RE: [toaster] spam problem

2004-09-16 Thread Lucas Valdeón Villa
 
 Hi Rene,
 
   Thank you for the RBLs. But what really happens is that several IPs try to open an 
SMTP connection using from <> and rcpt to: [EMAIL PROTECTED]. The server sends a vchkusr 
error but the connection seems to stay open for a while. I have all connections busy with 
spam and any user can send mail. 
With the new RBLs I deny more mail but I have the same problem :(
 
  Thank you, 
 Lucas
 
 
-Original message- 
From: Rene [mailto:[EMAIL PROTECTED] 
Sent: Thu 16/09/2004 7:38 
To: [EMAIL PROTECTED] 
CC: 
Subject: Re: [toaster] spam problem


 

RE: [toaster] spam problem

2004-09-16 Thread Lucas Valdeón Villa
Hi,
  
  What I suffer is a 'dictionary-generated' attack. 
Problem is the same described in:
http://marc.theaimsgroup.com/?t=10950893654&r=1&w=2
 
One solution proposed in the qmail mailing list is this patch:
http://netdevice.com/qmail/patch/goodrcptto-12.patch
 
I think this patch is not in netqmail or in Shupp's patches, is it?
 
 Thank you, 
Lucas
 
 

-Original message- 
From: Rene [mailto:[EMAIL PROTECTED] 
Sent: Thu 16/09/2004 7:38 
To: [EMAIL PROTECTED] 
CC: 
Subject: Re: [toaster] spam problem


 


RE: [toaster] spam problem

2004-09-16 Thread David
Hi,
I think you may use chkusr patch instead, that's the one you'll find in
shupp's guide. That way emails with invalid recipients are stopped at
smtp level. 
Just be sure you choose the right version, cdb or mysql.
HTH

On Thu, 2004-09-16 at 10:17, Lucas Valdeón Villa wrote:
> Hi,
>   
>   What I suffer is a 'dictionary-generated' attack. 
> Problem is the same described in:
> http://marc.theaimsgroup.com/?t=10950893654&r=1&w=2
>  
> One solution proposed in the qmail mailing list is this patch:
> http://netdevice.com/qmail/patch/goodrcptto-12.patch
>  
> I think this patch is not in netqmail or in Shupp's patches, is it?
>  
>  Thank you, 
> Lucas
>  
> 
> 
>   -Original message- 
>   From: Rene [mailto:[EMAIL PROTECTED] 
>   Sent: Thu 16/09/2004 7:38 
>   To: [EMAIL PROTECTED] 
>   CC: 
>   Subject: Re: [toaster] spam problem
>   
>   
>
> 



RE: [toaster] spam problem

2004-09-16 Thread Rene
If the Servers are even the same, just add them to your
/home/vpopmail/etc/tcp.smtp file :

*.*.*.*:allow,RBLSMTPD="-Connection refused because of virusmails from this server !!! contact us at foo"

and run qmailctl cdb after that


RE: [toaster] spam problem

2004-09-16 Thread Lucas Valdeón Villa
 
 hi,
 
   Yes, I use the chkusr patch, but the connections are slow and they use several rcpt to:
 
 Thank you,
   Lucas
 
--
Hi,
I think you may use chkusr patch instead, that's the one you'll find in
shupp's guide. That way emails with invalid recipients are stopped at
smtp level.
Just be sure you choose the right version, cdb or mysql.
HTH

On Thu, 2004-09-16 at 10:17, Lucas Valdeón Villa wrote:
> Hi,
>  
>   What I suffer is a 'dictionary-generated' attack.
> Problem is the same described in:
> http://marc.theaimsgroup.com/?t=10950893654&r=1&w=2 
>  
> 
> One solution proposed in the qmail mailing list is this patch:
> http://netdevice.com/qmail/patch/goodrcptto-12.patch 
>  
> 
> I think this patch is not in netqmail or in Shupp's patches, is it?
> 
>  Thank you,
> Lucas
> 
>
>
>   -Original message-
>   From: Rene [mailto:[EMAIL PROTECTED]  ]
>   Sent: Thu 16/09/2004 7:38
>   To: [EMAIL PROTECTED]
>   CC:
>   Subject: Re: [toaster] spam problem
>  
>  
>   
>


RE: [toaster] spam problem

2004-09-16 Thread Lucas Valdeón Villa
 
 No, the servers are always different :(
 
   Lucas

-Original message- 
From: Rene [mailto:[EMAIL PROTECTED] 
Sent: Thu 16/09/2004 10:30 
To: [EMAIL PROTECTED] 
CC: 
Subject: RE: [toaster] spam problem



If the Servers are even the same, just add them to your
/home/vpopmail/etc/tcp.smtp file :

*.*.*.*:allow,RBLSMTPD="-Connection refused because of virusmails from this server !!! contact us at foo"

and run qmailctl cdb after that


 


[toaster] Received by "0" and Squirrelmail

2004-09-16 Thread Marcus Williams
Hi -

I've installed the toaster on a new box as per the toaster
instructions (bar an upgrade to latest vpopmail and also I'm using
Debian's installation of daemontools etc). I'm trying to get the
squirrelmail spam (rbl list filters) plugin to work but I need to set
my SpamFilters_YourHop variable up. This needs to be set to something
unique in my Received headers. Normally I could do this by using the
Received header that has my hostname in it, but with the toaster this
appears to be missing - I get a "0" where I'd expect the hostname.

Is this normal? - I get the expected header on a non-toaster build of
qmail (admittedly on a different machine) 

Thanks

Marcus

--
My headers are (the relevant header is preceded with a *):

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 4604 invoked by uid 89); 16 Sep 2004 10:06:58 -
* Received: from unknown (HELO ptb-relay01.plus.net) (212.159.14.212)
*  by 0 with (DHE-RSA-AES256-SHA encrypted) SMTP; 16 Sep 2004 10:06:58 -
Received: from [81.174.233.49] (helo=quinticltd.force9.co.uk)
 by ptb-relay01.plus.net with smtp (Exim) id 1C7t9x-00083D-Sr
for [EMAIL PROTECTED]; Thu, 16 Sep 2004 10:06:37 +
Received: (qmail 5314 invoked from network); 16 Sep 2004 10:06:37 -
Received: from unknown (HELO pokemon.quintic.bogus) (192.9.200.88)
  by bart.quintic.bogus with SMTP; 16 Sep 2004 10:06:37 -
Date: Thu, 16 Sep 2004 11:08:00 +0100
From: Marcus Williams <[EMAIL PROTECTED]>
X-Mailer: The Bat! (v3.0.0.15) Professional
Organization: Quintic Ltd
X-Priority: 3 (Normal)
Message-ID: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: test
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

--

-- 
Marcus Williams -- http://www.quintic.co.uk
Quintic Ltd, 39 Newnham Road, Cambridge, UK
  This message is private [ ] public [*]



Re: [toaster] Received by "0" and Squirrelmail

2004-09-16 Thread Marcus Williams
On 16/09/2004, Marcus Williams wrote:
> Normally I could do this by using the
> Received header that has my hostname in it, but with the toaster this
> appears to be missing - I get a "0" where I'd expect the hostname.

bah. Should've checked the run scripts. I didn't notice the "-l 0" on
the tcpserver command line.

Sorry for noise.

Marcus

-- 
Marcus Williams -- http://www.quintic.co.uk
Quintic Ltd, 39 Newnham Road, Cambridge, UK
  This message is private [ ] public [*]



[toaster] Debugging chkuser patch

2004-09-16 Thread a . h . s . boy
I've applied Shupp's qmail-toaster-0.7b3 and chkuser-0.7b2.mysql 
patches to netqmail, and Qmail is functioning, but the chkuser patch 
doesn't appear to be working properly.

My configuration is correct as far as I can tell -- the mfcheck patch, 
for example, is working right, and my .qmail-default files are set to 
bounce. But Qmail is still accepting mail to non-existent users.

Is there some way to debug the process to see why Qmail is allowing the 
bad recipient to be OK'd? A telnet session tells me nothing, and adding 
recordio logs only the facts of the transaction but doesn't give me any 
clue as to _why_ it's happening.

I'm not a C programmer, but if there's an easy way to add some logging 
code to the chkuser patch, I'd love to have it tell me what's going on 
when it makes the decision whether or not to accept the recipient. Any 
ideas? Any other way of debugging this?

Apologies for reposting this plea, but this is the 3rd message on 
various lists that I've tried for help and nary a response.

Cheers,
spud.
---
a.h.s. boy
spud(at)nothingness.org    "as yes is to if,love is to yes"
http://www.nothingness.org/
---


Re: [toaster] Debugging chkuser patch

2004-09-16 Thread Bill Shupp
a.h.s. boy wrote:
> I've applied Shupp's qmail-toaster-0.7b3 and chkuser-0.7b2.mysql 
> patches to netqmail, and Qmail is functioning, but the chkuser patch 
> doesn't appear to be working properly.
>
> My configuration is correct as far as I can tell -- the mfcheck patch, 
> for example, is working right, and my .qmail-default files are set to 
> bounce. But Qmail is still accepting mail to non-existent users.
>
> Is there some way to debug the process to see why Qmail is allowing 
> the bad recipient to be OK'd? A telnet session tells me nothing, and 
> adding recordio logs only the facts of the transaction but doesn't 
> give me any clue as to _why_ it's happening.
>
> I'm not a C programmer, but if there's an easy way to add some logging 
> code to the chkuser patch, I'd love to have it tell me what's going on 
> when it makes the decision whether or not to accept the recipient. Any 
> ideas? Any other way of debugging this?
>
> Apologies for reposting this plea, but this is the 3rd message on 
> various lists that I've tried for help and nary a response.
>
> Cheers,
> spud.

strace, that's what I'd use.
Regards,
Bill


Re: [toaster] spam problem

2004-09-16 Thread Bill Shupp
Lucas Valdeón Villa wrote:
> No, the servers are always different :(

Are they at least from the same network block?  You might try the 0.7b3 
patch for the toaster.  It contains the spam-throttle patch, which is 
similar to tarpit but looks at simultaneous incoming connections, rather 
than per session limits.  If you can determine the net block that these 
come from, you could put more stringent limits on them, or use tcprules 
to block that net entirely.

Regards,
Bill


RE: [toaster] spam problem

2004-09-16 Thread Lucas Valdeón Villa
 
 Hi,
 
 No, they are from different network segments :(
So the spam-throttle patch won't be effective. AFAIK this patch tries to slow down 
connections from the same IP.
The attack is from several IPs and they establish a connection, doing this slowly. So my 
concurrencyincoming is reached and the server rejects the new connections.
What I consider interesting for the chkusr patch is a bad-recipient limit. Dictionary 
attacks try several rcpt to:, introducing a sleep between each rcpt to. 
Look at http://netdevice.com/qmail/patch/goodrcptto-12.patch
and look for:
"To prevent dictionary attacks, the transmission channel is closed after the
number of bad recipients set in control/brtlimit or BRTLIMIT, two by default.
Repeated attempts from the same IPs may be handled by a cron that looks at the
logs and updates tcprules accordingly."
 
This would be helpful.
 
 Thank you and congratulations for your excellent work,
   Lucas
 
 
-Original message- 
From: Bill Shupp [mailto:[EMAIL PROTECTED] 
Sent: Thu 16/09/2004 17:51 
To: [EMAIL PROTECTED] 
CC: 
Subject: Re: [toaster] spam problem



Lucas Valdeón Villa wrote:

>
> No, the servers are always different :(
>
>

Are they at least from the same network block?  You might try the 0.7b3
patch for the toaster.  It contains the spam-throttle patch, which is
similar to tarpit but looks at simultaneous incoming connections, rather
than per session limits.  If you can determine the net block that these
come from, you could put more stringent limits on them, or use tcprules
to block that net entirely.

Regards,

Bill


 


Re: [toaster] spam problem

2004-09-16 Thread Bill Shupp
Lucas Valdeón Villa wrote:
> Hi,
> No, they are from different network segments :(
> So the spam-throttle patch won't be effective. AFAIK this patch tries to slow down connections from the same IP.

No, not exactly.  That's what tarpit does.  Spam-throttle does it by net 
block.

> The attack is from several IPs and they establish a connection, doing this slowly. So my concurrencyincoming is reached and the server rejects the new connections.
> What I consider interesting for the chkusr patch is a bad-recipient limit. Dictionary attacks try several rcpt to:, introducing a sleep between each rcpt to. 
> Look at http://netdevice.com/qmail/patch/goodrcptto-12.patch
> and look for:
> "To prevent dictionary attacks, the transmission channel is closed after the
> number of bad recipients set in control/brtlimit or BRTLIMIT, two by default.
> Repeated attempts from the same IPs may be handled by a cron that looks at the
> logs and updates tcprules accordingly."
>
> This would be helpful.
> Thank you and congratulations for your excellent work,
>   Lucas

Tonino has sent me a beta version of the new chuser patch (notice the 
new spelling of the name).  It has a LOT more features, including quota 
support, and rcpt to limits.  You should email him and see if he'll 
send you a copy.  It might be useful to you.

Regards,
Bill
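
The "cron that looks at the logs and updates tcprules" from the goodrcptto text quoted above, combined with the net-block blocking suggested earlier in the thread, sketched as an added example; it is not part of the thread or of any patch discussed in it. The `bad_rcpt remote=` log format, the thresholds and the function names are assumptions, and the sample log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Assumed log format: the thread never shows what the patched qmail-smtpd
# logs, so change this pattern to match your own rejection lines.
BAD_RCPT = re.compile(r"bad_rcpt remote=(\d+\.\d+\.\d+\.\d+)\b")

def offenders(log_lines, ip_limit=3, net_ips=3):
    """Return tcprules address keys to deny: a /24 prefix when at least
    net_ips of its hosts hit bad recipients, otherwise single IPs with
    at least ip_limit bad recipients."""
    per_ip = Counter()
    for line in log_lines:
        m = BAD_RCPT.search(line)
        if m:
            per_ip[m.group(1)] += 1
    per_net = defaultdict(set)
    for ip in per_ip:
        per_net[ip.rsplit(".", 1)[0] + "."].add(ip)
    keys = []
    for net, ips in sorted(per_net.items()):
        if len(ips) >= net_ips:
            keys.append(net)  # "192.0.2." covers every host in the block
        else:
            keys += [ip for ip in sorted(ips) if per_ip[ip] >= ip_limit]
    return keys

def merge_rules(existing, keys):
    """Put 'key:deny' lines ahead of the current tcp.smtp text, skipping
    addresses that already have a rule."""
    have = {l.split(":", 1)[0] for l in existing.splitlines() if ":" in l}
    new = [k + ":deny" for k in keys if k not in have]
    return "\n".join(new + existing.splitlines()) + "\n"

# Constructed sample data (documentation address ranges, made-up log lines).
_HITS = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.12",
         "198.51.100.5", "198.51.100.5", "198.51.100.5", "203.0.113.9"]
SAMPLE_LOG = [f"@400000004149a1b2 smtpd: bad_rcpt remote={ip} rcpt=<u{i}@example.com>"
              for i, ip in enumerate(_HITS)] + ["@400000004149a1b3 smtpd: ok remote=203.0.113.9"]
SAMPLE_RULES = '127.:allow,RELAYCLIENT=""\n:allow\n'

if __name__ == "__main__":
    print(merge_rules(SAMPLE_RULES, offenders(SAMPLE_LOG)), end="")
```

The merged text would replace /home/vpopmail/etc/tcp.smtp, after which the cdb has to be rebuilt as described earlier in the thread.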