LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices



Reply
 
Search this Thread
Old 10-06-2004, 02:44 PM   #1
lsimon4180
Member
 
Registered: Oct 2004
Location: Chicago, IL
Distribution: Fedora Core 2
Posts: 101

Rep: Reputation: 15
qmail server getting attacked


Hi

I am running fedora 2 with qmail and the mail server has been up for 2 days and my qmail stats show alot of delevery atempts and messages:

Completed messages: 224
Recipients for completed messages: 219
Total delivery attempts for completed messages: 228
Average delivery attempts per completed message: 1.01786
Bytes in completed messages: 1027919
Bytes weighted by success: 821661
Average message qtime (s): 30.8267

Total delivery attempts: 228
success: 194
failure: 25
deferral: 9
Total ddelay (s): 6970.408828
Average ddelay per success (s): 35.929942
Total xdelay (s): 124.157869
Average xdelay per delivery attempt (s): 0.544552
Time span (days): 2.29918
Average concurrency: 0.00062501

Is the server being attacked?
are there any security patches?

I might of sent about 50 emails myself for testing purposes but no where near that many.

i am also getting alot of AOL spam warings:

1 0.13 Connected to 205.188.156.249 but greeting failed./Remote host said:
554- (RTR:SC) http://postmaster.info.aol.com/error...trsc.html/554- AOL does
not accept e-mail transactions from IP addresses which/554- generate complaints or
transmit unsolicited bulk e-mail./554 Connecting IP: xxx.xxx.xxx.xxx/

is there anyway to stop these attacks is somehting not configured correctly on my side?

i only have 2 domains in my rcpthosts file and nothing else.

Thanks

Lenny
 
Old 10-11-2004, 10:03 AM   #2
Donboy
Member
 
Registered: Aug 2003
Location: Little Rock, Arkansas
Distribution: RH, Fedora, Suse, AIX
Posts: 736

Rep: Reputation: 31
Where did you find these stats? What program provided these? How did you install qmail? Was it part of a howto? What howto did you use?

You should try to examnie your logs carefully and see if you can figure out where the messages are coming from and where they are going. If messages seem to be coming from a certain IP, you can block the IP address using tcprules (/etc/tcp.smtp) or you can block it at your firewall (you ARE running a firewall, aren't you?)

Where are the messages going? If they are going to your local mailbox, then you may not be able to do much except try to deploy some anti-spam measures. If the messages are being delivered to other domains, then it must mean you are an open relay (not likely, since you have something in rcpthosts, which is all that's required) or you have legitimate users of your mail server who are sending the messages.
 
Old 10-11-2004, 10:33 AM   #3
dukeinlondon
Member
 
Registered: May 2003
Location: London
Distribution: kubuntu 8.10
Posts: 593
Blog Entries: 1

Rep: Reputation: 30
About the AOL messages, you IP is likely to be in a range that has been used by spammers (or has been complained about) and some of your mail fail. Maybe you have qmail configured to retry a number of times (hence the number of failures)

I don't know qmail myself but reading your stats, that's what I would say.
 
Old 10-11-2004, 06:35 PM   #4
lsimon4180
Member
 
Registered: Oct 2004
Location: Chicago, IL
Distribution: Fedora Core 2
Posts: 101

Original Poster
Rep: Reputation: 15
hey,

i got those stats from qmail's Nightly Qmail Stats Report

program in also knows as qlogtools or qmail analog.

