Re: Help! Is this an attack or a virus? Qmail on FBSD is flooding

From: Vitali Malicky (life_at_zone3000.net)
Date: 07/18/03

  • Next message: Kevin Oberman: "Re: dmesg showing wrong frequency (IBM T30)"
    To: <keith@smmc.qld.edu.au>, "Free bsd " <freebsd-questions@FreeBSD.org>
    Date: Fri, 18 Jul 2003 17:52:04 +0300
    
    

    > G'day Vitali,
    > Thanks for your advice I'll look into it
    > I was thinking about it last night and figured that there must be messages
    > in the Q. A quick check showed that one such message was Qd to send a
    > couple of jpgs to dozens of CCd addresses!
    > That does look like a virus on one of my internal clients...(using their
    > address book)
    > What say you?
    >

    why not a virus? if so, then look at the "From:" field. knowing your user
    and what machine he/she is working at localize the machine and clean it,
    that's not a problem. by the way how do your clients send mail? Since my
    clients can't send mail but to themselves on this very same server until
    they take their mail from the pop3 server (I use tcpserver, vpopmail
    supervised by svscan). Until the users authorize on the pop3 they can't send
    any mail (dynamic relaying). As soon as they're authorized they are granted
    permission for 20 minutes to send mail. In 20 minutes (unless their email
    clients automatically jerk the pop3 server every 5 or so minutes) the
    relaying permission for the client's IP is nulled.

    the moral of the fable is: viruses can't make e-mail client application
    tease the pop3 every 5 minutes, nor authorize on pop3, but some of the
    "clever" viruses can send mail even if the e-mail client application is
    closed (Exited from, I mean)... and what if the relay were closed for the IP
    where the virus "lives"?

    if it's open I can "cat /path/to/vpopmail/etc/open-smtp"

    10.1.1.36:allow,RELAYCLIENT="",RBLSMTPD="" 1058539366
    10.1.1.12:allow,RELAYCLIENT="",RBLSMTPD="" 1058539411
    10.1.1.5:allow,RELAYCLIENT="",RBLSMTPD="" 1058539321
    10.1.1.22:allow,RELAYCLIENT="",RBLSMTPD="" 1058538971

    and localize all the IP's of the clients who are actively using mail server
    now. without guesswork...

    Best regards Vitali.

    --
    Error Code=-1 Continue?
                  Yes | No
    --
    > Keith
    >
    >
    > > Hi, dear All!
    > >
    > > qmail-remote sends mail to remote hosts as long as qmail-local sends
    > > local mail (inside the box). how many qmail-remote processes do you have
    > > (ps ax|grep qmail-remote|wc -l)? did you try to delete the messages from
    > > the queue, if so you should have done it correctly. please, obtain the
    > > qmail-remove package (find it on Google), there is an instruction how to
    > > delete the queued messages. and see the log file (grep qmail-remote
    > > /var/log/maillog | more), as this information is not nuff
    > >
    > > WBR
    > >
    > > --
    > > Error Code=-1 Continue?
    > >               Yes | No
    > > --
    > >
    > > ++++ http://www.geocities.com/vitali_malicky
    > >
    > >
    > >
    > >> Hi Victor thanks,
    > >> I had deleted that one persons account but it still happens!
    > >> What is the qmail-remote thing??
    > >> Any ideas?
    > >> Keith
    > >>
    > >>
    > >
    > >
    >
    >
    >
    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
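
The open-smtp check described in the message above, as an added example that is not part of the original post or of vpopmail: it parses entries in the format shown, keeps the latest POP3 authentication per IP, and marks which addresses are still inside the 20-minute relay window. Reading the trailing number as Unix epoch seconds is an assumption, as are the function names; the sample input reuses the four lines quoted in the post.

```python
import re
from datetime import datetime, timezone

RELAY_WINDOW = 20 * 60  # seconds: the 20-minute window described in the message

# The four entries quoted in the message, reused as sample input.
SAMPLE = """\
10.1.1.36:allow,RELAYCLIENT="",RBLSMTPD="" 1058539366
10.1.1.12:allow,RELAYCLIENT="",RBLSMTPD="" 1058539411
10.1.1.5:allow,RELAYCLIENT="",RBLSMTPD="" 1058539321
10.1.1.22:allow,RELAYCLIENT="",RBLSMTPD="" 1058538971
"""

# <ip>:allow,<environment settings> <timestamp (assumed epoch seconds)>
LINE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):allow,(\S*)\s+(\d+)$")

def parse_open_smtp(text):
    """Return ([(ip, timestamp)], [(line_number, raw_line)]) for good and bad lines."""
    entries, rejected = [], []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match:
            entries.append((match.group(1), int(match.group(3))))
        else:
            rejected.append((number, line))  # surface bad lines, do not skip silently
    return entries, rejected

def relay_status(entries, now, window=RELAY_WINDOW):
    """Latest authentication per IP, newest first, with an in-window flag."""
    latest = {}
    for ip, stamp in entries:
        latest[ip] = max(stamp, latest.get(ip, 0))
    report = []
    for ip, stamp in sorted(latest.items(), key=lambda item: item[1], reverse=True):
        age = now - stamp
        when = datetime.fromtimestamp(stamp, timezone.utc)
        report.append({
            "ip": ip,
            "authenticated": when.strftime("%Y-%m-%d %H:%M:%S"),  # UTC
            "age_s": age,
            "active": 0 <= age < window,
        })
    return report
```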
    
