Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I'm running qmail, with the qmailqueue and logrelay patches. I noticed the following in the log files this evening
From smtpd logs...
Code:
2003-06-24 23:41:05.127333500 tcpserver: status: 1/20
2003-06-24 23:41:05.127540500 tcpserver: pid 2065 from 218.233.19.200
2003-06-24 23:41:05.177742500 tcpserver: ok 2065 mydomain.net:10.10.201.4:25 :218.233.19.200::4523
2003-06-24 23:41:07.732345500 tcpserver: end 2065 status 0
2003-06-24 23:41:07.732350500 tcpserver: status: 0/20
and from the qmail logs...
Code:
2003-06-24 23:41:07.535523500 new msg 34789
2003-06-24 23:41:07.535530500 info msg 34789: bytes 727 from <edu_web@returnmails.com> qp 2072 uid 1005
2003-06-24 23:41:07.556375500 starting delivery 283: msg 34789 to remote edu_test@hanmail.net
2003-06-24 23:41:07.556382500 status: local 0/10 remote 1/20
2003-06-24 23:41:25.865891500 delivery 283: success: 211.43.197.77_accepted_message./Remote_host_said:_250_2.0.0_h5P6f4tt011912_Message_accepted_for_delivery/
2003-06-24 23:41:25.865901500 status: local 0/10 remote 0/20
2003-06-24 23:41:25.865904500 end msg 34789
To me this looks like I've just been hopped on. I've tried a couple of different online open relay tests and both came out okay, but I can't figure out why this message seems to have been sent successfully.
A trace on the three addresses supplied shows they're in APNIC and IIRC all within the .kr TLD. Korean netblock owners are not that renowned for their good network management practices, innit?
but I can't figure out why this message seems to have been sent successfully.
Well, what anti-spam measures/reinforcements do you have in place in /var/qmail/control and/or tcp wrappers? Please FUP/Post the restrictions you set Qmail up with to the appropriate forum: Linux-networking.
Yep. did that recently and all seemed fine. The problems ocurred after a qmail-scanner install and was traced back to a missing "127." in my smtp rules. Must have looked at that file 20 times before someone else pointed out the mistake (thanks jer!).
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