Its weird now im at:

Completed messages: 412
Recipients for completed messages: 399
Total delivery attempts for completed messages: 408
Average delivery attempts per completed message: 0.990291
Bytes in completed messages: 1793493
Bytes weighted by success: 1539035
Average message qtime (s): 16.9008

Total delivery attempts: 408
success: 363
failure: 36
deferral: 9
Total ddelay (s): 7029.538476
Average ddelay per success (s): 19.365120
Total xdelay (s): 180.791914
Average xdelay per delivery attempt (s): 0.443117
Time span (days): 6.91846
Average concurrency: 0.000302452

not sure if there are holes in qmail or not..

lenny
 
Old 10-11-2004, 08:22 PM   #5
Donboy
Member
 
Registered: Aug 2003
Location: Little Rock, Arkansas
Distribution: RH, Fedora, Suse, AIX
Posts: 736

Rep: Reputation: 31
Well, it really depends on how much traffic is supposed to be coming into your server. I figured that because you only just recently got the system up and running that there woudl not be much traffic (if any) coming into qmail. When there is only a little traffic it's easier to diagnose.

I recommend looking at the qmail-send logs and try to watch them over time. For example...

tail -f /var/log/qmail/qmail-send/current | tai64nlocal

This will allow you to watch as new mail is delivered. Watch for lines that say "to remote" which means it's sending mail to remote machines. Lines that say "to local" are messages being delivered to your local box.

It's possible you may have a mailbox that is filling up that you didn't expect... like maybe the "postmaster" account that is created by default by vpopmail. Try to watch this log file for an hour or two. You may need to restart the command occasionally because when the log file gets full, it will stop being echo'd to the command line using the "tail" command.

Combine this with the grep command and I"m sure you can figure out where the messages are coming from and where they are going. It's possible you may not have a problem at all, but there's no way for me to tell because I have no idea how much traffic you're supposed to be getting right now.

Wish I could help more.
 
Old 10-12-2004, 11:20 PM   #6
lsimon4180
Member
 
Registered: Oct 2004
Location: Chicago, IL
Distribution: Fedora Core 2
Posts: 101

Original Poster
Rep: Reputation: 15
hello,

thanks so much for the tip.

im going to montior the traffic and see whats going on...this server doesnt have any users on it just myself for testing and as of right now i have the following stats:

Completed messages: 535
Recipients for completed messages: 522
Total delivery attempts for completed messages: 531
Average delivery attempts per completed message: 0.992523
Bytes in completed messages: 2543949
Bytes weighted by success: 2284529
Average message qtime (s): 13.1353

Total delivery attempts: 531
success: 482
failure: 40
deferral: 9
Total ddelay (s): 7093.627593
Average ddelay per success (s): 14.717070
Total xdelay (s): 242.786280
Average xdelay per delivery attempt (s): 0.457225
Time span (days): 8.72188
Average concurrency: 0.000322181


very strange i do see bogus emails going through so im adding them to the badmailfrom file for qmail but im not too sure where to go to see the IP addresses of the people who are doing this.

thanks

lenny
 
Old 10-13-2004, 02:21 AM   #7
Donboy
Member
 
Registered: Aug 2003
Location: Little Rock, Arkansas
Distribution: RH, Fedora, Suse, AIX
Posts: 736

Rep: Reputation: 31
>> so im adding them to the badmailfrom file

Are the deliveries going to "local"? Maybe to your mailbox?

Sounds like you're getting the first wave of spam coming to your shiny new mail server?

To see where they are coming from, you'll need to check your qmail-smtpd logs, whicih shows messages that are trying to be sent to your server. qmail-smtpd is what queues the messages for delivery by qmail-send. So when you're watching qmail-send logs, they are showing the messages being delivered to your local users or to remote addresses... your'e watching the hind-end of the process.

Check your qmail-smtpd logs which is new mail coming in. This is where you can get the IP address of the people who are trying to send these messages. I recommend doing the tail -f trick we talked about on your qmail-smtpd logs and wait to see if they show up in your mailbox.

if they do, you can block that IP address using your etc/tcp.smtp file which is more effective than just blocking an email address that may be never used by the spammer again.

If you feel pretty sure these are just spams coming to your new server, that's another can of worms.

if they are remote deliveries, that's something to be concerned about ifyou're the only valid account right now.
 
