AwUBORKoe1MwP8g7qbw/EQK+XQCgoTAFg93O4YoKe3ihN1EhFETaEXwAnRWK
/N9090LPOKs6n3Xubs7OsG+V
=U5QP
-----END PGP SIGNATURE-----
--
Petr Novotny, ANTEK CS
[EMAIL PROTECTED]
http://www.antek.cz
PGP key ID: 0x3BA9BC3F
-- Don't you know there ain't no devil there's just God when he's drunk.
                                                             [Tom Waits]




I have ALREADY done everything stated at the beginning of the script file
(which I have attached for clarity - some of you may not have seen it).
When I have done all this, I get an error when performing the test :

[root@ns bin]# echo "test 1" | mail -s okay [EMAIL PROTECTED]
[root@ns bin]# qmail-inject: fatal: unable to exec qq (#4.3.0)

When I try to run the script directly :

[root@ns bin]# ./qmail-filter.py

bash: ./qmail-filter.py: No such file or directory


Now. Does anyone have any ideas what the problem could be? I've tried
running strace ./qmail-filter.py, but it only outputs a "exec: file not
found" error.

/Jesper


---------[SNIP]-----------------

#!/usr/bin/python
#
# A quick hack to filter the ILOVEYOU worm with qmail.  Use:
#
#   $ cp qmail-filter.py /var/qmail/bin
#   $ cd /var/qmail/bin
#   $ chmod +x qmail-filter.py
#   $ mv qmail-queue qmail-queue-real; ln -s qmail-filter.py qmail-queue
#
# Test:
#
#   $ echo "test 1" | mail -s okay myself
#   $ echo "test 2" | mail -s ILOVEYOU myself
#
# You might have to modify the Python path at the top.  This is a
# temporary fix.  Remove it after the dust settles:
#
#   $ cd /var/qmail/bin
#   $ mv qmail-queue-real qmail-queue
#
# Neil Schemenauer <[EMAIL PROTECTED]>

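# Requires Python 3: the message is handled as bytes, because mail is not
# guaranteed to be valid text in any one encoding.
PATTERN = rb"^Subject: ILOVEYOU\s*$"
QMAIL_QUEUE = "/var/qmail/bin/qmail-queue-real"

import re
import sys
import os
import tempfile

def mktemp():
    # Create an already-unlinked scratch file.  O_EXCL makes the open fail
    # (and the loop retry) if someone else created the guessed name first.
    for i in range(10):
        tmp = tempfile.mktemp()
        try:
            fd = os.open(tmp, os.O_RDWR|os.O_CREAT|os.O_EXCL, 0o700)
        except OSError:
            continue
        file = os.fdopen(fd, "w+b")
        os.unlink(tmp)
        return file
    return None


try:
    mess = mktemp()
    if not mess:
        os._exit(53) # write error
    header = 1
    while 1:
        line = sys.stdin.buffer.readline()
        if not line:
            break
        if line in (b"\r\n", b"\n"):
            header = 0 # blank line: end of the header block
        if header and re.search(PATTERN, line):
            os._exit(31) # blocked, permanent error
        mess.write(line)
    mess.flush()
    mess.seek(0)
    # Hand the saved message to the real qmail-queue on fd 0; the envelope
    # is still waiting on fd 1, which this script never touches.
    os.dup2(mess.fileno(), 0)
    os.execv(QMAIL_QUEUE, [QMAIL_QUEUE]) # argv must not be empty
except:
    os._exit(81) # internal error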


-------------------[SNIP]---------------------






On Fri, May 05, 2000 at 01:59:39PM +0200, Jesper Hess Nielsen spoke thusly:
> I have ALREADY done everything stated at the beginning of the script file
> (which I have attached for clarity - some of you may not have seen it).
> When I have done all this, I get an error when performing the test :
> 
> [root@ns bin]# echo "test 1" | mail -s okay [EMAIL PROTECTED]
> [root@ns bin]# qmail-inject: fatal: unable to exec qq (#4.3.0)
> 
> When I try to run the script directly :
> 
> [root@ns bin]# ./qmail-filter.py
> 
> bash: ./qmail-filter.py: No such file or directory

This looks like the error you get when the path to your interpreter on
the shebang line is incorrect.

Tim.





-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 5 May 00, at 13:59, Jesper Hess Nielsen wrote:

> [root@ns bin]# ./qmail-filter.py
> 
> bash: ./qmail-filter.py: No such file or directory

I see. What does "head -n1 qmail-filter.py|od -c" say? Is there 
anything about character "015" or "\r" or so? Then you need to 
delete DOS-like end-of-line characters.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2 -- QDPGP 2.60 
Comment: http://community.wow.net/grt/qdpgp.html

iQA/AwUBORKqwFMwP8g7qbw/EQITcgCg8ZCWR3Rc04kHKT48tt5gryf8HOQAoIuN
AVub7s3cLN50Bz6fASIiUw+s
=VVpT
-----END PGP SIGNATURE-----
--
Petr Novotny, ANTEK CS
[EMAIL PROTECTED]
http://www.antek.cz
PGP key ID: 0x3BA9BC3F
-- Don't you know there ain't no devil there's just God when he's drunk.
                                                             [Tom Waits]
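
The checks suggested in the replies so far (execute bit, interpreter path on the first line, DOS line endings), collected into one added example; it is not code from the thread. The kernel's "No such file or directory" refers to the interpreter named on the `#!` line, which is why the shell reports it against a script that plainly exists. `diagnose_script` and `write_script` are hypothetical names, and the demo assumes `/bin/sh` exists.

```python
import os
import re
import stat
import tempfile


def diagnose_script(path):
    """Return the reasons exec of a '#!' script would fail, as short tags."""
    problems = []
    mode = os.stat(path).st_mode
    if not mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        problems.append("not-executable")            # fix: chmod +x

    with open(path, "rb") as fh:
        first = fh.readline()
    if not first.startswith(b"#!"):
        problems.append("no-shebang")
        return problems

    # The kernel splits the line on spaces and tabs only, so a trailing
    # carriage return stays glued to the interpreter path (or its argument).
    line = first[2:].rstrip(b"\n").lstrip(b" \t")
    interpreter = re.split(rb"[ \t]+", line, maxsplit=1)[0]
    if line.endswith(b"\r"):
        problems.append("crlf-shebang")              # what "od -c" shows as \r
        interpreter = interpreter.rstrip(b"\r")      # keep checking the real path

    if not os.path.isfile(interpreter):
        problems.append("interpreter-missing")
    elif not os.access(interpreter, os.X_OK):
        problems.append("interpreter-not-executable")
    return problems


def write_script(content, mode):
    """Write a constructed test script to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".py")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Constructed samples: same script body, three different defects.
    samples = {
        "clean": write_script(b"#!/bin/sh\nexit 0\n", 0o755),
        "dos line endings": write_script(b"#!/bin/sh\r\nexit 0\r\n", 0o755),
        "mode 644": write_script(b"#!/bin/sh\nexit 0\n", 0o644),
        "wrong path": write_script(b"#!/no/such/python\n", 0o755),
    }
    for label, path in samples.items():
        print(label, "->", diagnose_script(path) or "ok")
        os.unlink(path)
```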




On Fri, May 05, 2000 at 01:10:53PM +0200, Jesper Hess Nielsen wrote:
> I tried installing the hack as described, but when I try the test, I get an
> error saying
> 
> [root@ns bin]# echo "test 1" | mail -s okay [EMAIL PROTECTED]
> [root@ns bin]# qmail-inject: fatal: unable to exec qq (#4.3.0)
> 
> Anyone know what this could be?
> 
> When I try to execute the py script, it says
> 
> bash: ./qmail-filter.py: No such file or directory

ldd /path/to/python

Maybe you're missing a library.

                                Regards;
                                        RC

-- 
+-------------------
| Ricardo Cerqueira  
| PGP Key fingerprint  -  B7 05 13 CE 48 0A BF 1E  87 21 83 DB 28 DE 03 42 
| Novis  -  Engenharia ISP / Rede Técnica 
| Pç. Duque Saldanha, 1, 7º E / 1050-094 Lisboa / Portugal
| Tel: +351 21 3166730/00 (24h/dia) - Fax: +351 21 3166701




On Fri, May 05, 2000 at 02:56:38AM -0600,
  Neil Schemenauer <[EMAIL PROTECTED]> wrote:
> On Thu, May 04, 2000 at 07:28:32PM -0400, Searcher wrote:
> > >   exit(31) if /name="LOVE-LETTER-FOR-YOU.TXT.vbs"/o;
> > 
> > Am I missing something here?
> 
> Nothing except the fact that the real solution is to fix the
> broken mail clients.  IMHO, virus scanners and the like are
> fundamentally broken.

I agree with that. Since this one actually burns people, maybe people
will learn not to run attachments unless they are expecting them and they
are from someone they have a good reason to trust.

I am surprised that we aren't already seeing viruses that mutate by encrypting
themselves (to make virus scanning harder by greatly reducing the fixed part
of the payload) and using variants in the delivery envelope at each
iteration. Using the same filename for the attachment and the same subject
each time the virus transmits itself makes it too easy to detect the message.




Well, to thoroughly test any of these scripts for qmail.. you need a copy
of an infected e-mail to run through the script.

Does anyone have an infected e-mail to post?  Or a URL where I can get
one?  Just adding a script is useless.... gotta test it out.

BTW, should we send the bill to Bill Gates or Ballmer for allowing their
software to yet again grind the internet to a freaking halt.  My
Pine/Linux box has been virus free for 3+ years!

Paul Farber
Farber Technology
[EMAIL PROTECTED]
Ph  570-628-5303
Fax 570-628-5545

On Fri, 5 May 2000, Rainer Link wrote:

> Mulindwa Eric wrote:
> > 
> > but how can one use Amavis with qmail, please help
> 
> Please have a look at http://www.unixzone.com/virus - I would suggest to
> use AMaViS-Perl-5. It should work out-of-the-box. 
> If you run into troubles, please ask me directly.
> 
> HTH
> 
> best regards,
> Rainer Link
> 
> -- 
> Rainer Link  | Member of Virus Help Munich (www.vhm.haitec.de)           
> [EMAIL PROTECTED] | Member of AMaViS Development Team (amavis.org)            
> rainer.w3.to | Maintainer FAQ "antivirus for Linux" (av-linux.w3.to)
> 





On Fri, May 05, 2000 at 09:47:57AM -0400, Paul Farber wrote:
> Well, to thoroughly test any of these scripts for qmail.. you need a copy
> of an infected e-mail to run through the script.
> 
> Does anyone have an infected e-mail to post?  Or a URL where I can get
> one?  Just adding a script is useless.... gotta test it out.

http://www.almqvist.net/~johan/virus.txt

> BTW, should we send the bill to Bill Gates or Ballmer for allowing their
> software to yet again grind the internet to a freaking halt.  My
> Pine/Linux box has been virus free for 3+ years!

-Johan
-- 
Johan Almqvist




>Well, to thoroughly test any of these scripts for qmail.. you need a copy
>of an infected e-mail to run through the script.

You must be the only person in the world without a copy! Seriously though,
you don't need a copy of the virus. Just create an email with the correct
subject line, and with a correctly named attachment. That should be
enough to test your script








At 5/5/2000 09:47 AM -0400, Paul Farber wrote or quoted:
>Well, to thoroughly test any of these scripts for qmail.. you need a copy
>of an infected e-mail to run through the script.

Good point.

>Does anyone have an infected e-mail to post?  Or a URL where I can get
>one?  Just adding a script is useless.... gotta test it out.

Yeah, I got emailed a copy of the I-LOVE-YOU-LETTER.TXT.vbs last night, and 
it's still in my Maildir on my server. Should I just email it to you, or 
does the whole list want a copy?

-----------------------------------------------------------------
                              Kai MacTane
                          System Administrator
                       Online Partners.com, Inc.
-----------------------------------------------------------------
 From the Jargon File: (v4.0.0, 25 Jul 1996)

finger trouble /n./

Mistyping, typos, or generalized keyboard incompetence (this is
surprisingly common among hackers, given the amount of time they
spend at keyboards). "I keep putting colons at the end of statements
instead of semicolons", "Finger trouble again, eh?".





At 5/4/2000 11:29 PM -0600, Bruce Guenter wrote or quoted:
> > Anyone can rename that .vbs to what ever they want and send it around again
> > so wouldn't it be more efficient to filter all .vbs attachments?
>
>Nope, you're exactly right.  However, the question was, how do I filter
>the "ILOVEYOU" worm, and the above is a quick (and somewhat dirty)
>answer.  If you know how to identify VBS source, with the absence of a
>MIME type, please tell us.  I intend to do this for my employers, so I'm
>not just being facetious.

I really think this is the way to go as well. I've been telling my employer 
since yesterday morning that the Subject: line is probably the single most 
easily mutatable thing about this email, and that it would make much more 
sense to just stop any mail containing a .vbs attachment.

I looked at the copy on my disk, and found the following at the beginning:

Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Transfer-Encoding: base64

You could probably just do a regex match on:

    ^Content-type: \S+\; name=\".+\.vbs\"

(Note: I have not tested that regex yet. It may not even function. It is 
quick-and-dirty, and even if it *does* work, there are probably better ways 
to do it.)

In particular, there's probably a better way to express that .+\.vbs, 
although I note that \w+\.vbs and \S+\.vbs are *not* the way to do it, as 
filenames may contain spaces and other characters.

-----------------------------------------------------------------
                              Kai MacTane
                          System Administrator
                       Online Partners.com, Inc.
-----------------------------------------------------------------
 From the Jargon File: (v4.0.0, 25 Jul 1996)

finger trouble /n./

Mistyping, typos, or generalized keyboard incompetence (this is
surprisingly common among hackers, given the amount of time they
spend at keyboards). "I keep putting colons at the end of statements
instead of semicolons", "Finger trouble again, eh?".
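
Filtering on the attachment name rather than the Subject line, as an added example that is not code from the thread. It goes beyond the regex above by reading both the `Content-Type` `name=` and the `Content-Disposition` `filename=` parameters through Python's MIME parser, so folded headers, upper-case extensions and names with spaces are covered. `verdict`, `declared_names`, `is_blocked_name` and the sample messages are constructed for illustration; exit code 31 is the one the thread's script uses.

```python
import email
from email.utils import collapse_rfc2231_value

BLOCKED_EXTENSIONS = (".vbs",)   # assumption: the one extension the thread discusses
EXIT_BLOCKED = 31                # permanent rejection, as in the thread's qmail-filter.py


def declared_names(raw_message):
    """Yield every attachment name a MIME part declares, from either header."""
    msg = email.message_from_bytes(raw_message)
    for part in msg.walk():
        for header, param in (("content-type", "name"),
                              ("content-disposition", "filename")):
            value = part.get_param(param, header=header)
            if value is not None:
                # RFC 2231 encoded parameters come back as a tuple; flatten them.
                yield collapse_rfc2231_value(value)


def is_blocked_name(name):
    # Windows drops trailing dots and spaces when it creates a file, so
    # "x.vbs." and "x.vbs " still land on disk as a .vbs file.
    cleaned = name.strip().rstrip(". ").lower()
    return cleaned.endswith(BLOCKED_EXTENSIONS)


def verdict(raw_message):
    """Return (exit_code, matching_names) for one message."""
    hits = [n for n in declared_names(raw_message) if is_blocked_name(n)]
    return (EXIT_BLOCKED if hits else 0), hits


def sample(subject, part_headers):
    """Build a constructed two-part message; the payload is a harmless placeholder."""
    lines = [
        "From: sender@example.test",
        "To: rcpt@example.test",
        "Subject: " + subject,
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b0"',
        "",
        "--b0",
        "Content-Type: text/plain",
        "",
        "hello",
        "--b0",
        part_headers,
        "Content-Transfer-Encoding: base64",
        "",
        "AAAA",
        "--b0--",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


# Constructed samples.  AS_SEEN uses the header lines quoted in the message above.
AS_SEEN = sample(
    "ILOVEYOU",
    'Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"\r\n'
    'Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"')
# New subject, folded header, upper-case parameter and extension, space in the name.
RENAMED = sample(
    "fwd: joke",
    'Content-Type: application/octet-stream;\r\n\tNAME="Very Funny .TXT.VBS"')
# The two headers disagree; only Content-Disposition carries the .vbs name.
MISMATCH = sample(
    "notes",
    'Content-Type: text/plain; name="notes.txt"\r\n'
    'Content-Disposition: attachment; filename="notes.txt.vbs. "')
# Matching Subject but a harmless attachment: a name-based filter lets it through.
BENIGN = sample("ILOVEYOU", 'Content-Type: text/plain; name="poem.txt"')

if __name__ == "__main__":
    for label, raw in (("as seen", AS_SEEN), ("renamed", RENAMED),
                       ("mismatch", MISMATCH), ("benign", BENIGN)):
        print(label, verdict(raw))
```

Wired in front of qmail-queue the same way as the script earlier in the thread, the filter would exit with the returned code on a hit and otherwise hand the message on unchanged.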





On Fri, May 05, 2000 at 01:59:39PM +0200, Jesper Hess Nielsen wrote:
> When I try to run the script directly :
> 
> [root@ns bin]# ./qmail-filter.py
> 
> bash: ./qmail-filter.py: No such file or directory

Try:

    $ python qmail-filter.py

If that works then something is wrong with the first line or the
permissions are wrong.  It may also be useful to remove the
try/except lines when testing.

    Neil

-- 
"All truth passes through three stages: first, it is ridiculed; next it is
violently attacked; finally, it is held to be self-evident." -- Schopenhauer




On Fri, May 05, 2000 at 12:19:09PM +0200, octave klaba wrote:
> Hi,
> I set up your qmail-filter.py and the test works
> # echo "test 1" | mail -s okay myself
> # echo "test 2" | mail -s ILOVEYOU myself
> qmail-inject: fatal: mail server permanently rejected message (#5.3.0)
> # echo "test 2" | mail -s ILOVEYOU [EMAIL PROTECTED]
> qmail-inject: fatal: mail server permanently rejected message (#5.3.0)

Nothing is wrong with those tests.

> but when I send an email through Eudora, using the SMTP of this server or not,
> to a POP account on this server, the email is not rejected.

Are you sure you have the Subject right?  It should be:

    "Subject: ILOVEYOU\r\n"

Try:

    $ telnet localhost 25
    220 example.com ESMTP
    mail <me>
    250 ok
    rcpt <me>
    250 ok
    data
    354 go ahead
    Subject: ILOVEYOU^M
    ^M
    .
    250 ok 957554771 qp 1623
    quit
    
Where you see ^M type "Control-v Enter".

> PS I restarted all

Not necessary.

    Neil

-- 
Real programmers don't make mistrakes




On Fri, 5 May 2000, Jesper Hess Nielsen wrote:

> Date: Fri, 5 May 2000 13:10:53 +0200
> From: Jesper Hess Nielsen <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: hack for filtering "i love you" worm
> 
> I tried installing the hack as described, but when I try the test, I get an
> error saying
> 
> [root@ns bin]# echo "test 1" | mail -s okay [EMAIL PROTECTED]
> [root@ns bin]# qmail-inject: fatal: unable to exec qq (#4.3.0)
> 
> Anyone know what this could be?
> 
> When I try to execute the py script, it says
> 
> bash: ./qmail-filter.py: No such file or directory

missing language python --- /usr/local/bin/python



> 
> I double checked that the path to python is correct in the script file.
> 
> /Jesper
> 
> 
> 






Rainer Link wrote:

> "Benjamin de los Angeles Jr." wrote:
> >
> > Can you cite pros/cons of using your antivirus software compared to
> > AmaVis?
> > > [I used its perlscanner interface to match on the attachment filename while
> > > waiting for the Antivirus vendors to come up with an "official" fix :-)]
> > > See http://www.geocities.com/jhaar/scan4virus/
>
> Well, I think you refer to AMaViS-Perl? AMaViS-Perl does not require any
> qmail patch(es) and supports more antivirus software.
> scan4virus provides a "generic filter/scanner" to filter out eMails with
> a specific attachment name - which in case of "I love you" is a good
> thing, but it's very easy to change the file name (or the subject line),
> according to BugTraq this has happened.

Err - no scan4virus contains a "generic filter" IN ADDITION TO support for other
commercial virus scanners.

Currently Trend, McAfee, HBEDV and Sophos.

My original rationale for developing my own virusscanner wrapper was that I had
some security concerns with AmaVis which weren't shared by the author, it didn't
support Qmail, and it was a shell script instead of a more "secure" language like
perl (well, "perl -T").

Maybe some of these reasons no longer apply, but I doubt it operates as efficiently
as scan4virus does (i.e. at the qmail-queue level) - that would be difficult to do
and retain compatibility with postfix and sendmail...

Anyway, variety is the spice of life...

--
Jason Haar





>> On Thu, 4 May 2000 19:28:32 -0400, 
>> "Searcher" <[EMAIL PROTECTED]> said:

R> Anyone can rename that .vbs to what ever they want and send it around
R> again so wouldn't it be more efficient to filter all .vbs attachments?

   The only safe way to handle this is to check any attachment for a
   Registry reference or an indication that Visual Basic is being run.
   Few if any legitimate attachments should be referring to the Registry,
   and all the mischief seems to be done via VB scripts.

   Unpacking an infected attachment (different virus) and running strings
   on it gave me the following:

        HKEY_CURRENT_USER\Software\Microsoft\Office\
        VB_Nam
        VBProjectOh
        VBComponents
        temp\VBE
        C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VBA\VBA332.DLL
        \VBE\MSForms.EXD

-- 
Karl Vogel
ASC/YCOA, Wright-Patterson AFB, OH 45433, USA
[EMAIL PROTECTED]  or  [EMAIL PROTECTED]




Jason Haar wrote:

> > scan4virus provides a "generic filter/scanner" to filter out eMails with
> > a specific attachment name - which in case of "I love you" is a good
> > thing, but it's very easy to change the file name (or the subject line),
> > according to BugTraq this has happened.
> 
> Err - no scan4virus contains a "generic filter" IN ADDITION TO support for other
> commercial virus scanners.
> Currently Trend, McAfee, HBEDV and Sophos.

Yes, I know that. The word "also/moreover/too" is missing in the
sentence above. Sorry for that - it wasn't intended to make a false
statement about scan4virus. Too little sleep in the past days :-( 


> My original rationale for developing my own virusscanner wrapper was that I  had
> some security concerns with AmaVis which weren't shared by the author, it didn't
Huh? Can you tell me more, please? Maybe you can simply repost/forward
your old mails to me. Thx a lot!

> support Qmail, and it was a shell script instead of a more "secure" language like
> perl (well, "perl -T").

Well, that's why we started AMaViS-perl (written by Chris Mason) :-) See
www.unixzone.com/virus/


> Maybe some of these reasons no longer apply, but I doubt it operates as efficiently
> as scan4virus does (i.e. at the qmail-queue level) - that would be difficult to do
> and retain compatibility with postfix and sendmail...

Well, AMaViS-perl does :-) 

> Anyway, variety is the spice of life...
Yes. Competition is welcome :-) 

cheers, Rainer
-- 
Rainer Link  | Member of Virus Help Munich (www.vhm.haitec.de)           
[EMAIL PROTECTED] | Member of AMaViS Development Team (amavis.org)            
rainer.w3.to | Maintainer FAQ "antivirus for Linux" (av-linux.w3.to)




Hi there

I'm having problems with qmail and procmail, where procmail is being able
to deliver into the $HOME/Maildir directory, and seems to want to put it
all in /var/mail/user, even when we change authenticate.c file, so we
have decided to revert back to the mailbox format and put up with it.
Does anyone have a script to convert mailboxes back to the mbox format
from the qmail maildir format?

cheers

nicholas




Hello everyone,

I am using Qmail on Suse 6.3, using /var/spool/mail/USERDIR.

For an unknown reason, the mail logs have been cleared and Qmail does not
log anything anymore.......

I have looked in syslog and qmail does not report any errors either.
Maybe permissions are wrong on the /var/log/mail file ?? what should they
be?

Does anybody have any suggestions? (No the hard drive is not full :))

Regards

Cedric Revest

-----------------------------------------------
Cedric Revest
Britnet Ltd
http://www.britnet.co.uk/

Direct Line: 0208 962 9542
Fax: 0208 964 8457







> Hello everyone,
> 
> I am using Qmail on Suse 6.3, using /var/spool/mail/USERDIR.
> 
> For an unknown reason, the mail logs have been cleared and Qmail does not
> log anything anymore.......
> 
> I have looked in syslog and qmail does not report any errors either.
> Maybe permissions are wrong on the /var/log/mail file ?? what should they
> be?
> 
> Does anybody have any suggestions? (No the hard drive is not full :))
> 
> Regards
> 
> Cedric Revest
> 

This may be due to the feature of syslogd that if the file it's supposed to be 
writing to doesn't exist, it doesn't create it, & nothing gets logged. If that's 
the case, try touching the log file and see if the messages start coming.

Chris Harris
System Manager
STL Ltd.
ph. 01228 512512 ext. 2211
fax 01228 514949






Hi,

This has probably been asked already but I've literally just joined.

How can I filter and reject ILOVEYOU messages in Qmail?

Any pointers would be appreciated

Best regards

Rod





Rodney Edwards <[EMAIL PROTECTED]> wrote:
> 
> This has probably been asked already but I've literally just joined.
> How can I filter and reject ILOVEYOU messages in Qmail?

Congratulations! You may be the first new subscriber whose question is
at least 1) timely, and 2) not a FAQ! You get a cigar!

> Any pointers would be appreciated

Let me point you to the qmail archive: <http://www-archive.ornl.gov:8000/>.
There have been some quick-and-dirty hacks suggested over the last couple
of days, but since I don't run Windows I haven't paid much attention.
Searching on ``ILOVEYOU'' should turn them up.

Hope this helps,
Len.

--
Frugal Tip #31:
Incrementally reduce your year-to-year operating expenditures while
aggressively recognizing unrealized receivables in the current quarter.




Hi,

I am new to this distribution list. Please forgive me
if I am not posting to the correct DL. 

I have a problem setting up a new qmail server. When I
try to enable selective relaying with
tcpserver/tcprules for qmail-smtpd, I always get

*** 553 sorry, that domain isn't in my list of allowed

*** rcpthosts (#5.7.1)

To make it simple, I have already tried to put a
single rule 
    :allow, RELAYCLIENT=""
inside tcp.smtp file and convert it to tcp.smtp.cdb.
(no error message) Still failed.

What I have tried is use an OLD cdb file from the
retiring server. It works! I have already lost the
original rule file in text format. Is there any
special way to generate the cdb file?? Is there any
suggestion/suspicion?

Here is my configuration:
 - Redhat 6.2
 - ucspi-tcp 8.0 / 8.4 / 8.8
 - qmail 1.03 (install from rpm packages)

Appreciated for your help!

Regards,
Clark







On Fri, May 05, 2000 at 03:31:57AM -0700, Clark Hon wrote:
> I have a problem setting up a new qmail server. When I
> try to enable selective relaying with
> tcpserver/tcprules for qmail-smtpd, I always get
> 
> *** 553 sorry, that domain isn't in my list of allowed
> 
> *** rcpthosts (#5.7.1)
> 
> To make it simple, I have already tried to put a
> single rule 
>     :allow, RELAYCLIENT=""
             ^

Take out the space.

Chris




I have been infected by the I LOVE YOU virus; it must have reached some of
you, I'm sorry.




hi Dave,

> >The init scripts are in,
> In what/where? And what's in them? And what platform are you using?

Sorry I didn't give enough info. The init scripts are in my /etc/rc.d/init.d
dir and softlinked to the various /etc/rcx.d directories. I'm using RH6.2,
and used the RPM package to first compile the src then installed it using
rpm.

> By "nothing happens" do you mean that the script runs but doesn't
> output anything, runs but exits immediately, or what?

It runs, but immediately exits.

> You can't start qmail from inetd.conf. Perhaps you mean qmail-smtpd?

Yes, I meant qmail-smtpd.





"Isaiah Chua" <[EMAIL PROTECTED]> wrote:

>Sorry I didn't give enough info. The init scripts are in my /etc/rc.d/init.d
>dir and softlinked to the various /etc/rcx.d directories. I'm using RH6.2,
>and used the RPM package to first compile the src then installed it using
>rpm.
>
>> By "nothing happens" do you mean that the script runs but doesn't
>> output anything, runs but exits immediately, or what?
>
>It runs, but immediately exits.

That's normal. Init scripts generally run stuff in the background so
the system can move on to the next script.

Do the qmail processes show up when you run ps? See:

  http://Web.InfoAve.Net/~dsill/lwq.html#processes

-Dave





Any recommendations on server virus scanners that run in harmony with qmail
on linux, and if so, why the recommendation?

Thanks,
jason







On Fri, May 05, 2000 at 09:51:52PM +1000, Jason Brooke wrote:
> 
> Any recommendations on server virus scanners that run in harmony with qmail
> on linux, and if so, why the recommendation?

H+BEDV antivir, from www.hbedv.com and www.antivir.de. Free for
non-commercial use, no fuss with web interfaces and the like (just
command-line), fast updates. German version is better than English,
though.

> Thanks,
> jason

-Johan
-- 
Johan Almqvist




Jason Brooke wrote:
> 
> Any recommendations on server virus scanners that run in harmony with qmail
> on linux, and if so, why the recommendation?

Please have a look at http://av-linux.w3.to, esp. the Mini-FAQ as text file
(direct link is http://www.ce.is.fh-furtwangen.de/~link/security/av-linux_e.txt)

(please bookmark only http://av-linux.w3.to - thnx)

HTH

cu, Rainer
-- 
Rainer Link  | Member of Virus Help Munich (www.vhm.haitec.de)           
[EMAIL PROTECTED] | Member of AMaViS Development Team (amavis.org)            
rainer.w3.to | Maintainer FAQ "antivirus for Linux" (av-linux.w3.to)




"David Dyer-Bennet" <[EMAIL PROTECTED]> wrote:
> Peter Samuel <[EMAIL PROTECTED]> wrote:
>  > 
>  > And your editor can't read in the results of a program?
> 
> I can think offhand of a couple of ways of doing it, but all of them
> are grossly inefficient and take lots of keystrokes.  There may well
> be an easy way I'm overlooking, too.  Nothing exotic, I'm an emacs
> user.  I'm not starting a new instance, I'm visiting the log file from
> my existing instance.

<rant>
``Nothing exotic, I'm an emacs user''? Emacs? Have you heard the
debates whether Emacs was an OS, a shell, or an editor? Have you seen
the emacs mailreaders, shell modes, IRC interfaces, and web browser?
What you want to do is absolutely trivial in emacs, and you can bind it
to a single keystroke.
</rant>

Anyway, what you want to do is absolutely trivial in emacs, and you can
bind it to a single keystroke.

Len.

--
You're repeating the same old ``forks are bad and execs are
disastrous'' litany without _profiling_ where your time is actually
going.
                                -- Dan Bernstein




> > Because we look at them too often :)
> 
> And can't you look at them by passing them through tai64nlocal each
> time? Can you spell "shell script wrapper"? :)

I *asked* the list about *some program* which can do reverse time
translation for my *already existing logs* - from Local to TAI.
I *know* how to solve my problem for newly generated logs, but my question
was about *old* logs.

Isn't it clear?

And your response(s) (especially last one) never answered my question.

-- 
Kins Orekhov
Outlook Technologies, Inc.
E-mail: [EMAIL PROTECTED]
Phone: 773-775-2099, ext. 226
http://swoop.outlook.net





Kins Orekhov <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
> > And can't you look at them by passing them through tai64nlocal each
> > time? Can you spell "shell script wrapper"? :)
> 
> I *asked* the list about *some program* which can do reverse time
> translation for my *already existing logs* - from Local to TAI.

Correct. And Peter answered your question: ``Can you spell `shell script
wrapper'?''

Translated, he just told you to write a script called ``look-at-old-logs'',
which runs tai64nlocal on the old log files, and then displays
them to you. Then, whenever you want to look at old logs, you run
``look-at-old-logs'', and voila! The magic happens all over again.
That's the wonderful thing about computers: they never get bored.

> And your response(s) (especially last one) never answered my question.

It did. However, to benefit from the answer required some work from you.
If you want somebody to do the work for you, pay them. (I'll do it if
you prepay, in US dollars. Say, $250 for 2.5 hours work, and if I'm done
sooner, I'll refund the difference.)

Len.

--
Frugal Tip #41:
Remember, the best things in life are free. That means if you can resell
them, that's a 100% profit margin.




At 9:33 PM -0400 5/4/00, Bennett Samowich wrote:
>Greetings,
>
>I am relatively new to qmail, so forgive me if this is too simple...
>
>With all of the current goings on about the "luv bug", I have a 
>question concerning qmail and filtering.  My customer base uses 
>sendmail primarily, while I have been experimenting with qmail at my 
>site.  With the sendmail sites I was able to implement a 
>configuration "hack" to stop initial instances of the message.  I 
>was also able to implement a global procmail filter to accomplish 
>the same thing.
>
>My question is this:
>Does qmail have the ability to implement global filters.  I know 
>that I can put procmail lines in each users .qmail file, but that 
>seems like a lot of work.

IIRC, the default delivery instruction in /var/qmail/rc can be a pipe 
to a program.  So you can qmail-start "| preline /path/to/procmail" 
and have mail by default run through procmail.  Of course, you still 
have a .qmail problem: any user with a .qmail will override the 
default instruction.  "man qmail-command" gives you some details.

>
>Thanks in advance,
>- Bennett

-- 
--
Paul J. Schinder
NASA Goddard Space Flight Center
Code 693
[EMAIL PROTECTED]




Bennett Samowich <[EMAIL PROTECTED]> wrote:

>Does qmail have the ability to implement global filters.  I know that
>I can put procmail lines in each users .qmail file, but that seems
>like a lot of work.

qmail doesn't have a filtering mechanism built in, but one can be
constructed pretty easily using the technique described in the
following article:

http://www.faqts.com/knowledge-base/view.phtml/aid/2142/fid/203/lang/en

-Dave




hi
i am sorry for this very easy question, but i am playing around and
can not work it out.

how can i apply the QMAILQUEUE patch?

i made a file with the patch in it, qmailqueue-patch, which looks
like:
---------------------- start
--- qmail-1.03-orig/Makefile    Mon Jun 15 04:53:16 1998
+++ qmail-1.03/Makefile Tue Jan 19 10:52:24 1999@@ -1483,12 +1483,12
@@
 trigger.o fmtqfn.o quote.o now.o readsubdir.o qmail.o date822fmt.o \
 datetime.a case.a ndelay.a getln.a wait.a seek.a fd.a sig.a open.a \
 lock.a stralloc.a alloc.a substdio.a error.a str.a fs.a auto_qmail.o
\
-auto_split.o+auto_split.o env.a
        ./load qmail-send qsutil.o control.o constmap.o newfield.o \
        prioq.o trigger.o fmtqfn.o quote.o now.o readsubdir.o \
        qmail.o date822fmt.o datetime.a case.a ndelay.a getln.a \
        wait.a seek.a fd.a sig.a open.a lock.a stralloc.a alloc.a \
-       substdio.a error.a str.a fs.a auto_qmail.o auto_split.o
+       substdio.a error.a str.a fs.a auto_qmail.o auto_split.o env.a
qmail-sen
d.0: \
 qmail-send.8diff -u qmail-1.03-orig/qmail.c qmail-1.03/qmail.c
--- qmail-1.03-orig/qmail.c     Mon Jun 15 04:53:16 1998
+++ qmail-1.03/qmail.c  Tue Jan 19 09:57:36 1999@@ -6,14 +6,25 @@
#include "fd.h
"
 #include "qmail.h" #include "auto_qmail.h"+#include "env.h"
-static char *binqqargs[2] = { "bin/qmail-queue", 0 } ;
+static char *binqqargs[2] = { 0, 0 } ;++static void setup_qqargs()+{
+  if(!binqqargs[0])+    binqqargs[0] = env_get("QMAILQUEUE");
+  if(!binqqargs[0])+    binqqargs[0] = "bin/qmail-queue";+}  int
qmail_open(qq)
 struct qmail *qq; {   int pim[2];   int pie[2];++  setup_qqargs();
   if (pipe(pim) == -1) return -1;
   if (pipe(pie) == -1) { close(pim[0]); close(pim[1]); return -1; }
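Review bot: In the qmail.c hunk, setup_qqargs() only tests binqqargs[0] for a null pointer, so a QMAILQUEUE that is exported but empty is kept as the program name and the "bin/qmail-queue" fallback never applies; treat a value whose first byte is 0 as unset before accepting it. The value from env_get("QMAILQUEUE") is also used exactly as given, so whoever controls the environment of a program that calls qmail_open() decides what runs in place of qmail-queue, and that trust assumption should be documented alongside the patch. The Makefile part shown adds env.a to the qmail-send rule only, so confirm that every other target linking qmail.o gets env.a as well.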
----------------------------- end
i tried to apply it:

caramel:/usr/local/src # ls -d qmail*
qmail-1.03/
qmail.tar.gz
qmailanalog-0.70/
qmailanalog-0_70.tar.gz
qmailqueue-patch
caramel:/usr/local/src # patch < qmailqueue-patch
Hmm...  I can't seem to find a patch in there anywhere.
caramel:/usr/local/src #


what am i doing wrong?
any help is greatly appreciated
jan stifter





On Fri, 05 May 2000 15:21:43 +0200, Jan Stifter <[EMAIL PROTECTED]>
wrote:

i solved it. my patch was broken.
sorry
jan





> Cono D'Elia wrote:
> 
> Hello,
> 
> Is there a limitation for the amount of users courier imap and
> vpopmail can support using the db type files? Is it better to go with
> an sql database instead?
> 
> 
> Thanks,
> 
> Cono.

There is no limitation of cdb password files. However, modifications
to the file (add/delete/mod) start taking long amounts of time >30 seconds
when you have more than 5,000 users.

ken jones
inter7




Hello all,

Is there a way to insert a shim (or shell wrapper) before qmail-local
delivers a local message?

IE, check for message size if $RECIEPENT = 'baduser' or some such thing?

It would seem administratively easier to apply these type of filters for a
large group of users that way rather than ~/.qmail-default 'ing all the
home dirs.

Paul Farber
Farber Technology
[EMAIL PROTECTED]
Ph  570-628-5303
Fax 570-628-5545





Paul Farber <[EMAIL PROTECTED]> wrote:
> 
> Is there a way to insert a shim (or shell wrapper) before qmail-local
> delivers a local message?

Simple; write a wrapper called ``qmail-local'', which in the end
exec's the original qmail-local (which you should rename, of
course). The interface is remarkably simple. From qmail-local(8):

  SYNOPSIS
       qmail-local  [  -nN  ]  user homedir local dash ext domain
       sender defaultdelivery

  DESCRIPTION
       ...
       The standard input for  qmail-local  must  be  a  seekable
       file, so that qmail-local can read it more than once.

See? It's a snap. (If you don't know how, I'll do it for a small fee.)

> It would seem administratively easier to apply these type of filters for a
> large group of users that way rather than ~/.qmail-default 'ing all the
> home dirs.

In fact this latter ``solution'' doesn't work anyway--unless the users
cannot create .qmail files. Extensions for which more specific
.qmail-ext files exist are delivered according to those instructions,
bypassing .qmail-default entirely.

Len.

--
Frugal Tip #19:
Discover the secret to happiness, then sell the franchise rights.
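
One way to build the wrapper described in the reply above, as an added example that is not code from the thread or from qmail. Assumptions: the original binary has been renamed to qmail-local.real, LIMITED_USER and MAX_BYTES are hypothetical settings, and the message size is read by reopening /dev/stdin (Linux behaviour) so the offset of the seekable stdin that qmail-local expects is left untouched.

```shell
#!/bin/sh
# Added example: shim installed under the name qmail-local.
# Assumptions (not from the thread): the original binary was renamed to
# qmail-local.real; LIMITED_USER and MAX_BYTES are hypothetical settings.
REAL_QMAIL_LOCAL=${REAL_QMAIL_LOCAL:-/var/qmail/bin/qmail-local.real}
LIMITED_USER=${LIMITED_USER:-baduser}
MAX_BYTES=${MAX_BYTES:-1048576}

# qmail-local [ -nN ] user homedir local dash ext domain sender defaultdelivery
# Print the "user" argument, skipping the optional -n / -N flag.
shim_user() {
    case "$1" in
        -n|-N) printf '%s\n' "$2" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# Size in bytes of the message on stdin. Reopening /dev/stdin gives wc its
# own file offset, so the descriptor handed on to the real qmail-local is
# still positioned where qmail-lspawn left it.
stdin_size() {
    wc -c < /dev/stdin | tr -d ' \t'
}

# Policy check: return 100 when LIMITED_USER is sent more than MAX_BYTES,
# 0 otherwise. Arguments: user, size in bytes.
shim_check() {
    if [ "$1" = "$LIMITED_USER" ] && [ "$2" -gt "$MAX_BYTES" ]; then
        return 100
    fi
    return 0
}

shim_main() {
    user=$(shim_user "$@")
    size=$(stdin_size) || exit 111
    # Anything that is not a plain number means the size could not be read:
    # exit 111 so qmail treats it as temporary and retries later.
    case "$size" in
        ''|*[!0-9]*) exit 111 ;;
    esac
    if ! shim_check "$user" "$size"; then
        echo "message of $size bytes exceeds the limit for $user" >&2
        exit 100    # permanent-failure code from qmail-command(8)
    fi
    # Hand over to the real program with the argument list unchanged.
    exec "$REAL_QMAIL_LOCAL" "$@"
}

# Act only when installed as qmail-local, so the file can also be sourced.
case "${0##*/}" in
    qmail-local) shim_main "$@" ;;
esac
```

Because the shim sits in front of every local delivery, it applies even to users who have their own .qmail files.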




On Thu, May 04, 2000 at 05:51:46PM -0700, Jon Rust wrote:
> At 2:43 AM +0200 5/5/00, Peter van Dijk wrote:
> >So much for security, eh?
> >
> 
> Hrmf. You have a point there. :-/ Guess I should think before typing. 
> Of course, by limiting the range of IPs allowed to trigger the 
> download, you could decrease the exposure, but it would be far from 
> perfect.
 
No, you're on the right track.

Have tcpserver on the private port trigger authentication via
the qmail-popup and checkpassword.  tcpserver sets the incoming
ip address in an environment variable, and you can trigger serialmail
from the tcpserver commandline.

John






On Thu, 4 May 2000, Jon Rust wrote:

> At 2:43 AM +0200 5/5/00, Peter van Dijk wrote:
> >So much for security, eh?
> >
> 
> Hrmf. You have a point there. :-/ Guess I should think before typing. 
> Of course, by limiting the range of IPs allowed to trigger the 
> download, you could decrease the exposure, but it would be far from 
> perfect.
> 
> (crawling back into lurk mode)
> 
> jon
> 

Exchange servers can be made to run an arbitrary program upon completing
the initiation of the dialup connection. Give them a program which initiates
a pop3 or spop3 connection, authenticates itself at the server, then
quits. And there is a wrapper for this behaviour on www.qmail.org.

ssh can also be made to do this, but that would need a system account on
the mailserver for each such user. Albeit their shell can be the script
maildir2smtp.

Robert Varga





hi,
i applied the QMAILQUEUE patch to qmail.

i start my qmail-smtpd with
    supervise /var/lock/svc/qmail-smtpd tcpserver -v -q -x/etc/tcp.smtp.cdb \
    -u101 -g101 0 smtp /var/qmail/bin/qmail-smtpd 2>&1 | \
    setuser qmaill accustamp | \
    setuser qmaill tailocal >> /var/log/qmail-smtpd.log &

and it works.

if i do an

export QMAILQUEUE="/var/qmail/bin/antivirus-qmail-queue.pl"

in front of the above command, no mail is working:

caramel:/var/log # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 caramel.medres.ch ESMTP
helo
250 caramel.medres.ch
mail from: test
250 ok
rcpt to: [EMAIL PROTECTED]
250 ok
data
354 go ahead
.
451 qq temporary problem (#4.3.0)
quit
221 caramel.medres.ch
Connection closed by foreign host.
caramel:/var/log #

the file qmail-smtpd.log shows the following lines:
2000-05-05 16:44:31.581449 Can't do setuid

what is the problem? what can i do?
any hints are greatly appreciated
jan





Mario Rafael <[EMAIL PROTECTED]> wrote:

>       Hi :), I have several questions.... I have an /var/spool/mail/alias file
>that is getting bigger and bigger each moment, what is its purpose?,

It's the user "alias"'s mailbox. It's sometimes where root/postmaster
mail ends up.

>I have taken a look at it and it seems that the messages double
>bouncing are stored there... how can I directly throw those messages
>to /dev/null?, thanks in advance.

echo devnull > /var/qmail/control/doublebounceto
echo '#' > ~alias/.qmail-devnull

Then restart qmail.

-Dave




"Luke Chiam" <[EMAIL PROTECTED]> wrote:

>I suspect someone is sending bulk mail using our qmail server, as we are
>getting a lot of rebounced mail and delivery failure notice.

A spammer might be sending stuff out with your domain in the envelope
return path. That would cause bounces to come to you even if the
messages didn't come from you. (They could be doing that to avoid
anti-spam mechanisms that require a valid domain in the return path.)

One of your users could be sending spam. Presumably this would be
apparent from examining the double bounces.

You could be an open relay. See:

  http://Web.InfoAve.Net/~dsill/lwq.html#relaying

-Dave




I guess the bounce mail comes from my side since I'm trying to configure my
qmail also but still having some problems. Sorry for that. I've restored my
old config and later, I will test again. 

My qmail setup is different. My qmail is configured as an email gateway
only. So there are no users in my qmail server. I hope you can help with
this kind of scenario.

> -----Original Message-----
> From: Dave Sill [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, May 06, 2000 1:18 AM
> To: [EMAIL PROTECTED]
> Subject: Re: qmail abuse...
> 
> 
> "Luke Chiam" <[EMAIL PROTECTED]> wrote:
> 
> >I suspect someone is sending bulk mail using our qmail 
> server, as we are
> >getting a lot of rebounced mail and delivery failure notice.
> 
> A spammer might be sending stuff out with your domain in the envelope
> return path. That would cause bounces to come to you even if the
> messages didn't come from you. (They could be doing that to avoid
> anti-spam mechanisms that require a valid domain in the return path.)
> 
> One of your users could be sending spam. Presumably this would be
> apparent from examining the double bounces.
> 
> You could be an open relay. See:
> 
>   http://Web.InfoAve.Net/~dsill/lwq.html#relaying
> 
> -Dave
> 




I have recently deployed a freeware procmail script that does a very good
job filtering out various forms of malicious mail.  So far it has caught all
the ILOVEYOU mail and a few of the variants we have seen.  Since I use QMail
on my own machine, can procmail scripts be used with QMail?  Most of the
script uses some well crafted PERL code, so if not, it could probably be
shoe-horned into a form that QMail will utilize.  Any suggestions?






on 5/5/00 10:32 AM, John W. Lemons III had the thought:

> I have recently deployed a freeware procmail script that does a very good
> job filtering out various forms of malicious mail.  So far it has caught all
> the ILOVEYOU mail and a few of the variants we have seen.  Since I use QMail
> on my own machine, can procmail scripts be used with QMail?  Most of the
> script uses some well crafted PERL code, so if not, it could probably be
> shoe-horned into a form that QMail will utilize.  Any suggestions?

You are better off using something like scan4virus at the queue level.
http://www.geocities.com/jhaar/scan4virus/

While it is probably not advised, I am using it without the QMAILQUEUE
patch.  Instead, the scan4virus program receives the mail, scans it, then
passes it to my renamed qmail-queue program.

Right now I deny all .vbs attachments.  Yes, this is rather draconian and
there might be a 1 in 100,000,000,000,000 chance that someone really needs
to send a .vbs attachment.  Those are the breaks...

Pat

-- 
Freestyle Interactive | http://www.freestyleinteractive.com | 415.778.0610





Hi,

> You are better off using something like scan4virus at the queue level.
> http://www.geocities.com/jhaar/scan4virus/

setting up scan4virus I have this error

Cannot find unzip on your system!

2 stupid questions:
- where can I find it out for linux ?
- do I need to use McAfee with ? if yes, which version ? an url ?

thanks
Octave

Best regards,
oCtAvE 

Connection terminated by timeout




on 5/5/00 10:55 AM, octave klaba had the thought:

> setting up scan4virus I have this error
> 
> Cannot find unzip on your system!
> 
> 2 stupid questions:
> - where can I find it out for linux ?

http://freshmeat.net

> - do I need to use McAfee with ? if yes, which version ? an url ?

No, but should have at least one kind of scanner.  It is easier if you use
one that is already tested and on the list.  Or you can simply use the built
in perl scanner.  Freshmeat also has links for virus scanners.

Pat

-- 
Freestyle Interactive | http://www.freestyleinteractive.com | 415.778.0610





> > I have recently deployed a freeware procmail script that does a very good
> > job filtering out various forms of malicious mail.  So far it has caught all
> > the ILOVEYOU mail and a few of the variants we have seen.  Since I use QMail
> > on my own machine, can procmail scripts be used with QMail?  Most of the
> > script uses some well crafted PERL code, so if not, it could probably be
> > shoe-horned into a form that QMail will utilize.  Any suggestions?
>
> You are better off using something like scan4virus at the queue level.
> http://www.geocities.com/jhaar/scan4virus/
>
> While it is probably not advised, I am using it without the QMAILQUEUE
> patch.  Instead, the scan4virus program receives the mail, scans it, then
> passes it to my renamed qmail-queue program.
>
> Right now I deny all .vbs attachments.  Yes, this is rather draconian and
> there might be a 1 in 100,000,000,000,000 chance that someone really needs
> to send a .vbs attachment.  Those are the breaks...

Thanks Pat...

That was the point I was trying to get across yesterday...  It can be
renamed and sent  through over and over so why not filter all .vbs
attachments?  I tried to emphasize the point that non tech users are killing
us with their carelessness so we have to protect them from vbs scripts in
order to protect ourselves.

On the same note I carried it through to all exe files as well.  If they
need to be sent by good users-  What's the big deal in changing the
extension to .exx?  Bad guys will send an exe and hope it is run on double
click while an exx obviously won't till the end user changes the extension
back to .exe.

My point is, if we don't stop viruses and Trojans from spreading then Uncle
Sam will try and we do not want that to happen considering the mess we have
with this child safety act.  I wonder at times if they don't create these
problems so they have an excuse to try to control the net!  The news I saw
and read leaned heavily towards government offices and military bases being
affected. :(

Rick < == paranoid!





>> Right now I deny all .vbs attachments.  Yes, this is rather draconian and
>> there might be a 1 in 100,000,000,000,000 chance that someone really needs
>> to send a .vbs attachment.  Those are the breaks...

>That was the point I was trying to get across yesterday...  It can be
>renamed and sent  through over and over so why not filter all .vbs
>attachments?  I tried to emphasize the point that non tech users are killing
>us with their carelessness so we have to protect them from vbs scripts in
>order to protect ourselves.

>On the same note I carried it through to all exe files as well.  If they
>need to be sent by good users-  What's the big deal in changing the
>extension to .exx?  Bad guys will send an exe and hope it is run on double
>click while an exx obviously won't till the end user changes the extension
>back to .exe.

Consider filtering the following as well:

*.reg           Regedit will inject its contents into your registry without any warning if you open this file
*.hlp           Windose help files can contain auto-executing vb script
*.hta           html application, can contain vb script, javascript etc. (MSHTA.EXE will run them when you click on them)
*.shs           shell automation code
*.vbs           vb script
*.chm           compiled HTML help file, also can contain vb script, javascript etc.

Most of these will never need to be sent or received by a user and all can
contain malicious code.  Any other suggestions?






On Fri, May 05, 2000 at 02:32:10PM -0500, John W. Lemons III wrote:
[A whole pile of extensions cut]
> Most of these will never need to be sent or received by a user and all can
> contain malicious code.  Any other suggestions?

Yes.  Fix the mail client or switch to one that does not execute
untrusted code without prompting.

    Neil

-- 
Real programmers don't make mistrakes




> Consider filtering the following as well:
> 
> *.reg         Regedit will inject its contents into your registry without any warning if you open this file
> *.hlp         Windose help files can contain auto-executing vb script
> *.hta         html application, can contain vb script, javascript etc. (MSHTA.EXE will run them when you click on them)
> *.shs         shell automation code
> *.vbs         vb script
> *.chm         compiled HTML help file, also can contain vb script, javascript etc.
> 
> Most of these will never need to be sent or received by a user and all can
> contain malicious code.  Any other suggestions?

Here's a snip from a bugtraq post...

<snip>
Sean Malloy <[EMAIL PROTECTED]> is letting us know that changing the
virus to use a WSF extension instead of VBS is just as effective.
WSF stands for Windows Scripting File. Antivirus vendors that want to
be proactive might want to add this extension to their signatures.
</snip>

Mark
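
The extension list from the two posts above (.reg, .hlp, .hta, .shs, .vbs, .chm, plus .wsf) turned into a filter, as an added example that is not code from the thread or from scan4virus. The function name, the BLOCKED_EXT variable and the sample message are constructed for illustration; the check is line-based and does not parse MIME structure or decode RFC 2231/2047 encoded names, so it errs toward blocking.

```shell
#!/bin/sh
# Added example: report attachments whose final extension is on a blocklist.
# BLOCKED_EXT holds the extensions named in the thread (lower case, no dot).
BLOCKED_EXT="reg hlp hta shs vbs chm wsf"

# Reads an RFC 822 message on stdin, prints every blocked attachment name,
# and returns 0 if at least one was found, 1 if none (like grep).
blocked_attachments() {
    awk -v exts="$BLOCKED_EXT" '
    BEGIN { n = split(exts, e, " "); for (i = 1; i <= n; i++) bad[e[i]] = 1 }
    {
        sub(/\r$/, "")                      # tolerate CRLF line endings
        low = tolower($0)
        # Only Content-Type / Content-Disposition lines and their folded
        # continuation lines carry name= / filename= parameters.
        if (low ~ /^content-(type|disposition)[ \t]*:/) inhdr = 1
        else if (!(inhdr && $0 ~ /^[ \t]/)) inhdr = 0
        if (!inhdr) next

        line = $0
        while (match(tolower(line), /(file)?name[ \t]*=[ \t]*/)) {
            rest = substr(line, RSTART + RLENGTH)
            if (substr(rest, 1, 1) == "\"") {   # quoted value, may hold spaces
                rest = substr(rest, 2)
                end = index(rest, "\"")
                val = (end > 0) ? substr(rest, 1, end - 1) : rest
            } else {                            # bare token up to ; or space
                val = rest
                sub(/[; \t].*$/, "", val)
            }
            line = substr(rest, length(val) + 1)
            # Only the LAST extension decides: NAME.TXT.vbs is a .vbs file.
            lowval = tolower(val)
            if (match(lowval, /\.[^.]*$/)) {
                ext = substr(lowval, RSTART + 1)
                if (ext in bad) { print val; found = 1 }
            }
        }
    }
    END { exit (found ? 0 : 1) }
    '
}

# Constructed sample message (not taken from the thread).
SAMPLE_MSG='From: sender@example.org
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; name=notes.txt

see attached
--b1
Content-Type: application/octet-stream;
 name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Disposition: attachment; filename="This is Bogus.VBS"

x
--b1--'

# Stand-alone demo: sh thisfile --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_MSG" | blocked_attachments
fi
```

In a delivery or queue wrapper, a zero return from blocked_attachments is the signal to reject the message.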




Is there some way to make qmail-mrtg work with qfilelog log files? I am
doing my logging monthly .. that is i have log data piped through
qfilelog into /var/log/qmail/sendlog and a /var/log/qmail/smtpd/smtpdlog
which grow for an entire month and then get rolled over, and are parsed
with matchup/zoverall and friends.

Is it possible to have the qmail-mrtg scripts read these two files?

-- 
Mark Drummond|ICQ#19153754|mailto:[EMAIL PROTECTED]
UNIX System Administrator|Royal Military College of Canada
The Kingston Linux Users Group|http://signals.rmc.ca/klug/
Saving the World ... One CPU at a Time




"Mark E. Drummond" wrote:
> 
> Is there some way to make qmail-mrtg work with qfilelog log files? I am
> doing my logging monthly .. that is i have log data piped through
> qfilelog into /var/log/qmail/sendlog and a /var/log/qmail/smtpd/smtpdlog
> which grow for an entire month and then get rolled over, and are parsed
> with matchup/zoverall and friends.
> 
> Is it possible to have the qmail-mrtg scripts read these two files?

Cancel my last ... I have switched to multilog and I am modifying the
qmail-mrtg scripts to use multilog formatted log files. If anyone else
is interested in them I can provide them when finished.

-- 
Mark Drummond|ICQ#19153754|mailto:[EMAIL PROTECTED]
UNIX System Administrator|Royal Military College of Canada
The Kingston Linux Users Group|http://signals.rmc.ca/klug/
Saving the World ... One CPU at a Time




"Mark E. Drummond" wrote:
> 
> Cancel my last ... I have switched to multilog and I am modifying the
> qmail-mrtg scripts to use multilog formatted log files. If anyone else
> is interested in them I can provide them when finished.

Hmmm, while working on this I just noticed that there is a discrepancy
between the time returned by perl's `time` (or $^T) and the time
-- 
Mark Drummond|ICQ#19153754|mailto:[EMAIL PROTECTED]
UNIX System Administrator|Royal Military College of Canada
The Kingston Linux Users Group|http://signals.rmc.ca/klug/
Saving the World ... One CPU at a Time

Please excuse me if I am terse. I answer dozens of emails every day.




Antigen for Exchange found LOVE-LETTER-FOR-YOU.TXT.vbs matching
=love-letter-for-you.txt.vbs file filter.
The file is currently Detected.  The message, "Re: hack for filtering "i
love you" worm", was
sent from Kai MacTane  and was discovered in IMC Queues\Inbound
located at Matchlogic/MATCHLOGIC/HOUSTON.




At 5/5/2000 11:54 AM -0600, ANTIGEN_HOUSTON wrote or quoted:
>Antigen for Exchange found LOVE-LETTER-FOR-YOU.TXT.vbs matching
>=love-letter-for-you.txt.vbs file filter.
>The file is currently Detected.  The message, "Re: hack for filtering "i
>love you" worm", was sent from Kai MacTane  and was discovered in IMC 
>Queues\Inbound located at Matchlogic/MATCHLOGIC/HOUSTON.

Hmmm. Looks like someone's already filtering on just the string I sent out.

I wonder if they're filtering all .vbs files?

Content-Type: application/octet-stream; name="This is Bogus.vbs"
Content-Disposition: attachment; filename="This is Bogus.vbs"

-----------------------------------------------------------------
                              Kai MacTane
                          System Administrator
                       Online Partners.com, Inc.
-----------------------------------------------------------------
 From the Jargon File: (v4.0.0, 25 Jul 1996)

finger trouble /n./

Mistyping, typos, or generalized keyboard incompetence (this is
surprisingly common among hackers, given the amount of time they
spend at keyboards). "I keep putting colons at the end of statements
instead of semicolons", "Finger trouble again, eh?".





Kai MacTane wrote:
> 
> At 5/5/2000 11:54 AM -0600, ANTIGEN_HOUSTON wrote or quoted:
> >Antigen for Exchange found LOVE-LETTER-FOR-YOU.TXT.vbs matching
> >=love-letter-for-you.txt.vbs file filter.
> >The file is currently Detected.  The message, "Re: hack for filtering "i
> >love you" worm", was sent from Kai MacTane  and was discovered in IMC
> >Queues\Inbound located at Matchlogic/MATCHLOGIC/HOUSTON.
> 
> Hmmm. Looks like someone's already filtering on just the string I sent out.
> 
> I wonder if they're filtering all .vbs files?

Our exchange admin is.


__________________________________________________________________
                          David Nicol 816.235.1187 [EMAIL PROTECTED]
        "Lord Macbeth knew he was approaching the SITE of the rout
 from the SIGHT of odd body parts scattered on the blasted heath."






Hi. I don't understand how to invoke the qmail-users system.  I have a
server and /var/qmail/users/ is empty.  I would like to be able to use
the "assign" mechanism.  How do i do this ?   I tried to run qmail-pw2u
but it just seems to hang forever.  This is how it says to do it in 
Life with Qmail. Also if i start using 'assign' will it somehow mess up my 
existing config ?  Does qmail have to be restarted as well ??

thanks in advance !
tony






"Tony D'Andrade" <[EMAIL PROTECTED]> wrote:

>Hi. I don't understand how to invoke the qmail-users system.  I have a
>server and /var/qmail/users/ is empty.  I would like to be able to use
>the "assign" mechanism.  How do i do this ?   I tried to run qmail-pw2u
>but it just seems to hang forever.

Did you read the qmail-pw2u man page?

>This is how it says to do it in Life with Qmail.

No, LWQ doesn't tell you how to run qmail-pw2u. The purpose of the
qmail-users coverage in LWQ is to supplement the man pages, not to
replace them.

>Also if i start using 'assign' will it somehow mess up my 
>existing config ?

That depends upon what you put in /var/qmail/users.

>Does qmail have to be restarted as well ??

No.

-Dave




Antigen for Exchange found This is Bogus.vbs matching =*.vbs file filter.
The file is currently Deleted.  The message, "Re: Antigen found
=love-letter-for-you.txt.vbs file", was
sent from Kai MacTane  and was discovered in IMC Queues\Inbound
located at Matchlogic/MATCHLOGIC/HOUSTON.




We can only send out 22 messages from remote queue at once and when the
server has finished delivering those 22 it does not queue up to deliver any more.
We have over 8,000 message in our remote queue and sending qmail-send an
-ALRM does not get it to restart sending.  We have to stop and start it by hand
each time.  Any help would be greatly appreciated or request for more info.
 
Concurrency is set to 100 remote queues and it is not even using them all.
 
Qmail 1.03 running on a SGI Challenge S - Irix 6.5
 
-Eric Davis




"Eric Davis" <[EMAIL PROTECTED]> wrote:

>We can only send out 22 messages from remote queue at once and when
>the server has finished delivering those 22 it does not queue up to
>deliver any more.  We have over 8,000 message in our remote queue and
>sending qmail-send an -ALRM does not get it to restart sending.  We
>have to stop and start it by hand each time.  Any help would be
>greatly appreciated or request for more info.
>
>Concurrency is set to 100 remote queues and it is not even using them
>all.
>
>Qmail 1.03 running on a SGI Challenge S - Irix 6.5

What Do The Logs Say(tm)?

What does qmail-qstat say?

Have you checked your trigger? See:

  http://Web.InfoAve.Net/~dsill/lwq.html#trigger

-Dave




We frequently get two Delivered-To headers when one qmail mailbox
forwards to another qmail mailbox.

Dave

> -----Original Message-----
> From: PPPindia [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 04, 2000 1:57 PM
> To: [EMAIL PROTECTED]
> Subject: Two Delivered-To headers - Why ?
> 
> 
> Setup:
> LAN, Redhat 6.1, qmail, vpopmail/vchkpw, Mailman list software
> Default domain : sanshri.com, Virtual domain : ppp.com 
> Mailman list is configured for the virtual domain ppp.com
> 
> Problem : Two Delivered-To headers are being generated
> - one addressed to the alias, and the other with the actual
> destination address - the mailman list owner address. (see below)
> I am having this problem not only in this case, but also
> when i manually create an alias in the default domain sanshri.com
> 
> So far i have never been able to create an alias entry 
> without the mail having two delivered-to headers ?
> I do not have this problem when i create an alias
> through qmailadmin/vpopmail.
> 
> The alias setup for the virtual domain is as follows : -
> In /domains/ppp.com/.qmail-pppshar
> | preline /home/mailman/mail/wrapper post pppshar
> 
> In .qmail-default the vdelivermail is called...
> and the default line put by vpopmail is there undisturbed
> in /var/qmail/users/assign
> 
> Headers :
> Return-Path: <[EMAIL PROTECTED]>
> Delivered-To: [EMAIL PROTECTED]
> Received: (qmail 1040 invoked from network); 4 May 2000 12:02:28 -0000
> Received: from unknown (HELO sanshri.com) ([EMAIL PROTECTED])
>   by 192.168.0.15 with SMTP; 4 May 2000 12:02:28 -0000
> Return-Path: <[EMAIL PROTECTED]>
> Delivered-To: [EMAIL PROTECTED]
> Received: (qmail 986 invoked from network); 4 May 2000 11:57:05 -0000
> Received: from unknown (HELO ppp) (192.168.0.3)
>   by 192.168.0.15 with SMTP; 4 May 2000 11:57:05 -0000
> Message-ID: <003f01bfb5be$ddd1ef80$0300a8c0@ppp>
> From: "listc" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> -------------------------
> 
> What could be the problem here ?
> I want only one Delivered-To header in the messages.
> 
> Please help
> ksamy
> +--------------------------------------------------------+
> PPPshar- Internet for your LAN with one Internet account
> netMailshar -Email for every desktop with one 'Net account.
> MailAssistant - Speaking Email Notifier
> GetAgain - resume interrupted downloads.
> Visit http://www.pppindia.com/software
> +--------------------------------------------------------+
> 
> 




Hello all.

The continued discussions about the "love bug" and qmail "hacks" for dealing
with it have me disturbed.  I won't knock djb; the man needs to write an OS
one of these days.  :)  However there should be no need to "hack" qmail to
get it to filter unwanted mail and I'm wondering if future versions of qmail
will care.

Dave Sill's "general approach" for filtering is, well... I couldn't help but
crack up when I read it [01].  This is by no means intended to be offensive;
it's just funny to read that a *possible* solution for getting qmail to do
what I want is to install it twice.

Maybe windoze will do what I want if I install it twice eh?  ermm.. no, been
there, done that.

CERT also talked about filters for sendmail, postfix, and procmail [02].  No
mention of qmail.

qmail is a programmer's MTA.  (Un)fortunately the world isn't full of
programmers.  When things like the "love bug" hit the main stream, getting
everyone to frantically and quickly slam their doors shut in the faces of
all that is unwanted, qmail users should be able to do the same.  Er, that
is, without having to write some quick, untested "hack" to do it.  Or
install a 2nd copy of qmail and then write a quick, untested "hack".

qmail needs filtering rules for this "love bug" sort of thing, ie, a new
control file or set of control files.  These days, filtering by the MTA is
probably more of a necessity than a feature.

Then again, this is all merely my US $0.02.

kw
/*
** Keith Warno
** Developer & Sys Admin
** http://www.HaggleWare.com/
*/

[01]http://www.faqts.com/knowledge-base/view.phtml/aid/2142/fid/203/lang/en
[02]http://www.cert.org/advisories/CA-2000-04.html





On Fri, May 05, 2000 at 03:27:40PM -0400, Keith Warno wrote:
> Hello all.
> 
> The continued discussions about the "love bug" and qmail "hacks" for dealing
> with it have me disturbed.  I won't knock djb; the man needs to write an OS
> one of these days.  :)  However there should be no need to "hack" qmail to
> get it to filter unwanted mail and I'm wondering if future versions of qmail
> will care.
> 
> Dave Sill's "general approach" for filtering is, well... I couldn't help but
> crack up when I read it [01].  This is by no means intended to be offensive;
> it's just funny to read that a *possible* solution for getting qmail to do
> what I want is to install it twice.

I presume you understood Dave to mean run two instances of qmail, not merely
to install and re-install.  One instance would accept the mail, filter it and
pass it off to the other instance for delivery. Of course you knew that, you
just find it funny for some reason.

Also, having a mail gateway is fairly common corporate practise, so having
a qmail instance as a gateway with a global filtering strategy is pretty trivial
by delivering thru ~alias/.qmail-default then forwarding on.

Finally, there *is* a well defined interface at which all mail going thru
qmail can be filtered. It's called qmail-queue. Nothing is stopping any
enterprising person or organization from writing or commercializing a filtering
system that wraps qmail-queue. It could even be written to provide the same
interface as the filtering API that sendmail now deploys so those commercial
filters could be transparently used with either MTA.


Regards.




on 5/5/00 12:27 PM, Keith Warno had the thought:
> 
> qmail is a programmer's MTA.  (Un)fortunately the world isn't full of
> programmers.  When things like the "love bug" hit the main stream, getting
> everyone to frantically and quickly slam their doors shut in the faces of
> all that is unwanted, qmail users should be able to do the same.  Er, that
> is, without having to write some quick, untested "hack" to do it.  Or
> install a 2nd copy of qmail and then write a quick, untested "hack".
> 
> qmail needs filtering rules for this "love bug" sort of thing, ie, a new
> control file or set of control files.  These days, filtering by the MTA is
> probably more of a necessity than a feature.

What makes you think that the fixes that instantly sprang up for sendmail,
et al. weren't quick hacks?  With the design of qmail I am able to do more
general filtering and it keeps me from having to use a 1 meg procfile
recipe.  I use scan4virus.

The problem that this presents is that there is always more than one way to
do it so you have 18 different perl scripts to do the same task ;-)

We have a dedicated test machine for qmail, so testing 'quick hacks' usually
isn't a problem.  I know this isn't an option for everyone, but before you
apply any kind of patch to sendmail or other MTAs I would think you want to
test it as well.
 
Pat
-- 
Freestyle Interactive | http://www.freestyleinteractive.com | 415.778.0610





"Keith Warno" <[EMAIL PROTECTED]> wrote:

>The continued discussions about the "love bug" and qmail "hacks" for dealing
>with it have me disturbed.  I won't knock djb; the man needs to write an OS
>one of these days.  :)  However there should be no need to "hack" qmail to
>get it to filter unwanted mail and I'm wondering if future versions of qmail
>will care.

I'll be surprised if the next version of qmail doesn't have better
support for filtering/processing messages. DJB is good at addressing
users' needs in subsequent releases. Look at the development of
DNScache or the early qmail days for two examples.

>Dave Sill's "general approach" for filtering is, well... I couldn't help but
>crack up when I read it [01].  This is by no means intended to be offensive;
>it's just funny to read that a *possible* solution for getting qmail to do
>what I want is to install it twice.

Well, I always try to entertain, as well as inform. :-)

The [01] method is crude, but quite flexible and powerful--and
requires no modification to the source code.

>Maybe windoze will do what I want if I install it twice eh?  ermm.. no, been
>there, done that.

More of a good thing is sometimes better, but more of a bad thing...?

>CERT also talked about filters for sendmail, postfix, and procmail [02].  No
>mention of qmail.

Probably because the "vendors" submitted that information, but DJB
didn't.

-Dave




On Fri, May 05, 2000 at 12:21:40PM -0700, [EMAIL PROTECTED] wrote:
> Finally, there *is* a well defined interface at which all mail going thru
> qmail can be filtered. It's called qmail-queue. Nothing is stopping any
> enterprising person or organization from writing or commercializing a filtering

See http://www.geocities.com/jhaar/scan4virus/ - qmail-queue
replacement that can run a variety of commercial virus scanners (as well as
its inbuilt one) over all Email that has to go through qmail-queue (i.e.
everything).

Been there - done that.

-- 
Cheers

Jason Haar

Unix/Network Specialist, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
               




Keith Warno wrote:
> 
> there should be no need to "hack" qmail

And there isn't!  Why do people persist on insecure MUAs?




__________________________________________________________________
                          David Nicol 816.235.1187 [EMAIL PROTECTED]
        "Lord Macbeth knew he was approaching the SITE of the rout
 from the SIGHT of odd body parts scattered on the blasted heath."




"David L. Nicol" wrote:

> Keith Warno wrote:
> >
> > there should be no need to "hack" qmail
>
> And there isn't!  Why do people persist on insecure MUAs?

My sentiment exactly.
Why should I have to expend valuable time and resources fixing
Microsoft's dud ware?
Here in .au there are rumblings of legislation for ISPs to block virii,
these people have no concept of the difference between a virus and
a worm or any other type of exploit, yet pressure is mounting on ISPs
and, if legislated, means ISPs will be liable for loss and damage and
loss of production because MS constantly fail to secure their systems.
To effect this type of policy one would need to prohibit all attachments,
scan each mail for vb/java script and why not personally read/censure
each mail
</rant>

Kevin





But if you are the first one to sell 'secure' qmail servers you will be
the MS of .au!

Take a bad thing and make it into a good one.  That and make profit along
the way!

Paul Farber
Farber Technology
[EMAIL PROTECTED]
Ph  570-628-5303
Fax 570-628-5545

On Fri, 5 May 2000, Kevin Waterson wrote:

> "David L. Nicol" wrote:
> 
> > Keith Warno wrote:
> > >
> > > there should be no need to "hack" qmail
> >
> > And there isn't!  Why do people persist on insecure MUAs?
> 
> My sentiment exactly.
> Why should I have to expend valuable time and resources fixing
> Microsoft's dud ware?
> Here in .au there are rumblings of legislation for ISPs to block virii,
> these people have no concept of the difference between a virus and
> a worm or any other type of exploit, yet pressure is mounting on ISPs
> and, if legislated, means ISPs will be liable for loss and damage and
> loss of production because MS constantly fail to secure their systems.
> To effect this type of policy one would need to prohibit all attachments,
> scan each mail for vb/java script and why not personally read/censure
> each mail
> </rant>
> 
> Kevin
> 
> 





> > there should be no need to "hack" qmail
>
> And there isn't!  Why do people persist on insecure MUAs?

  I'll chime in on this, even though my view may not be the same as
everyone else's.

     The problem isn't MUA's.  The problem is that users were duped into
executing a program of a malicious intent.

      That isn't anything new.  In fact, it isn't even restricted to MUA's.
The recent root-exploit of Apache.org involved duping a root user into
executing malicious code.  It's just a fact of life, until every user in
the world is not only educated (hah, when will that happen?), but
sufficiently competent to analyze programs on their own, virii will still
exist.  And even if those utopian conditions existed, we'd just find
trickier ways to spread the virii.

    Because of that, viral scanning is a necessity for large corporations,
to save themselves a lot of monetary loss.  They simply need to protect
themselves through viral scanning.  The ability to have incoming/outgoing
mail scanned does not solve the problem, but is a very, very good first
step.

   Few experienced administrators would fail to use some sort of
firewalling/filtering on their company's Internet connection.  If they
wanted to, they could simply throw the blame on insecure programs / OS /
systems, but they don't.  They use the firewall / filtering because it's a
fast, easy way to block many attacks.  Not all, but many.  Central email
virus scanning is the same thing.

    When I sent my analysis of the "iloveyou" virus to BugTraq, I was
deluged with email - all of them bounces.  Because my message started with
"ilove you", many, many mail servers had blocked it.  That was within
something like 12 hours of the release.  Think of the immense amount of
headaches the system administrators for those companies saved themselves.
The ounce of prevention was worth a metric ton of cure.

     There is also the issue of cost.  Is it cheaper to purchase one SMP
machine to scan mail on the server for virii, or to license a hundred
copies of a virus scanner, and then buy each machine more RAM and CPU, so
that they can still work as efficiently while the virus scanner watches
what they do?

   Scanning mail on the server may not be your preference.  However, it is
a very valuable and useful resource, that is just as valid as using
firewalls to prevent attacks against insecure machines on the inside
network.

  If someone in the open-source community doesn't ante up and make
server-side mail scanning work well, someone in the private sector will.
Let's make the world a Better Place, and do it first.

  Shoot, just this morning, my MOTHER of all people called me up and asked
why they couldn't stop the virus at the mail server. : )

steve





Steve Wolfe writes:
 >      The problem isn't MUA's.  The problem is that users were duped into
 > executing a program of a malicious intent.

And until the MUA is fixed, this will happen again, and again and
again and again.  Replace your MUA with something that's secure and
you have solved the problem.  Stop the email at the MTA and you're a
sitting duck for the next invocation.  Lather, rinse, repeat.

-- 
-russ nelson <[EMAIL PROTECTED]>  http://russnelson.com
Crynwr sells support for free software  | PGPok | "Ask not what your country
521 Pleasant Valley Rd. | +1 315 268 1925 voice | can force other people to
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | do for you..."  -Perry M.




>Steve Wolfe writes:
> >      The problem isn't MUA's.  The problem is that users were duped into
> > executing a program of a malicious intent.
>
>And until the MUA is fixed, this will happen again, and again and
>again and again.  Replace your MUA with something that's secure and
>you have solved the problem.  Stop the email at the MTA and you're a
>sitting duck for the next invocation.  Lather, rinse, repeat.

a lot of people forget that when you get a defective car, you don't sue the dealer; 
you sue the vendor. for some reason, 
people also think it's somehow different with the windows.

cheers to those of you that have enough whiskey in your system to where that makes the 
slightest bit of sense.
:)





First off, let me thank everyone in this mailing list for assisting me
in setting up my qmail server.  Within about 4 weeks, I now have a
functioning server that will send and receive email from the internet
and internally.  A special kudos to Dave Sill for writing LWQ.  Your
document was a huge amount of help.  I now have a server running on
RedHat 6.1 with Qmail 1.03.  I seem to be having one problem.  My
server sits behind a NAT firewall.  I have 2 NICs in my server, one
with an internal non-routable address, and another with a real ip
address that my new ISP has given to me.  I contacted my former/other
provider that is hosting our website and also registered our domain,
to get the MX records changed to point to my new mail server.  This
has been done as far as I can tell.  When I do a nslookup on
mail.foobar.com I get back the correct address.  Also I can receive
email from the outside world.  My problem lies with attaching to
mail.foobar.com.  When I am behind the firewall I can attach to
mail.int.foobar.com and everything is working, but when I try to
attach to mail.foobar.com, I time out.  Listed below is the output of
qmail-showctl.  It all seems to be OK when I look at it, but I'm just
a newbie.  Any help would be greatly appreciated.

qmail home directory: /var/qmail.

user-ext delimiter: -.

paternalism (in decimal): 2.

silent concurrency limit: 120.

subdirectory split: 23.

user ids: 501, 502, 503, 0, 504, 505, 506, 507.

group ids: 501, 502.

badmailfrom:

bouncefrom: (Default.) Bounce user name is MAILER-DAEMON.

bouncehost: (Default.) Bounce host name is foobar.com.

concurrencylocal: (Default.) Local concurrency is 10.

concurrencyremote: (Default.) Remote concurrency is 20.

databytes: SMTP DATA limit is 20000000 bytes.

defaultdomain: Default domain name is foobar.com.

defaulthost: (Default.) Default host name is foobar.com.

doublebouncehost: (Default.) 2B recipient host: foobar.com.

doublebounceto: (Default.) 2B recipient user: postmaster.

envnoathost: (Default.) Presumed domain name is foobar.com.

helohost: (Default.) SMTP client HELO host name is foobar.com.

idhost: (Default.) Message-ID host name is foobar.com.

localiphost: (Default.) Local IP address becomes foobar.com.

locals:

Messages for mail.foobar.com are delivered locally.

Messages for foobar.com are delivered locally.

me: My name is foobar.com.

percenthack: (Default.) The percent hack is not allowed.

plusdomain: Plus domain name is foobar.com.

qmqpservers: (Default.) No QMQP servers.

queuelifetime: (Default.) Message lifetime in the queue is 604800 seconds.

rcpthosts:

SMTP clients may send messages to recipients at foobar.com.

SMTP clients may send messages to recipients at mail.foobar.com.

SMTP clients may send messages to recipients at mail.int.foobar.com.

morercpthosts: (Default.) No effect.

morercpthosts.cdb: (Default.) No effect.

smtpgreeting: (Default.) SMTP greeting: 220 foobar.com.

smtproutes: (Default.) No artificial SMTP routes.

timeoutconnect: (Default.) SMTP client connection timeout is 60 seconds.

timeoutremote: (Default.) SMTP client data timeout is 1200 seconds.

timeoutsmtpd: (Default.) SMTP server data timeout is 1200 seconds.

virtualdomains: (Default.) No virtual domains.





When I attempt to connect to telnet mail.foobar.com 25
I get mail.foobar.com: Unknown host
 
I will make two assumptions,
1) mail.foobar.com does not exist (DNS broke,etc)
2) your domain is not foobar.com and you are editing the output of qmail-showctl
 
Please send us the TRUE information since dealing with mailservers is often a DNS issue
 
also send us the commands you use to start qmail
-----Original Message-----
From: Steve Peace(Internal) [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 05, 2000 3:12 PM
To: [EMAIL PROTECTED]
Subject: Connecting to my email server..

First off, let me thank everyone in this mailing list for assisting me
in setting up my qmail server.  Within about 4 weeks, I now have a
functioning server that will send and receive email from the internet
and internally.  A special kudos to Dave Sill for writing LWQ.  Your
document was a huge amount of help.  I now have a server running on
RedHat 6.1 with Qmail 1.03.  I seem to be having one problem.  My
server sits behind a NAT firewall.  I have 2 NICs in my server, one
with an internal non-routable address, and another with a real ip
address that my new ISP has given to me.  I contacted my former/other
provider that is hosting our website and also registered our domain,
to get the MX records changed to point to my new mail server.  This
has been done as far as I can tell.  When I do a nslookup on
mail.foobar.com I get back the correct address.  Also I can receive
email from the outside world.  My problem lies with attaching to
mail.foobar.com.  When I am behind the firewall I can attach to
mail.int.foobar.com and everything is working, but when I try to
attach to mail.foobar.com, I time out.  Listed below is the output of
qmail-showctl.  It all seems to be OK when I look at it, but I'm just
a newbie.  Any help would be greatly appreciated.

qmail home directory: /var/qmail.

user-ext delimiter: -.

paternalism (in decimal): 2.

silent concurrency limit: 120.

subdirectory split: 23.

user ids: 501, 502, 503, 0, 504, 505, 506, 507.

group ids: 501, 502.

badmailfrom:

bouncefrom: (Default.) Bounce user name is MAILER-DAEMON.

bouncehost: (Default.) Bounce host name is foobar.com.

concurrencylocal: (Default.) Local concurrency is 10.

concurrencyremote: (Default.) Remote concurrency is 20.

databytes: SMTP DATA limit is 20000000 bytes.

defaultdomain: Default domain name is foobar.com.

defaulthost: (Default.) Default host name is foobar.com.

doublebouncehost: (Default.) 2B recipient host: foobar.com.

doublebounceto: (Default.) 2B recipient user: postmaster.

envnoathost: (Default.) Presumed domain name is foobar.com.

helohost: (Default.) SMTP client HELO host name is foobar.com.

idhost: (Default.) Message-ID host name is foobar.com.

localiphost: (Default.) Local IP address becomes foobar.com.

locals:

Messages for mail.foobar.com are delivered locally.

Messages for foobar.com are delivered locally.

me: My name is foobar.com.

percenthack: (Default.) The percent hack is not allowed.

plusdomain: Plus domain name is foobar.com.

qmqpservers: (Default.) No QMQP servers.

queuelifetime: (Default.) Message lifetime in the queue is 604800 seconds.

rcpthosts:

SMTP clients may send messages to recipients at foobar.com.

SMTP clients may send messages to recipients at mail.foobar.com.

SMTP clients may send messages to recipients at mail.int.foobar.com.

morercpthosts: (Default.) No effect.

morercpthosts.cdb: (Default.) No effect.

smtpgreeting: (Default.) SMTP greeting: 220 foobar.com.

smtproutes: (Default.) No artificial SMTP routes.

timeoutconnect: (Default.) SMTP client connection timeout is 60 seconds.

timeoutremote: (Default.) SMTP client data timeout is 1200 seconds.

timeoutsmtpd: (Default.) SMTP server data timeout is 1200 seconds.

virtualdomains: (Default.) No virtual domains.





I don't know exactly what types of NAT firewalling there are, but I'll
assume you mean something like IPmasquerading with Port forwarding (25
forwarded to your internal machine).

You can't send packets to your external (real) IP and then have them
come back into the network.
For instance, my web server is inside my network.  If I try to access
www.youwasahero.com, it will time out.
On the other hand,  my FTP server is on the firewall/gateway box, so if I
access ftp.youwasahero.com that works, because the packets don't have to
leave the network and then come back in.

Here are your options:
1)  Put your qmail server on the gateway/firewall machine (this is what
I do).

2) Set up a DNS server for your internal network.  Make an entry so that
mail.int.foobar.com resolves to your INTERNAL IP address for the mail
server. (this is how I handle my internal web server.  For the real
world DNS records, www.youwasahero.com resolves to my external (real) IP
address, and port 80 is forwarded. For my private internal DNS server,
www.youwasahero.com resolves to the IP address of the web server on the
internal network, 192.168.0.5.)

I hope that makes sense.


"Steve Peace(Internal)" wrote:

> First off, let me thank everyone in this mailing list for assisting me
> in setting up my qmail server.  Within about 4 weeks, I now have a
> functioning server that will send and receive email from the internet
> and internally.  A special kudos to Dave Sill for writing LWQ.  Your
> document was a huge amount of help.  I now have a server running on
> RedHat 6.1 with Qmail 1.03.  I seem to be having one problem.  My
> server sits behind a NAT firewall.  I have 2 NICs in my server, one
> with an internal non-routable address, and another with a real ip
> address that my new ISP has given to me.  I contacted my former/other
> provider that is hosting our website and also registered our domain,
> to get the MX records changed to point to my new mail server.  This
> has been done as far as I can tell.  When I do a nslookup on
> mail.foobar.com I get back the correct address.  Also I can receive
> email from the outside world.  My problem lies with attaching to
> mail.foobar.com.  When I am behind the firewall I can attach to
> mail.int.foobar.com and everything is working, but when I try to
> attach to mail.foobar.com, I time out.  Listed below is the output of
> qmail-showctl.  It all seems to be OK when I look at it, but I'm just
> a newbie.  Any help would be greatly appreciated.
>
> qmail home directory: /var/qmail.





Thanks for the assist,  I should have realized that, but I have Friday on
the brain.  Excuse me while I wipe the egg off of my face :-)


----- Original Message -----
From: <[EMAIL PROTECTED]>
To: "Steve Peace(Internal)" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, May 05, 2000 3:59 PM
Subject: Re: Connecting to my email server..


> I don't know exactly what types of NAT firewalling there are, but I'll
> assume you mean something like IPmasquerading with Port forwarding (25
> forwarded to your internal machine).
>
> You can't send packets to your external (real) IP and then have them
> come back into the network.
> For instance, my web server is inside my network.  If I try to access
> www.youwasahero.com, it will time out.
> On the other hand,  my FTP server is on the firewall/gateway box, so if I
> access ftp.youwasahero.com that works, because the packets don't have to
> leave the network and then come back in.
>
> Here are your options:
> 1)  Put your qmail server on the gateway/firewall machine (this is what
> I do).
>
> 2) Set up a DNS server for your internal network.  Make an entry so that
> mail.int.foobar.com resolves to your INTERNAL IP address for the mail
> server. (this is how I handle my internal web server.  For the real
> world DNS records, www.youwasahero.com resolves to my external (real) IP
> address, and port 80 is forwarded. For my private internal DNS server,
> www.youwasahero.com resolves to the IP address of the web server on the
> internal network, 192.168.0.5.)
>
> I hope that makes sense.
>
>
> "Steve Peace(Internal)" wrote:
>
> > First off, let me thank everyone in this mailing list for assisting me
> > in setting up my qmail server.  Within about 4 weeks, I now have a
> > functioning server that will send and receive email from the internet
> > and internally.  A special kudos to Dave Sill for writing LWQ.  Your
> > document was a huge amount of help.  I now have a server running on
> > RedHat 6.1 with Qmail 1.03.  I seem to be having one problem.  My
> > server sits behind a NAT firewall.  I have 2 NICs in my server, one
> > with an internal non-routable address, and another with a real ip
> > address that my new ISP has given to me.  I contacted my former/other
> > provider that is hosting our website and also registered our domain,
> > to get the MX records changed to point to my new mail server.  This
> > has been done as far as I can tell.  When I do a nslookup on
> > mail.foobar.com I get back the correct address.  Also I can receive
> > email from the outside world.  My problem lies with attaching to
> > mail.foobar.com.  When I am behind the firewall I can attach to
> > mail.int.foobar.com and everything is working, but when I try to
> > attach to mail.foobar.com, I time out.  Listed below is the output of
> > qmail-showctl.  It all seems to be OK when I look at it, but I'm just
> > a newbie.  Any help would be greatly appreciated.
> >
> > qmail home directory: /var/qmail.
>
>




For those not on the BugTraq mailing list.

This is yet another update about the worm from the moderator of BugTraq.
There's all sorts of useful info here.

You may also want to poke around at www.securityfocus.com .

kw

----- Original Message -----
From: "Elias Levy" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: 05 May 2000, Friday 15:37
Subject: Re: IL0VEY0U worm


Another update.


VARIANTS
--------

Toni Tiainen <[EMAIL PROTECTED]> reports of a new variant
they are calling LoveLetter.E which spreads with a subject of
"Mothers Day Order Confirmation" with a message body of (indented
two spaces):

  Thanks for your purchase!

  We have proceeded to charge your credit card for the amount of $326.92 for
  the mothers day diamond special. We have attached a detailed invoice to this
  email. Please print out the attachment and keep it in a safe place.

  Thanks Again and Have a Happy Mothers Day!

The attachment is named "mothersday.vbs". This variant deleted all files
with an extension of ".bat". F-Secure Anti-Virus for Firewalls with
the latest signature file can detect and delete this variant. For
more info check out http://www.f-secure.com/v-descs/love.htm

The LoveLetter.B variant has a subject of
"Susitikim shi vakara kavos puodukui...".

Brian Moore <[EMAIL PROTECTED]> reports seeing at least one variant where
the VBS virus was not an attachment but it was instead uuencoded.
This may fool antivirus products. Look out for the string
"begin 600 LOVE-LETTER-FOR-YOU.TXT.vbs" in the message. Could this
be the result of some MTA rewriting the message?

Trend Micro has released pattern file number 695 which includes
definitions to detect the variants reported by Dan Simoes <[EMAIL PROTECTED]>
(the tabs to spaces variant).

Sean Malloy <[EMAIL PROTECTED]> is letting us know that changing the
virus to use a WSF extension instead of VBS is just as effective.
WSF stands for Windows Scripting File. Antivirus vendors that want to
be proactive might want to add this extension to their signatures.
The file contents would look something like this:

<job id="iloveyou">
<script language="VBScript">
'insert code here
</script>
</job>

or as Sean points out you could encode it to obfuscate it by doing:

<job id="iloveyouencrypted">
<script language="VBScript.Encode">
#@~^EQAAAA==vbxd^?DDPmKN^?~t^?DnOwYAAA==^#~@
</script>
</job>

where "#@~^EQAAAA==vbxd^?DDPmKN^?~t^?DnOwYAAA==^#~@" is the encoded
worm.

It seems the "fwd: Joke" variant attachment is "Very Funny.vbs" (note the
space) and not "VeryFunny.vbs". Or maybe it's a new variant.


FILTERING
---------

As many of you pointed out filtering based on the subject line is less
than perfect. Sadly that is the best you can do with many MTAs without
some hacking. If others can come up with ways to filter based on
attachments let us know. If you can filter by attachment look out
for files with these extensions: VBS, VBE, WSF, WSH, HTA.

Also the second regexp filter I recommended for Postfix was wrong.
Postfix can only match message headers, not attachment headers. So
the line "/Content.*\.vbs/ REJECT" will have no effect on the worm.
You are left with filtering by subject (e.g. "/^Subject:.*ILOVEYOU/
REJECT").

Jose Nazario <[EMAIL PROTECTED]> has updated his sendmail
rules. As suggested by Keith Petersen it now generates 501 errors (rather
than 553's, which causes an Exchange server to keep retrying delivery) and
it now handles the Joke variants.
http://biocserver.bioc.cwru.edu/~jose/iloveyouhack.txt

Jimmy Corio <[EMAIL PROTECTED]> has provided the following procmail
recipe:

#
# Look for ILOVEYOU worm.  File copy in /var/mail/ILoveYouSave and
# notify that an infected mail file may have come in.
# - jc3 05/04/00
#
:0 B
* ^Content-Type: application/octet-stream;.*($|).*name="LOVE-LETTER-FOR-YOU.TXT.vbs"
{
      ILOVEYOULOG="/var/mail/ILoveYouSave"

  :0 c
  $ILOVEYOULOG

  :0 h
    | (formail -i"Subject: Potential ILOVEYOU worm email received" \
      -i"To:[EMAIL PROTECTED]" \
      -i"Content-type: text/plain; charset=\"us-ascii\""; \
      echo "Potential I Love You virus received.  Check Log."; \
      echo "Date: `/bin/date`"; \
      ) | \
      $SENDMAIL -oi [EMAIL PROTECTED]
}

Please note you need to change the email address it sends warning messages
to, and you should also modify it to catch the "Very Funny.vbs" attachment.


ANTIVIRUS
---------

Daniel Doekal <[EMAIL PROTECTED]> reports that does not seems to stop the virus
with the 24.4.2000 signature file and that LiveUpdate has not yet listed
a newer signature file. At the same time there are conflicting reports that
Norton does detect the virus but as the older BubbleBoy virus or by using
its Bloodhound heuristics technology.

Adele Shakal <[EMAIL PROTECTED]> points us to DrSolomon's fix at
http://www.drsolomons.com/home/extra.zip

Bernhard Schneck <[EMAIL PROTECTED]> points us to this
German antivirus vendor fix http://www.antivir.de/presse/loveletter.htm


RECOVERY SCRIPTS
----------------

Dave Salovesh <[EMAIL PROTECTED]> points out my comment about
the ThePope.org recovery script was wrong. Since the overwritten files
are renamed to have a .vbs extension the script does not need to look
for the other extensions. The script is at http://www.thepope.org/fix.vbs

David E Haasnoot <[EMAIL PROTECTED]> has some scripts to recover
from the worm at http://www.liwdg.org/love.html

Damon Lathe <[EMAIL PROTECTED]> points us to another recovery
script called the Love Condom at http://www.creativebits.com/love-condom/


OTHER SOLUTIONS
---------------

Chris Needham <[EMAIL PROTECTED]> had the clever idea of having the
skyinet.net ISP that hosts the web pages for the WIN-BUGSFIX.exe program
to replace those pages with a page informing users they are infected
and with instructions on how to fix their systems. Of course this is
not likely to happen but local ISPs can redirect these URLs in their
proxies to help their customers.

Dax Kelson <[EMAIL PROTECTED]> found some errors in the script supplied
by Dan Stromberg <[EMAIL PROTECTED]> yesterday. Dan has fixed it
up and made a new version available at
ftp://autoinst.acs.uci.edu/pub/virus/zotiloveyou

David Luyer <[EMAIL PROTECTED]> provides us with a similar
script in perl. It's attached. Run from /var/spool with $files = `echo mail/*`
or $files = result of building list from grep.  No forks, execs, etc, etc,
so it can be run over a few hundred thousand mailboxes without too much pain,
although the locking is very ugly and doesn't actually test the lock.

Steve Parker <[EMAIL PROTECTED]> points out a way to stop the worm from
propagating (at least via email). The worm uses the OLE automation object
for Outlook to send the infected messages. It obtains a handle to this
object via the following VBS line:

set out=WScript.CreateObject("Outlook.Application")

"Outlook.Application" references a registry key under HKEY_CLASSES_ROOT.
That key references the CLSID of the OLE automation object for Outlook.
If that key is deleted, renamed, or the CLSID value is changed, VB code will
not be able to automate Outlook, and hence the worm will not propagate
itself via email.

Steve tested this technique and it does not appear to break Outlook.  It
did, however, break the Palm HotSync manager.
--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

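#!/usr/bin/perl
# Remove messages whose headers contain "Subject: ILOVEYOU" from mbox files.
# Run from /var/spool.  A $file.lock is created but never tested.

$virusremoved = 0;

# Set $files before running, e.g. $files = `echo mail/*`;
#$files="mail/victim1 mail/victim2 ..."
# split(' ') splits on any whitespace, so the newline that `echo` appends
# does not end up in the last file name.
@files = split(' ', $files);

# Map login names to uids so ownership can be restored afterwards.
open(PW, "</etc/passwd") or die "cannot open /etc/passwd: $!\n";
while (<PW>) {
  @l = split(/:/);
  $uid{$l[0]} = $l[2];
}
close(PW);

for $file (@files) {
  print "doing $file...\n";
  $msg = "";
  $isvirus = 0;
  $isnotvirus = 0;
  open(TMP, ">$file.lock");
  close(TMP);
  # If any step fails, leave this mailbox alone instead of truncating it.
  unless (rename($file, "$file.TMP-RM-VIRUS")) {
    warn "cannot rename $file: $!\n";
    unlink("$file.lock");
    next;
  }
  unless (open(FILEOLD, "<$file.TMP-RM-VIRUS") && open(FILENEW, ">$file")) {
    warn "cannot open $file: $!\n";
    close(FILEOLD);
    rename("$file.TMP-RM-VIRUS", $file);
    unlink("$file.lock");
    next;
  }
  while (<FILEOLD>) {
    if (/^From /) {
      # Start of the next message: write out the previous one unless flagged.
      print FILENEW $msg if (!$isvirus);
      $virusremoved++ if ($isvirus);
      print "REMOVED: $virusremoved\n" if ($isvirus);
      $msg = "";
      $isvirus = 0;
      $isnotvirus = 0;
    }
    $msg .= $_;
    # The first blank line ends the headers; a Subject line after that
    # is body text and is ignored.
    if (/^$/ && !$isvirus) {
      $isnotvirus++;
    }
    if (/^Subject: ILOVEYOU$/) {
      $isvirus++ if (!$isnotvirus);
    }
  }
  # Write out the last message in the mailbox unless flagged.
  print FILENEW $msg if (!$isvirus);
  $virusremoved++ if ($isvirus);
  $msg = "";
  $isvirus = 0;
  $isnotvirus = 0;
  close(FILEOLD);
  close(FILENEW);
  unlink("$file.TMP-RM-VIRUS");
  unlink("$file.lock");
  # Restore ownership: the user's uid (0 if unknown) and the hard-coded gid 12.
  $user = $file;
  $user =~ s/mail\///;
  print "user = $user\n";
  $uid = 0;
  $uid = $uid{$user} if exists $uid{$user};
  print "uid = $uid\n";
  chown $uid, 12, $file;
  chmod 0660, $file;
}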
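
The procmail recipe above matches one attachment name and the Perl script one Subject line, so a copy carrying the "Very Funny.vbs" attachment passes both. The following is an added example, not part of the original post: it scans an mbox for any attachment whose file name ends in a script extension. The extension list, function names and sample messages are constructed assumptions.

```python
import mailbox
import os
import tempfile

# Assumed list of extensions that Windows runs as script when opened.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")

# Constructed sample mailbox: two carriers and one harmless warning.
SAMPLE_MBOX = b"""\
From alice@example.test Fri May  5 10:00:00 2000
Subject: ILOVEYOU
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

kindly check the attached file
--b1
Content-Type: application/octet-stream;
 name="LOVE-LETTER-FOR-YOU.TXT.vbs"

placeholder bytes, not a script
--b1--

From bob@example.test Fri May  5 10:05:00 2000
Subject: fwd: constructed subject
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Very Funny.vbs"

placeholder bytes, not a script
--b2--

From carol@example.test Fri May  5 10:10:00 2000
Subject: worm warning
Content-Type: text/plain; name="notes.vbs.txt"

Delete anything that arrives with this header:
Subject: ILOVEYOU
"""

def risky_attachments(msg):
    """Return attachment file names in msg that end in a script extension."""
    hits = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition filename= and falls back
        # to the Content-Type name= parameter used by the procmail recipe.
        name = part.get_filename()
        if name and name.strip().lower().endswith(SCRIPT_EXTS):
            hits.append(name.strip())
    return hits

def scan_mbox(path):
    """Map message index -> (subject, attachment names) for flagged mail."""
    flagged = {}
    box = mailbox.mbox(path, create=False)
    try:
        for idx, msg in enumerate(box):
            names = risky_attachments(msg)
            if names:
                flagged[idx] = (msg.get("Subject", ""), names)
    finally:
        box.close()
    return flagged

def write_sample():
    """Write the constructed mailbox to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_MBOX)
    return path

if __name__ == "__main__":
    path = write_sample()
    try:
        for idx, (subject, names) in scan_mbox(path).items():
            print(f"message {idx}: {subject!r} carries {names}")
    finally:
        os.remove(path)
```

The third sample message is not flagged: its Subject line sits in the body and its file name ends in .txt, the two cases a plain text match gets wrong.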




listy-dyskusyjne Krzysztof Dabrowski writes:
 > At 20:06 2000-05-03, Russell Nelson wrote:
 > >But it looks to me like he's reversed the password and the
 > >timestamp parameters to checkpassword.
 > 
 > so the order is : LOGIN, PASSWORD, TIMESTAMP
 > 
 > my cmd5checkpassword accepts:
 > 
 > login name terminated by \e0,
 > a cram-md5 challenge terminated by \e0,
 > and a cram-md5 response terminated by

qmail-pop3d's apop command sends first parameter, second parameter,
timestamp, where the "timestamp" parameter is actually
pid.timestamp@hostname.  That would correspond to login, response, and 
challenge for MD5.

Not that it *really* matters since CRAM-MD5 and APOP use algorithms
with different details.

-- 
-russ nelson <[EMAIL PROTECTED]>  http://russnelson.com
Crynwr sells support for free software  | PGPok | "Ask not what your country
521 Pleasant Valley Rd. | +1 315 268 1925 voice | can force other people to
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | do for you..."  -Perry M.




"Mark E. Drummond" wrote:
> 
> Cancel my last ... I have switched to multilog and I am modifying the
> qmail-mrtg scripts to use multilog formatted log files. If anyone else
> is interested in them I can provide them when finished.

Let's try that again.

Hmmm, while working on this I just noticed that there is a discrepancy
between the time returned by perl's `time` (or $^T) and the time on my
multilog logs. Here is an example:

--BEGIN QUOTE--
bastion# tail /var/log/qmail/sendlog
957550606.725794 status: local 0/10 remote 0/20
957550606.726275 end msg 175750
957550614.220152 new msg 175750
957550614.220404 info msg 175750: bytes 1102 from <[EMAIL PROTECTED]> qp 11557 uid 51015
957550614.467704 starting delivery 88634: msg 175750 to remote [EMAIL PROTECTED]
957550614.467785 status: local 0/10 remote 1/20
957550614.578268 delivery 88634: success: 137.94.1.134_accepted_message./Remote_host_said:_250_Message_received:_FU3MS600.HM3/
957550614.608559 status: local 0/10 remote 0/20
957550614.609030 end msg 175750
957550627.961157 status: exiting
bastion# perl test
957558159 : 957558159
bastion#
--END QUOTE--

the script "test" is just:

#!/usr/local/bin/perl
print time," : $^T\n";

-- 
Mark Drummond|ICQ#19153754|mailto:[EMAIL PROTECTED]
UNIX System Administrator|Royal Military College of Canada
The Kingston Linux Users Group|http://signals.rmc.ca/klug/
Saving the World ... One CPU at a Time

Please excuse me if I am terse. I answer dozens of emails every day.




I am hoping you can help me with a qmail problem...
 
We have the etrn patch installed and etrn was working up until last night,
but now it is not working.  We telnet to the server on port 25 and issue an
etrn command for a domain in our etrn file and it reports an internal
etrn failure.

The message is:  opening etrntrigger:  No such device or address

Any idea of what we can look at?  The etrntrigger file is there in /var/qmail and
the permissions are okay from what we can see.  We have even rebuilt qmail.
 
-Eric Davis




 >We have the etrn patch installed and etrn was working up until last night,

Where might one find this patch?  Digging around qmail.org didn't produce
anything.

Thanks,
[EMAIL PROTECTED]






Hello,
What is the way to send qmail's output to standard output so I can view
qmail's transactions like sendmail in verbose mode? I know this was posted
somewhere; I thought it was on Life with qmail but it doesn't seem to be
there anymore. If anyone has the URL or could just send me the command line
syntax I would appreciate it. Thanks in advance.




Reduce your international phone bill by over 50%.  Join our 
easy-to-use callback service today for free.

No monthly minimums, surcharges or set-up fees apply, just low flat 
rates 24 hours, everyday.   

Visit our website: http://hometown.aol.com/gotelcom/ and enter to 
win $500 in FREE phone calls, or email us for more info: 
[EMAIL PROTECTED]

Check out our low rates below.   Complete listing of rates for all 
countries available on our website. Prices are per minute in USD. 

To get the rates add cost of country you are calling FROM to cost 
of country you are calling TO.

Algeria                  0.27
Argentina                0.36
Argentina Buenos Aires   0.18
Australia                0.10
Austria                  0.11
Bahamas                  0.15
Bahrain                  0.42
Bangladesh               0.63
Belgium                  0.10
Brazil                   0.27
Brazil Rio de Jan.       0.20
Brazil Sao Paulo         0.20
Canada                   0.08
Chile                    0.15
China                    0.27
Colombia                 0.25
Cyprus                   0.23
Denmark                  0.10
Djibouti                 0.74
Egypt                    0.59
Finland                  0.10
France                   0.08
Georgia                  0.46
Germany                  0.08
Ghana                    0.36
Greece                   0.20
Hong  Kong               0.10
Hungary                  0.26
India                    0.60
Indonesia                0.33
Indonesia Jakarta        0.20
Iran                     0.62
Ireland                  0.10
Israel                   0.13
Italy                    0.11
Japan                    0.10
Jordan                   0.51
Kazakhstan               0.36
Kenya                    0.74
Kuwait                   0.54
Lebanon                  0.55
Liberia                  0.38
Libya                    0.27
Malaysia                 0.20
Malta                    0.17
Mauritania               0.58
Mexico                   0.18
Morocco                  0.46
Netherlands              0.07
New Zealand              0.09
Nigeria                  0.70
Norway                   0.08
Oman                     0.53
Pakistan                 0.69
Philippines              0.29
Poland                   0.28
Qatar                    0.53
Romania                  0.35
Russia                   0.39
Russia Moscow            0.18
Russia St. Petersburg    0.20
Saudi  Arabia            0.61
Singapore  Rep.          0.15
Somalia                  0.60
South Africa             0.35
South Africa Johannesburg 0.22
South Korea              0.12
Spain                    0.13
Sri Lanka                0.64
Sudan                    0.39
Sweden                   0.08
Switzerland              0.10
Syria                    0.57
Taiwan                   0.11
Tajikistan               0.47
Thailand                 0.35
Tunisia                  0.40
Turkey                   0.39
Turkmenistan             0.46
Ukraine                  0.29
United  Arab Emirates    0.35
United Kingdom           0.07
USA                      0.05
Venezuela                0.33
Yemen                    0.74

- Rates apply 24 hrs/day, 7 days per week
- NO sign-up fees, NO monthly fees, and NO surcharges
- You DO NOT have to SWITCH your current provider
- Ideal for Home and Business use
- Callback service is available to/from anywhere in the world.

Contact us for more information and complete rate table at:

Email: [EMAIL PROTECTED]
http://hometown.aol.com/gotelcom/

If you would like to be removed from our list, please reply to: 
[EMAIL PROTECTED] with the word "remove" in 
the subject line.
 
 
 
 
 




At 03:20 PM 5/4/00 +0000, [EMAIL PROTECTED] wrote:

Why doesn't this qmail mailing list use rblsmtpd to prevent Dial Up
user abuse?
Delivered-To: mailing list [EMAIL PROTECTED]
Received: (qmail 32716 invoked from network); 5 May 2000 23:34:51 -0000
Received: from ac81110d.ipt.aol.com (HELO mx.boston.juno.com) (172.129.17.13)
by muncher.math.uic.edu with SMTP; 5 May 2000 23:34:51 -0000






Is there any way to restrict which users/groups can execute commands via the 
| option in their .qmail file?  I realise that the problem could be solved 
by not giving users access to the .qmail file but this is not always an 
option.  The biggest problem is an ftp/mail user could write a .qmail which 
mails them the /etc/passwd file giving them access to the userlist.

Another question.  Does anyone know how to take the results of a command 
and forward the message to those usernames (I have a command that lists all 
users in a specific virtual domain).  It would be nice to have a "dynamic 
mailing list".

A final question: does anyone have a script to forward the results of a 
command to the person who sent the message? ie. run amalist then send the 
result of the command to the user who emailed [EMAIL PROTECTED]?

Thank you for your help.




I've installed qmail, and I can send messages out to the world just fine..
but I can't "get" messages from the world.

The faq's and howto pages have me confused.  I read something about the
/users/assign file, but am completely confused about setting that up.  All
I want at this point is to allow a user to get mail from anywhere.  If I
already have [EMAIL PROTECTED], how do I get mail to the Mailbox directory?

After I get this part figured out, hopefully the virtual domain part won't
be all that difficult.

I'm using Mandrake 7.02.

Thanks.





James wrote:
> 
> I've installed qmail, and I can send messages out to the world just fine..
> but I can't "get" messages from the world.
> 
> The faq's and howto pages have me confused.  I read something about the
> /users/assign file, but am completely confused about setting that up.  All
> I want at this point is to allow a user to get mail from anywhere.  If I
> already have [EMAIL PROTECTED], how do I get mail to the Mailbox directory?
> 
> After I get this part figured out, hopefully the virtual domain part won't
> be all that difficult.
> 
> I'm using Mandrake 7.02.
> 
> Thanks.


If you send a message to a user within your server, is he able to
receive it?

I had a problem more or less like yours, in my case my users were not
able to retrieve any e-mail.....




I found most of my answers in a wonderful book written by Dave Sill
"Life with Qmail" http://Web.InfoAve.Net/~dsill/lwq.html and the rest in
this mailing list.

Bolivar,




James wrote:
> 
> I've installed qmail, and I can send messages out to the world just fine..
> but I can't "get" messages from the world.
> 
> The faq's and howto pages have me confused.  I read something about the
> /users/assign file, but am completely confused about setting that up.  All
> I want at this point is to allow a user to get mail from anywhere.  If I
> already have [EMAIL PROTECTED], how do I get mail to the Mailbox directory?
> 
> After I get this part figured out, hopefully the virtual domain part won't
> be all that difficult.
> 
> I'm using Mandrake 7.02.
> 
> Thanks.




I am using Openbsd 2.6 and I am having a problem with checkpassword.
When I do the test in the install  doc for checkpassword

/var/qmail/bin/qmail-popup host /bin/checkpassword pwd

It works fine, verifies my user id and password.  When I try to telnet
to the server using its fqdn on port 110  I get this:

atlas# telnet atlas.teoi.net 110
Trying 206.30.147.56...
Connected to atlas.teoi.net.
Escape character is '^',
+OK ([EMAIL PROTECTED])
user dale
+OK
pass mypass
-ERR authorization failed
Connection closed by foreign host.
atlas#

If I telnet to localhost i get the same error as above but the line with
the numbers@atlas etc  has different numbers.  The same happens if I try
this from any machine in my subnet.  Here is what one of my machines
with win98se & outlook express (the one for IE5) spit out at me

There was a problem logging onto your mail server. Your Password was
rejected. Account: 'atlas.teoi.net', Server: 'atlas.teoi.net', Protocol:
POP3, Server Response: '-ERR authorization failed', Port: 110,
Secure(SSL): No, Server Error: 0x800CCC90, Error Number: 0x800CCC92

I can send mail out and get it at the destination address without any
problems.  I have tried turning on and off the "require authentication"
option in outlook but no luck...gave me another error which was obvious
(not running ssh/ssl on the pop3d).  I haven't tried this in netscape
communicator's mail, the only machine I have it on is mine running RH61
and ns 4.61.   I am using the win98 box with outlook so I don't have to
mess with my netscape on my machine.  I'm going to replace my slackware
box with the openbsd eventually.  Another thing I noticed is my pop3
sessions are getting logged, splogger is logging my smtp but they are
setup the same as far as I know.  Here are my start up's for both:

if [ -x /usr/local/bin/tcpserver ]; then
 echo -n ' Qmail-smtp'; /usr/local/bin/tcpserver -x /etc/tcp.smtp.cdb -v
-u 2850 -g 32750 0 smtp /var/qmail/bin/qmail-smtpd 2>&1 \
/var/qmail/bin/splogger smtpd 3 &
fi

if [ -x /usr/local/bin/tcpserver ]; then
 echo -n ' Qmail-pop3'; /usr/local/bin/tcpserver -v -R 0 pop3
/var/qmail/bin/qmail-popup atlas.teoi.net \ /bin/checkpassword
/var/qmail/bin/qmail-pop3d Maildir 2>&1 \ /var/qmail/bin/splogger pop3d
3 &
fi

Please let me know if this is wrong, it appears to work for the smtp
without a problem.  I saw an example on one of the web sites that put a
|  right after 2>&1 and when I did that splogger wouldn't load...error
said it couldn't find it.  I took the | out and it loaded but pop3d
is the only one not logging.

Thanks in advance for any ideas/suggestions.
                                Dale






-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dale,

If your domain is teoi.net(i.e.- [EMAIL PROTECTED] and not
[EMAIL PROTECTED]) try-

...
/var/qmail/bin/qmail-popup teoi.net \ /bin/checkpassword
...

Hope this helps.

Regards,
Charles Werbick





-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBORN+gL4UXtxZ1qcBEQKYRACg+LEvGRhd22tyXhhpvsekfXZoGpcAoPBe
Blk1aCTvaEbkXiNUC5NuLdZg
=8Ti4
-----END PGP SIGNATURE-----





-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Oops,
That was totally bogus. Too many hours awake...
you may try the -u and -g options set to root for pop3 instance of
tcpserver.

Regards

Charles Werbick

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOROPvr4UXtxZ1qcBEQJnXgCgv/sMkosmBKr1qw/fViLrL3LAQo4AnRWU
xvZYVAC2tNyyM55g06Alde76
=4bWT
-----END PGP SIGNATURE-----





Charles Werbick wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Dale,
>
> If your domain is teoi.net(i.e.- [EMAIL PROTECTED] and not
> [EMAIL PROTECTED]) try-
>
> ...
> /var/qmail/bin/qmail-popup teoi.net \ /bin/checkpassword
> ...
>
> Hope this helps.
>
> Regards,
> Charles Werbick
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBORN+gL4UXtxZ1qcBEQKYRACg+LEvGRhd22tyXhhpvsekfXZoGpcAoPBe
> Blk1aCTvaEbkXiNUC5NuLdZg
> =8Ti4
> -----END PGP SIGNATURE-----

I just tried that and no go, same error.  Thanks for the suggestion
though... I wish my pop3d would get logged then I might be able to figure
out why it isn't taking my password.  Can you think of any other
ideas?  I tried the /var/qmail/bin/qmail-popup host /bin/checkpassword
pwd  but replaced the host with atlas.teoi.net and it worked....did that
just to double verify it wasn't a hostname problem.
                                                            Thanks,
                                                                Dale







-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dale,
Are you by chance running the shadow password suite?

Charles Werbick

- -----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of Dale Miracle
Sent: Friday, May 05, 2000 21:39
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: checkpassword and Openbsd 2.6



I just tried that and no go, same error.  Thanks for the suggestion
though... I wish my pop3d would get logged then I might be able to figure
out why it isn't taking my password.  Can you think of any other
ideas?  I tried the /var/qmail/bin/qmail-popup host /bin/checkpassword
pwd  but replaced the host with atlas.teoi.net and it worked....did that
just to double verify it wasn't a hostname problem.
                                                            Thanks,
                                                                Dale




-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOROZD74UXtxZ1qcBEQJmWgCg7l1mHxtiUcd9iHQ1Us5vVrtwi0QAoIKx
YMw/WXid/MwGeWwMBS/Z/w9+
=Yp3j
-----END PGP SIGNATURE-----





chuck wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Oops,
> That was totally bogus. Too many hours awake...
> you may try the -u and -g options set to root for pop3 instance of
> tcpserver.
>
> Regards
>
> Charles Werbick
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBOROPvr4UXtxZ1qcBEQJnXgCgv/sMkosmBKr1qw/fViLrL3LAQo4AnRWU
> xvZYVAC2tNyyM55g06Alde76
> =4bWT
> -----END PGP SIGNATURE-----

I just tried that and no change... ps -aux shows it running as root .

                    Dale






Hi,

    I am a newbie to all of the mail server, I have read the
installation manual of qmail, but I can't really get it to work, are
there any books about qmail???

Thank You

Mark Lo







I'm trying to narrow down my problem with sending mail, but not receiving,
and I am going through the "Life with qmail" steps (thanks for the
suggestions on that).. but I have come to the step which will "Allow the
local host to inject mail via SMTP" and when I try to run
"/usr/local/sbin/qmail cdb" I get this error:

tcprules: command not found

I am guessing that it is looking for the installed daemontools-0.61 which
I have installed.. but perhaps improperly?

Can anyone help me with this problem?  All I want to be able to do
at this point is get mail from the outside world.  Thanks.

james





I've reinstalled the tcprules and now I can execute "/usr/local/sbin/qmail
cdb" but I'm still not getting any mail from the outside world.  I can
issue: echo To: [EMAIL PROTECTED] | /var/qmail/bin/qmail-inject and it
will go to [EMAIL PROTECTED] but when I try to send to myself
locally, I get this error:

Sorry. Although I'm listed as a best-preference MX or A for that host,
it isn't in my control/locals file, so I don't treat it as local. (#5.4.6)

So.. I went into my control.locals file and saw that I had "localhost" and
the "ns.myserver.com" in there, but I did not have a "myserver.com" in
there, added it.  Will this fix my locals problem?

And why can't I get any outside mail?

james





>
>
> And why can't I get any outside mail?
>
> james

What do you have in rcpt.hosts

Kevin





Kevin asked:
:What do you have in rcpt.hosts

Well, in my rcpthosts file I have 
localhost
ns.mydomain.com

and a couple of virtual domains that I will have to deal with later.  Did
you mean rcpt.hosts, or rcpthosts?

james






I'm using ezmlm 0.53 with ezmlm-idx 0.40.

Have never set up a moderated mailing list before, but decided I
wanted to try it out tonight.  Set it up with:

ezmlm-make -q -m /path/to/list /path/to/. list domain.com

Set up a couple of test subscribers, and set up a moderator with

ezmlm-sub /path/to/list/mod [EMAIL PROTECTED]

Tried to send a subscribe request, got the confirmation back, sent the
"cookie" back to be accepted to the list, all while tail -f'ing my
logfiles.

Got this in the logfile...

May  6 01:55:59 domain qmail: 957603359.650961 status: local 1/10 remote 2/20
May  6 01:55:59 elementdesign qmail: 957603359.760669 delivery 4325: failure: 
ezmlm-manage:_fatal:_Command_not_available_(#5.1.1)/
May  6 01:55:59 domain qmail: 957603359.761031 status: local 0/10 remote 2/20

What could be causing this?  ezmlm-manage is there, its in the path,
and it is taking the correct command line options (ezmlm-manage
'path/to/list', correct?)

When I try to run it from the command line with these command line
options, I get "SENDER not set".  I know this is an environment
variable, but where is it set, and what is it to be set to?  It's
pretty vague in the manpages and the FAQ.

Thanks for any help... appreciate it.

j






Hi,

     I am having a very very serious problem.  I would like to use the PHP
mail function to send out a web page mail.   Do I have to set up my mail
server first ??  And must this mail server be located at the same
location as my web server ???

Thank You

Mark Lo





Hi, I'm new to qmail. I got problems hounding with SMTP now, I've read the FAQ though, 
but till now I've got no answer.

I installed qmail step by step as to the INSTALL file, I also installed qpopper and 
WU-imap, now I can receive mail via pop and imap, and I also can send mail using 
qmail-inject. But I can't send mail through SMTP, when I telnet port 25 of the mail 
server, it doesn't work.

Anyone give me a hint?