Old 10-13-2004, 12:08 PM   #8
lsimon4180
Member
 
Registered: Oct 2004
Location: Chicago, IL
Distribution: Fedora Core 2
Posts: 101

Original Poster
Rep: Reputation: 15
thanks so much for the advice.

ill try to monitor the activity, but i do think this is just spam hitting my server..any suggestions or patches for qmail to tighten it up?

thanks

lenny
 
Old 10-13-2004, 12:32 PM   #9
lsimon4180
Member
 
Registered: Oct 2004
Location: Chicago, IL
Distribution: Fedora Core 2
Posts: 101

Original Poster
Rep: Reputation: 15
another thing im trying to do is a apply a patch..below is the patch file and the steps/issues im running into:

file name smtpd.patch:

--- orig/qmail-smtpd.c Mon Jun 15 06:53:16 1998
+++ qmail-smtpd.c Sat Feb 9 12:07:19 2002
@@ -53,6 +53,7 @@
void err_nogateway() { out("553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)\r\n"); }
void err_unimpl() { out("502 unimplemented (#5.5.1)\r\n"); }
void err_syntax() { out("555 syntax error (#5.5.4)\r\n"); }
+void err_relay() { out("553 we don't relay (#5.7.1)\r\n"); }
void err_wantmail() { out("503 MAIL first (#5.5.1)\r\n"); }
void err_wantrcpt() { out("503 RCPT first (#5.5.1)\r\n"); }
void err_noop() { out("250 ok\r\n"); }
@@ -216,6 +217,21 @@
return r;
}

+int addrrelay()
+{
+ int j;
+ j = addr.len;
+ while(--j >= 0)
+ if (addr.s[j] == '@') break;
+ if (j < 0) j = addr.len;
+ while(--j >= 0) {
+ if (addr.s[j] == '@') return 1;
+ if (addr.s[j] == '%') return 1;
+ if (addr.s[j] == '!') return 1;
+ }
+ return 0;
+}
+

int seenmail = 0;
int flagbarf; /* defined if seenmail */
@@ -250,6 +266,7 @@
void smtp_rcpt(arg) char *arg; {
if (!seenmail) { err_wantmail(); return; }
if (!addrparse(arg)) { err_syntax(); return; }
+ if (addrrelay()) { err_relay(); return; }
if (flagbarf) { err_bmf(); return; }
if (relayclient) {
--addr.len;


when i run patch < /usr/src/qmail/qmail-1.03/smtpd.patch
i get this:

[root@baguh qmail-1.03]# patch < /usr/src/qmail/qmail-1.03/smtpd.patch
patching file qmail-smtpd.c
Reversed (or previously applied) patch detected! Assume -R? [n] y
Hunk #1 succeeded at 123 with fuzz 1 (offset 70 lines).
Hunk #2 succeeded at 519 with fuzz 2 (offset 303 lines).
Hunk #3 FAILED at 553.
1 out of 3 hunks FAILED -- saving rejects to file qmail-smtpd.c.rej

this is what in the qmail-smtpd.c.rej file:

***************
*** 569,575 ****
void smtp_rcpt(arg) char *arg; {
if (!seenmail) { err_wantmail(); return; }
if (!addrparse(arg)) { err_syntax(); return; }
- if (addrrelay()) { err_relay(); return; }
if (flagbarf) { err_bmf(); return; }
if (relayclient) {
--addr.len;
--- 553,558 ----
void smtp_rcpt(arg) char *arg; {
if (!seenmail) { err_wantmail(); return; }
if (!addrparse(arg)) { err_syntax(); return; }
if (flagbarf) { err_bmf(); return; }
if (relayclient) {
--addr.len;

any ideas what this patch wont work?

thanks

lenny
 
Old 10-13-2004, 02:17 PM   #10
Donboy
Member
 
Registered: Aug 2003
Location: Little Rock, Arkansas
Distribution: RH, Fedora, Suse, AIX
Posts: 736

Rep: Reputation: 31
To help control spam, I recommend searching the forums here for a message where I was posting back and forth with Apollo77. We were talking about something called rblsmtpd which is built into qmail by default. By changing a few lines of your qmail-smtpd/run file, you can block an enormous amount of spam.

When you get it working, you may want to check over each of the rbl sites carefully... some of them are no longer in service and having them included in the run file just makes things work slower because it's having to check the extra sites that are dead.

Maybe post your run file here when you're done and it's working... I can easily show you which ones are dead.
 
Old 10-13-2004, 02:53 PM   #11
Donboy
Member
 
Registered: Aug 2003
Location: Little Rock, Arkansas
Distribution: RH, Fedora, Suse, AIX
Posts: 736

Rep: Reputation: 31
For the patch, I think you are going to need to patch the file manually. This sounds scary, but it's actually quite easy once you understand how its done.

First, you need to open the file qmail-smtpd.c. I know that's the file we want because that's the first line of your patch file.

Now, ignoring the first 2 lines of the file, you should start looking at the rest of the patch file. In the patch file, you'll see there are some lines that begin with a plus (+) and in some cases, your patch file will also contain lines that begin with a minus (-). In your case, the patch file doesn't have any lines that begin with a minus.

Any lines that begin with a plus are lines that we need to add to the qmail-smtpd.c file. Lines that contain a minus are lines we need to remove from the qmail-smtpd.c file.

So, starting at the beginning of the patch file, we see that the first 3 lines don't have any plus or minus. That means these 3 lines are alraedy in the qmail-smtpd.c file. Line 4 of the patch begins with a plus, so that means we are adding this line.

So, looking at your smtpd.c file, search the file and look for the first 3 lines of your patch file. Those lines look like this...

Code:
void err_nogateway() { out("553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)\r\n"); }
void err_unimpl() { out("502 unimplemented (#5.5.1)\r\n"); }
void err_syntax() { out("555 syntax error (#5.5.4)\r\n"); }
once you find this area, the very next line in the patch file shows that we are adding a line because it begins with a plus. The line to be added is...

Code:
void err_relay() { out("553 we don't relay (#5.7.1)\r\n"); }
So now your qmail-smtpd.c file should look like this....

Code:
void err_nogateway() { out("553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)\r\n"); }
void err_unimpl() { out("502 unimplemented (#5.5.1)\r\n"); }
void err_syntax() { out("555 syntax error (#5.5.4)\r\n"); }
void err_relay() { out("553 we don't relay (#5.7.1)\r\n"); }
void err_wantmail() { out("503 MAIL first (#5.5.1)\r\n"); }
void err_wantrcpt() { out("503 RCPT first (#5.5.1)\r\n"); }
void err_noop() { out("250 ok\r\n"); }
You'll notice all I really did was add the line that begins with a plus. Be sure NOT to include the actual plus... just include the code that comes after the plus.

Also notice in your patch file, there are lines that look like this...

@@ -216,6 +217,21 @@

This is showing you a particular line number of your qmail-smtpd.c file. This will help to give you an idea of where to look. So you should look in the neighborhood of line 216 and 217.

The next part of our patch file shows...

Code:
return r;
}
And right after this (in the patch file) you will see we are adding a whole bunch of new lines because there are several that begin with a plus. Just like before, just add the lines with a plus. So your new and improved qmail-smtpd.c file shoudl look liek this...

Code:
return r;
}

int addrrelay()
{
 int j;
 j = addr.len;
 while(--j >= 0)
 if (addr.s[j] == '@') break;
 if (j < 0) j = addr.len;
 while(--j >= 0) {
 if (addr.s[j] == '@') return 1;
 if (addr.s[j] == '%') return 1;
 if (addr.s[j] == '!') return 1;
 }
 return 0;
}

int seenmail = 0;
int flagbarf; /* defined if seenmail */
Now you'll see that there is another line that looks like this...

@@ -250,6 +266,7 @@

which means we're jumping to a new part of our qmail-smtpd.c file. Just go to that area and you are adding another line, as indicated by the plus sign.

Now there is ONE small thing that i'm not sure about... You'll notice yoru patch file looks like this...

Code:
void smtp_rcpt(arg) char *arg; {
if (!seenmail) { err_wantmail(); return; }
if (!addrparse(arg)) { err_syntax(); return; }
+ if (addrrelay()) { err_relay(); return; }
if (flagbarf) { err_bmf(); return; }
if (relayclient) {
--addr.len;
the part I'm unsure about is the last line which says --addr.len; I'm not sure if this is meaning that line shoudl be removed or what.

Check your qmail-smtpd.c file and see if the line looks like this...

-addr.len;

Notice there is a single dash at the beginning of that line. If there is just a single dash in the actual smtpd.c file, then it means the patch intends for you to remove this line.

Let me know abotu this area. I dont have the qmail-smtpd.c file in front of me right now, so I'm not sure how to advise you further until you have looked at this area closer.

Good luck, and happy patching!
 
Old 10-13-2004, 02:57 PM   #12
Donboy
Member
 
Registered: Aug 2003
Location: Little Rock, Arkansas
Distribution: RH, Fedora, Suse, AIX
Posts: 736

Rep: Reputation: 31
When you are done applying the patch, you can just go to your qmail source directory and run "make setup check" and it will apply your patch to qmail. You may also want to restart qmail with "qmailctl restart" but I dont think you need to because of the way smtp works.
 
Old 10-13-2004, 03:51 PM   #13
lsimon4180
Member
 
Registered: Oct 2004
Location: Chicago, IL
Distribution: Fedora Core 2
Posts: 101

Original Poster
Rep: Reputation: 15
thanks so much,


ive edited the qmail-smtpd.c file as u told me to but once its saved i run make setup check and i get this:

make: *** No rule to make target `str_cpyb.c', needed by `str_cpyb.o'. Stop

im in the src directory for qmail too: /usr/src/qmail/qmail-1.03

any ideas

Lenny
 
Old 10-13-2004, 04:24 PM   #14
Donboy
Member
 
Registered: Aug 2003
Location: Little Rock, Arkansas
Distribution: RH, Fedora, Suse, AIX
Posts: 736

Rep: Reputation: 31
Is there possibly more to that patch? Maybe there are some additional lines that need to be patched, or maybe there are other files that need to be patched. Can you post the entire contents of that patch???

Also, what patch is that called???

You may want to email me (or post) a copy of the qmail-smtpd.c file you patched. Maybe there is an error in there somewhere that I can spot.
 
Old 10-13-2004, 04:28 PM   #15
lsimon4180
Member
 
Registered: Oct 2004
Location: Chicago, IL
Distribution: Fedora Core 2
Posts: 101

Original Poster
Rep: Reputation: 15
sure np here is the info:

i got it from here

http://qmail.org/qmail-smtpd-relay-reject

thats all the info on the patch....

if u go to http://qmail.org/top.html and scroll down to the 'Anti-spam techniques and code' section ull see a line link the following:

Russell Nelson has a patch to reject relay probes generated by so-called anti-spammers. These relay probes have '!', '%' and '@' in the local (username) part of the address.

thanks all the info

thanks lenny
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
qmail +qmail-qfilter + qmail-scanner-queue+qmail-user-masq.pl problem countcobolt Linux - Networking 0 07-08-2004 12:29 PM
I think I've been attacked! smacky Linux - Security 7 10-21-2003 03:39 AM
Have I been attacked? tangle Linux - Security 6 08-03-2003 09:33 PM
New Qmail Server icefantum Linux - Networking 7 06-07-2003 07:34 PM
Being Attacked? andy18 Linux - Security 1 05-11-2003 12:09 PM


All times are GMT -5. The time now is 07:47 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration